Threads for dsr

    1. 7

      What if there were a browser that you have to pay $20/month to use. For that expenditure, the browser legally guarantees to

      1. NOT use your data
      2. NOT feed your data into an LLM

      It could still be open-source. But I trust a product more when I know up front how it’s monetized and what the incentive structure is for the developer(s).

      1. 16

        Then millions of people around the world would not be able to afford it.

        1. 3

          Yes, but that could still be a profitable business model. Hey.com isn’t free, but it’s thriving.

          1. 12

            Yeah but the people left on the outside of the profitable business model still matter, and deserve to have options that don’t exploit them. It’s part of the solution, but it can’t be the whole solution.

      2. 9

        Oh, it’s this again.

        So, look. Every single internet-connected thing that involves anything that could even be considered user-generated content, and has lawyers, sooner or later inserts a clause into its terms saying you grant them a royalty-free, non-exclusive, non-revocable (etc. etc.) license to copy and distribute things you, the user, input into it.

        This is like the most standard boilerplate-y clause there is for user-generated content. It’s a basic cover-your-ass to prevent someone suing you for copyright violation because, say, they just found out that when you type something in the built-in search box it makes a copy (Illegal! I’ll sue!) and transmits the copy (Illegal! I’ll sue!) to a third party.

        But about every six months someone notices one of these clauses, misinterprets it, and runs around panicking and screaming OH MY GOD THEY CLAIM COPYRIGHT OVER EVERYTHING EVERYONE DOES WHY WOULD THEY NEED THAT PANIC PANIC PANIC PANIC PANIC OUTRAGE OUTRAGE PANIC.

        And then it sweeps through the internet with huge highly-upvoted threads full of angry comments from people who have absolutely no clue what the terms actually mean but who know from the tone of discussion that they’re supposed to be outraged about it.

        After a few days it blows over, but then about six months later someone notices one of these clauses, misinterprets it, and runs around panicking and screaming OH MY GOD THEY CLAIM COPYRIGHT OVER EVERYTHING EVERYONE DOES WHY WOULD THEY NEED THAT PANIC PANIC PANIC PANIC PANIC OUTRAGE OUTRAGE PANIC.

        And then…

        @pushcx this should not be allowed on lobste.rs. It’s 100% outrage-mob baiting.

        1. 30

          Saying that everyone else does it does not make it okay. Are there court cases or articles describing the limits you say are implicit?

          If you are as right as you think you are, then you could be educating instead of complaining to moderators.

          1. 3

            That’s the point. GDPR has not been that well tested in court. As long as it hasn’t, people will stick to legal boilerplate to make it as broad as possible. This is why all terms of services look like copypasta.

            1. 2

              Saying that everyone else does it does not make it okay.

              Putting words in my mouth doesn’t make a counterargument.

              What do you think is not OK about this boilerplate CYA clause? Computers by their nature promiscuously copy data. Online systems copy and transmit it. The legal world has settled on clauses like this as an alternative to popping up a request for license every time you type into an online form or upload a file, because even if nobody ever actually would sue they don’t want to trust to that and want an assurance that if someone sues that person will lose, quickly. They’ve settled on this because copy/pasting a standard clause to minimize risk is a win from their perspective.

              Why is this evil and bad and wrong from your perspective? Provide evidence.

              1. 5

                The system we currently have may be structured in a way which makes clauses like this necessary or expedient in order to do business, but the validity of such a clause for that reason doesn’t excuse the system that created it.

            2. 20

              Every single internet-connected thing that involves anything that could even be considered user-generated content, and has lawyers, sooner or later inserts a clause into its terms saying you grant them a royalty-free, non-exclusive, non-revocable (etc. etc.) license to copy and distribute things you, the user, input into it.

              But Firefox isn’t a web service. It’s a program that runs on my computer and sends data to websites I choose to visit. Those websites may need such legal language for user generated content, but why does Mozilla need a license to copy anything I type into Firefox?

              1. 23

                This. I’ve chatted with a few lawyers in the space and this is literally the first time we’re seeing that interpretation applied to a local program you choose to run that is your agent.

                1. 4

                  Firefox integrates with things that are not purely your “local agent”, including online services and things not owned by Mozilla. And before you decide this means some sort of sinister data-stealing data-selling privacy violation, go back and look at my original example.

                  1. 14

                    So clearly rejecting their TOS should just toggle off all of those services, right?

                    1. 11

                      None of these are activities falling under copyright, so a license is meaningless.

                      The list of data subprocessors is short and well documented: https://support.mozilla.org/en-US/kb/firefox-subprocessor-list

                      So it also can’t be an issue of “let’s be blanket because we can’t give you the list”.

                  2. 0

                    The Python Package Index has almost exactly the same clause in its terms of service for things you voluntarily choose to send to them.

                    I guess their legal advisers are just bad or something. Maybe you could go see about getting hired to replace them.

                    1. 13

                      When you upload something to the python package index you do so because you intend for the python package index to create copies of it and distribute it, which needs a license.

                      When you make a comment on a pull request for work you don’t intend for Mozilla to have anything to do with that. You don’t intend for Mozilla to receive your post. Nor to have any special rights to view it, distribute it, make copies of it, etc. They do not need a license because they shouldn’t be seeing it. Moreover you don’t even necessarily have the right to grant them said rights - someone else might own the copyright to the material you are legitimately working with.

                      These scenarios are not even remotely similar.

                      1. 4

                        When you make a comment on a pull request for work you don’t intend for Mozilla to have anything to do with that.

                        If you use their integrated search which might send things you type to a third party, Mozilla needs your permission to do that.

                        If you use their Pocket service which can offer recommendations of articles you might like, Mozilla needs your permission to analyze things you’ve done, which may require things like making copies of data.

                        If you use their VPN service you’re passing a lot of stuff through their servers to be transmitted onward.

                        There’s a ton of stuff Mozilla does that could potentially be affected by copyright issues with user-generated/user-submitted content. So they have the standard boilerplate “you let us do the things with that content that are necessary to support the features you’re using” CYA clause.

                      2. 2

                        just bad or something

                        More specifically, their recommendations are at odds with the interests of users.

                    2. 18

                      you grant them a royalty-free, non-exclusive, non-revocable (etc. etc.) license to copy and distribute things you, the user, input into it.

                      The question for random people reading these clauses is what does that mean? Legalese can be hard for lawyers to understand. It’s much harder for mere mortals.

                      I think everyone is OK with Firefox (the browser) processing text which you enter it into. This processing includes uploading the text to web sites (which you ask it to, when you ask it to), etc.

                      What is much more concerning for the average user is believing that the “royalty-free, non-exclusive, non-revocable (etc. etc.) license” is unrestricted.

                      Let’s say I write the world’s most beautiful poem, and then submit it to an online poem contest via Firefox. Will Mozilla then go “ha ha! Firefox made a copy, and uploaded it to the Mozilla servers. We’re publishing our own book of your work, without paying you royalties. And oh, by the way, you also used Firefox to upload intimate pictures of you and your spouse to a web site, so we’re going to publish those, too!”

                      The average person doesn’t know. Reading the legalese doesn’t help them, because legalese is written in legalese (an English-adjacent language which isn’t colloquial English). Legalese exists because lawsuits live and die based on minutiae such as the Oxford Comma. So for Mozilla’s protection, they need it, but these needs are in conflict with the user’s need to understand the notices.

                      The Mozilla blog doesn’t help, because the italicized text at the top says: It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice

                      OK, what does the Privacy Notice say?

                      (your) …data stays on your device and is not sent to Mozilla’s servers unless it says otherwise in this Notice

                      Which doesn’t help. So now the average person has to read pages of legal gobbledygook. And buried in it is the helpful

                      Identifying, investigating and addressing potential fraudulent activities,

                      Which is a huge loophole. “We don’t know what’s potentially fraudulent, so we just take all of the data you give to Firefox, upload to our US-based servers, and give the DoJ / FBI access to it all without a warrant”. A lawyer could make a convincing and possibly winning argument that such use-cases are covered.

                      The psychological reason for being upset is that they are confused by complicated things which affect them personally, which they don’t understand, and which they have no control over. You can’t address that panic by telling them “don’t panic”.

                      1. 5

                        The psychological reason for being upset is that they are confused by complicated things which affect them personally, which they don’t understand, and which they have no control over. You can’t address that panic by telling them “don’t panic”.

                        Could you explain why the concern is necessarily born of confusion rather than accurate understanding?

                        1. 1

                          I didn’t say the concern is necessarily born of confusion. I said that the concern was because they didn’t understand the issues.

                          1. 2

                            you said the reason for being upset is that they are confused. sorry if I was changing your meaning by adding “necessarily.” why do you say the concern is because of confusion or lack of understanding? what understanding would alleviate the concerns?

                            1. 4

                              I don’t see a lot of difference between confusion and lack of understanding. Their upset is because the subject affects them, and they’re confused about it / don’t understand it, and they have no control over it.

                              This is entirely normal and expected. Simply being confused isn’t enough.

                              What would alleviate the concerns is to address all three issues, either singly, or jointly. If people don’t use Firefox, then it doesn’t affect them, and they’re not upset. If they understand what’s going on and make informed decisions, then they’re not upset. And then if they can make informed decisions, they have control over the situation, and they’re not upset.

                              The solution is a clear message from Mozilla. However, for reasons I noted above, Mozilla has to write their policies in legalese, which then makes it extremely difficult for anyone to understand them.

                              1. 3

                                but who does “they” refer to? are you saying this describes people in general who are concerned about the policy, or are you just supposing that there must be someone somewhere for whom it is true?

                                what about people who have an accurate layman’s understanding of what the policy means, and are nonetheless concerned?

                        2. 2

                          The psychological reason for being upset is that they are confused by complicated things which affect them personally, which they don’t understand, and which they have no control over. You can’t address that panic by telling them “don’t panic”.

                          The actual reason for them being upset is that someone told them to be afraid of the supposedly scary thing and told them a pack of lies about what the supposedly scary thing meant.

                          I propose to deal with that at the source: cut off the outrage-baiting posts that start the whole sordid cycle. Having a thread full of panicked lies at the top of the front page is bad and can be prevented.

                          And if you really want to comfort the frightened people and resolve their confusion, you should be talking to them, shouldn’t you? The fact that your pushback is against the person debunking the fearmongering says a lot.

                          1. 10

                            The actual reason for them being upset is that someone told them to be afraid of the supposedly scary thing and told them a pack of lies about what the supposedly scary thing meant.

                            i.e. you completely ignored my long and reasoned explanation as to why people are upset.

                            Alternatively, you could look at the comment above in https://lobste.rs/s/de2ab1/firefox_adds_terms_use#c_yws3nv, which explains clearly just how nefarious and far-reaching the new policy is.

                            The fact that your pushback is against the person debunking the fearmongering says a lot.

                            I haven’t seen you debunk anything. In order to “debunk” my argument, you would have to address it. Instead, you simply re-stated your position.

                            I explained why your position wasn’t convincing. If you’re not going to address those arguments, I don’t need to respond to your “debunking”.

                            1. 2

                              which explains clearly just how nefarious and far-reaching the new policy is.

                              At best that comment points out that a consolidated TOS for Mozilla “services” is confusingly being linked for the browser itself. Nothing has been proven in the slightest about it being “nefarious”, and the fact that you just assert malicious intent as the default assumption is deeply problematic.

                              So your position is completely unconvincing and I feel no need to address it any further.

                            2. 11

                              But you’re not debunking the fear mongering. You’re conspicuously ignoring any comment that explains why the concern is valid. Don’t hapless readers deserve your protection from such disinformation?

                          2. 15

                            You’re largely describing boilerplate for web services, where the expectation is that users input content, and a service uses that content to provide service.

                            Firefox is a user agent, where the expectation is that users input content and the agent passes that content through to the intended service or resource.

                            When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information

                            You can call this boilerplate if you like, but it certainly gives Mozilla unambiguous rights relative to what you put into it.

                            1. 13

                              This is like the most standard boilerplate-y clause there is for user-generated content. It’s a basic cover-your-ass to prevent someone suing you for copyright violation because, say, they just found out that when you type something in the built-in search box it makes a copy (Illegal! I’ll sue!) and transmits the copy (Illegal! I’ll sue!) to a third party.

                              This really does beg the question: Firefox is 20 years old. Why did they only feel the need to add this extremely standard boilerplate-y clause now?

                              1. 7

                                This really does beg the question: Firefox is 20 years old. Why did they only feel the need to add this extremely standard boilerplate-y clause now?

                                Their lawyers won the debate this time.

                                  1. 1

                                    what exactly does that mean? Were they already actively doing this, and the lawyers “won” by updating the TOS to cover that behavior? Or did the lawyers “win” because they were pushing for a business decision to change Firefox’s data gathering activities?

                                1. 20

                                  Please, if you could reflect for a moment on the comment you have written, could you determine if it comes off as outraged?

                                  1. 4

                                    I am incredibly tired of this sort of thing sparking ignorant outrage on a regular basis. It should not be permitted on this site.

                                    1. 12

                                      There’s a “hide” button just for you. You can be the ninth lobster to click it!

                                      1. 6

                                        This post is

                                        • Business news. Explicitly off-topic.
                                        • Solely meant to whip up outrage about the business news. Explicitly disallowed.

                                        Many much more mild examples have been removed on this site without hesitation. This one has to be, too, if the site rules mean anything.

                                        1. 10

                                          I disagree. I think this is actionable, relevant, and very on-topic. I’d even argue about that with you here, except that you in particular have a very solid history of bad-faith arguing, and I have better things to do.

                                          Anyway, so far 84 of us have upvoted it, vs 7 “off-topic” flags and 8 hides, for a ratio of about 5:1, if we care about user opinions. Your paternalism isn’t a good look. Just hide it, flag it, and move on!

                                          1. 9

                                            I will note that we have both a privacy tag and law tag, which are explicit carveouts for this sort of content.

                                            Now, whether or not we should retire those or not is a bigger question.

                                          2. 5

                                            We already know the site rules don’t mean anything. The same rules are regularly violated for Apple marketing presentations.

                                            Solely meant to whip up outrage about the business news. Explicitly disallowed.

                                            What would a post that is not meant to whip up outrage look like? Presumably the blog author did their best to write such a post.

                                            1. 5

                                              I wouldn’t say that the site rules don’t mean anything–I would say that many users and even admins have disregarded them for political expediency.

                                              The long-term effects of this, of course, are deleterious…but that doesn’t matter when gosh darnit, the outgroup is wrong right now.

                                              In the case of Apple, there’s a weird sort of thing where a release tag covers what is technically marketing. They also are both a large software and hardware vendor and, like it or not, have a large userbase. I’m not saying we should see a constant dripfeed of Apple propaganda, but it isn’t entirely without precedent.

                                              1. 4

                                                I wouldn’t say that the site rules don’t mean anything–I would say that many users and even admins have disregarded them for political expediency.

                                                Of course. I adopted the parent comment’s hyperbole to avoid getting bogged down in minutia. But there’s nothing wrong with more clarity and precision.

                                        2. 10

                                          then don’t express the ignorant outrage?

                                      2. 0

                                        I’m really surprised to see anyone pay even the slightest of attention to this on Lobsters. It’s something my granddad would post to Facebook (example)

                                        1. 9

                                          Such an ad-hominem argument is something my grandma would post on Instagram.

                                          1. 6

                                            It’s not an ad hominem. I’m not attacking anyone instead of their argument.

                                      3. 12

                                        Going to protest my government in the hopes that I won’t lose the right to protest my government.

                                          1. 4

                                            I received the lecture once, in 1994. It was a few minutes of discussion about the nature of trust, ethics, and the responsibility of running services that other people were depending on.

                                            I have given a similar talk to junior folks, and had conversations with new-but-senior folks that were effectively: I’m trusting you. You will eventually screw up, but hopefully not too badly. I won’t fire you for screwing up, but I will if you don’t learn from your mistakes or you act unethically.

                                            1. 13

                                              Reasoning LLMs are still fundamentally flawed. The flaw may surface less often, but it does. I don’t use any LLM day to day, but from time to time I try to see if they got better. Yesterday I tried to find out how to connect an ipv4+ipv6 vps to a WireGuard vpn that’s only on ipv4. GPT 4o-mini (AFAIK, reasoning) created an invalid response and when I asked for sources it gave me 4: 2 were general WG tutorials and 2 were 404s.

                                              I fail to see any real progress in the field. It’s cheaper - sure. But still not production ready.

                                              1. 2

                                                I’m not sure “it can get the answer wrong” is a solvable problem. Even humans can get the answer wrong. The best we can maybe do is tune the personality to be a bit less confident…

                                                1. 7

                                                  I need my tools to be more reliable than humans, and I don’t work with humans who spout bullshit.

                                              2. 4

                                                Does everyone know that SpamAssassin and rspamd are existing technologies that already do this ten to a thousand times faster? Or have they become a secret?

                                                1. 3

                                                  I know, it’s like we’ve re-invented the hammer, everything becomes a nail. Though, with large mail providers making their spam detection shittier by the minute (I’m looking at you Google!) I can see why people would presume “throwing AI at it will solve the issue”. At least in my experience, rspamd does an amazing job when configured correctly, spam is truly something of the past for me.

                                                  1. 2

                                                    Yes, but it does not mean you cannot use both of the technologies at the same time.

                                                    Say you got an email with link to usps.com.phishing.com, will the Spam filter mark it as spam, if this email is 1:1 similar to USPS email? Probably not. How about AI assistant? Highly likely that it can catch it.

                                                    I am mostly annoyed with cold sales emails, but protection from phishing is another very good use case for this tool.
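                                                    As an added example (not code from the thread or from rspamd), here is the kind of structural link check that catches the usps.com.phishing.com pattern the comment above describes, regardless of how closely the mail body mimics the real notice; the brand list and the sample message are constructed for the example.

```python
"""Flag links that put a trusted brand's domain under an unrelated
registrable domain (the usps.com.phishing.com pattern).

Added example, not from the thread. KNOWN_BRANDS and SAMPLE_MAIL are
constructed for illustration.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed brand list: brand name -> the registrable domain we trust.
KNOWN_BRANDS = {
    "usps": "usps.com",
    "paypal": "paypal.com",
}

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of the host.

    Simplification for the example: multi-label public suffixes such as
    co.uk are not handled; a real deployment would consult the Public
    Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brand(url: str) -> Optional[str]:
    """Return the brand a link impersonates, or None if it is clean.

    Clean: the registrable domain IS the brand's own domain, so real
    subdomains like tools.usps.com pass. Suspicious: a brand name appears
    as a label of some other registrable domain, which is exactly what a
    link to usps.com.phishing.com does. Labels are also split on '-' so
    that secure-paypal.example is caught.
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return None
    actual = registrable_domain(host)
    owner = {legit: brand for brand, legit in KNOWN_BRANDS.items()}.get(actual)
    labels = {part for label in host.split(".") for part in label.split("-") if part}
    for brand in KNOWN_BRANDS:
        if brand != owner and brand in labels:
            return brand
    return None


def suspicious_links(html: str) -> List[Tuple[str, str]]:
    """Return (url, impersonated_brand) for every suspicious href in html."""
    hits = []
    for url in HREF_RE.findall(html):
        brand = impersonated_brand(url)
        if brand:
            hits.append((url, brand))
    return hits


# Constructed sample: the body mimics a USPS delivery notice, one link is
# the real tracking site and one is the lookalike from the thread.
SAMPLE_MAIL = """
<p>Your USPS package could not be delivered.</p>
<a href="https://usps.com.phishing.com/track?id=1">Reschedule delivery</a>
<a href="https://tools.usps.com/go/TrackConfirmAction">Official tracking</a>
"""

if __name__ == "__main__":
    for url, brand in suspicious_links(SAMPLE_MAIL):
        print(f"SUSPICIOUS: {url} uses the {brand} name but is not {KNOWN_BRANDS[brand]}")
```

The check is purely structural, so it complements rather than replaces content-based scoring: a lookalike link stays suspicious even when the surrounding text is a byte-for-byte copy of the legitimate mail.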

                                                    1. 3

                                                      Testing is clearly needed. Since you’re advocating the computationally expensive, slow tool, please feel free to go ahead and supply evidence. There’s a lot of existing work.

                                                  2. 13

                                                    if you’re going to send a magic link, and then have the browser remember a passkey for them, what are you gaining over having the browser remember a cookie?

                                                    the main one i can think of is that if your cookie db gets leaked, people could log in with those. if it’s just a list of public keys, people can’t log in with them

                                                    1. 8

                                                      Right. But this causes a problem: while it cannot be leaked, it also cannot be exported. Want to change your laptop or phone? Gotta login everywhere again. Backup impossible.

                                                      And there’s another problem: we have now pushed a lot of responsibility to the user. Because the email is the only way to login on a new device now. This might be good, because now we only have to secure the email account really well. On the other hand, losing access to the email account is terrible now. No way to regain access. In the old world, you could get access with either password or email. Since availability is part of security, this is not necessarily a change that makes things more secure - it’s a different trade-off.

                                                      In a nutshell: passkeys have severe advantages and also severe disadvantages compared to the classic email/password approach.

                                                      1. 4

                                                        On the other hand, losing access to the email account is terrible now. No way to regain access.

                                                        Not quite. If you lose access to email and to all of your devices, then you can’t log in.

                                                        1. 3

                                                          But at least with email there’s a chance I can phone up support, do a KYC check and get my account back. Depending on the quality of that support of course, I can maybe use my phone, home address, passport, etc to verify I am the owner. Which obviously comes with its own social-engineering vulnerabilities but I suppose I’d rather that than losing access to everything with no backchannel (similar issue with web3/crypto wallets, if you lose the key you’re screwed, there’s nobody to call as it’s just math all the way down!)

                                                          1. 14

                                                            I don’t understand this. Passkeys don’t prevent other out-of-band recovery processes existing.

                                                          2. 2

                                                            Logging in is one thing. But should you break your device or lose access, you can’t even login anymore. And there is no way to change that.

                                                            1. 4

                                                              Logging in is one thing. But should you break your device or lose access, you can’t even login anymore. And there is no way to change that.

                                                              If you have an email recovery method then no, breaking one device is not going to lock you out of everything. It will simply prevent you from having a faster login process for the next login. Losing access to the email on the other hand, you will need to have a device which is already signed in/set up with a passkey. Which is also true of accounts which only support magic link so I don’t see a huge difference. Email/password setup along with a password manager and 2fa is probably the safest in terms of recovery, the email doesn’t need to be live nor accessible to you in order to login and change away from the email. But then you have the issue of a bad actor accessing the account and changing the email along with the password, hopefully 2fa is available and set up to keep them out but that depends on their determination and the 2fa involved.

                                                              1. 0

                                                                The scenario we were talking about was that you lost access to your email account. E.g. Google blocked your account. No recovery here.

                                                                1. 5

                                                                  For any number of recovery options n, it is possible to argue “someone might lose all n of them simultaneously”. This does not necessarily justify infinitely moving to n + 1 recovery options each time the argument is made.

                                                                  1. 1

                                                                    That’s not the point. The point is: it’s easier to lose a single recovery option at once rather than losing two recovery options at the same time.

                                                                    1. 4

                                                                      You said, in the comment I was replying to:

                                                                      The scenario we were talking about was that you lost access to your email account. E.g. Google blocked your account. No recovery here.

                                                                      And this was after you started off above that one with:

                                                                      But should you break your device or lose access, you can’t even login anymore. And there is no way to change that.

                                                                      If you’re doing passkeys on a single device with email as the recovery, losing either the device XOR the email account does not permanently lock you out. If you lose the device but NOT the email, you recover with email and set up on a new device. If you lose the email but NOT the device, you use the device to log in and change the recovery email address to something else. Your disaster thus requires losing BOTH the device AND the recovery email, since either one alone rescues you.
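The reachability argument in the comment above (device XOR email is survivable, device AND email is not) generalizes to any number of recovery paths. The following is an added example, not code from the thread or from any product discussed in it: it treats each way into the account as a set of factors, computes the minimal sets of losses that lock the user out (the hitting sets of those paths), and reads the same table the other way to list which single factors hand the account to whoever holds them. The factor names and the three configurations are assumptions chosen for illustration.

```python
"""Which losses lock a user out, and which compromises let an attacker in?

Added example, not from the thread. An account stays reachable while at
least one path has none of its factors lost, so the loss sets that lock
you out are the minimal hitting sets of the paths. Factor names and the
three configurations below are assumptions for illustration.
"""
from itertools import combinations

# Each path is a set of factors that, held together, gets you (back) in.
PASSKEY_WITH_EMAIL_RECOVERY = [
    {"passkey_device"},           # log in, then change the recovery email
    {"email"},                    # magic link, then enrol a new device
]
MAGIC_LINK_ONLY = [
    {"email"},
]
PASSWORD_MFA_WITH_CODES = [
    {"password", "totp_device"},
    {"password", "recovery_code"},
    {"email"},                    # password-reset link
]


def locked_out(paths, lost):
    """True when every path needs at least one lost factor."""
    return all(path & lost for path in paths)


def minimal_lockout_sets(paths):
    """Smallest sets of lost factors that lock the user out (minimal hitting sets)."""
    factors = sorted(set().union(*paths))
    found = []
    for size in range(1, len(factors) + 1):
        for combo in combinations(factors, size):
            lost = set(combo)
            if any(prev <= lost for prev in found):
                continue                      # superset of a smaller lock-out set
            if locked_out(paths, lost):
                found.append(lost)
    return found


def single_points_of_failure(paths):
    """Factors whose loss alone locks the user out."""
    return sorted(f for s in minimal_lockout_sets(paths) if len(s) == 1 for f in s)


def single_factor_takeovers(paths):
    """Factors that alone let whoever holds them in: a device in hand plus a
    faked biometric, or a hijacked mailbox."""
    return sorted(next(iter(p)) for p in paths if len(p) == 1)


if __name__ == "__main__":
    for name, paths in [("passkey+email", PASSKEY_WITH_EMAIL_RECOVERY),
                        ("magic link only", MAGIC_LINK_ONLY),
                        ("password+MFA+codes", PASSWORD_MFA_WITH_CODES)]:
        print(name, minimal_lockout_sets(paths), single_factor_takeovers(paths))
```

Running it shows the asymmetry the thread circles around: the passkey-plus-email setup has no single point of failure for lock-out, but both of its factors are single-factor takeovers; magic-link-only makes the mailbox both the only way in and the only way to lose everything.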

                                                                  2. 3

                                                                    Unless you are logging in on a device where you already set up a passkey. In which case you can log in with the passkey and change your account’s email address.

                                                                    So now you have to lose both your email account and the device where you usually log in from in order to completely lose access. The odds of both happening should be negligible.

                                                                    1. 2

                                                                      Just to confirm we are on the same page: meaning if someone gets access to my device and is able to e.g. fake my fingerprint or deceive the face scanner (and that has happened before) then they can take over all my accounts?

                                                                      In that case, yeah, the availability is good again, but the security is now lower in that scenario. Because with passwords/cookies, while they could access the service with the cookie, they couldn’t change the email/password because they would need to enter the current password to do so in most service implementations.

                                                                      1. 4

                                                                        So now for a breach scenario you need the attacker to first physically access your device and fake your fingerprint or face scan. This is sounding more and more like Mission: Impossible than reality. Let’s come back down to earth for a second and think about the scenario that passkeys are meant to solve: you accidentally give your credentials to a phishing site or scammer because you thought they were legit.

                                                                        1. 3

                                                                          So now for a breach scenario you need the attacker to first physically access your device and fake your fingerprint or face scan. This is sounding more and more like Mission: Impossible than reality.

                                                                          Windows Hello and its passkey stuff can be protected by a 4-digit PIN only, which is easy enough to spy.

                                                                          1. 1

                                                                            Same with most smartphones. Someone can look over your shoulder as you type the PIN and then grab your phone (even at a later date). You can’t protect against every single eventuality, you have to make a stand somewhere.

                                                                          2. 1

                                                                            So now for a breach scenario you need the attacker to first physically access your device

                                                                            Well, in the absence of a software bug, yes. But since the same bug-scenario can happen for passwords as well, I ignored it since there is no difference to passkeys then.

                                                                            This is sounding more and more like Mission: Impossible than reality.

                                                                            In other words: you agree that this is an additional danger scenario? Good.

                                                                            I’m not going to argue over how likely that scenario is with you. Clearly you deem it unimportant and I disagree. We won’t reach any agreement here and that’s okay.

                                                                            1. 3

                                                                              If you honestly think that scammers and phishers are going to go Ethan Hunt on their victims, you don’t have a realistic threat model. And I am starting to doubt your grasp on reality itself 🤷‍♂️

                                                                              1. 3

                                                                                I’m curious how this threat model works with shared devices, as might be present within a family. If I share a computer with my spouse, and perhaps that relationship turns abusive, now I have a much more serious challenge than for passwords. Obviously there’s a lot to this situation besides authentication security, but at the end of the day with passwords I can log out of my sessions and my partner can’t login to read my DMs, chat history, or whatever that I might be needing in order to figure out my exit from the situation. With passkeys, a sufficiently long PIN might provide comparable security to a password with MFA (but why not just use a password with MFA?) but if we’re using biometrics then I don’t know that the OS has a good way to figure out that my spouse and I are different people when we both have local admin on the device and might even share an OS-level user account. Sure, a clever spouse might install a keylogger to get my passwords, but that can’t be done one night on an angry whim (and yield same-day access), plus it requires a certain level of technical know-how that most people don’t have.

                                                                                1. 1

                                                                                  Yes, passkeys are not great for shared devices. For example, if you use a computer in a public library, you are not going to be using passkeys. Let’s operate under the assumption that everyone involved either has their own device or uses a separate OS-level account.

                                                                                  1. 4

                                                                                    I mean fair enough, it’s just not a realistic assumption if the goal is to force people to stop using passwords. As an additional option? Sure. As a default? Maybe. But passkeys+magic links as the only option leaves out a huge chunk of the real world if it can’t support shared devices.

                                                                                    1. 2

                                                                                      passkeys+magic links as the only option leaves out a huge chunk of the real world if it can’t support shared devices.

                                                                                      Wait, who said passkeys+magic links can’t support shared devices? I said that you won’t be using passkeys on shared devices. You can still use magic links! As long as you log in to your webmail account on the shared device, you can get into the account that way.

                                                              2. 2

                                                                I think you are greatly overestimating the risk for ordinary people of losing their email account, but even in that case we can still offer a fallback mechanism: a bunch of long random recovery keys that they can save somewhere, preferably offline. This is already what accounts with MFA do, so nothing surprising.
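The "bunch of long random recovery keys" fallback is standard enough that it is worth showing what the service side has to get right. The following is an added example, not code from the thread or from any service mentioned in it: codes are generated from the OS CSPRNG, shown to the user once, stored only as salted hashes, accepted regardless of case, hyphens or spaces (people retype these by hand), compared in constant time, and burned on first use. The code length, the count per user and the hash construction are assumptions.

```python
"""Offline recovery codes as the last-resort fallback.

Added example, not from the thread. Code length, count per user and the
hash construction are assumptions; the pattern is the one MFA-enabled
accounts commonly use.
"""
import base64
import hashlib
import hmac
import secrets

CODE_BYTES = 10          # 80 bits of entropy -> exactly 16 base32 characters
CODES_PER_USER = 10


def generate_codes(n=CODES_PER_USER):
    """Return n human-typeable codes such as 'k7xq-2mbe-9vwa-hn3r'."""
    codes = []
    for _ in range(n):
        raw = base64.b32encode(secrets.token_bytes(CODE_BYTES)).decode().lower()
        codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
    return codes


def normalize(code):
    """Ignore case, hyphens and whitespace so a hand-typed code still matches."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(salt, code):
    # 80 random bits cannot be brute-forced offline, so one salted SHA-256
    # suffices here; a slow KDF is for user-chosen secrets, not for
    # server-generated random ones.
    return hashlib.sha256(salt + normalize(code).encode()).digest()


class RecoveryCodeStore:
    """Per-user list of [salt, digest, used] records; the codes themselves are never stored."""

    def __init__(self):
        self._records = {}

    def enroll(self, user, codes):
        records = []
        for code in codes:
            salt = secrets.token_bytes(16)
            records.append([salt, _digest(salt, code), False])
        self._records[user] = records        # replaces any earlier set

    def remaining(self, user):
        return sum(1 for _, _, used in self._records.get(user, []) if not used)

    def redeem(self, user, code):
        """True exactly once per code. Every record is checked so the time
        taken does not reveal which entry (if any) matched."""
        matched = None
        for rec in self._records.get(user, []):
            salt, digest, used = rec
            if hmac.compare_digest(digest, _digest(salt, code)) and not used:
                matched = rec
        if matched is None:
            return False
        matched[2] = True
        return True


if __name__ == "__main__":
    store = RecoveryCodeStore()
    codes = generate_codes()
    store.enroll("alice", codes)
    print(codes)                                  # shown to the user once
    print(store.redeem("alice", codes[0]), store.redeem("alice", codes[0]))
```

Two things the snippet deliberately leaves to the surrounding service: rate-limiting redeem attempts per account (the codes are strong, but the endpoint still should not be free to hammer), and re-issuing a fresh set, which invalidates the old one, whenever the user asks for new codes.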

                                                                1. 11

                                                                  Most of the non-technical users in my circles do not know their email password. They don’t have MFA on their personal accounts. They will sign up for a service at work with their personal account, and sign up for a personal service with their work address.

                                                                  These events cause turmoil:

                                                                  • being forced to change their password (and prove they know the old one)
                                                                  • changing employers
                                                                  • moving to a new ISP, if they used an ISP’s mail service
                                                                  • changing to a new computer without access to the old one

                                                                  None of them will save long random recovery keys to a place they will remember it.

                                                                  1. 3

                                                                    This has been the best and most realistic comment on this entire thread.

                                                                    TLDR:

                                                                    • security is hard
                                                                    • usability is even harder
                                                                    • there is no amount of security and usability that a user can’t break
                                                                    • the final recovery step is always legal
                                                                    • email still sucks

                                                                    My partner (who has written robotic vision systems) just logs in via password reset for everything, with basically the same passwords wherever possible.

                                                                    Your security system is just an annoyance she has to go through to get whatever done.

                                                                    It was only after a serious stint in the hospital that she has begun to see our shared password manager as an essential tool in our family continuity.

                                                                    It behooves us as the technorati to remember we serve the technically disinterested.

                                                                    1. 1

                                                                      In my experience even non-technical people can manage to retain and properly use a personal web-based email account across the span of time, even when moving jobs or ISPs. And given that web-based email accounts are the vast majority of personal email, I think it’s the most common case.

                                                                    2. 1

                                                                      For every service? Seems like quite the hassle. But, yeah, every service should offer that mechanism. On top of passwords and passkeys. Then users can choose.

                                                                      1. 4

                                                                        The point of passkeys is to get rid of passwords, so that would defeat the purpose. ‘Users can choose’ is the thing we are trying to avoid here–we don’t want to present users with a slew of highly technical choices and ask them to navigate through and set it all up.

                                                                        Remember, we are making UX flows that should work for ordinary, non-technical people, not just highly technical people like yourself.

                                                                        1. 2

                                                                          You could allow the user to enable password authentication in the settings. Then the “ordinary, non-technical person” will never do that anyways.

                                                                          1. 2

                                                                            Sure, as I said, what I wrote is my personal recommendation. Others will obviously have their own opinions.

                                                                    3. 1

                                                                      i was comparing magic-link+passkey vs magic-link+cookie, since they’re similar from the user’s perspective

                                                                      it seems like a passkey might be better in almost all cases (except for early-adoption friction, like maybe browser support and web framework libraries)

                                                                      in the old world, recovery with a password doesn’t really work, if you use magic links as the default. you have to remember the password, but people won’t remember it if they never use it. it requires being proactive and memorizing it on purpose, or storing it somewhere, which you can presumably do with a passkey too

                                                                    4. 7

                                                                      Passkeys work across browsers and across devices (via platform or password manager sync and via the QR/BLE hybrid protocol), are more permanent, and require user verification to use. But if you prefer to think of them as more secure, portable, and permanent cookies, instead of more secure and usable passwords, you can do that.
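The properties listed above (bound to the site, requiring user verification, syncable) are all visible to the relying party in the authenticator data that comes back with every assertion. The following is an added example, not code from the thread or from any library: it parses that structure, checks that the RP ID hash matches the site the server thinks it is (a look-alike phishing domain produces a different hash), enforces the user-presence and user-verification flags, reads the backup flags that mark a synced passkey, and applies the signature-counter clone check with the exception synced passkeys need. Verifying the signature itself against the stored public key is a separate step and is out of scope here. The sample bytes are constructed, not captured from a real authenticator.

```python
"""Server-side checks on a WebAuthn assertion's authenticatorData.

Added example, not from the thread. The signature over this data is
checked separately with the credential's public key and is not shown.
Sample bytes are constructed by build_authenticator_data(), not captured.
"""
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the authenticator data flags byte
FLAG_UP = 0x01   # user present (touched / clicked)
FLAG_UV = 0x04   # user verified (PIN or biometric)
FLAG_BE = 0x08   # backup eligible (credential may be synced)
FLAG_BS = 0x10   # backup state (credential currently backed up / synced)
FLAG_AT = 0x40   # attested credential data follows (registration only)
FLAG_ED = 0x80   # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    def has(self, flag):
        return bool(self.flags & flag)


def parse_authenticator_data(data: bytes) -> AuthData:
    """Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | optional trailing data."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test vectors: what an authenticator would emit for rp_id."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion_authdata(data, rp_id, stored_sign_count, require_uv=True):
    """Return the list of reasons to reject; an empty list means these checks passed."""
    ad = parse_authenticator_data(data)
    problems = []
    # Phishing resistance: the browser hashes the RP ID of the origin actually
    # visited, so an assertion made on a look-alike domain never matches here.
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rp_id_mismatch")
    if not ad.has(FLAG_UP):
        problems.append("user_not_present")
    if require_uv and not ad.has(FLAG_UV):
        problems.append("user_not_verified")      # passkey used without PIN/biometric
    # Clone detection: once either counter is non-zero it must strictly increase.
    # Synced passkeys commonly report 0 forever, hence the 0/0 exception.
    if (ad.sign_count != 0 or stored_sign_count != 0) and ad.sign_count <= stored_sign_count:
        problems.append("sign_count_not_increased")
    return problems


def backup_state(data):
    """What the BE/BS flags say about whether this credential is synced."""
    ad = parse_authenticator_data(data)
    return {"backup_eligible": ad.has(FLAG_BE), "backed_up": ad.has(FLAG_BS)}


if __name__ == "__main__":
    sample = build_authenticator_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(verify_assertion_authdata(sample, "example.com", 0), backup_state(sample))
```

A relying party that wants "requires user verification" as a guarantee has to ask for it (userVerification "required" in the options) and then check the UV bit here; an authenticator asked with "preferred" may legitimately return an assertion with only UP set.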

                                                                    5. 5

                                                                      After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously.

                                                                      Given how straightforward the exploit was, using only standard techniques, I have to wonder: how can you be so sure?

                                                                      Also, this level of systemic, architecture-level cheesiness is not the sort of thing one can patch within 24 hours.

                                                                      My takeaway is: never buy a car that has a system like this. Never allow a loved one to buy such a car. Full stop.

                                                                      1. 4

                                                                        Given how straightforward the exploit was, using only standard techniques, I have to wonder: how can you be so sure?

                                                                        Having reported a few vulnerabilities and gotten similar responses from companies, my answer would be: you can’t, but there comes a point where you’re going to have to just say what they say and trust they’ve done the due diligence.

                                                                        Could I make a stink and say “the company claimed X, but it doesn’t seem right?” Sure, and the company might then start to come after me for hurting their bottom line if I don’t have any proof. Could I hide behind freedom of speech rights, sure, but then I’m still spending time and money in courts fighting a law suit. All I can do is say what the company said.

                                                                        1. 1

                                                                          I didn’t mean to say there was anything wrong with the disclosure. I think this was a great writeup, very professional, and the lines are easy to read between.

                                                                        2. 4

                                                                          My takeaway is: never buy a car that has a system like this. Never allow a loved one to buy such a car. Full stop.

                                                                          That’s great… but I suspect that you cannot buy a single car from any major automaker in the US which doesn’t have a similar issue. Some of them will tell you about them; some of them will obfuscate it.

                                                                          1. 2

                                                                            Happily, the US market is well-stocked with good used vehicles that don’t include malware. I can’t imagine buying a new car anyway. Europeans, YMMV – I’ve been given to believe that this intrusive BS is mandated for some of you. Get better politicians!

                                                                          2. 3

                                                                            Seriously. While I’m glad randos can’t pull off this exact exploit anymore, that still presumably leaves every customer service rep or dealer or whomever is “supposed” to have access!

                                                                            In Massachusetts, Subaru complied with our Right to Repair telematics law by turning off Starlink. I hope disabling Starlink was done in such a way that this data isn’t collected, not just hidden.

                                                                            Between that and the 3G cell network deprecation bricking the modem, hopefully my older Crosstrek is no longer reporting data. Pulling the DCM fuse also disables the microphone, making Android Auto way less useful :/

                                                                          3. 9

                                                                            In the spirit of hoping to be corrected: it appears that most of these depend on either a running rsyncd (which I haven’t seen in 20 years) or the attacker having access to the source filesystem while an rsync is in progress.

                                                                            1. 9

                                                                              Many vendors, especially those of open source operating systems, use rsync in daemon mode to sync build artifacts to various mirrors. HardenedBSD is one such vendor.

                                                                              Edit[1]: Clarify how the daemon is run (rsyncd -> rsync in daemon mode.)

                                                                              1. 7

                                                                                Anecdotally, rsyncd is used by the Tier 0 and some Tier 1 package mirrors in Arch Linux.

                                                                                Infrastructure source: https://gitlab.archlinux.org/archlinux/infrastructure/-/tree/master/roles/dbscripts?ref_type=heads

                                                                                1. 2

                                                                                  There is a similar question open on the mailing list about whether the code is only active in rsyncd or maybe also when invoking rsync --server --sender via ssh (currently unanswered): https://marc.info/?l=oss-security&m=173688743232255&w=2

                                                                                  1. 1

                                                                                    Synology uses rsync (and I think rsyncd but maybe not?) to migrate/sync data between their NAS boxes.

                                                                                  2. 6

                                                                                    Would appreciate people pointing out the most interesting parts. I don’t have 1h to spend on basically flat-earth-rationale talk, but that doesn’t mean there isn’t something interesting there.

                                                                                    1. 5

                                                                                      Slides 15 through 24.

                                                                                      1. 2

                                                                                        aren’t the ai tools at that point already ? summarize-video-as-a-service :o)

                                                                                        1. 7

                                                                                          But then you’re using incredibly compute-wasteful tools.

                                                                                          1. 6

                                                                                            Asking someone else to summarize the video because you’d rather not spend compute cycles on it implies their time is worth less than the compute cycles. The point of having compute is to use it; it’s not like fish populations where we have to avoid overfishing.

                                                                                            1. 5

                                                                                              Compute is zero-sum. The more you use, the more warming occurs. Asking someone who has already watched it to provide a pointer is not the same.

                                                                                              1. 2

                                                                                                And one of the points of having an interconnected network of computers is to centralise effort rather than unnecessarily repeating it.

                                                                                        2. 11

                                                                                          I looked at Ergo a few months ago, and was disappointed to see that server-to-server federation – you know, the “network” in “IRC network”, i.e., the hard part – is not supported. (This is mentioned in the operator’s manual, but not in the project README, which IMNSHO is a bit dirty.)

                                                                                          As such, for my purposes, I can’t call this much more than a toy. Useful for testing IRCv3 client support, I guess?

                                                                                          1. 2

                                                                                            I’m sorry, as an IRC dilettante, I don’t know what federation means here. I can see the relevant line from their documentation:

                                                                                            Ergo does not currently support server-to-server linking (federation), meaning that all clients must connect to the same instance.

                                                                                            Could you (or anyone else) say a little more about what this means for a user or admin?

                                                                                            1. 6

                                                                                              @dsr’s answer is correct, but to say more about what this means for a user or admin: having multiple servers on your IRC network means one or more of those servers can go down, the users who were on that server reconnect somewhere else, and life goes on. This is important for crappy little IRC networks like the one I participate in most, where parts are hosted out of people’s basement or DigitalOcean droplets or whatever. This is also very nice for large IRC networks, where e.g., updating system software would otherwise mean a few tens of thousands of users being forced offline until the single server comes back up.

                                                                                              1. 5

                                                                                                a normal, full-featured IRC server can become part of a network where every server relays every channel; people on #somechannel who are on server A can see and talk to the people in #somechannel on server B.

                                                                                                Ergo can’t participate in such federated networks.

                                                                                                1. 10

                                                                                                  It’s worth noting IRC used to be part of a larger federation, but the lack of operator security features in the protocol led to abuse and the federation splitting apart. The vestigial federation stuff is basically used for load balancing between trusted nodes now.

                                                                                                  1. 2

                                                                                                    … It split apart, but there are several viable networks now. And most clients let you connect to multiple networks at once, and switch between them easily.

                                                                                                    1. 2

                                                                                                      And it’s still useful for load balancing and failover of servers.

                                                                                                    2. 2

                                                                                                      Ergo can’t participate in such federated networks.

                                                                                                      There’s no single standardized server to server protocol so it couldn’t do that anyway. In practice every network runs only a single IRCd implementation, plus services servers that specifically support whatever IRCd they’re using.

                                                                                                    3. 2

                                                                                                      IRC, like quite a few earlier protocols, actually did handle HA in a different way.

                                                                                                      IRC connects a bunch of servers, hence the term IRC Network (Freenode, LiberaChat, EFNet, etc.). You connect to one server and talk to any person on any connected server. If one server goes down or becomes unreachable, you go to a different one. Sometimes server-to-server connections might have issues and then you get the famous netsplit, which will result in people on the other side becoming invisible until they connect again.

                                                                                                      The following is somewhat off-topic, but how people did HA and federations back then is fun.

                                                                                                      Usenet/NNTP[1] is also interesting. There you got federation, because News Servers might host some newsgroups but also subscribe to ones hosted on other servers. So if the hosting server is down, you could still use it on other servers (sometimes) until it would resync.

                                                                                                      And then of course there is stuff like how you still tend to have multiple DNS servers, where the load balancing/failover basically happens on the client. And some protocols use the SRV DNS record to define failover services, which funnily enough popped up again in the context of service discovery in cloud setups. But technically pretty much every protocol can use that.

                                                                                                      Sometimes I think in the context of the internet it’s kind of wrong to have centralized services and especially use centralized services for things like failover and load balancing. Or running “distributed systems” on a bunch of servers at Amazon. There are some reasons (especially surrounding latency) but for a big part what “distributed” means today in the industry feels not distributed at all and at best what people used to call a cluster or something.

                                                                                                      IRC and NNTP are from the 80s. In the 90s there were projects like distributed.net, in the early 2000s BOINC was created, etc. and now what we call distributed systems sometimes accidentally runs on a single system (in different VMs). And then there are P2P file sharing applications, and the fact that things like the Tor project are also pretty distributed. Or the fact that email is highly federated, has its own system similar to the SRV record in the form of MX records, and XMPP/Jabber too.

                                                                                                      Would be nice to have things more distributed on the server front too and not have to debate on how much it makes sense to call Bluesky, etc. distributed or not.

                                                                                                      [1] What people used before web forums/social media. Basically a protocol for boards/news, sometimes moderated, often not.

                                                                                                      1. 2

                                                                                                        Usenet/NNTP[1] is also interesting. There you got federation, because News Servers might host some newsgroups but also subscribe to ones hosted on other servers. So if the hosting server is down, you could still use it on other servers (sometimes) until it would resync.

                                                                                                        It’s actually simpler than that.

                                                                                                        Usenet servers form a mesh network, an arbitrary graph. They flood articles between each other, so every server eventually gets a copy of every article.

                                                                                                        Some newsgroups have restricted distribution, eg, a university might have a local hierarchy of newsgroups which are not propagated to the university’s NNTP server’s peers. But there’s no notion in the protocol that restricted groups belong to a particular server.

                                                                                                        There’s no expectation that users are able to talk directly to any NNTP servers other than their local one. Usenet came from the dial-up uucp network, when connectivity was intermittent at best.

                                                                                                        There are also moderated groups. Every usenet server is configured with a list of email addresses of the moderators of each moderated group. When someone posts to a moderated group their message is forwarded over email by their own local NNTP server to the group’s moderators. The moderators configuration is simplified somewhat by having a few centralized email forwarding servers that know the real moderators’ email addresses so that they don’t have to be updated everywhere.
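The flooding description above (an arbitrary graph, every server eventually holding every article, local hierarchies that are not propagated to peers) and the IRC netsplit described further up are the same mechanism seen from two sides, and it is small enough to simulate. The following is an added example, not code from the thread or from any NNTP or IRC implementation: servers flood each article to their peers, a per-server table keyed by message-id stops loops, groups under a server's local hierarchies are never offered outward, and relinking two servers after a split has each side offer the articles the other is missing, which is the part that makes the other side "visible again" after a netsplit. Server names, group names and message-ids are constructed for the example.

```python
"""Flood-fill federation in the style of Usenet/NNTP, with netsplits.

Added example, not from the thread and not any real server's code.
Server names, group names and message-ids below are constructed.
"""
from collections import deque


class Server:
    def __init__(self, name, local_hierarchies=()):
        self.name = name
        self.peers = set()
        self.articles = {}                      # message-id -> (group, body)
        self.local_hierarchies = tuple(local_hierarchies)

    def exports(self, group):
        """Groups in a local hierarchy are kept here and never offered to peers."""
        return not any(group.startswith(h) for h in self.local_hierarchies)


class Mesh:
    def __init__(self):
        self.servers = {}

    def add(self, name, local_hierarchies=()):
        self.servers[name] = Server(name, local_hierarchies)

    def link(self, a, b):
        """Connect two servers; on (re)connect each side offers what the other lacks."""
        sa, sb = self.servers[a], self.servers[b]
        sa.peers.add(b)
        sb.peers.add(a)
        for src, dst in ((sa, sb), (sb, sa)):
            for msg_id, (group, body) in list(src.articles.items()):
                if msg_id not in dst.articles and src.exports(group):
                    self._flood(dst, msg_id, group, body)

    def unlink(self, a, b):
        """A netsplit: the link drops, both halves keep running."""
        self.servers[a].peers.discard(b)
        self.servers[b].peers.discard(a)

    def post(self, at, msg_id, group, body):
        self._flood(self.servers[at], msg_id, group, body)

    def _flood(self, origin, msg_id, group, body):
        queue = deque([origin])
        while queue:
            srv = queue.popleft()
            if msg_id in srv.articles:
                continue                        # already seen: this is what stops loops
            srv.articles[msg_id] = (group, body)
            if not srv.exports(group):
                continue                        # local hierarchy stays local
            for peer in srv.peers:
                queue.append(self.servers[peer])

    def has(self, server, msg_id):
        return msg_id in self.servers[server].articles


if __name__ == "__main__":
    m = Mesh()
    for name in ("A", "B", "C"):
        m.add(name)
    m.add("uni", local_hierarchies=("uni.",))
    for a, b in (("A", "B"), ("B", "C"), ("C", "A"), ("uni", "A")):
        m.link(a, b)
    m.post("A", "<1@A>", "comp.lang.c", "hello")
    m.unlink("B", "C")
    m.unlink("C", "A")                          # C is now on the far side of a split
    m.post("A", "<2@A>", "comp.lang.c", "posted during the split")
    print(m.has("C", "<2@A>"))                   # False until the split heals
    m.link("B", "C")
    print(m.has("C", "<2@A>"))                   # True after resync
```

The triangle A-B-C is there on purpose: without the seen-table check an article would circulate forever, which is the same reason real NNTP servers track message-ids and the Path header.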

                                                                                                    4. 1

                                                                                                      Yeah, that’s the biggest trade-off right now. I believe there are some long term plans but not much progress yet.

                                                                                                      The feature set makes it a really great pick for relatively small self-contained instances though which is not an uncommon use case. It’s how I use it too.

                                                                                                      So I guess it’s either a toy or the bee’s knees depending on what you need :)

                                                                                                    5. 17

                                                                                                      The obvious end stage of this trend is to have a centralized authority that verifies every transaction independently, which will:

                                                                                                      • create a SPOF for the entire Net
                                                                                                      • enable per-interaction tracking
                                                                                                      • enable per-site censorship at a scale never before seen
                                                                                                      • increase the cost of every interaction

                                                                                                      I imagine CloudFlare, Google and Amazon are all salivating. I’m not.

                                                                                                      (And it was predicted by Daniel Keys Moran in his 1989 novel The Long Run – which ended up being about enabling a revolution by attacking the global key verification infrastructure.)

                                                                                                      Markets with fewer than seven suppliers are unstable and prone to collusion and corruption. Let’s Encrypt is now too big. It would serve the public interest more to split it into a dozen competing/cooperating structures.

                                                                                                      1. 13

                                                                                                        Markets with fewer than seven suppliers are unstable and prone to collusion and corruption.

                                                                                                        I’m literally having trouble thinking of a market in tech that has even seven meaningful competitors. Ugh.

                                                                                                        1. 2

                                                                                                          Exactly. websites without encryption must keep working for that reason.

                                                                                                        2. 6

                                                                                                          Wow, lots and lots of minor fixes, I love this :-) And Thunar got nice new features like tree views :-D

                                                                                                          Lock screen management was massively simplified and “Light Locker” was dropped.

                                                                                                          I could never get xfce4-screensaver to work stably so I’ve been on light-locker, I hope they ironed out the bugs before dropping support for the alternative.

                                                                                                          Minimal support for xdg-desktop-portal was added by registering for a wallpaper, screenshot and background xapp.

                                                                                                          This seems like it should be good for flatpaks and wayland stuff? Being able to give programs fewer capabilities of changing their environments, instead directing such “outside” requests through portals.

                                                                                                          1. 4

                                                                                                            I was endlessly frustrated by lightlocker so I switched over to xscreensaver (the JWZ original as packaged by Debian) and never had an issue again.

                                                                                                          2. 5

                                                                                                            There should be a big asterisk on the slides about deployment. Much of this advice applies to low-risk deployments that are easy to roll back. In projects where a bad deploy can eradicate millions of dollars, you generally don’t give everyone in your org the right to push to prod.

                                                                                                            1. 21

                                                                                                              Do you also have your deploy-gurus take a drug test beforehand and pay them enough to get sufficient amount of sleep? Do you make sure they are not overly stressed by their family circumstances? I think the point should be to try to make the process itself self, not to cluster people.

                                                                                                              1. 13
                                                                                                                • Drug test: no.
                                                                                                                • Hire enough so that anyone involved gets enough sleep: yes.
                                                                                                                • Talk about sources of stress and reduction thereof: yes.
                                                                                                                • Make it easy and blameless to call in a substitute when you aren’t feeling great: yes.
                                                                                                                • Make the process both simple and robust: yes.
                                                                                                                • Require wall-clock time in progressively more realistic deployments (dev, QA, alpha, customer-visible preview, production): yes.
                                                                                                                • Document and test the emergency exception procedure: yes.
                                                                                                              2. 10

                                                                                                                A single data point: my work for the past decade or so dealt with “million dollar” deploys (I like that term).

                                                                                                                The most successful** team I led

                                                                                                                • ‘generally’ didn’t give everyone in our org the right to push to prod

                                                                                                                BUT we

                                                                                                                • engineered everything (everything) from that perspective: could a new-hire (substitute “anyone in our org” here) sit down, minutes after accepting the job offer, and deploy to production?

                                                                                                                I could go for days about the specific things we did, but I’ll spare you the details (for now).

                                                                                                                But what you mentioned is really (I think) one of the unsaid points of the article: anything that would make you throw up your hands and go, “WHOA, no, we cannot have just anyone doing this,” - anywhere where the very idea fills you with anxiety - is precisely where there’s an opportunity to improve.

                                                                                                                ** where “successful” is defined as (non-comprehensive list):

                                                                                                                • lowest number of production incidents (zero)
                                                                                                                • lowest number of actual currency lost (zero)
                                                                                                                • highest level of job satisfaction and satisfaction with work/life balance (gleaned from quarterly, anonymous, org surveys)
                                                                                                                1. 6

                                                                                                                  I think the notes cover that:

                                                                                                                  We spent our free time building everything we needed to in terms of monitoring, test suites, et cetera to make that safe for them to do. Everyone rejoiced and got shit done. Nothing bad happened

                                                                                                                  If your deploys can actually eradicate millions of dollars, a potential bad change will be caught via CI, code review, staging envs, code review, QA, gradual rollout, blue-green deployments, or any of the countless ways that you make deployment safe, easy and boring.

                                                                                                                  1. 4

                                                                                                                    And please please please find a way to map these boring deployments to dollars so that management can make the case to continue funding them (and by extension your salary).

                                                                                                                    If you can show a Big Red Number to your boss and then demonstrate how you keep making those terrifying losses go away, then their even less technical managers might be even more impressed.

                                                                                                                    Learn the language of all those homeopathic IT SaaS startups and wield that dark magic for good.

                                                                                                                    1. 2

                                                                                                                      I strongly believe in testing. I really, really do. I work on Google’s testing infrastructure. But nothing can catch everything. You’re gonna have a bad push, and the chances do increase as you go to less and less experienced workers. The goal is to try and limit the rate of how much the chances increase.

                                                                                                                      Rollbacks won’t save you every time, e.g. I would bet high 90-percentile that, industry-wide, a database schema change pushed to prod has no rollback plan. Even if there is a plan, there’s going to be a lag where companies of particular size/business function can be hemorrhaging money during the rollback.

                                                                                                                      The only safe deployment is no deployment.

                                                                                                                      @dist1ll is simply saying there are degrees of severity, which a spicy thought-provoking talk won’t put in because hedging things doesn’t make for a fun talk. I think they are right.

                                                                                                                  2. 1

                                                                                                                    Get your sitting, viewing and typing ergonomics right. Everything else follows from that.

                                                                                                                    This works for me; I assume it will not work for anyone else in particular, and I offer it as inspiration for figuring things out yourself rather than as a prescription.

                                                                                                                    Chair: supportive and adjustable and scaled properly. I’m 6’5” (195cm) and heavy.

                                                                                                                    Desk: above your knees! Below your chest. Somewhere comfortable. I used to think I liked big desks, but then I would fill them with clutter. Now I have a smallish desk - 48” (122cm) wide, 30” (76cm) deep.

                                                                                                                    Sitting on the desk: I have an Ergotron mechanical (spring+weight) standing desk adapter which I got for free. For free, it’s worthwhile. I don’t use it much, but it makes a nice change.

                                                                                                                    Keyboard: I think the most important factor in a keyboard is programmability via QMK or VIA. After that, it’s all preferences – but programmability affords more preferences. I’m using an X-Bows Knight. It’s OK. I have envious thoughts about a Keyboardio Model 100 or a ZSA Moonlander.

                                                                                                                    Mouse: I advocate switching mouse technologies several times a day. I have an Elecom EX-G Pro trackball (excellent, but needs many hours of breakin on the scrollwheel), a Logitech M510 wireless mouse, and an Apple trackpad.

                                                                                                                    Sight: I have a 42” (107cm) 4K TV straight ahead, and a 24” 1920x1200 monitor in portrait on an arm to the right. I keep chat and calendar on the side monitor, and what I’m working on straight ahead. There’s a webcam on top of the TV.

                                                                                                    Sound: Topping MX3S serves as USB DAC, headphone amp and stereo amp. I switch between three sets of cans regularly: Superlux 668B (open), Sennheiser 280HD (closed) and Truthear Zero (in-ear). Each of them has its own equalization to bring them basically to the Harman curve with a little extra sub-bass, so they all sound alike – the swapping is because I need different levels of isolation and to keep my ears from getting uncomfortable. I have a Blue Yeti USB mic which is completely adequate for anything I ever do with it. Finally, my speakers in here are Paradigm Monitor 3 Mark 3, on stands to bring the tweeters slightly above ear level when I’m sitting.

                                                                                                                    Cabling: power goes to a surge suppressor strip on the left. 2 USB3 extenders end in 4 port USB hubs on the desk; the keyboard is on its own long USB cable right now. The computer is off on a shelf on the right, hiding behind the portrait monitor.

                                                                                                                    There are lights reflecting off the wall behind the monitor, not directly shining at me or the monitor. Controls are close at hand. There’s a big window to my left, and I stop to look out of it frequently.

                                                                                                                    1. 7

                                                                                                      I do like them, but at the same time why do I have to encrypt my recipe site? I would like the option in my browser to not warn about sites that don’t use TLS. Or at least to be presented with an option? Oh, this is a reference recipe site. Would you like not to use encryption? Encryption is such a pita for simple things. I do think that sites that accept credentials always need to be encrypted, but why go through the hassle for things that are public? I am very thankful to Let’s Encrypt and the Caddy web server for making certificates a non-issue, but at the same time I kind of get tired of “oh no, it’s not encrypted properly” warnings which everyone will ignore anyway.

                                                                                                                      1. 50

                                                                                                                        why do I have to encrypt my recipe site?

                                                                                                                        Because your viewers don’t want their ISP to serve them ads in the content.

                                                                                                                        1. 31

                                                                                                                          Back in ~2012 users of our startup’s iPhone app complained that it crashed when they were on the London Underground (I think, I may be misremembering the details).

                                                                                                                          It turned out the WiFi down there was modifying HTML pages served over HTTP, and our app loaded HTML pages that included comments with additional instructions for how the app should treat the retrieved page… and those comments were being stripped out!

                                                                                                                          We fixed the bug by switching to serving those pages over HTTPS instead. I’ve used HTTPS for everything I’ve built since then.

                                                                                                                          1. 2

                                                                                                                            I can sort of understand that since bandwidth was a premium in 2012, so if they could remove as many bytes from the payload as possible, then they increase their network bandwidth overall. Still surprising, but I could at least rationalize it.

                                                                                                                            1. 4

                                                                                                                              Bandwidth was a premium in 2012? That can’t be right, I feel like 2012 had plenty of bandwidth.

                                                                                                                              1. 2

                                                                                                                                No matter how much bandwidth you (an ISP) have, there are always schemes which promise to reduce your usage and thus improve the end-user experience – or invade their experience and make you money.

                                                                                                                                (Some of those schemes actually work. CDNs, for example.)

                                                                                                                                1. 1

                                                                                                                                  Of course, but in 2012 I’m pretty sure even homes could get gigabit networking. I don’t think of it as being a bandwidth constrained time.

                                                                                                                                  1. 3

                                                                                                                                    I lived in Cleveland at the time (major US city) and was still limited to sub-5 megabit ISP service.

                                                                                                                                    1. 1

                                                                                                                                      Interesting. I wonder if my memory is just off. NYC had really bad internet back then, as I recall, because our infrastructure is buried and expensive to upgrade. But I could swear we had like 100Mbps.

                                                                                                                                      Dunno. Crazy to think that 2012 was so long ago.

                                                                                                                                      1. 3

                                                                                                                                        I looked through my inbox to find what speeds I have had over time.

                                                                                                                                        • Dialup, upgrading a few times to 33.6k - I never had a 56k modem. (1995-2001)
                                                                                                                                        • 1 mbps dsl (2001-2005)
                                                                                                                                        • 2 mbps dsl (2005-2008)
                                                                                                                                        • 5 mbps dsl (2008-2012)
                                                                                                                                        • 28 mbps cable (2012-2013)
                                                                                                                                        • 50 mbps cable (2013-?)
                                                                                                                                        • I don’t have a speed record for 2013-2020, but Comcast gradually increased it over time, up to gigabit.
                                                                                                                                        • 2020-current: 3gbps fibre
                                                                                                                          2. 9

                                                                                                                            I both understand and resent this. Bad actors are making my life worse, and for some unfathomable reason it’s legal?!

                                                                                                                            If your ISP is manipulating your data it should be sued into oblivion, in a just world.

                                                                                                                            1. 7

                                                                                                                              It’s not just ISPs, it’s any malicious actor, such as the operator of the wireless access point you’ve connected to (which may not be the person you think it is). You have a choice of either protecting visitors to your site from trivial interception and tampering or leaving them vulnerable. No one is forcing you to choose either way.

                                                                                                                              1. 3

                                                                                                                                Well, it’s not a just world in every country.

                                                                                                                              2. 3

                                                                                                                                I originally chose to not enable TLS for our game’s asset CDN because checking certs on arbitrary Linux distros is ~unsolvable and we have our own manifest signing so we don’t need TLS’s security guarantees anyway, then we found some ISPs with broken caching that would serve the wrong file for a given URL, so I enabled it and disabled cert verification in the Linux client instead.

                                                                                                                                ISPs don’t even have to be malicious, just crappy…

                                                                                                                                1. 3

                                                                                                                                  Why didn’t you just ship your own root certificate? :p

                                                                                                                              3. 14

                                                                                                                                It’s sort of self explanatory. Confidentiality and Integrity.

                                                                                                                                1. I know that I’m getting exactly the recipe that you are serving from your site
                                                                                                                                2. I know that no one else can see which recipe I’m cooking
                                                                                                                                3. I know that no one can inject ads, malicious code, tracking, malicious/ abusive images, etc.

                                                                                                                                If you aren’t willing to give those two things to your users I’m really convinced that you just aren’t in a position to host. Recipe site or not, we all have basic obligations. If you can’t meet them, that’s okay, you don’t have to host a website.

                                                                                                                                  1. 7

                                                                                                                                    because IPSEC failed so it’s up to application protocols to provide secure communication instead of the network layer.

                                                                                                                                    1. 5

                                                                                                                                      Because some entities are passively monitoring all traffic worldwide.

                                                                                                                                      1. 1

                                                                                                                                        Other than ad networks?! /s

                                                                                                                                        1. 1

                                                                                                                                          But then again, those entities only really need metadata.

                                                                                                                                          1. 6

                                                                                                                                            HTTPS leaks a lot less metadata than HTTP. With HTTP, you can see the full URL of the request. With HTTPS, you can see only the IP address. There’s a huge difference between knowing that I visited Wikipedia and that I read a specific Wikipedia page (the latter may be possible to determine based on the size of the response, but that’s harder). With SNI, the IP address may be shared by hundreds of domains and so a passive adversary doesn’t even see the specific host, let alone the specific page.

                                                                                                                                            1. 3

                                                                                                                                              Usually SNI is sent in the clear, because the server needs to know the server name to be able to choose the right cert to present to the client, and it would require an extra round trip to do key exchange before certificate exchange.

                                                                                                                                              There’s ongoing work on encrypted SNI (ESNI) but it requires complicated machinery to establish a pre-shared key; it only provides meaningful protection for mass virtual hosters (ugly push to centralize); and it’s of limited benefit without encrypted DNS (another hump on the camel).
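As an added example (not code from the thread), the parser below shows concretely what a passive observer gets from the first packet of a connection, covering both of the points above: for plain HTTP the request line and Host header, for TLS only the hostname from the unencrypted SNI extension of the ClientHello. The HTTP request and the ClientHello bytes are constructed inline (build_client_hello exists only to produce that input); the function names are my own.

```python
import struct

# Constructed sample input (not a capture): a plain HTTP request for a page.
HTTP_REQUEST = (
    b"GET /wiki/Rosemary HTTP/1.1\r\n"
    b"Host: en.wikipedia.org\r\n"
    b"User-Agent: constructed-sample\r\n\r\n"
)


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.3 ClientHello record carrying an SNI extension.
    This exists only to produce a realistic, constructed input for extract_sni."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name(0), length, name
    name_list = struct.pack("!H", len(entry)) + entry           # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    versions = b"\x02\x03\x04"                                  # supported_versions: TLS 1.3
    sv_ext = struct.pack("!HH", 0x002B, len(versions)) + versions
    extensions = sni_ext + sv_ext
    body = (
        b"\x03\x03"                            # legacy_version (TLS 1.2)
        + bytes(32)                            # random (zeros in this sample)
        + b"\x00"                              # legacy_session_id: empty
        + b"\x00\x02\x13\x01"                  # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record, or None.
    Nothing is decrypted here: the hostname sits in the clear before any key exchange."""
    if len(record) < 5 or record[0] != 0x16:                    # ContentType handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                            # client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                                # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                        # legacy_session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                        # compression_methods
    if len(body) < pos + 2:                                     # no extensions at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != 0x0000 or len(ext) < 5:
            continue
        list_end = 2 + struct.unpack("!H", ext[0:2])[0]
        q = 2
        while q + 3 <= min(list_end, len(ext)):                  # walk ServerNameList entries
            name_type = ext[q]
            name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
            name = ext[q + 3:q + 3 + name_len]
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", errors="replace")
            q += 3 + name_len
    return None


def observable_metadata(first_packet: bytes) -> dict:
    """What a passive on-path observer learns from the first packet of a connection."""
    sni = extract_sni(first_packet)
    if sni is not None:
        return {"protocol": "tls", "host": sni, "path": None}  # hostname only, no path
    request_line, _, headers = first_packet.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        host = None
        for header in headers.split(b"\r\n"):
            if header.lower().startswith(b"host:"):
                host = header[5:].strip().decode("ascii", errors="replace")
        return {"protocol": "http", "host": host,
                "path": parts[1].decode("ascii", errors="replace")}  # full URL visible
    return {"protocol": "unknown", "host": None, "path": None}
```

Run observable_metadata over the first packet of each connection in a capture to see which flows expose a path and which expose only a hostname.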

                                                                                                                                              1. 1

                                                                                                                                                Thanks, SNI does not work how I thought it worked. I assumed there was an initial unauthenticated key exchange and then the negotiated key was signed with the cert that the client said it wanted. I believe QUIC works this way, but I might be wrong there as well.

                                                                                                                                                1. 2

                                                                                                                                                  Gosh, I thought QUIC is basically TLS/1.3 with a different transport, but it’s weirder than either of us believed!

                                                                                                                                                  • TLS/1.3 illustrated shows the SNI in the client hello in the clear

                                                                                                                                                  • QUIC illustrated shows that the initial packet is encrypted with keys derived from a nonce that is sent in the clear in the initial packet; inside the wrapper is a TLS/1.3 client hello

                                                                                                                                                  I suppose this makes sense in that QUIC is designed to always encrypt, and it’s harder to accidentally send a cleartext packet if there aren’t any special cases that need cleartext. RFC 9000 says, “This protection does not provide confidentiality or integrity against attackers that can observe packets, but it does prevent attackers that cannot observe packets from spoofing Initial packets.”

                                                                                                                                        2. 4

                                                                                                                                          Browsers are application runtimes, and plenty of bad actors are all too happy to include their JS software in your pages

                                                                                                                                          1. 1

                                                                                                                                            it’s not encrypted properly warnings which everyone will ignore anyway.

                                                                                                                                            I mean if people are going to ignore the warnings it sounds like you don’t need to enable encryption anyways

                                                                                                                                          2. 1

                                                                                                                                             Tangential question: Does anyone know of any news sites that provide RSS feeds? I know the spectrum of what comprises news is huge, but any examples to start with would be appreciated.

                                                                                                                                            1. 13

                                                                                                                                              Newsboat

                                                                                                                                               There’s a shocking number of paid aggregators which do everything online. I don’t understand the use cases. I’m perfectly fine with newsboat (though it needs a few small features, namely a way to view/edit feeds within newsboat, though an alias works fine), but the devs are quite responsive to bug issues, so maybe I’ll try requesting such a feature!

                                                                                                                                              Newsboat updates when you want and persists everything, so you can read offline etc. What else do you need?

                                                                                                                                              1. 5

                                                                                                                                                What else do you need?

                                                                                                                                                 If I understand the original request correctly: maintaining state across several browser sessions and/or devices. E.g. if you read today’s XKCD on your laptop, it’s marked read on your phone and desktop too.

                                                                                                                                                1. 3

                                                                                                                                                  Yeah, RSS is my version of scrolling social media so I read it 50/50 in my phone and PC.

                                                                                                                                                2. 3

                                                                                                                                                   I’m on the newsboat boat too.

                                                                                                                                                  a way to edit feeds within newsboat

                                                                                                                                                  So, like an internal editor and not just SHIFT+E to open the URL file in $EDITOR?

                                                                                                                                                  1. 3

                                                                                                                                                    Precisely, thank you for sharing! I now have no complaints about Newsboat.

                                                                                                                                                  2. 1

                                                                                                                                                    I’m also a newsboat user (from back when it was newsbeuter) but I’m considering a UI/browser based one just because there’s so much visual content.

                                                                                                                                                  3. 4

                                                                                                                                                    Similarly put: nobody cares about high availability until you are one person deploying an app for yourself and all of a sudden it broke.

                                                                                                                                                    It annoys me when high availability is feature gated to enterprise customers. Enterprises can afford a support team to operate the software. I can’t.

                                                                                                                                                    The problem is the same as for these chat protocols: people don’t care how it works, they want it to work, and working easy high availability (multiple single nodes that agree enough on the state of play) becomes really important.

                                                                                                                                                    1. 7

                                                                                                                                                      Nobody cares about HA: people care that their stuff works. HA is a major route for getting there. The tradeoff is complexity.

                                                                                                                                                      Nobody cares about backups: people care desperately that their data is safe. Backups are a major method of ensuring that. The tradeoff is increased cost and having to do the work.

                                                                                                                                                      Nobody cares about government: people care about not being attacked, having their neighbors be reasonable, and a million other things that are generally provided by government. The tradeoff is taxation and laws.

                                                                                                                                                      And nobody cares about decentralization, but people care about all sorts of things that decentralization can provide. There are tradeoffs…

                                                                                                                                                    2. 52

                                                                                                                                                      I have a simple way of looking at it. If I, as a reader, am allowed to read a web page, then I am allowed to read it in whatever user agent I like. Most of the time, this would be with a browser on my computer. But there is nothing wrong with using something else. So if I want to use your service as a user agent, and read the page from within that app, why would that be wrong?

                                                                                                                                                      Archiving is the same. I can save a page on my hard drive, or on some cloud storage, so why not on your cloud service?

                                                                                                                                                      But this only works if you perform these actions directly on behalf of a user. If you move outside that, and, for instance, start using the archive for analytics, then it becomes questionable. IMHO.

                                                                                                                                                      1. 7

                                                                                                                                                        So if I want to use your service as a user agent, and read the page from within that app, why would that be wrong?

                                                                                                                                                         Well, for one, my service would not reproduce the page 100% as the author intended. If the author had a script or an ad or a “subscribe to my newsletter” form, it may not render correctly. Sure, it’s like using lynx or just a different/outdated/customized browser, but here I, the author of we Reader, have made that decision on behalf of the user, and I also benefit from the content because the user stays on my website. Moreover, the user might not even realize that they are missing some content.

                                                                                                                                                        1. 48

                                                                                                                                                           HTML is specifically designed not to allow “as author intended” to be meaningful. The user agent serves the user.

                                                                                                                                                          1. 17

                                                                                                                                                            Are you making money from removing their ads and replacing them with your own? Even inadvertently?

                                                                                                                                                            1. 1

                                                                                                                                                              I also benefit from the content because the user stays on my website.

                                                                                                                                                              What benefit do you get from the user staying on your website? Doesn’t every page accessed by the user cost you money?

                                                                                                                                                              1. 2

                                                                                                                                                                I’m building a product and I want users to use it. So, the amount of users and the amount of time they spend on my service is a benefit for me. It’s the same kind of reasoning that Google tries to show its own widgets, “answers”, etc. instead of encouraging people to leave Google and visit someone else’s website.

                                                                                                                                                                1. 4

                                                                                                                                                                   Indeed, and I would be wary of using Google as the standard for ethics.

                                                                                                                                                                   How concretely do you expect to offset the costs associated with having users on your site? Are users conscious of this flow of value, or are they led to believe that the service is offered freely for their benefit alone?

                                                                                                                                                                  1. 2

                                                                                                                                                                    I plan to monetize the service. Reading, subscribing, and following users would be free; creating lists, commenting, exporting lists/favorites, and starting a new blog at Minifeed (it’s also a simple blogging platform, yeah) would be behind a cheap subscription.

                                                                                                                                                                2. 2

                                                                                                                                                                  But they’re getting fame. Name recognition. “Personal brand” awareness. Sidelinks to projects they’d like to promote.

                                                                                                                                                                  What benefit does the user get? Not sure, they “just wanted the article”. Probably.