Threads for deejayy

    1. 1

      Dependencies! What a nasty piece of software they are! :)

      I’m not against dependencies, I’m against unjustified dependencies only. One time we had a frontend story to deliver (oh yeah, scrum): add “traceparent” header to every HTTP request we send to our APIs. How difficult that could be? Hook on the API handling layer, extend the existing header() definitions with one more line, commit, call it a day.

      But wait! We have a library for that! Or, like a dozen! I swear we spent more time analyzing and trying out these packages than the actual work. It was me who insisted to analyze packages (on very reasonable conditions, btw), because my end goal was to avoid this dependency entirely because “How difficult that could be?”.

      One of the deps was so bloated, it added 33% to the final production bundle (100k minified JS). I was horrified! One single header and 33% more bloat? You gotta be kidding me! It was a general purpose, full-fledged tracing/monitoring package which accidentally provided this pretty little function our junior dev found in it. I was lucky to catch that PR before it went to production. I literally cannot imagine that many edge cases which justify that +100k, no way.

      The culture of mindlessly adding dependencies is definitely harmful. Every new dep should be carefully analyzed based on various conditions to be granted with the privilege to be our dependency.

      (sorry for the tone, my PTSD is still very vivid from this particular project)

      Another great story, transitive dependencies! One of our 5th layer deep deps had a security issue discovered. I spent a few hours tracking down who is responsible for adjusting it, went thru GitHub issues (because yeah, ~200 other issues) and found the golden comment from the maintainer: “sorry, I’m not in the mood of fixing it”. I don’t blame him, I often don’t have the mood myself to work on pet projects, but boy, if you have 200 of the Fortune 500 companies relying on you and you’re proud of it (!), it is at least not the kindest thing to say. The issue sat there for a few months until it was fixed - till then, we had to justify every release for the holy corporate security, that our responsible people are aware of the risk (it was a very narrow attack vector, but you know, processes).

      So yeah, dealing with dependencies is vulnerability, if you don’t pay as much attention as to produce good code, you will have bad days ahead.

      1. 2

        The request could contain an Authorization header in order to authenticate the client before creating the session.

        I’m not sure if this was supported by the browsers in 2015, but definitely not supported today.

        1. 1

          I feel like I must be misunderstanding you, because that sounds obviously false. I’ve used HTTP Basic and Negotiate auth on websocket requests for years. Can you explain what you mean by this?

          1. 2

            You can add custom headers in Postman, in Node.js, but not in a browser-initiated ws connection.

            1. 9

              If the browser’s already used Basic auth with that server in that session, it’ll send the credentials with every request. That includes the GET that creates the WebSocket.

              Also, note that the OP is an IoT developer, so they don’t care about what browsers do.

              1. 1

                We’re not talking about random custom headers, though. If you do the standard 401 dance and ask for a type of auth that browsers support, they’re happy to include it on websockets just like on any other request.

              2. 1

                Can you share the client-side snippet, please? I’ve seen k8s smuggle the token inside Sec-WebSocket-Protocol for some reason and I have failed to find a better solution myself.

                1. 2

                  There’s no client-side work involved if you’re in a browser context. You return a 401 if the websocket request doesn’t include the auth you want, and the browser will retry with the auth header if it has appropriate credentials.
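
The server side of the “401 dance” from the comments above, as an added example that is not part of the thread and not any commenter's code: a Node.js `upgrade` handler that refuses the WebSocket handshake with `401` and `WWW-Authenticate: Basic` unless the request carries valid credentials. The names `decideUpgrade`, `attachAuthenticatedUpgrade`, `USERS` and the demo account are assumptions made for illustration.

```javascript
const crypto = require('crypto');
const http = require('http');

// GUID fixed by RFC 6455 for computing Sec-WebSocket-Accept.
const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11';

// Constructed demo account (assumption). A real service stores salted
// password hashes and accepts this only over TLS (wss://), because Basic
// credentials are merely base64-encoded on the wire.
const USERS = new Map([['sensor-01', 'correct horse battery staple']]);

// Compare two strings without leaking length or matching prefix via timing.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(a).digest();
  const hb = crypto.createHash('sha256').update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Parse "Authorization: Basic <base64(user:pass)>"; null if malformed.
function parseBasic(header) {
  if (typeof header !== 'string') return null;
  const m = /^Basic ([A-Za-z0-9+/=]+)$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Decide how to answer the GET that asks for a WebSocket upgrade.
// `headers` uses lower-case keys, as Node's req.headers does.
function decideUpgrade(headers) {
  const key = headers['sec-websocket-key'];
  if ((headers.upgrade || '').toLowerCase() !== 'websocket' || !key) {
    return { status: 400, headers: {} };
  }
  const creds = parseBasic(headers.authorization);
  const stored = creds ? USERS.get(creds.user) : undefined;
  // Always run the comparison so unknown users cost the same as bad passwords.
  const passOk = safeEqual(creds ? creds.pass : '', stored === undefined ? '\u0000' : stored);
  if (!creds || stored === undefined || !passOk) {
    // The challenge: tell the client which auth scheme the server wants.
    return {
      status: 401,
      headers: { 'WWW-Authenticate': 'Basic realm="ws", charset="UTF-8"' },
    };
  }
  const accept = crypto.createHash('sha1').update(key + WS_GUID).digest('base64');
  return {
    status: 101,
    user: creds.user,
    headers: { Upgrade: 'websocket', Connection: 'Upgrade', 'Sec-WebSocket-Accept': accept },
  };
}

// Wire the decision into an http.Server. Only a 101 leaves the socket open;
// WebSocket framing after the handshake is out of scope for this example.
function attachAuthenticatedUpgrade(server) {
  server.on('upgrade', (req, socket) => {
    const d = decideUpgrade(req.headers);
    const lines = [`HTTP/1.1 ${d.status} ${http.STATUS_CODES[d.status]}`];
    for (const [k, v] of Object.entries(d.headers)) lines.push(`${k}: ${v}`);
    if (d.status === 101) {
      socket.write(lines.join('\r\n') + '\r\n\r\n');
    } else {
      lines.push('Connection: close', 'Content-Length: 0');
      socket.end(lines.join('\r\n') + '\r\n\r\n');
    }
  });
}
```

To use it, call `attachAuthenticatedUpgrade(server)` on an existing `http` or `https` server before it starts listening.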

            2. 13

              Looking at today’s instant messaging solutions, I think IRC is very underrated. The functionality of clients for IRC made years ago still surpasses what “modern” protocols like Matrix have to offer. I think re-adoption of IRC is very much possible only by introducing a good UI, nothing more.

              1. 39

                only by introducing a good UI

                aka drawing the rest of the owl

                1. 1

                  More like upscaling an image drawn before the average web developer was born.

                2. 14

                  no UI will add offline message delivery to IRC

                  1. 6

                    Doesn’t the “IRCToday” service linked in this post solve that? (and other IRC bouncers)

                    1. 12

                      sure but that’s more than just a UI

                    2. 9

                      I think “Lounge” is a really decent web-based UI.

                      1. 8

                        About a year ago I moved my family/friends chat network to IRC. Thanks to modern clients like Goguma and Gamja and the v3 chathistory support and other features of Ergo this gives a nice modern feeling chat experience even without a bouncer. All of my users other than myself are at basic computer literacy level, they can muddle along with mobile and web apps not much more. So it’s definitely possible.

                        I went this route because I wanted something that I can fully own, understand and debug if needed.

                        1. 6

                          You could bolt-on E2EE, but decentralization is missing—you have to create accounts on that server. Built for the ’10s, XMPP + MUCs can do these things without the storage & resource bloat of Matrix + eventual consistency. That said, for a lot of communities IRC is a serviceable, lightweight, accessible solution that I agree is underrated for text chat (even if client adoption of IRCv3 is still not where one might expect relative to server adoption)—& I would 100% rather see it over some Slack/Telegram/Discord chatroom exclusivity.

                          1. 5

                            I dunno. The collapse of Freenode 3 years ago showed that a lot of the accounts there were either inactive or bots (because the number of accounts on Libera after the migration was significantly lower). I don’t see any newer software projects using IRC (a depressingly large number of them still point to Freenode, which just reinforces my point).

                            I like IRC and I still use it but it’s not a growth area.

                            1. 9

                              There’s an ongoing effort to modernize IRC with https://ircv3.net. I would agree that most of these evolutions are just IRC catching up with features of modern chat platforms.

                              The IRC software landscape is also evolving with https://lobste.rs/s/wy2jgl/goguma_irc_client_for_mobile_devices and https://lobste.rs/s/0dnybw/soju_user_friendly_irc_bouncer.

                              1. 6

                                Calling IRCv3 an “ongoing effort” is technically correct, but it’s been ongoing for around 8 to 9 years at this point and barely anything came out of it - and definitely nothing groundbreaking that IRC would need to catch up to the current times (e.g. message history).

                                1. 7

                                  Message history is provided by this thing (IRC Today), and it does it through means of IRC v3 support.

                              2. 6

                                The collapse of Freenode 3 years ago showed that a lot of the accounts there were either inactive or bots (because the number of accounts on Libera after the migration was significantly lower).

                                I don’t know if that’s really the right conclusion. A bunch of communities that were on Freenode never moved to Libera because they migrated to XMPP, Slack, Matrix, Discord, OFTC, and many more alternatives. I went from being on about 20 channels on Freenode to about 5 on Libera right after Freenode’s death, and today that number is closer to 1 (which I’m accessing via a Matrix bridge…).

                                1. 6

                                  I guess it just depends what channels you were in; every single one I was using at the time made the jump from Freenode to Libera, tho there were a couple that had already moved off to Slack several years earlier.

                              3. 2

                                IRC really needs end-to-end encrypted messages.

                                1. 1

                                  Isn’t that what OTR does?

                                  1. 1

                                    Not really. It’s opt-in and it only works for 1:1 charts, doesn’t it?

                                    1. 1

                                      It’s “opt-in” in the sense that if you send an OTR message to someone without a plugin, they see garbage, yes. OTR is the predecessor to “signal” and back then (assuming you meant “chats” above), E2EE meant “one-to-one”: https://en.wikipedia.org/wiki/Off-the-record_messaging – but it does support end-to-end encrypted messages, and from my memory of using it on AIM in the zeros, it was pretty easy to set up and use. (At one point, we quietly added support to the hiptop, for example.)

                                      Someone could probably write a modern double-ratchet replacement, using the same transport concepts as OTR, but I bet the people interested in working on that are more interested in implementing some form of RFC 9420 these days.

                                1. 2

                                  When I looked at the site on my phone earlier, it was unreadable. I’m glad I came back to it on a desktop. The site is a work of art, especially the little Arkanoid-like game at the bottom.

                                  I’m definitely throwing this on my list of “Things that will be handy if I ever get ’round to a Game Jam again”.

                                  1. 2

                                    If you find it worth bookmarking, I can add two more to the list I made:
                                    https://webdraft.hu/fonts/classic-console/
                                    https://webdraft.hu/fonts/nokja-original/

                                    1. 1

                                      Thanks! That Nokja font would have been just the thing in this game.

                                  2. 77

                                    Which is more likely?

                                    1. All of the conspiracy theories are real! The industry managed to keep the evidence from us for decades, but finally a marketing agency of a local newspaper chain has blown the lid off the whole thing, in a bunch of blog posts and PDFs and on a podcast.
                                    2. Everyone believed that their phone was listening to them even when it wasn’t. The marketing agency of a local newspaper chain were the first group to be caught taking advantage of that widespread paranoia and use it to try and dupe people into spending money with them, despite the tech not actually working like that.

                                    My money continues to be on number 2.

                                    Here’s the PDF pitch deck. My “this is a scam” sense is vibrating like crazy reading it: https://www.documentcloud.org/documents/25051283-cmg-pitch-deck-on-voice-data-advertising-active-listening

                                    1. 35

                                      It’s a false dichotomy. This conspiracy can be real without all the others. It’s not all or nothing.

                                      local newspaper chain

                                      Cox? They’re a little more than that. These are the folks trying to sell me a Contour Voice Remote [1]. It’s not hard to imagine what they’re doing with the data.

                                      [1] https://www.cox.com/residential/tv/learn/remote.html

                                      1. 17

                                        I think you’re hitting the nail on the head here. I think the slides are getting crafty with language.

                                        The power of voice (and our devices’ microphones)

                                        They flex the reader into an ingroup mentality with “our” to think they are talking about the devices we all have in our pockets. I think the reason their active listening occurs only once they’ve targeted a very specific geographic area is because it is their devices they are listening to in that area. I suspect they partner with stores, malls, car services, etc to host always-recording microphones attached to reliable power sources, with decent acoustics (i.e. not in someone’s pocket). Then they use BTLE signals, etc that stores already use for tracking consumers around stores to know which consumers are near the microphones and thus might be the ones talking about products they are about to buy. In other words, I think this is targeting people who are in Target (for example) and wondering if Amazon has a better price for the lotion they are standing in front of.

                                        While less paranoia-inducing, this would also be a sleazy thing to do.

                                        1. 6

                                          I suspect they partner with stores, malls, car services, etc to host always-recording microphones attached to reliable power sources

                                          I think one team at Cox were lying to gullible ad customers, and they actually do nothing of the sort.

                                          1. 7

                                            Alexa devices scan local networks to gather intelligence for targeted advertising. A printer exposing ink levels over SNMP results in relevant ads.

                                            I’m honestly curious why you’d have such generous confidence in repeated convicts, multiple times fined by court for mistreating user data.

                                            1. 16

                                              Because scanning local networks to gather intelligence for targeted advertising and exposing ink levels over SNMP are not the same thing as turning on a microphone and listening to what people are saying. Completely different levels of scandal.

                                              1. 7

                                                “I can sense stuff you don’t expect and assume that implies consent to do so” is one level of scandal.

                                              2. 6

                                                Can you source that SNMP bit? Sounds interesting. I can’t find a credible source. It feels important to provide sources for such an allegation.

                                                1. 3

                                                  Seriously, I’ve now actually looked around and I’m finding nothing. I’m going to go ahead and say “that’s not true” on that one. Perhaps a flag for “needs source” would be nice lol

                                                  1. 1

                                                    While I’d love to be able to provide my own data for the above statement, I own no Amazon devices apart from Kindle Paperwhite 1. I have never confirmed this on my own (which I should have pointed out for clarity!) but here’s an old-ish reddit post about this: https://old.reddit.com/r/amazonecho/comments/ip5i1c/alexa_now_monitoring_working_with_my_ancient/

                                                    1. 1

                                                      So a reddit post? Where someone connected a device to their network and it explicitly integrated with other devices on the network, because it is a home management device for managing devices on a network?

                                                      I’m dismissing this entire thing. I mean, I could easily justify this behavior, but I’m not going to even think about it when the evidence is a confused, non technical redditor.

                                                      1. 1

                                                        I may have misremembered the source but I definitely read about it on some website, not reddit directly (even old.reddit.com doesn’t work for me anymore).

                                                        I have never owned an Alexa device, but I believe that this “integrating with other devices on the network” thing you mentioned, would make me ditch the device the moment I’d notice that it gathers intelligence to push me towards making more purchases via Amazon.

                                          2. 17

                                            But what’s the alleged “conspiracy”? I don’t think it takes a conspiracy to make this true

                                            If people are saying that Facebook has a secret API in iOS and Android so they can listen to you when their app isn’t running and permissions are off, then I’d say “no that conspiracy requires too many parties to coordinate without it leaking”

                                            If people are saying that apps that have permission overcollect data, including audio data, and that this information eventually makes it back to Facebook for ad targeting, then I’d say “that probably happens”

                                            Why wouldn’t it happen?


                                            The whole reason sites like Reddit have purposely let their website rot and push the app so hard is because a web browser is sandboxed in a way that a phone is not

                                            I’m pretty sure the device ID is a huge thing for advertisers – if they didn’t have the device ID, they couldn’t join global profiles together, even when you are logged out

                                            https://www.appsflyer.com/glossary/device-id/

                                            https://stackoverflow.com/questions/2785485/is-there-a-unique-android-device-id

                                            The way I think it works is that there are a bazillion data streams of different apps, but you are not logged in on all the apps.

                                            You might look like 20 or 30 different users to the advertisers

                                            Now the trick is to find a fuzzy join key that can join most of your profiles together, because it’s shown to improve ad conversion rates

                                            I think basically what happened over the last 10 years is that the joining got better. That’s why people noticed more things “following them around”

                                            Hell I just got printed spam via snail mail from some company ZocDoc (who I have no relationship with and never gave my mailing address or e-mail to), recommending a Dentist that lives within 3 blocks of me, because I’ve been using the web to search for dentists, and I guess all my profile data / location is leaking

                                            There is so much damn data out there that this is sort of inevitable

                                            Every damn company is pushing you to install their app, because when you do, it unlocks all the data from the other apps you use. They are pooling their data together, to “improve business for all”


                                            I guess Apple noticed all this and locked it down a LITTLE, but not 100%. I’d be interested in details/corrections from people who know more

                                            https://www.vox.com/recode/23045136/apple-app-tracking-transparency-privacy-ads

                                            https://developer.apple.com/documentation/apptrackingtransparency

                                            1. 7

                                              You may have seen in the news that there is implicit rental price collusion among landlords, via data sharing:

                                              https://www.ftc.gov/business-guidance/blog/2024/03/price-fixing-algorithm-still-price-fixing

                                              So I think that is analogous to what has happened in the ad industry. There is not necessarily an EXPLICIT secret agreement, but there is so much data sharing that it can give the EFFECT of coordinated action

                                              i.e. an implicit “conspiracy” rather than an explicit one

                                              And no doubt SOME of that data is audio data, collected from phones (where the app has permission).


                                              Also, the book “Chaos Monkeys” has some good detail on how Facebook came to join data in a way that Google doesn’t (or didn’t at the time)

                                              As far as I remember it involved pre-Internet “offline” databases of consumer information

                                              1. 14

                                                Right: that’s the thing. The rental price collusion among landlords is true. The way advertising companies merge data together from all sorts of different sources is also true. We need to know that those things are true so we can respond to them, because they are real threats to our privacy.

                                                “Facebook apps listen to you through your phone’s microphone and target ads at you” is not true. Believing it’s true is a distraction from the things we should be reacting to.

                                                1. 15

                                                  What if I remove one word:

                                                  Apps listen to you through your phone’s microphone and target ads at you

                                                  Is that true from the average person’s perspective? I’d argue it is

                                                  In a different comment, you said

                                                  I care. This is such a damaging conspiracy theory. It’s causing some people to stop trusting their most important piece of personal technology: their phone.

                                                  I’d say their phone is in fact untrustworthy. Why would they trust it? (honest question)

                                                  And I personally behave in a way that’s consistent with that – I have never installed a social media app on my phone ever. If I have to use social media, I use the web

                                                  I worked at Google for 11 years (not anywhere near ads), and I have only a rough idea how it all works, but I know that there is data sharing and tracking without any real consent

                                                  As the salesperson explained, your “consent” is part of the multi-page EULA

                                                  It’s also due to purposely grinding down the web experience and nagging you to death (and again I personally don’t consent by not using many apps on phones)


                                                  The average person doesn’t know what any of these things are

                                                  • operating system (what does that do?)
                                                  • permissions (I just click the button because I want to do the thing that they said I can do)
                                                  • ad network, ad exchange
                                                  • bidding
                                                  • first party / third party

                                                  So again, if someone says, Apps listen to you through your phone’s microphone and target ads at you, then I’m not really going to disagree with them

                                                  Just like they can say landlords collude to fix prices – that also appears to be true, and is a new type of crime enabled by technology

                                                  1. 10

                                                    On the iPhone there’s an orange circle that displays if an app has access to the microphone.

                                                    Yeah, I’ve seen variants of this argument before: phones do creepy things to target ads, but it’s not exactly “listen through your microphone” - but there’s no harm in people believing that if it helps them understand that there’s creepy stuff going on generally.

                                                    I don’t buy that. Privacy is important. People who are sufficiently engaged need to be able to understand exactly what’s going on, so they can e.g. campaign for legislators to rein in the most egregious abuses.

                                                    I think it’s harmful letting people continue to believe things about privacy that are not true, when we should instead be helping them understand the things that are true.

                                                    This discussion thread is full of technically minded, engaged people who still believe an inaccurate version of what their devices are doing. Those are the people that need to have an accurate understanding, because those are the people that can help explain it to others and can hopefully drive meaningful change.

                                                    1. 2

                                                      (Rewrote 2 comments because I realized they conflated 2 things, and are too long)

                                                      On the question of whether the salesman is lying, we don’t need to invoke any conspiracy or technical inaccuracy. I think the most likely scenario is:

                                                      • Cox Media Group does have an app, and they convinced some people to install it, because it does something useful
                                                      • It records some audio with permission. Whether the orange indicator is on is irrelevant - I have no doubt they are able to get some data.
                                                      • It uses some hacked together voice recognition to turn audio into text. There is no advanced AI.
                                                      • This is fed into some industry-wide service, in exchange for other joined data.

                                                      So the salesman is not lying when he says:

                                                      “Active Listening” software uses artificial intelligence to “capture real-time intent data by listening to our conversations.

                                                      Advertisers can pair this voice-data with behavioral data to target in-market consumers

                                                      Just exaggerating. From experience, these companies don’t have the kind of engineering that FB/Google do.

                                                      (e.g. Google engineers bypassed Safari protections to collect more data (and paid a settlement); I don’t think most companies do that.)


                                                      Now, this single Cox Media Group incident does NOT necessarily justify widespread consumer perception that their phones are untrustworthy, or that they are being constantly spied on via audio.

                                                      But I would ask if you can rule that out.

                                                      You can consider the CMG app an instance of “grayware”. Surely it’s not the only one that exists. The incentive is there for thousands of such apps to exist.

                                                      • I am reminded of all those grayware search toolbars that were (are?) so prevalent on Windows machines (I think tens or hundreds of millions of machines). You or I would instantly notice that and remove it, but many users won’t
                                                        • Did anyone ever consent to them? Weren’t they allowed by Chrome’s or IE’s app permissions? All it takes is a click to consent
                                                        • Some version of this IS happening right now on phones – we just don’t know how prevalent it is. There are regular “outbreaks” in the Android ecosystem, and no doubt iOS. It’s an ongoing war. (Again the “story about Jessica”, while fictional, I think gives a flavor of how different most people’s experiences with computers, and motivations, are from “us”)
                                                      • Wikipedia said there are 2.2 million iOS apps, and Android probably has more. Data collection is a huge incentive for basically all of them – otherwise they would just be websites. (It’s expensive to create both Android and iOS apps)

                                                      It’s a question of degree, not “if it happens”. Trust is also not binary, and some users have experiences that rationally lead them to trust less than others.

                                                      1. 3

                                                        This pitch deck does not read to me like the deck of a company that has actually shipped their own app that tracks audio and uses it for even the most basic version of ad targeting: https://www.documentcloud.org/documents/25051283-cmg-pitch-deck-on-voice-data-advertising-active-listening

                                                        They give the game away on the last two slides:

                                                        Prep work:

                                                        1. Create buyer personas by uploading past consumer data into the platform
                                                        2. Identify top performing keywords relative to your products and services by analyzing keyword data and past ad campaigns
                                                        3. Ensure tracking is set up via a tracking pixel placed on your site or landing page

                                                        Now that preparation is done:

                                                        1. Active listening begins in your target geo and buyer behavior is detected across 470+ data sources […]

                                                        Our technology analyzes over 1.9 trillion behaviors daily and collects opt-in customer behavior data from hundreds of popular websites that offer top display, video platforms, social applications, and mobile marketplaces that allow laser-focused media buying.

                                                        Sources include: Google, LinkedIn, Facebook, Amazon and many more

                                                        That’s not describing anything ground-breaking or different. That’s how every targeting ad platform works: you upload a bunch of “past consumer data”, identify top keywords and set up a tracking pixel.

                                                        I think active listening is the term that the team came up with for “something that sounds fancy but really just means the way ad targeting platforms work already”. And then they got over-excited about the new metaphor and added that first couple of slides that talk about “voice data”, without really understanding how the tech works or what kind of a shitstorm that could kick off when people who DID understand technology started paying attention to their marketing.

                                                      2. 1

                                                        To be fair, I mostly agree with you but this is a tricky topic. There are like multiple ‘conspiracies’ & multiple claims..

                                                        I do not believe my personal iPhone has recorded any audio that’s made it “downstream” to the ad/behavior/intent market. That is seemingly not how the sausage gets made.

                                                        However, there are lots of audio sources that I believe feed the downstream: voice control remotes, video doorbells, anything I say in a supermarket. I do not think there’s much conspiracy in saying all that audio is fair game. If all that audio is on the table, so to speak, it’s going in the sausage; they’re not leaving it on the floor.

                                                        Other sources, I’m not sure. Hey Alexa, I’m not sure (I don’t own that stuff). Voicemail speech-to-text, I’m not sure. Baby monitors, I’m not sure.

                                                        So there’s the too-far-too-specific claims like your-iPhone-is-listening-always that they can confidently deny. (without mentioning they don’t even need that, as much as they’d like it) Is it bad journalism to jump to the (likely false) conclusion? Sure. I don’t know why they do that. It muddies the topic, and gives them an out. That is not a hill I wanna argue on.

                                                        But to claim the slides are faked?? That’s wild, to me. There’s clearly legitimate sources for this audio, and business interest, and technical capability. The sausage does get made, it would seem. (the question is: out of what?) The slides do not say that your-iPhone-is-listening-always so it’s like there are 2 conversations going on. A tricky topic.

                                                        1. 2

                                                          I do not think there’s much conspiracy in saying all that audio is fair game.

                                                          There are relevant laws to consider. The US has various federal and state level wiretapping and eavesdropping laws. There are privacy laws like GDPR in the EU and CCPA in California. Illinois even passed its own “Keep Internet Devices Safe” act, albeit with lobbyist alterations that will stir up skeptics even more.

                                                          1. 9

                                                            Tech companies do a lot of bad things. That’s why I care about us accurately describing the bad things they do, rather than saying “Yeah, Facebook probably advertise to you based on listening to what you say through your microphone, that’s the kind of thing they would do.”

                                              2. 12

                                                I couldn’t agree more. The technical aspects of option 1 are usually overlooked, especially when it comes to power usage. I have some experience with audio fingerprinting with smartphones (kind of like Shazam but for TV/Radio commercials). Even turning on the mic for one second every 10 will absolutely obliterate your battery. This is not just in terms of daily consumption, expect the overall battery life to be severely reduced. Back in the days you would have to swap your battery for a new one every other month. That is to say: people will notice if any app is sampling the microphone constantly.

                                                1. 13

                                                  Back in the day when I had a Google account and an Android phone (circa 2018), I did the experiment of downloading all the data that Google had about me in their cloud. Inside, I found many audio recordings that appeared to be random parts of every day.

                                                  I could hear myself playing with my children far from the phone. I caught glimpses of several conversations with my wife.

                                                  Those were actual audio files stored on Google cloud. I had no knowledge of it. I had never asked for anything to be recorded. In fact, I even had “Ok Google” disabled (because of false positives). Yet, those audio files were there and there was nothing preventing Google from analysing them.

                                                  In fact, for some snippets, I even suspected that my phone was in airplane mode while they were recorded (my phone is, by default, in airplane mode at home). So those were probably recorded and then sent afterward.

                                                  It was six years ago. At the time, I, like you, considered that phones could not listen all the time but I had to surrender to the evidence: Android phones do listen all the time and send random audio excerpts of your life to Google servers. That’s a hard, indisputable fact.

                                                  1. 9

                                                    How does “OK, Google” or “Hey Siri” work?
                                                    One thing is listening thru mic and another is sending it out from the device. I think simple voice pattern matching with predefined and tailored set of keywords downloaded regularly to the device can be kept low enough to not make a notice of the additional power consumption.

                                                    1. 25

                                                      There’s a dedicated low power chip for those “wake words”, at least on iPhones.

                                                      Only Apple can update the firmware for that.

                                                      1. 4

                                                        Only Apple can update the firmware for that.

                                                        supposedly, with almost no way to verify, and big co’s have used device exploits in the past for gain so I still default to zero trust with all devices, apple included.

                                                            1. 5

                                                              I just don’t think it is.

                                                              If you want to make a ton of money effectively targeting ads at people, I think you want to know their age, gender, location and general demographics.

                                                              Snippets of conversations they had are so much less useful than that. What if they were sat in a coffee shop next to some loud talkers? What if they left the phone near the radio?

                                                              I’ll believe audio snippets from phones are valuable when they become a serious part of the conversation around selling ads (and I don’t mean the Cox team who briefly promoted this last year and then dropped all references to it).

                                                              1. 2

                                                                I don’t believe Facebook is hacking anything, but in terms of using audio for targeting it’s quite doable.

                                                                Smart TVs already have ability to identify what you watch and listen to, and they’re not hiding it.

                                                                ML around sound recognition has gotten really good recently. Detecting radio or non-conversational speech is perfectly doable. It’s also possible to estimate age and gender of speakers.

                                                                Even without phone location access FB knows where its long-term users live from IPs & usage patterns + GPS clusters of photos.

                                                                Note that the data doesn’t have to be perfect, nor explicit. It’s just more features to throw into the big machine learning pile.

                                                                1. 1

                                                                  Smart TVs already have ability to identify what you watch and listen to, and they’re not hiding it.

                                                                  I think that’s a case in point: we all know smart TVs tell the mothership what TV shows you are watching. It’s not a conspiracy theory. It’s well known. (Incidentally, now that you can’t rely on public TV ratings anymore, this data is very valuable to the streamers to know which of their competitors’ shows are most popular.)

                                                                  How would turning on microphones be secretly burning zero days and not telling anyone and yet still raking in sufficient money to make up for it? It doesn’t make sense. If they were doing it, it wouldn’t be a secret.

                                                      2. 2

                                                        Yeah. If I were in charge of avoiding mic use detection, I’d use beacons/geofencing to only listen in commercial zones, to increase the likelihood of picking up something useful. Avoid the radio draining the battery by saving to upload only when wifi is available. And minimize/skip actual processing of audio on the phone, let remote servers handle that.

                                                      3. 3

                                                        I am also suspicious of these claims for the same reasons as you. However, reading through the linked slides, the time when the microphone would need to be active seems pretty narrow. They claim to only do so after you’ve paid a daily rate for a specific area and once they know the ad metadata that is best associated with your product. They could pretty easily use other data sources to eliminate most potential targets in the area and be sure to only listen to each phone once for multi-day engagements. So this would look like one of those times where you thought you had half a battery but a few hours later you’re at 10% and you can’t quite remember if you did actually have half a charge.

                                                        The other reason I’m very suspicious of these claims is that voice data just doesn’t seem that helpful. I don’t talk to anyone about most of the things I buy. The shopping conversations I have with my wife are “did the toilet paper ship yet?” (well after a purchase) and “should I grocery shop on Saturday or Sunday?” (with no content about products). Intersect that with the probability of you listening when I happen to be talking about it and we must be near $0 expected value.

                                                        1. 2

                                                          This is a good point, but the techcrunch article mentions smart TVs, which are conveniently plugged into the wall.

                                                        2. 9

                                                          For some people it’s more comforting to believe that malevolent global powers are spying on you than to accept that you’re not that unique, and that using a few fairly public signals you can be characterized and have ads targeted at you fairly accurately.

                                                          1. 6

                                                            Anecdotally, I spoke on the phone with my dad about an upcoming visit to a family member several states away in GA, and later that day told my wife in person that I needed to make a dentist appointment soon. Later that day I got a YouTube ad for dentists in the town I was going to visit in GA.

                                                            This isn’t proof of anything, but it’s a hell of a lot more than “you’re just not that unique, get over yourself”

                                                            1. 4

                                                              You can visit https://myadcenter.google.com/u/0/home to see a bunch of information about what Google are using to target ads to you - and https://myactivity.google.com/myactivity for even more detail.

                                                              Oh interesting! There’s actually a setting on https://myactivity.google.com/activitycontrols?utm_source=my-activity for “Include voice and audio activity” which defaults to off - but the information panel about it explains that if you turn this on they use your “Hey Google…” audio snippets like this:

                                                              Google uses audio saved by this setting to develop and improve its audio recognition technologies and the Google services that use them, like Google Assistant.

                                                              1. 4

                                                                You get a lot of ads for things other than dentists, and you probably don’t notice dentist ads when you’re not thinking about needing to make an appointment. As for the geographic specificity, I’d blame a web search or map lookup or a data broker buying your travel plans from an airline company or something.

                                                                I’ve worked on the audio stack for mobile devices and you really couldn’t justify the power consumption for always on recording, let alone voice recognition and uploading it to the cloud.

                                                                1. 1

                                                                  I’m not saying something didn’t listen to you and make targeted ads for you, but it seems odd to assume it was your cell phone.

                                                                  Cell phones are battery powered and resource constrained. Much easier to use things that are always plugged in that are around you, or have someone in the middle of the communication path listen in. Where they are not as resource constrained.

                                                                  It would be very interesting if you spent the time trying to figure out what if any device it might in fact be, and get network traces to prove it.

                                                                  I’ve never had anything like this happen to me, but it’s also possible that it never will since I have little tech near me that could listen in and block almost all ads from reaching me anyway.

                                                                  1. 3

                                                                    I don’t have any smart devices or assistants, so it would have been either my phone or my laptop ¯_(ツ)_/¯

                                                                    I spent a good bit of time racking my brain on what else could have brought that up but I hadn’t done any googling (already had a dentist) or maps searches (I’d been to that family member’s house before)

                                                                    It would be really interesting to get some network traces though, I’ve considered setting something up to block ad trackers in general

                                                              2. 7

                                                                If you can come up with a reasonable explanation for why I get ads 5 minutes after talking about something that I am positive is:

                                                                1. Not something I’ve ever searched for directly
                                                                2. Not something I can even use
                                                                3. Not in any way related to other interests

                                                                I’ll listen. I just spoke of a product. Going to browse the web a bit and see if I get related ads.

                                                                (Edit: To be clear, I don’t believe the mic idea. I do think that human behavior is easy to manipulate, and engineer. But have, on numerous times, wondered what the odd set of steps were that led to being served an ad for Rice-a-Roni — the product I spoke of 30 minutes ago, and am now seeing ads for. Something caused me to believe I have no connection to that item—it’s not in the stores I shop at. Not something I can even eat—yet, here I am being targeted for it. The explanation of “conspiracy” is just obvious, right?)

                                                                1. 8

                                                                  Coincidence.

                                                                  Try this exercise: make a note of every time you say anything out loud within range of a microphone. Then note how often you see an ad related to the thing you said within the next five minutes. The goal here is to count how often you DON’T see an ad relating to a snippet of audio.

                                                                  This exercise is deliberately absurd, because nobody would ever make notes that detailed about what they were saying… but if you did, I bet the number of times a relevant ad came up would be a fraction of a fraction of a percent.

                                                                  And that’s what’s happening. We don’t notice all of the times that we say something and our devices DON’T then show us an advert - but when it does happen (purely out of coincidence, combined with our broad demographics: I see ads that a 40-something Californian male might be interested in) we instantly associate it with our recent conversations.

                                                                  1. 4

                                                                    Why were you talking about it if you have no connection to it? How did it enter your mind?

                                                                    1. 3

                                                                      Are you sure it’s not more simply explained by selective memory? I frequently catch myself looking at a TV at the gym and seeing an advertisement for something that seems targeted to me, only to realize it’s impossible. I don’t tend to remember the other ads.

                                                                    2. 5

                                                                      I think your comment is a useful corrective, but I’ve only been hearing people I know talk about hyperspecific targeted advertising that can be connected to your speech for a few years. So it wouldn’t be that the industry was doing it for decades, but that they were doing it for a few years.

                                                                        1. 4

                                                                          …I had one of those terrible moments where I started to say “yeah, just a few years ago”, but though my felt sense of time is wrong that 2017 is just a few years ago, it’s also not decades, meaning we were both off by a bit.

                                                                          And to your point, keeping it a secret for 7 years is more work than for 3.

                                                                      1. 3

                                                                        It’s not conspiracy when it’s true. If the code is closed source and the employees sign NDAs how are people supposed to get evidence? It’s not even that crazy to think that without evidence. It happened hundreds of times to me and people I know that after mentioning something in a conversation a related ad pops up on fb. Now I might not know the technical details, but it’s definitely not a coincidence if it happens every single time to everybody.

                                                                        1. 4

                                                                          It doesn’t happen “every single time to everybody”.

                                                                          If this has been going on for the past 5-10 years enough people know about it that somebody would have leaked - NDAs are one of the reasons journalists sometimes grant anonymity to their sources.

                                                                          (Conspiracy theories can be true - but this one definitely isn’t.)

                                                                          1. 3

                                                                            How would people even know? Everybody who cares about this is using an ad blocker, right? Right?

                                                                            1. 2

                                                                              I don’t know why you insist on the conspiracy theory angle. It’s e.g. no state secret that google collects data of your every movement through google maps and google play services. The average person doesn’t care as long as they can get an uber. Same thing with FB, the average person won’t care that their audio data is collected without their consent as long as they can use facebook. People are far less concerned about data when they are asked to change their habits. FB doesn’t need to hide things, but what happens to fb if this comes out with evidence? Nothing. Because at best people don’t care. And those who care are not on facebook. So what’s the great conspiracy here? Data collection is old news

                                                                              1. 4

                                                                                I spent some time yesterday digging through the Facebook and Google tools that allow you to view and export the data that they are using for targeting ads to you.

                                                                                They are actually extremely transparent: You can see exactly what kind of location data they are keeping, plus lists of companies that they have identified you as interacting with.

                                                                                There is no hint of the kind of audio data that we are discussing here. The closest is Google’s defaulted to off preference that allows them to use your “hey google” audio snippets for further improvements to that model.

                                                                                Why would they be transparent about all of their other creepy location data, but entirely omit the audio stuff?

                                                                                I think because they are not storing audio content in the first place.

                                                                          2. 3

                                                                            More likely, who cares? We’re focused on finding which is more profitable, and it turns out misinformation is wildly more profitable than providing a useful and reliable service. Lying to people and making society dysfunctional is a small price to pay ;)

                                                                            1. 18

                                                                              I care. This is such a damaging conspiracy theory.

                                                                              1. It’s causing some people to stop trusting their most important piece of personal technology: their phone.
                                                                              2. We risk people ignoring REAL threats because they’ve already decided to tolerate made up ones.
                                                                              3. If people believe this and see society doing nothing about it, that’s horrible. That leads to a cynical “nothing can be fixed, I guess we will just let bad people get away with it” attitude. People need to believe that humanity can prevent this kind of abuse from happening.

                                                                              1. 10

                                                                                People need to believe that humanity can prevent this kind of abuse from happening.

                                                                                The evidence seems to suggest we can’t, given humanity can’t even ameliorate its own rapidly approaching downfall.

                                                                                1. 10

                                                                                  People need to believe that humanity can prevent this kind of abuse from happening.

                                                                                  People shouldn’t believe things the evidence keeps pointing away from. Are you aware of any instances of someone not getting away with this kind of thing in the last decade or two?

                                                                                  1. 10

                                                                                    I’d say the real damage is 4. it further estranges folks from an understanding of their property, making it harder for them to control. On (1), phones shouldn’t be trusted by default, not as long as their manufacturers and carriers insist on being so undeserving of trust.

                                                                                    But you’ve talked to Facebook users, right? On (2), a close friend replied to learning that Facebook materially contributes to three genocides by explaining that they only use it to stay in touch with friends and family, and also Marketplace. On (3), they see anybody with phone discipline as engaging in some sort of illusory moral elitism rather than genuinely caring about health and safety. Facebook is a real threat and people invite it in anyway.

                                                                                    1. 6

                                                                                      I also care and I think the right view here is that this is happening.

                                                                                      If there is a chance that ad-partners are injecting this kind of functionality into Facebook then Facebook needs to fix that. If there is a chance that people are giving shady apps too much access to their microphone then Apple and Google need to fix that.

                                                                                      It doesn’t really matter to me at what scale it’s happening, it should be next to impossible. I’m sure there will always be people with sufficiently low moral standards to do it if they can figure out how.

                                                                                      1. 4

                                                                                        Is there any technical evidence this is happening, or conjecture based on “pattern recognition” (cognitive biases) and these slides?

                                                                                      2. 3

                                                                                        I was being facetious, sorry if that wasn’t clear. This is dangerous misinformation.

                                                                                    2. 2

                                                                                      Strong agree here. I got a major sense of deja vu from this story - pretty sure some other random marketing company made the same claim a few years ago and it was swiftly debunked?

                                                                                        1. 1

                                                                                          From that video’s own description:

                                                                                          As pointed out in the comments, there are too many flaws in my methodology to draw any conclusions (for instance I am live streaming directly to YouTube which of course necessitates recording my microphone the whole time).

                                                                                          1. 1

                                                                                            Well, someone should repeat the experiment without livestreaming then. What we’re doing instead is deliberating whether it’s a conspiracy theory or not while the truth is within reach of a scientific experiment.

                                                                                            1. 13

                                                                                              The fact that nobody has successfully produced an experiment showing that this is happening is one of the main reasons I don’t believe it to be happening.

                                                                                              It’s like James Randi’s One Million Dollar Paranormal Challenge - the very fact that nobody has been able to demonstrate it is enough for me not to believe in it.

                                                                                        2. 2

                                                                                          Yeah my bullshit detector has gone off on this every time it’s been “proven”. I understand that ad targeting is really good, but it just doesn’t pass the smell test to think that a weirdo marketing agency has figured out a way around Apple’s permission structure and not, say, the NSA

                                                                                          1. 5

                                                                                            I’m not making a claim either way, but I think your logic is flawed there.

                                                                                            Finding out a “weirdo marketing agency” is doing it doesn’t say anything about if the NSA is doing it.

                                                                                        3. 5

                                                                                          Funny, I was talking with my wife in the mall last week about Converse shoes, and said I loved them, but they were just a bit too narrow.

                                                                                          For the last week, my Twitter ads are all for explicitly “wide” shoes. Creepy.

                                                                                          1. 14

                                                                                            How many times in the last few years did you have a conversation and then NOT spot ads relating to that conversation?

                                                                                            This kind of coincidence only has to happen once for people to suspect that their voice is being recorded and used to target ads.

                                                                                            1. 2

                                                                                              How many times in the last few years did you have a conversation and then NOT spot ads relating to that conversation?

                                                                                              Most of the time. But assuming the tech is real, they wouldn’t want to overuse it, so that makes sense. Overuse runs the risk of detection, and could spur users to aggressively disable their microphone permissions. Similar to how the Allies in WW2 had to be picky about what German intel they could act on, lest they give away what they knew. If they just do it occasionally, there’s sufficient doubt.

                                                                                              Personally, I’ve had some relevant ads appear after conversations on super-obscure topics that I only discussed once with my coworkers, and never searched for online. It felt too implausible to be a coincidence the human mind latched onto, like successfully guessing a specific UUID.

                                                                                              I can’t prove anything, but I don’t think Facebook deserves the benefit of the doubt here.

                                                                                                1. 8

                                                                                                  I agree, but white-collar crime is rarely prosecuted, so jail is not much of a credible deterrent.

                                                                                                  E.g., look at a similar case: Facebook during the Cambridge Analytica scandal. What were the consequences? Well, Facebook apologized a lot. Zuck went before Congress. And CA itself went bankrupt.

                                                                                                  Facebook paid the SEC only $100 million, which is 0.02% of its then-market cap of $500 billion. A couple of years ago, they settled a class action lawsuit over CA for $725 million, which brings the percentage up to 0.1% of their market cap. Their stock prices dropped 24% at the time, but then recovered two months later.

                                                                                                  Nobody went to jail.

                                                                                                  1. 4

                                                                                                    Fine: if this is real, companies should be fined $100m by government agencies and their CEOs should be hauled in front of congress.

                                                                                                  2. 2

                                                                                                    There was literally news last week about Google employees asking “is history enabled for this chat?” - and cut.

                                                                                                    https://www.courtwatch.news/p/heres-22-examples-of-google-employees

                                                                                                    Edit: added link, changed to “last week”.

                                                                                                  3. 5

                                                                                                    I can’t prove anything, but I don’t think Facebook deserves the benefit of the doubt here.

                                                                                                    Benefit of the doubt would be assuming they were sophisticated enough to build out a working system capable of listening like this and effectively using it to target ads without being caught. That seems far-fetched; it’s much more likely that they built some half-assed prototype, threw an LLM at it, and brag to their customers how advanced their “AI-driven technology” is. We’ve seen over and over that studies show that even “regular” targeted advertising is not remotely as effective as advertisers play it up as.

                                                                                                    I have no doubt they would do this if they were actually capable of it.

                                                                                                    1. 2

                                                                                                      I have no doubt they would do this if they were actually capable of it.

                                                                                                      Facebook has the engineers, the time, and the amorality to figure out how to make this work, even if it’s not subverting the iOS microphone. This honestly doesn’t seem like a stretch to me.

                                                                                                      We’ve seen over and over that studies show that even “regular” targeted advertising is not remotely as effective as advertisers play it up as.

                                                                                                      Maybe… but then that’s an incentive to get as much info as possible. It doesn’t eliminate the motivation, it enhances it.

                                                                                                      1. 1

                                                                                                        Facebook has the engineers, the time, and the amorality to figure out how to make this work

                                                                                                        The article is reporting on claims made by Cox Media Group. There have been no claims reported that Facebook has built this. Facebook is one of their alleged clients.

                                                                                                        1. 1

                                                                                                          OK, but I thought we were talking about Facebook because of what I said above:

                                                                                                          Personally, I’ve had some relevant ads appear after conversations on super-obscure topics that I only discussed once with my coworkers, and never searched for online. It felt too implausible to be a coincidence the human mind latched onto, like successfully guessing a specific UUID.

                                                                                                          I can’t prove anything, but I don’t think Facebook deserves the benefit of the doubt here.

                                                                                                          Fwiw, I think it less likely that CMG has pulled this off, but I wouldn’t be surprised if a company with the resources of Facebook had.

                                                                                                2. 9

                                                                                                  in the mall

                                                                                                  I’m far more willing to believe “mall/store has microphones installed everywhere and sells audio to data brokers” over “an ad agency managed to circumvent/get a backdoor in the iOS and Android permission systems”

                                                                                                  1. 2

                                                                                                    FWIW I’ve been getting those wide shoe ads a lot recently too, and I never talked to anyone about shoes (or anything else to suggest that I’m shoe shopping, because I’m not).

                                                                                                    1. 2

                                                                                                      Any chance your wife searched for [wide converse shoes] at some point to see if that’s a thing, and because you’re both under the same IP address it got linked back to you?

                                                                                                      1. 2

                                                                                                        I just asked her, and she said no.

                                                                                                        Personally, I wore Chucks for decades, and have never seen a wide version, so I wouldn’t bother to search for it, since I figure I already know the answer.

                                                                                                    2. 3

                                                                                                      I’m absolutely unsure that the current HTTP methods are expressive enough for the various actions we can ask a backend to do. Given that situation, we always need to explain and distinguish between them. If we need to explain, it loses the semantic value, and really doesn’t matter from that point if we use POST for everything. Also, these semantics are important for devs only, end-users don’t really see the added value.

                                                                                                      1. 5

                                                                                                        They’ve been good enough for me in my career!

                                                                                                        1. 3

                                                                                                          I think QUERY is the only one I’ve been missing… but yes I agree.

                                                                                                          1. 2

                                                                                                            I’m certain I’m unclear on something. How does GET not serve this function?

                                                                                                            1. 2

                                                                                                              In a QUERY you can send a body but with a GET you have to use query parameters in the URL.

                                                                                                              It’s useful for queries that take a lot of bytes to express. In the case of the article, you could imagine a moderately complicated search “form” using the body for payload.

                                                                                                              1. 1

                                                                                                                Technically, there’s nothing preventing you from sending a request body in a GET.

                                                                                                                1. 2

                                                                                                                  The HTTP spec enumerates several ways that GET bodies are useless or outright broken:

                                                                                                                  content received in a GET request has no generally defined semantics, cannot alter the meaning or target of the request, and might lead some implementations to reject the request and close the connection because of its potential as a request smuggling attack

                                                                                                      2. 9

                                                                                                        Micro libraries are an unfortunate artifact of node’s decision a decade+ ago to ship without a robust standard library, in favor of micro libraries that would fill in the gaps.

                                                                                                        The solution I’d like to see happen is shipping a JS runtime with a bigger library. Bun is doing this today but there is still room for improvement there.

                                                                                                        1. 11

                                                                                                          I think this is too simplistic an answer to be particularly accurate here.

                                                                                                          Firstly, NodeJS did ship plenty of standard library modules. Where NodeJS is weak (e.g. string manipulation or maths libraries), it’s usually because the language has always been weak in this regard. In that sense, NodeJS didn’t change anything that JS devs hadn’t already been dealing with for years.

                                                                                                          Secondly, because this was an old and known problem, it has also had a fairly well-explored solution: third party standard libraries like underscore, lodash, rambda, etc. These have been used for years and were all accessible in NodeJS.

                                                                                                          Thirdly, we don’t see the same issue in other languages. Rust also had a deliberately anemic standard library, and a robust package management system, but doesn’t have anywhere near the same issues as Javascript for small libraries. OCaml has also historically had a poor standard library, but there are multiple third-party options to choose from as an alternative.

                                                                                                          So I don’t think this analysis tells enough of the story.

                                                                                                          I suspect the issue is a lot more cultural. Javascript is used a lot on the web, and so a lot of the ways it is used have been informed by the pressures of the web - easy minification, simple bundling, small file size, etc. For as long as I’ve been doing web dev, there has been a push for small modules as an optimisation - originally in terms of loading smaller files, and later as a way of making things easier for bundlers. This philosophy became a part of the JS culture, even after bundlers became powerful enough to make it largely irrelevant.

                                                                                                          1. 4

                                                                                                            Rust also had a deliberately anemic standard library, and a robust package management system, but doesn’t have anywhere near the same issues as Javascript for small libraries.

                                                                                                            Dependency hell is just as pervasive in Rust as in JavaScript. Every Rust package I’ve ever had to install had over 200 dependencies.

                                                                                                            1. 1

                                                                                                              Dependency hell is just as pervasive in Rust as in JavaScript. Every Rust package I’ve ever had to install had over 200 dependencies.

                                                                                                              But a count of dependencies is not the issue JavaScript has.

                                                                                                          2. 2

                                                                                                            Why didn’t people make the JS equivalent of C++’s boost (which I see as: a bigger, batteries included, stdlib and sometimes experimental sandbox for future specs)?

                                                                                                            I’m sure there were attempts at it, but people considered “having to download megabytes of data to run a webapp” as bad practice.

                                                                                                            Funny thing, Rust is also full of micro libraries and yet its stdlib is quite good.

                                                                                                            1. 16

                                                                                                              Isn’t that what jQuery, lodash, etc. were doing?

                                                                                                              1. 3

                                                                                                                I remember the time when we had a security red flag in our project for about half a year, because the maintainer of lodash (one of our transitive dependencies, 4 levels deeper) couldn’t be bothered fixing a CVE in his library. So the next question would be the governance of those libs.

                                                                                                                1. 5

                                                                                                                  Were you paying him to do so?

                                                                                                                  1. 2

                                                                                                                    That’s a pretty popular question to be asked nowadays in this context, feels like a flamebait. To answer it, no, I was ready to make a contribution in the form of adjusting the code (it was a single dep version bump, no big deal), when I realized there is already a PR open for the same purpose. It sat there for a long time, not even sure it was merged at the end.

                                                                                                                    This was the reason why I used “governance”: a language’s standard library should not be in a single maintainer’s hand. Not everything can be answered with money.

                                                                                                                    1. 3

                                                                                                                      I didn’t mean it as flamebait, it is a thing that comes up repeatedly to illustrate how much we expect from maintainers for free. I do think you can expect a different level of support when you pay a maintainer for their time. We are lucky we have many of the free things we do have. When you look at things from that perspective, it explains the incentive structure that leads to the unsatisfying outcome. It’s not specifically you not-paying, it’s the system by which it’s exceedingly difficult to get paid enough to dedicate time to these things. I don’t know if governance (more people?) is the solution, as there are tradeoffs with that too.

                                                                                                              2. 5

                                                                                                                C++ doesn’t have npm or cargo though. I think if it did maybe boost wouldn’t exist and it would be just as micro dependency heavy. I feel like the popularity of header only libraries supports that.

                                                                                                                I think

                                                                                                                • boost
                                                                                                                • Qt’s (and other C++ gui frameworks) tendency to include things like containers, networking functionality etc.
                                                                                                                • folly and abseil

                                                                                                                all come out of “dependencies are a pain in the neck, one giant general purpose dependency is less painful than many smaller targeted ones.”

                                                                                                                1. 2

                                                                                                                  Boost is an interesting beast. One thing you get from it that you wouldn’t get from a bunch of separate packages as easily is the consistency (both API-wise and internals-wise). Things like the boost::get<> function that feel a bit weird but are everywhere and once you get used to it it’s fine.

                                                                                                                  1. 2

                                                                                                                    C++ doesn’t have npm or cargo though.

                                                                                                                    It won’t have any one and official package manager, but tools like conan do the job fine. It has a good chunk of popular libraries in its index, and integrates with lots of build tools (cmake, meson, raw makefiles). It makes using third-party libs much easier.

                                                                                                                    1. 1

                                                                                                                      Yes conan exists, but so does vcpkg, build2, FetchContent, etc etc.

                                                                                                                      Node has npm and yarn, which uses npm’s registry.

                                                                                                                      If the library you want is in the package manager you use it absolutely is easier to consume. Having N package managers doesn’t make it easier to produce a library though.

                                                                                                                  2. 1

                                                                                                                    It is much easier to launch a new updated C++ compiler or stdlib than ship a new ECMAScript standard to all mainstream browsers. It took a good amount of time for them to catch up with modern features that have existed for years.

                                                                                                                  3. 1

                                                                                                                    The target for JS is the browser which is notoriously difficult to get users on latest.

                                                                                                                    https://bower.sh/my-love-letter-to-front-end-web-development

                                                                                                                    1. 1

                                                                                                                      I thought the stale browser problem was fixed about 10 years ago?

                                                                                                                      1. 1

                                                                                                                        Nope. It’s still a problem. It’s even worse than that, ECMA is a specification that the browsers need to devote a lot of resources to implementing. There is drift, there is lag, there are edge cases. What other programming language runtimes do you know of that have 3 different production implementations? What do you think would happen to the stdlib if we had to wait for 3 different runtimes before we could use a new feature?

                                                                                                                        1. 4

                                                                                                                          What other programming language runtimes do you know of that have 3 different production implementations?

                                                                                                                          C++, Common Lisp, Scheme, Java…

                                                                                                                  4. 2

                                                                                                                    I don’t know if you guys remember what web development looked like in 2011, but let me share a screenshot from my desktop from that time: http://deejayy.hu/share/browser-landscape-2011.png

                                                                                                                    In case the link dies, or you don’t want to open it, it contains these shortcuts arranged on my desktop:

                                                                                                                    Firefox 1.5.0.12.lnk
                                                                                                                    Firefox 2.0.0.20.lnk
                                                                                                                    Firefox 3.0.lnk
                                                                                                                    Firefox 3.5.lnk
                                                                                                                    Firefox 3.6.23.lnk
                                                                                                                    Firefox 5.0.lnk
                                                                                                                    Firefox 6.0.lnk
                                                                                                                    Firefox 7.0.lnk
                                                                                                                    Firefox 8.0.lnk
                                                                                                                    IE 4.01 (4.72.3110.0).lnk
                                                                                                                    IE 5.01 (5.00.3314.2100).lnk
                                                                                                                    IE 5.55 (5.51.4807.2300).lnk
                                                                                                                    IE 6.0 (6.00.2800.1106).lnk
                                                                                                                    IE 6.0 (6.00.2900.2180).lnk
                                                                                                                    IE 7.0 (7.00.5730.13).lnk
                                                                                                                    IE 8.0 (8.00.6001.18702).lnk
                                                                                                                    Opera 7.10.lnk
                                                                                                                    Opera 7.50.lnk
                                                                                                                    Opera 8.50.lnk
                                                                                                                    Opera 9.10.lnk
                                                                                                                    Opera 9.64.lnk
                                                                                                                    Opera 10.50.lnk
                                                                                                                    Safari 3.1.lnk
                                                                                                                    Safari 3.2.3.lnk
                                                                                                                    Safari 3.2.lnk
                                                                                                                    Safari 4.0.lnk
                                                                                                                    Safari 5.0.1.lnk
                                                                                                                    Safari 5.1.lnk

                                                                                                                    1. 22

                                                                                                                      Browser choice is not an ideology. It’s a pragmatic choice for nearly everyone. Chrome is simply consistently better. Shaming people for not using Firefox for ideological reasons won’t work.

                                                                                                                      If chrome disables the use of ad blockers, first of all most people won’t even notice. For the minority that do, chromium forks will emerge or they’ll switch to Firefox at that point.

                                                                                                                      1. 53

                                                                                                                        Chrome is simply consistently better

                                                                                                                        I think this was true like … five years ago or so, but up to the point last year where I finally ditched Chromium altogether I wasn’t really seeing any difference whatsoever between the two.

                                                                                                                        If chrome disables the use of ad blockers, first of all most people won’t even notice

                                                                                                                        Honestly this is kind of sad. Ad blocking technology right now is far and away the most important User Empowerment thing we’ve got going for us. You have Linux Zealots going around trying to convince people to switch operating systems for abstract reasons that no one actually finds convincing, or trying to get people to stop using Facebook which has some serious social isolation downsides, but meanwhile installing an ad blocker takes like two minutes, has really compelling and self-evident benefits, and no down sides.

                                                                                                                        1. 14

                                                                                                                          You have Linux Zealots going around trying to convince people to switch operating systems for abstract reasons that no one actually finds convincing

                                                                                                                          Do you? Much like the Rust Evangelism Strike Force, I don’t see much of this, at least not in the last half decade or so.

                                                                                                                          1. 11

                                                                                                                            or trying to get people to stop using Facebook which has some serious social isolation downsides,

                                                                                                                            I don’t want to let this statement go unchallenged. I think it’s a harmful fallacy. Social interactions via “traditional” channels like phone, email, text and video conference are excellent.

                                                                                                                            We may not promote or educate people about them enough anymore, but they are more social than the often semi-anonymous and harmful interactions platforms like FB foster.

                                                                                                                            1. 9

                                                                                                                              GP is right unfortunately. You lose awareness of many in-person events, and even among people considered friends it can be difficult to make the transition to more direct contact and not have it be weird. I’ve doubled down and accepted the cost for long enough that there’s no going back, though I wonder sometimes if it was really worth it.

                                                                                                                              The way to make progress on these kinds of problems is coordinating lots of people to move together. This is why Jon Haidt promotes Wait Until Eighth to keep kids off social media and so on.

                                                                                                                              1. 4

                                                                                                                                I deleted my FB account six or seven years ago. I have an anonymous account for tracking organizations that post events.

                                                                                                                                It may have been my personality, but I’ve been a lot happier since.

                                                                                                                                Every time I dip into some “social” platform like reddit I’m reminded how terrible people are when they have masks on.

                                                                                                                                1. 8

                                                                                                                                  Every time I dip into some “social” platform like reddit I’m reminded how terrible people are when they have masks on.

                                                                                                                                  Fair, but Facebook, which requires the use of real names, is equally terrible, just in a different flavor.

                                                                                                                              2. 7

                                                                                                                                Social interactions via “traditional” channels like phone, email, text and video conference are excellent.

                                                                                                                                Those technologies are fine, but they don’t offer the sense of “ambient humanity” that Facebook, Instagram, Twitter, et al. do. Those platforms allow you to lurk. It’s a very different interaction model from a phone call, where at least one party has to explicitly initiate it, and then both parties have to continue participating (at least for the best results!).

                                                                                                                                I do agree that there are still ways to get meaningful social interaction outside the big platforms. I have a bunch of SMS and iMessage group chats that allow me to keep in touch with close friends and family, and I can participate more actively or more passively depending on my mood and whether or not I have something to say. You could set up the same kind of thing on any number of chat platforms. But my point is that Facebook was never just a substitute for calling a friend on the phone.

                                                                                                                                1. 9

                                                                                                                                  That lurking is the worst aspect. It’s the one that prompts people to preen on social media and to envy others and then lapse into depression, negativity or anxiety.

                                                                                                                                2. 2

                                                                                                                                  If anything since deleting my FB account I have been more socially active, because whenever I want to communicate something I text people or call them and I have an actual conversation, while before I would have broadcasted the thing to a bunch of people in exchange for some like…

                                                                                                                                  1. 1

                                                                                                                                    Yeah, I haven’t actually used facebook so admittedly I don’t know what I’m talking about here; I should have said “perceived downsides” because it doesn’t matter for the larger point if it’s true or not.

                                                                                                                                  2. 5

                                                                                                                                    trying to get people to stop using Facebook which has some serious social isolation downsides

                                                                                                                                    Not if you’re under 50. ;-)

                                                                                                                                    1. 8

                                                                                                                                      So replace Facebook with Instagram then. It’s literally the same company.

                                                                                                                                      1. 4

                                                                                                                                        And only have family and friends in the same range.

                                                                                                                                        And are in certain countries.

                                                                                                                                      2. 3

                                                                                                                                        I finally ditched Chromium altogether I wasn’t really seeing any difference whatsoever between the two.

                                                                                                                                        There have been ups and downs in the competition between the two ever since chrome was released but chrome has always more or less held its own. It’s either been much better or about the same in this period. That’s why I used the word “consistently.”

                                                                                                                                        Honestly this is kind of sad.

                                                                                                                                        Strong agree with all of your reasoning here. The ability to provide a practical benefit like avoiding ads is a huge selling point for FOSS but instead people are finger wagged for reasons they will never understand.

                                                                                                                                        1. 3

                                                                                                                                          I think this was true like … five years ago or so

                                                                                                                                          Using Firefox mobile was noticeably slower (on android at least). On my new-ish phone (Samsung S23) it’s fine, but I wouldn’t say it’s for everyone. I love having extensions and supporting an alternative browser, but not everyone can afford high-end phones to just do browsing.

                                                                                                                                          1. 1

                                                                                                                                            I think this was true like … five years ago or so…

                                                                                                                                            I switched to Firefox for work a couple years ago and basically everything is fine except for a couple apps. For example, Grafana just cannot handle large queries on Firefox, it’s 90% of the reason I still have Chrome installed at all. I suspect that they only test it on Chrome and that there are just subtle differences in the JS implementations, so I wouldn’t say Chrome is “better”, but it certainly “works” in some cases where Firefox does not.

                                                                                                                                            1. 1

                                                                                                                                              so I wouldn’t say Chrome is “better”, but it certainly “works” in some cases where Firefox does not.

                                                                                                                                              I find this use of the English language truly amazing.

                                                                                                                                          2. 9

                                                                                                                                            When people talk about what “most people” think about a topic, I don’t get who they’re talking about. I think most of my friends would care if Adblock was removed, and they’re a very diverse set of people.

                                                                                                                                            I think most people do care about these topics like privacy and diversity in browser space, if you take the time to educate them as to why they should. No one cared about the environment nor democracy initially either, it took a lot of campaigning to get people to start caring.

                                                                                                                                            1. 3

                                                                                                                                              if you take the time to educate them as to why they should

                                                                                                                                              But that’s the entire point. The vast majority of chrome users dont use Adblock and don’t care enough to seek out education on Adblock. That’s just the reality.

                                                                                                                                              1. 8

                                                                                                                                                The worst part of tech the past 20 years is consistently hearing over and over that technologists and their aesthetics don’t matter because the masses put up with whatever they’re force-fed.

                                                                                                                                                If people want their browsers to track the crap out of them, that’s fine by me. I prefer a world of healthy alternatives. And I hate hearing that my values don’t matter. They do matter, and I know I represent a quiet but stubborn faction of people who see the internet not as five sites but the beautiful messy decentralized system it is.

                                                                                                                                                We will take it back. It won’t be something that will be recognized by non-technologists for a long time. And that’s a feature.

                                                                                                                                                Honestly, it’s not terribly surprising that webdevs allowed this to happen. They’re fed a steady diet of the web not being enough (just use Angle Reaction 24.8!) as is.

                                                                                                                                                1. 8

                                                                                                                                                  If people want their browsers to track the crap out of them, that’s fine by me.

                                                                                                                                                  … until you realize that these people are helping data-hoarding-bigcos track the crap out of you as well. Your neighbours scan your wifi and bluetooth devices, your contacts share your phone number, name and whatever data they happen to know about you (maybe they fill in your DoB, workplace or upload your picture), when you called each other, meet each other and such.

                                                                                                                                                  1. 2

                                                                                                                                                    I prefer a world of healthy alternatives. And I hate hearing that my values don’t matter.

                                                                                                                                                    Healthy alternatives exist and you’re free to use them. Your values likely don’t matter to the majority of other people in the world, they’re your values. The world is a big place.

                                                                                                                                                    We will take it back. It won’t be something that will be recognized by non-technologists for a long time.

                                                                                                                                                    I think you’re underestimating how many people are on the internet and how many of them don’t care about technology at all but simply use it to get from point a to point b. This isn’t the mid 90s anymore.

                                                                                                                                                    Large companies who must behave according to data to survive understand this.

                                                                                                                                                  2. 5

                                                                                                                                                    At least that’s what Google believes (they wouldn’t go ahead with the breaking change if they thought it’d cause too many users would switch away from Chrome), and they surely know their users better than we do.

                                                                                                                                                    But some of the users who don’t care enough can be made to care with a bit of advocacy, like in this article. Just like with environmental issues, it can take a lot of explaining to understand how important a topic is.

                                                                                                                                                2. 8

                                                                                                                                                  Chrome is simply consistently better.

                                                                                                                                                  That’s exactly what people said about Internet Explorer back in the day, and how it got to be such a nuisance… Once a monoculture has become entrenched, it’s very hard to get rid of it when it ceases to be the better option.

                                                                                                                                                  1. 5

                                                                                                                                                    For the minority that do, chromium forks will emerge

                                                                                                                                                    That will keep all of the manifest v2 stuff that Google is ripping out, and keep it working as the internal APIs change?

                                                                                                                                                    I can’t imagine anyone doing that vs. just switching to Firefox.

                                                                                                                                                    1. 4

                                                                                                                                                      I agree it’s a pragmatic choice, but the main way in which Chrome is “better” in 2024 is that everyone is already using it. Your peers would look at you a little funny for using something else, switching takes effort, and it isn’t obviously worse such that you’d be motivated to switch. At this point Chrome inherited its dominant position; it isn’t particularly earning that position anew by better addressing user needs. Not unlike Google web search.

                                                                                                                                                      1. 2

                                                                                                                                                        Your peers would look at you a little funny for using something else

                                                                                                                                                        I think I’d get more funny looks for using Chrome to be honest.

                                                                                                                                                        1. 1

                                                                                                                                                          Your peers would look at you a little funny for using something else

                                                                                                                                                          So, just like modern webdev then? :)

                                                                                                                                                        2. 3

                                                                                                                                                          Most privacy and/or security enhanced open source community effort forks of Chromium don’t last. See: Hexavalent, Chromite.

                                                                                                                                                          1. 2

                                                                                                                                                            And why do you think that is?

                                                                                                                                                            1. 6

                                                                                                                                                              Because maintaining a browser (or even, third party patches for a browser in this case) is a massive, time consuming, ongoing, never ending effort that requires constant reworking after every minor web change, or upstream change.

                                                                                                                                                              It’s simply not feasible for small open source communities to maintain a patchset as massive as this.

                                                                                                                                                              1. 3

                                                                                                                                                                Because maintaining a browser (or even, third party patches for a browser in this case) is a massive, time consuming, ongoing, never ending effort that requires constant reworking

                                                                                                                                                                The same could be said of all work. Any serious endeavor requires constant labor, open source or not. The way we accomplish these things is by creating sustainable revenue streams so that we can fund the labor. The real problem here is that few people care about privacy enough to sustain this development effort. Ideology doesn’t pay the bills.

                                                                                                                                                                1. 10

                                                                                                                                                                  At a recent security event (National Academies thing on memory safety a couple of weeks ago, I think), someone mentioned that Chrome has an average of one security issue that needs patching and fixing every 1.5 days. The team has to create the fix, test it, and roll it out in update channels that often, in addition to adding new features. Doing that while also being downstream from the company that is doing the work upstream is incredibly hard.

                                                                                                                                                                  1. 2

                                                                                                                                                                    Yes! This is exactly what I was getting at.

                                                                                                                                                                    1. 2

                                                                                                                                                                      Doing that while also being downstream from the company that is doing the work upstream is incredibly hard.

                                                                                                                                                                      I don’t deny that it’s hard but clearly it can be done if someone is willing to fund it. Many people are claiming that browser privacy etc. is an important feature for users that chrome is increasingly ignoring but if that were true, where is the demand for such a browser feature? It doesn’t exist in any significant way, at least enough to fund a browser that prioritizes this issue, therefore we must conclude that most users don’t really care about browser privacy and it isn’t an important feature.

                                                                                                                                                                      1. 2

                                                                                                                                                                        It’s not just a matter of funding; it’s also a matter of time. No amount of funding is going to provide more hours in a day. The time it takes to maintain a project downstream is time spent away from family, friends, and those other things dearly held.

                                                                                                                                                                        1. 2

                                                                                                                                                                          It’s not just a matter of funding; it’s also a matter of time.

                                                                                                                                                                          Time is money. More salaries fundraised equates to more full time labor being allocated to working on this. There is nothing written in stone that privacy-oriented browsers must only be worked on during one’s free time.

                                                                                                                                                                    2. 2

                                                                                                                                                                      This is way different in that the third party project doesn’t initiate the changes, and the upstream project is extremely big - there’s a massive, well-funded company working on this highly technical and complex project with lots of churn. And over here you have a handful of unpaid folks even just trying to parse what they’re doing upstream, and then having to rebase their own work onto those changes.

                                                                                                                                                                      1. 1

                                                                                                                                                                        And over here you have a handful of unpaid folks

                                                                                                                                                                        Why would nobody be willing to pay for such a privacy-focused chrome fork?

                                                                                                                                                                        1. 1

                                                                                                                                                                          Perhaps when Firefox truly dies off…

                                                                                                                                                                          1. 1

                                                                                                                                                                            It would have to be a true fork, not a Chrome-resynch-with-branches project. Otherwise Google will thrash you to death with upstream changes.

                                                                                                                                                                            If you’re going to work on a truly different codebase, Firefox is right there. But then Mozilla will thrash you to death.

                                                                                                                                                                        2. 1

                                                                                                                                                                          Sure that’s a pretty fair assessment of the situation. I agree.
                                                                                                                                                                          We should ask “why” so few care. They can’t be bothered? Lack of tech education? Lack of interest? Probably a combination of all of that.

                                                                                                                                                                2. 3

                                                                                                                                                                  Would be awesome to attach the PR related things (approvers, comments, resolved conflicts, timeline, etc) to the PR commits. Or maybe it is already part of one of the forges?

                                                                                                                                                                  1. 5

                                                                                                                                                                    Maybe I’m missing something, but there’s a bit of a contradiction here, IMHO.

                                                                                                                                                                    When discussing the shortcomings of story points, the author acknowledges that anything the team provides will, at some point, be converted to time by the business, and that this is sorta inevitable:

                                                                                                                                                                    People asking for estimates care about time, so points always get converted to some form of time / projection. Whether you see it or it’s happening behind the scenes.

                                                                                                                                                                    And this is reasonable. I know, stay with me.

                                                                                                                                                                    It’s even argued that the biggest problem with just straight up using time for estimates is not time estimates themselves, but that business will hear 2 weeks without the corollary of no interruptions, and we’ll only start after doing X.

                                                                                                                                                                    And then, after presenting the idea of breaking down features into tasks and measuring queues sizes, we’re suddenly back in the land of I will give you a number and it’s up to you to convert that to time:

                                                                                                                                                                    What if after starting work on Feature A, that was 250 tasks, we had a couple of rounds of feedback and the total task size had grown to 500 tasks? If you’re measuring your queues you can see that this feature is much larger than expected and potentially re-evaluate whether work should continue.

                                                                                                                                                                    That’s all nice and good, but if I tell business our queue grew from 250 to 500 tasks, the first words out of their mouths/keyboards will be ok, how long will the extra tasks take?.

                                                                                                                                                                    Besides that, it goes unsaid in the article (I think), but the effectiveness of measuring the queue size seems to be predicated on all the tasks being roughly the same size. In my experience, that’s almost never the case, and there’s no amount of breaking it down that can make it so. In fact, trying to make all tasks be the same size is, actually, just waterfall with a different pair of pants.

                                                                                                                                                                    And this brings us back to the problem of adding 1 and 13 story points. If my queue has 20 tasks, but 5 of those are simple changes and the other 15 are intermittent bugs that only happen in production, every other Thursday, then 20 tasks in the queue is as useless a measure of work to be done as any amount of story points.

                                                                                                                                                                    Now, I kinda like the idea of measuring the queue, with the implicit assumption that we will break down things to be as small as possible. But without any way of automatically converting that to some level of time estimate … it just doesn’t work in real life, unless business is INCREDIBLY on board with the whole thing, all the way up, which is very rare.

                                                                                                                                                                    I got the feeling that the article would be 10x more useful if it was 90% about breaking down tasks and 10% about queue sizes, instead of how it actually is, 90% queue size and 10% breaking down tasks.

                                                                                                                                                                    For me, it’s food for thought, but I won’t switch from time estimates any time soon. Estimating time, trying to communicate uncertainty to the business, and working things out as we go, still looks like the only plan that works, in practice.

                                                                                                                                                                    1. 2

                                                                                                                                                                      Fwiw, we’re settling in to just counting issues and doing forecasting with https://screenful.com/.

                                                                                                                                                                      There was an article way back detailing just looking at issues in/created, and time to completion - then doing monte-carlo simulation over that.

                                                                                                                                                                      Turns out that if your weeks/months look similar enough (some big, some small, some issues exploding into many subtasks) - that’s pretty much all you need in order to do a (pretty good) estimate with a given confidence (50% likely we’re done in two months, 95% we’re done in six).

                                                                                                                                                                      1. 3

                                                                                                                                                                        This sounds like #NoEstimates, Vasco Duarte made a presentation about the approach: https://yewtu.be/embed/7ud-4bKJr8k?rel=0 (from 26:00 with an example). Good thing is that you can verify retrospectively where you’d be if you haven’t used points, only count.

                                                                                                                                                                        1. 3

                                                                                                                                                                          link deobfuscation https://youtu.be/7ud-4bKJr8k?t=1560

                                                                                                                                                                          1. 1

                                                                                                                                                                            Yep, that seems to be mostly the same thing.

                                                                                                                                                                            Only thing that seems to be missing (but I only skimmed the video) is combining dev velocity (issues solved pr iteration) with feature creep/issue growth (when 10 issues at the start of the iteration grow to 15 as the problem is better understood).

                                                                                                                                                                            So in order to “complete” 10 issues per iteration, velocity needs to be higher than 10.
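The forecasting approach described in the comments above (count issues, resample history, read off confidence levels) combined with the issue-growth point from the last comment, as an added example that is not code from any commenter or from the linked tools. The function names and the weekly sample counts are assumptions constructed for illustration.

```python
import math
import random

# Constructed sample history (not real data): one entry per past week.
CLOSED_PER_WEEK = [9, 12, 4, 14, 10, 6, 8, 13]  # issues completed
ADDED_PER_WEEK = [3, 6, 7, 9, 2, 8, 1, 5]       # issues created (scope growth)


def simulate_once(backlog, closed_hist, added_hist, rng, max_weeks):
    """Play one possible future; return weeks until the backlog is empty.

    Each simulated week replays one randomly chosen historical week, taking
    its closed and added counts together so their correlation is preserved.
    Returns None if the backlog is still open after max_weeks.
    """
    weeks = 0
    while backlog > 0:
        if weeks >= max_weeks:
            return None
        i = rng.randrange(len(closed_hist))
        backlog += added_hist[i] - closed_hist[i]
        weeks += 1
    return weeks


def forecast(backlog, closed_hist, added_hist, runs=5000, seed=1, max_weeks=520):
    """Monte Carlo forecast of weeks-to-done at several confidence levels."""
    if not closed_hist or len(closed_hist) != len(added_hist):
        raise ValueError("histories must be non-empty and of equal length")
    rng = random.Random(seed)  # seeded so a forecast can be reproduced
    finished = []
    for _ in range(runs):
        weeks = simulate_once(backlog, closed_hist, added_hist, rng, max_weeks)
        if weeks is not None:
            finished.append(weeks)
    finished.sort()

    def percentile(p):
        # Nearest-rank percentile over ALL runs; runs that never finished
        # count as "later than any finished run", so the answer may be None.
        rank = math.ceil(p / 100 * runs)
        return finished[rank - 1] if rank <= len(finished) else None

    return {
        "p50": percentile(50),
        "p85": percentile(85),
        "p95": percentile(95),
        "unfinished": runs - len(finished),
    }


if __name__ == "__main__":
    result = forecast(100, CLOSED_PER_WEEK, ADDED_PER_WEEK)
    print("100 open issues:", result)
    # When issues arrive faster than they are closed, no confidence level
    # can be given: every run hits the horizon.
    print("growing backlog:", forecast(50, [2, 3], [5, 6], runs=200, max_weeks=52))
```

Running the same function against last quarter's counts and comparing with what actually happened is the retrospective check mentioned earlier in the thread.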

                                                                                                                                                                          2. 2

                                                                                                                                                                            Sounds interesting for long term, but what do you do if it’s a new project/team, and you don’t have the previous data to forecast on?

                                                                                                                                                                            1. 3

                                                                                                                                                                              What we did was start working, then built up some data.

                                                                                                                                                                              Ed: really - if you don’t know how the team works, it’s unlikely that any kind of estimation will be any good… Rather than waste time on wishful thinking - just get started.

                                                                                                                                                                              Btw, a couple of basic links that do not account for work added, but demonstrate the gist:

                                                                                                                                                                              https://youtu.be/F507_UiCOyU?si=AcTFXLRjhLHBMiV5

                                                                                                                                                                              https://www.scrum.org/resources/blog/monte-carlo-forecasting-scrum

                                                                                                                                                                              1. 1

                                                                                                                                                                                What we did was start working

                                                                                                                                                                                Hehe, who would have thunk, uh? =P

                                                                                                                                                                                But thanks for the links =)

                                                                                                                                                                        2. 10

                                                                                                                                                                          This article resonates with me. A good chunk of visual programming doesn’t remove the user from playing computer in their head, and at its worst ends up as messes of wires and interconnections.

                                                                                                                                                                          I can see, and read, code. I don’t need a visual representation of it. It may be convenient to have a visual representation, but what I want is..

                                                                                                                                                                          • A set of binoculars into the state of my program, or the arrangement and state of a system.
                                                                                                                                                                          • A way to turn diagrammatic data into data that I can use, and possibly back again. (This is why Excel is popular, among other reasons.)
                                                                                                                                                                          • A way to visualize relationships between the components of my program.
                                                                                                                                                                          • A way to test hypothetical situations.

                                                                                                                                                                          All of these revolve around providing visibility where it doesn’t arise naturally, which visual programming systems haven’t really delivered. (If there are ones that deliver on the above, please let me know!)

                                                                                                                                                                          1. 6

                                                                                                                                                                            Essentially, creating software which behaves in a desired way requires “playing computer in their head*”. No matter if it is source code or visual programming, they are just tools to reach the goal, which needs complex analytical thinking, abstraction, seeing everything in a system, etc.

                                                                                                                                                                            *Why need to “play computer”? Because that is a deterministic machine, which you can’t talk in ideas, only pragmatically and exact. You need to think of a ton of edge cases and be fully aware of what’s required as an output.
                                                                                                                                                                            “Regular users” can’t do that, only someone who can think in computer.

                                                                                                                                                                            Btw, for the 3rd bullet point: https://github.com/deejayy/ts-depgraph

                                                                                                                                                                            1. 3

                                                                                                                                                                              I fully disagree. “Playing computer in your head” is largely historical precedent. There’s no fundamental reason why we have to program with blindfolds on.

                                                                                                                                                                              Yes, machines have operational models, but we don’t need to keep the state of the machine invisible or pretend we’re programming for punch card machines. We have the ability to peer into the state of the machine, explore hypotheticals, and encode ideas.

                                                                                                                                                                              I’m even working on something that allows you to sketch programs who’s functionality is close to what you meant to write, coupled with tools to explore hypotheticals.

                                                                                                                                                                              We can just take the blindfold off.

                                                                                                                                                                              1. 1

                                                                                                                                                                                I’m not sure I get the “blindfold” metaphor properly.

                                                                                                                                                                                I don’t have the statistics from the last 60 years of no-code attempts, but I have a safe bet that these tools were most effectively used by people capable of software development. We can change the “language” (or the form of expression) to something visual, something more close to natural speaking, but to phrase those words, you need to be aware of the ideas of “operational models”, “state of the machine”, abstraction, completeness, some basic programming structures (like iteration, condition, etc.). That’s what I call “playing computer in your head”, otherwise, where else are you using these skills?

                                                                                                                                                                                1. 3

                                                                                                                                                                                  “Playing computer in your head” usually means “simulating what the computer will do as you write code”.

                                                                                                                                                                                  In the past, we needed to keep track of registers, the stack, memory locations, etc. It hasn’t gotten much better, just more abstract.

                                                                                                                                                                                  Role-playing as a computer, simulating its operations as you specify what it should do, isn’t how things have to be.

                                                                                                                                                                              2. 1

                                                                                                                                                                                To some degree you’re certainly correct, we cannot just go around guessing instructions, but I don’t think it’s fair to say that it is “essential”. You can now create programs using ChatGPT and run them and maybe some of them do what you want some of the time! This is not so different from how most programs are developed, which involves a bunch of guessing, making mistakes, testing and fixing until you have something that maybe does what you want enough of the time so you stop iterating. Also, logic programming and constraint solving and SQL-like languages don’t require that you play computer at all. You just have to specify what you want.

                                                                                                                                                                                1. 3

                                                                                                                                                                                  ChatGPT is a great example of why you need to “think in computer”. I hear a lot of PMs/POs who cannot phrase the requirements properly. Then comes the dev team and they ask back questions to clarify what needs to be done exactly. ChatGPT doesn’t ask back questions, it assumes something and generates something. Then of course you’ll adjust your prompt to get better results, which needs you to understand how ChatGPT “works” (reacts) in the first place, which needs pattern-matching skill, so we end up in: you need analytical thinking to use it well. That’s actually “thinking in computer”.

                                                                                                                                                                                  They say the best specification is the software which works. That was made by developers. I don’t see why anyone else would be better at creating prompts to an LLM than developers.

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    Okay, to me “playing computer” is a more specific thing than analytical thinking. It is evaluating an imperative instruction and its impact on program state in your head.

                                                                                                                                                                                    1. 1

                                                                                                                                                                                      I think it’s kind of a continuum, you can do it very strictly, like when debugging a segfault in a C program, or very high level, like when interacting with something like chatgpt, or in the middle, if you’re working with something like SQL, or Python, or Java.

                                                                                                                                                                                  2. 1

                                                                                                                                                                                    Logic programming and constraint solving absolutely involve playing computer in your head, if you want your program to complete in any reasonable timeframe.

                                                                                                                                                                                2. 2

                                                                                                                                                                                  The concept of visual programming was appealing to me and noticing the failures in the fashion of the author, I too have a theory about it.

                                                                                                                                                                                  The main analogy I’d have is poetry. Great poems (at least some great poems, say Richard Brautigan) give the reader the impression “hey poetry is easy” because they say what needs to be said, imply what needs to be implied and don’t use any excessive or awkward constructions.

                                                                                                                                                                                  Essentially, if one looks at great UIs overall, they give the feeling that they are giving you all the information you need. But that feeling is actually the product of careful crafting of the symbol-system but taking into account the task-at-hand, the culture of the users and a whole variety of unsaid things.

                                                                                                                                                                                  It’s like spreadsheet. They are appealing in that they bridge data entry and programming. But a visual tool that gave you everything, data values, array subscripts and programmatic operations, would just be overwhelming and not useful.

                                                                                                                                                                                  I’d say that’s why “visual” tools have success haphazardly rather than universally,

                                                                                                                                                                                3. 8

                                                                                                                                                                                  I like the setup, but I’m slightly worried about having the review comments inline with the code. When you have a 70k line commit touching 500 files, it can be easy for the discussion to be lost in the deluge of changes. Commits like that aren’t the common case, but they’re also the ones where I’m most concerned about ensuring that all the comments are addressed.

                                                                                                                                                                                  I might solve this by simply committing a REVIEW.org file in the root directory that contains my comments and links to the corresponding code. However, I’m suspecting that other people have considered more robust solutions?

                                                                                                                                                                                  1. 7

                                                                                                                                                                                    Hi, yes this service is not going to be the greatest UX when you have massive PRs. Our goal is truly to create the simplest git collaboration service … which might mean at the expense of edge use cases, like massive, multi-year PRs. We still want to have a solution here.

                                                                                                                                                                                    Further, we are very much aligned on the review file. We are contemplating asking the owner to commit PR summaries to their repo to preserve history. Still brainstorming that one.

                                                                                                                                                                                    1. 3

                                                                                                                                                                                      Or allow-empty commits could be used to leave a comment with no code

                                                                                                                                                                                      1. 1

                                                                                                                                                                                        Maybe notes could be an option too?

                                                                                                                                                                                        1. 5

                                                                                                                                                                                          Git notes are called out in the readme for poor UX

                                                                                                                                                                                          1. 9

                                                                                                                                                                                            In fairness the entire thing seems like poor UX to me.

                                                                                                                                                                                            Why do you need to format-patch and push patches over ssh when you can just push content over ssh?

                                                                                                                                                                                            If as the maintainer you have to apply the patch to do a review and it doesn’t scale anyway, why review instead of just fixing what you don’t like?

                                                                                                                                                                                            Having to send patches for every back and forth sounds incredibly obnoxious.

                                                                                                                                                                                            And of course the reviews being patched in guarantees they will be committed

                                                                                                                                                                                            The entire thing sounds worse than sending patches over email. And I’m not talking any magical setup, just dropping patches in the attachments and downloading them on the other side.

                                                                                                                                                                                            1. 3

                                                                                                                                                                                              Pushing patches is not very convenient indeed, I would love something closer to how we interact with gerrit for example, where we just push to refs/for/branch which means we can just have

                                                                                                                                                                                              [remote "review"]
                                                                                                                                                                                                  url = ...
                                                                                                                                                                                                  push = HEAD:refs/for/main
                                                                                                                                                                                              

                                                                                                                                                                                              And git push review to send something for review. This has however the drawback of needing some kind of identifier for changes, that gerrit solves by forcing a Change-Id: ... line in the commit message. This seems to also be an issue using patches and I am not quite sure how git pr solves it.

                                                                                                                                                                                      2. 1

                                                                                                                                                                                        I’ve come by a promising vscode plugin which seems to be fit for this job: https://marketplace.visualstudio.com/items?itemName=trailofbits.weaudit

                                                                                                                                                                                        It doesn’t work well with changing code, but I see it can log review comments without touching the code. As far as I remember it stores the comments in a dedicated file in the source dir.

                                                                                                                                                                                    2. 17

                                                                                                                                                                                      I think a good stress-test of this argument is a field which seems like it’d pay in blood for every abstraction: gamedev. It’s also a field where 1) many projects are made by one person, despite the “proverbial death of the individual developer”, and 2) they work on towers of abstractions “as a tool to avoid hard thoughts.”

                                                                                                                                                                                      And yet these solo devs keep putting out absolute masterpieces: Minecraft, Stardew Valley, Baba is You, Tunic, just to name a few. If anything, the pace has accelerated in recent years, and I regularly play a game and find out later it was made by 1-2 people. So any conjecture that abstractions make it harder for individuals to make software should explain why that doesn’t seem true in the field it’d matter most.

                                                                                                                                                                                      1. 6

                                                                                                                                                                                        Oddly enough, I started my journey in game development! And I agree with you on some points, but not in others.

                                                                                                                                                                                        On the one hand, I am incredibly enthralled that indie developers have platforms to stand on. My argument isn’t “no abstractions”, it’s “careful use of abstractions”. Game development is where performance does matter to an extent, so the environment mirrors early computing where you actually pay the cost of the abstractions you introduce.

                                                                                                                                                                                        On the other, I think that we’re seeing the results of a filter, rather than the actual results. A lot of people burn out in game development, even technical individuals, because they exhaust themselves scaling mountains. Want to ship a game? You’ll realistically be dealing with entire engines and shifting your mental model to work within them, or you’ll be tolerant and technical enough to build your own.

                                                                                                                                                                                        I think it’s a question of tolerance of the norm rather than the norm being sustainable. But, as always, data, data, data.

                                                                                                                                                                                        1. 1

                                                                                                                                                                                          A lot of people burn out in game development, even technical individuals, because they exhaust themselves scaling mountains

                                                                                                                                                                                          Isn’t that true for every business though ? For every success there is a thousand people burnt out or living in terrible conditions.

                                                                                                                                                                                          1. 3

                                                                                                                                                                                            I think if I’m in a position to advocate for better conditions for individuals, and I’m capable of bringing awareness to that, I should. I really don’t want to abstract these people away if possible.

                                                                                                                                                                                            1. 3

                                                                                                                                                                                              Is it going to actually make things better, or just change the status quo?

                                                                                                                                                                                              You said “On the other, I think that we’re seeing the results of a filter, rather than the actual results. A lot of people burn out in game development, even technical individuals, because they exhaust themselves scaling mountains.”

                                                                                                                                                                                              We have infinitely better tools than 30 years ago, yet many more people get burnt out today. Why? Because the availability of these better tools actually increases competition and thus stress. The better the tools, the higher the mountain gets for everyone as our expectations increase - we always want something that is going to be better than the “average” video game / pizza / movie.

                                                                                                                                                                                              1. 3

                                                                                                                                                                                                That’s a pretty good point! And I think it’s in line with what I’ve said: the disconnect between release cycles and “time to mastery” grew as time went on, and those curves diverged. If I give you more power over a system, phrased in terms of abstractions, your demands very well might scale with it, leading to the requirement for more power, leading to more abstractions, etc. etc.

                                                                                                                                                                                                It’s partly why I don’t think the solution is purely a technical “throw new languages/software/hardware at it” one, but something that sits firmly between how individuals interact with computers that are embedded in their daily lives and the cumulative technical knowledge we’ve acquired in the past 40+ years.

                                                                                                                                                                                        2. 5

                                                                                                                                                                                          Minecraft and SdV are not masterpieces because of the engineering. MC will drop to 4 fps if you add 4k textures to it, Starfield on the other hand can provide a smooth 100 fps on the same machine. SdV is looking like a game from before the millennium. Gaming experience is not always related to the engineering efforts put in those games.

                                                                                                                                                                                          1. 4

                                                                                                                                                                                            I think a good stress-test of this argument is a field which seems like it’d pay in blood for every abstraction: gamedev.

                                                                                                                                                                                            So, gamedev, as a field has definitely always pushed the bounds of what we know how to do with a machine. But the games you listed aren’t exactly AAA 3D graphics-porn. Not to say the devs aren’t good. You can definitely screw up bad enough to make those games run like trash if you’re incompetent. But you can definitely take on a couple abstractions to make things easier that a Crysis-level game can’t.

                                                                                                                                                                                          2. 23

                                                                                                                                                                                            I think this post is a bit too long to say “every skill is technical (in their own area)” and totally misses the question, which sounds like, “if you had a good PM, did they understood software development in any level?”.

                                                                                                                                                                                            1. 6

                                                                                                                                                                                              that bug could explain why I have .DS_Store, ..DS_Store and .._.DS_Store constantly appearing on my external drive I use to move files between windows and mac…

                                                                                                                                                                                              odd they chose a file for this, seems like a leaky abstraction, windows just puts this stuff in the registry

                                                                                                                                                                                              1. 5

                                                                                                                                                                                                Because xattrs didn’t exist when 10.0 shipped, and because not every filesystem supports them even now.

                                                                                                                                                                                                As for a registry, keeping data about an arbitrary number of folders on an arbitrary number of disks in a single central place seems a bad idea. Especially since the settings are supposed to stick with the folder when someone else opens it.

                                                                                                                                                                                                1. 6

                                                                                                                                                                                                  when 10.0 shipped

                                                                                                                                                                                                  You can’t point to the release of 10.0 as a reason for the current design and also say Apple isn’t leaving a longstanding issue unaddressed. Xattrs have been around for a long, long time now. What was it from, Tiger? (Wiki says, yes, Tiger.) They can still use .DS_Store on FAT systems if they want (or again, better just put a single SQLite file at the root), but it doesn’t still need to be in every folder on my APFS drive.

                                                                                                                                                                                                  1. 0

                                                                                                                                                                                                    I’m sure Apple will drop everything to fix your little pet peeve now that you’ve aired it.

                                                                                                                                                                                                    1. 5

                                                                                                                                                                                                      It’s not a little pet peeve. It’s against common sense to litter filesystems, including external ones, with these files.

                                                                                                                                                                                                      Really ugly and so un-Apple I never understood why this wasn’t fixed long ago.

                                                                                                                                                                                                      1. 4

                                                                                                                                                                                                        LOL, after you make a trillion dollars, you’ve got to spend it, right?

                                                                                                                                                                                                    2. 1

                                                                                                                                                                                                      I do see an attack vector there (tho’ I’m not familiar with DS_Store’s capability), like autorun.inf in Windows…

                                                                                                                                                                                                      1. 3

                                                                                                                                                                                                        I don’t think it can run things. It’s the place the Finder stores the locations of icons and things like background images. When you open a disk image and it has a symlink to /Applications and a big arrow telling you to drag the .app there, that’s all done with the stuff in .DS_Store.

                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                          I’m trying to keep my mind open since NSO’s ForcedEntry tricks :D

                                                                                                                                                                                                        2. 1

                                                                                                                                                                                                          Nope. Nothing executable at all, it’s just a list of GUI settings like the view style, icon size, sort order…

                                                                                                                                                                                                        3. 1

                                                                                                                                                                                                          I’m not so sure, I think it’s fine, the settings are for my machine so I care about my folders but if I give someone a USB stick no one is going to care that the “sort by name” option wasn’t kept. If it keeps my folders from being cluttered with silly DS Store files I’m happy!

                                                                                                                                                                                                        4. 3

                                                                                                                                                                                                          Isn’t having it in a file more Unix-y?

                                                                                                                                                                                                          1. 2

                                                                                                                                                                                                            oh yeah I suppose so, maybe that’s why they did it that way

                                                                                                                                                                                                        5. 40

                                                                                                                                                                                                          Great news except the new logo.

                                                                                                                                                                                                          1. 27

                                                                                                                                                                                                            I’m also not super keen on the crappy looking AI generated “MacBook” branding on the site. Branding isn’t everything, but this feels like a firm departure from the “indie” feel of their original site.

                                                                                                                                                                                                            edit: not sure crappy is the best word - I don’t want to come across as too harsh

                                                                                                                                                                                                            1. 13

                                                                                                                                                                                                              Exactly my feeling. Really liked the old logo which conveyed a sense of “light and not too serious firefox”.

                                                                                                                                                                                                              Also like the “we spend the minimal possible time on our website” vibe (kudos to OpenBSD for that)

                                                                                                                                                                                                              1. 14

                                                                                                                                                                                                                Honestly I’m not even convinced that it’s about not spending time on the website as much as just keeping the website from looking too corporate (be that startup or big firm). That said, I wish them luck with this nonetheless.

                                                                                                                                                                                                                A project can have maybe a little strange branding, but what ultimately matters is the end product and the values.

                                                                                                                                                                                                                1. 12

                                                                                                                                                                                                                  the “we spend the minimal possible time on our website” vibe

                                                                                                                                                                                                                  They explicitly called attention to that on their old website, even! “This page is not fancy because we are focusing on building the browser. :^)”

                                                                                                                                                                                                                  1. 8

                                                                                                                                                                                                                    This is exactly my thinking! It kind of feels like they “high techified” what was a pretty sweet theme from before. The bird especially is nice, because it’s something that other “brands” don’t really have.

                                                                                                                                                                                                                    1. 4

                                                                                                                                                                                                                      The cynic might say it isn’t fancy because this is all our web browser can render.

                                                                                                                                                                                                                    2. 3

                                                                                                                                                                                                                      Also like the “we spend the minimal possible time on our website” vibe (kudo to OpenBSD for that)

                                                                                                                                                                                                                      You can do that w/o looking like it was last updated in 1997.

                                                                                                                                                                                                                      1. 5

                                                                                                                                                                                                                        can you? updating it after 1997 takes more time than not updating it in that period.

                                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                                          The current release is OpenBSD 7.5, released April 5, 2024. This is the 56th release.

                                                                                                                                                                                                                          Somehow they do update it

                                                                                                                                                                                                                  2. 20

                                                                                                                                                                                                                    I wasn’t familiar with the old logo, but then someone linked it on Hacker News.

                                                                                                                                                                                                                    https://web.archive.org/web/20240630172605/https://ladybird.dev/

                                                                                                                                                                                                                    https://news.ycombinator.com/item?id=40845951

                                                                                                                                                                                                                    And several people noted that the new one looks like the Meta logo or Apple AI.

                                                                                                                                                                                                                    Designing our new company brand: Meta - https://design.facebook.com/stories/designing-our-new-company-brand-meta/

                                                                                                                                                                                                                    Apple AI logo is intended to look unthreatening, and non-anthropomorphic - https://9to5mac.com/2024/06/17/apple-ai-logo/

                                                                                                                                                                                                                    Normally I’m puzzled when people say “this word reminds me of this other bad word” or “this looks like that” (my brain doesn’t really work like that), but in this case, I have to say that it does have the same feeling.

                                                                                                                                                                                                                    I hate to be a peanut gallery person, but I really hope they reconsider the logo!

                                                                                                                                                                                                                    The new logo doesn’t connote “ladybird” or “ladybug” at all … it seems like there’s obvious room to make it more distinct with that kind of association

                                                                                                                                                                                                                    1. 15

                                                                                                                                                                                                                      Personally, I think the one at https://ladybird.dev/ladybirb.png is fantastic.

                                                                                                                                                                                                                      The new one has absolutely no personality and is boring as can be.

                                                                                                                                                                                                                      1. 4

                                                                                                                                                                                                                        This one is AI generated and it has that distinct AI shading/texture to it, but it’s a great design and I’d love a human redraw of it

                                                                                                                                                                                                                      2. 4

                                                                                                                                                                                                                        The new logo doesn’t connote “ladybird” or “ladybug” at all … it seems like there’s obvious room to make it more distinct with that kind of association

                                                                                                                                                                                                                        I also prefer the old logo, but I disagree that it “doesn’t connote ‘ladybird’ or ‘ladybug’ at all” – it does look to me like a highly abstract rendering of a ladybug in flight.

                                                                                                                                                                                                                        1. 12

                                                                                                                                                                                                                          Ladybird really seems like a project I’d like to bet on. It revives a feeling that we really could have nice things. That there could be an oasis of respect in a desert of abusive dark patterns.

                                                                                                                                                                                                                          So why should a tiny logo distract me from that? It irks me, enough to write this stupid comment, why? I think it creates a bit of dissonance in my mind. It looks a little bit too familiar. It looks like these sleek, polished things. It looks like a lot of modern tech, pseudo-professional, just waiting to stab you in the back as soon as you let your guard down.

                                                                                                                                                                                                                          It’s not ladybirds fault my mind has been tainted this way, but please reconsider your logo. Have less branding and more personality.

                                                                                                                                                                                                                          1. 9
                                                                                                                                                                                                                            1. 8

                                                                                                                                                                                                                              Yeah I usually like being supportive of new projects and their branding, but the old logo was way better.

                                                                                                                                                                                                                              1. 3

                                                                                                                                                                                                                                Thankfully the old logo is still used on the icon, at least for Mac OS builds as of about half an hour ago:

                                                                                                                                                                                                                                https://pasteboard.co/MajbI8TkRkrA.png

                                                                                                                                                                                                                                  1. 1

                                                                                                                                                                                                                                    These guys are working on a new browser engine - I don’t even give a heck how the logo looks like.

                                                                                                                                                                                                                                  2. 9

                                                                                                                                                                                                                                    I feel like time traveling :) (check the date)