Threads for jwconway

    1. 6

      As a counter, I run a local LLM. It’s uncensored, and just answers what I ask. It’s more akin to a talking encyclopedia that I can have conversations with.

      For example, I asked it how to build a nitrate based bomb. And it did so, with a curt response about safety, and summarily gave the instructions how to do so.

      https://infosec.exchange/@crankylinuxuser/113137057887489660

      Do I want to? Nope. But the point is that I should have access to my own LLM that doesn’t refuse to answer questions for $reasons. I value curt honesty, not patronizing “no child, I won’t answer that now go away”

      1. 3

        It’s hacks like these that make me wonder if we should have warranty for commercial hardware and software. (Key here is commercial, as in being sold.)

        Sure, it’s AI slop. But that doesn’t mean that the people who bought this should be easily hacked. Worse yet, the company doesn’t seem to care.

        1. 2

          I just buy cheap laptops on Ebay.

          A laptop has: screen, keyboard, mouse, wifi, ethernet, battery backup, USB ports, other ports. And I can get a cheapo for $100. If I need GPIO, I buy a clone arduino nano for $3.

          An SBC has, well, barebones, until you buy all the new equipment for it.

          1. 2

            Why not just make the “space bar” a whole bunch of individual switches and remove the bar concept?

            You hit any of the space keys and you get a space. And doing so, you can get rid of the weird rectangular bar that causes all these problems.

            1. 5

              If you’re going the route of compromise, there are more reasonable compromises: a single spacebar key with a good but not perfect stabilizer is fine for all but a rounding error of people.

              1. 3

                The spacebar isn’t the only problem. On a US ANSI keyboard, there’s also both shift keys, enter and backspace. Anything larger than 1.75u needs a stabilizer to avoid the “seesaw” effect. So, if you’re sticking to a standard-ish rectangular format for your keyboard, you’ll be needing stabilizers.

                That said: Spacebars have historically shrunk! Some old typewriters had 11u spacebars, the Commodore 64 had a 9u spacebar, modern US and European keyboards typically have 6.25u (and Japanese ones often have tiny 2-3u spacebars). Personally, when I realized that I only ever use my right thumb for space, I started using a split-spacebar layout (turning the 6.25u spacebar into a 2.25u - 2.75u - 1.25u combo - the leftmost is a function key, the middle is the spacebar, and the rightmost is a compose key). I’ve found that to be much more comfortable … but now I have two stabilizers there instead of one.

                (I’ve used a little foam to dampen the noise, but they do still rattle a bit.)

                1. 2

                  That creates a new problem, of landing your thumb on one of the individual keys, instead of falling in the space between, which is uncomfortable and requires extra force to activate. The idea of the long space bar is that no matter where your thumb happens to be after pressing the last key, you can hit it without requiring a specific thumb movement. You can just whack it while one of your other fingers is moving to the next substantive key.

                  1. 1

                    I think you just go back to the seesawing at that point, no? When you press it at one end, there’s nothing bringing it down at the other end — indeed, the other switches would actually intensify the seesawing!

                    edit: ah, I misunderstood what you meant by “remove the bar concept”. I’ve found that having two ~half space bars on a split keyboard is kinda most of the way there …

                    1. 1

                      Some keyboards do this, e.g.

                      • split ergonomic keyboards, which have thumb clusters
                      • alice / arisu style unibody split boards, where the angles of the key blocks mean a normal space bar will not fit
                      • 40% or smaller boards which typically break up the spacebar to use for extra modifier or layer keys

                      But in the latter two cases the keyboards still often have keys that are 2u or more wide, and therefore still need stabilizers.

                    2. 5

                      Yeah, I looked at Nix a while back. I get what they’re trying to accomplish, but it felt just completely disorganized and bag-of-cats level crazy.

                      I’ll stick with Debian and FreeBSD. I prefer my OSes to be stable and mature.

                      1. 15

                        There’s nothing unstable about NixOS (unless you use unstable packages (flakes are officially unstable but good luck changing the spec or removing them)). There’s nothing immature about it really, either. It has less upstream meddling to make packages weird than Debian and has more packages than FreeBSD. It’s just going through some community drama, and that doesn’t really impact the technical results of Nix and NixOS.

                        1. 1

                          Look at how many commits there are in hackage-server related to Nix. If it were stable, how come it breaks all the time?

                          1. 7

                            It looks like someone was making a Nix Flake for the project and getting it to run in GitHub Actions, which took a bunch of pull requests to get working. Not sure why you think that means it’s breaking all the time.

                            1. 1

                              It’s taken ~35 PRs since March 2023 (assuming it is done now). I suppose it wasn’t strictly broken in between, but I still think it’s weird how it takes so many PRs to make flakes run well in CI. I genuinely don’t understand.

                              1. 8

                                Because of Nix, almost all of those changes could be tested locally, instead of being iterated on via pull requests. I’d guess the person just wanted to work this way. Focusing on PR count seems weird, since it’s about someone’s workflow.

                      2. 3

                        I’ve explicitly disabled it at my gateway and internally.

                        Why? It’s double the complexity, double the networking stack, double the security problems… And for what benefit/gain? Not a damned thing.

                        Could I run IP6 correctly? Sure. I’ve managed it before and can do it again. But therein lies a whole host of problems, and none of them with me:

                        1. Lots of high profile sites don’t run it.
                        2. 6->4 failover makes sites with no AAAA records take an inordinate amount of time to get an A record (due to timeout).
                        3. It’s a showstopper if a site runs their 4 and 6 DNS, but 6 has broken AAAA records. Makes the site unusable until you disable 6.
                        4. ISPs don’t have experienced people to support IP6 related problems.
                        5. Some local older hardware not running general OSes (think wifi based IoT) is only IP4. So stuck with both stacks.

                        But in the end, what do I get if I run IP6? Bragging rights? Insulting those “lessers” who only use IP4? Getting rid of NAT? (HAHA nope, there’s already an IP6 NAT.)

                        Frankly, without a reasonable value proposition to run dualstack on every local thing, and implement IP6 security everywhere, this seems like a great waste of my time for diddly.
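Points 2 and 3 above describe the classic dual-stack failure mode: a client that tries the AAAA address first and only falls back to the A record after a full connect timeout. The mitigation most stacks ship today is the staggered race from RFC 8305 (“Happy Eyeballs v2”), which starts the IPv4 attempt about 250 ms after the IPv6 one instead of waiting for it to fail. The block below is an added illustration, not code from the commenter or any project: it runs a naive sequential fallback and a Happy Eyeballs race side by side against a constructed candidate list (documentation-range addresses that are never contacted; `connect_fake` stands in for a real TCP connect so the example runs offline). The black-holed AAAA, the 2 s per-attempt timeout and the 250 ms head start are all assumptions made for the demonstration.

```python
import asyncio
import socket
import time

# Constructed candidate list, in the order getaddrinfo() would return it for a
# dual-stack name: IPv6 first, then IPv4. Both addresses are documentation /
# test ranges and are never contacted; connect_fake() stands in for TCP.
CANDIDATES = [
    (socket.AF_INET6, "2001:db8::1", 443),  # assumed: AAAA points at a black hole
    (socket.AF_INET, "192.0.2.10", 443),    # assumed: the A record works
]

CONNECT_TIMEOUT = 2.0   # per-attempt timeout (assumed; real stacks often wait far longer)
HEAD_START = 0.25       # RFC 8305 recommended delay before starting the next family


async def connect_fake(family, host, port):
    """Simulated connect: the IPv6 path never answers (SYNs dropped) and is
    cut off by wait_for(); the IPv4 path answers after 20 ms."""
    if family == socket.AF_INET6:
        await asyncio.sleep(60)
    else:
        await asyncio.sleep(0.02)
    return (family, host, port)


async def connect_sequential(candidates, connect=connect_fake):
    """Naive fallback: try each address in order, moving on only after the
    previous attempt has failed or timed out. This is the behaviour the
    comment above complains about."""
    for family, host, port in candidates:
        try:
            return await asyncio.wait_for(connect(family, host, port), CONNECT_TIMEOUT)
        except (OSError, asyncio.TimeoutError):
            continue
    raise OSError("all address candidates failed")


async def connect_happy_eyeballs(candidates, connect=connect_fake):
    """Staggered race: start the next candidate HEAD_START seconds after the
    previous one (or immediately if it failed); the first success wins and
    every other attempt is cancelled."""
    todo = list(candidates)
    running = []
    try:
        while todo or running:
            if todo:
                family, host, port = todo.pop(0)
                running.append(asyncio.create_task(
                    asyncio.wait_for(connect(family, host, port), CONNECT_TIMEOUT)))
            done, _ = await asyncio.wait(
                running,
                timeout=HEAD_START if todo else None,
                return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                running.remove(task)
                if task.exception() is None:
                    return task.result()
        raise OSError("all address candidates failed")
    finally:
        for task in running:
            task.cancel()
        await asyncio.gather(*running, return_exceptions=True)


def timed(strategy):
    """Run a connection strategy against CANDIDATES.
    Returns (chosen (family, host, port), elapsed seconds)."""
    start = time.monotonic()
    result = asyncio.run(strategy(CANDIDATES))
    return result, time.monotonic() - start


if __name__ == "__main__":
    for strategy in (connect_sequential, connect_happy_eyeballs):
        addr, secs = timed(strategy)
        print(f"{strategy.__name__:24s} -> {addr[1]:12s} after {secs:.2f}s")
```

With the simulated black hole, the sequential strategy only reaches the working IPv4 address after the full 2 s timeout, while the race reaches it in roughly a quarter of a second. For real sockets, `asyncio.open_connection` already exposes this through its `happy_eyeballs_delay` parameter; the point of writing the race out by hand is to see why a broken AAAA record does not have to make a site unusable.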

                        1. 9

                          I mean, do you care what operating system runs your microwave?

                          Yes, actually! Not in that I would be futzing with it day to day, but I’ve never had a product with software in it that I wouldn’t make at least some small changes to after getting to know it.

                          Truth be told I’m actually pretty happy with my microwave – but then the analogy, like the whole public positioning in this article and presumably elsewhere, is set up to trivialise the feelings of people who see what’s happening.

                          This is a company that has extracted value from a software commons for a long time defecting to another team. It’s an example of the downside of money people pulling the strings, and of the continued consolidation of systems software into one giant monoculture.

                          This may well be the right move for their particular team – although as a niche OS person myself I doubt very much that they’ll fix anything serious by switching. The least they could do is be honest about it with the people they’re leaving behind.

                          1. 7

                            I remember taking stuff apart from the 1970’s, and you were more likely than not to find a piece of paper, either folded or glued, that provided full schematics of the thing.

                            I’ve always thought that was the 4th hidden “R” of ‘reduce, reuse, recycle’…. Repair.

                            But repair never fit into the consumption model. And now the age of glues, ultrasonic welding, plastic snap-fits, and software where it shouldn’t be… encourages only the first 3 Rs instead of the one that would actually be useful to us and the environment.

                              1. 4

                                I disagree.

                                Reuse is when you “use it again” after a period of non-use, or you put it in a community shelf and someone else uses it.

                                Repair is when you put a small amount of resources to make it effectively new again (a new gear, software update, a 3d printed flap, etc), so you can continue to use it.

                            1. 4

                              This is, charitably, a very unknowing take on what iXsystems has done for open source, including FreeBSD, Linux (including Slackware) and OpenZFS. The linked article contains a sober and balanced perspective on everything you raise issue with. Namely, the software is and continues to be open source, and they are not abandoning customers in one direction or the other. Anyone can take either TrueNAS and hack on it or fork it to heart’s content.

                              I would liken this to something like Apple’s switch from PowerPC to Intel. For fans of PowerPC, it marks the end of an era and is sad, but for the end users it can be done in a way that is measured and minimizes impact. If you remove the emotional response fans of one particular technology have to another it is ultimately a supply chain decision that can in fact change again as Apple demonstrates with Intel to ARM.

                              1. 2

                                Yeah, I’m in no position to gauge how much value they extracted from FreeBSD and ZFS, but they provided me with a free version of a NAS OS that has worked wonderfully for years.

                                On the other hand, basing it on Linux makes it somewhat more interesting to current-time me because I could now run the things I couldn’t run as painlessly on my old NAS. (Namely some docker containers and a graphical VM).

                            2. 3

                              Damn. I now know how others feel when some topic comes up and there’s that single person who doesn’t know anything.

                              I know it’s English….

                              1. 46

                                I hope those responsible get sued to oblivion. This kind of stuff should result in a corporate death penalty.

                                1. 29

                                  I believe the best term for this sort of thing is “fraud”, yes.

                                  1. 6

                                    I always think the best punishment for this level of corporate malpractice is simply the government seizing the company, replacing the entire management and selling it back on the stock market. Keep the factories and the R&D teams intact, but flush the entire ownership structure and management. Then the shareholders would think twice when a known crook is chosen as the CEO.

                                    1. 3

                                      From what I’ve heard of stories with this sort of C*O level sabotage and fraud, it ends up some mid-level engineer or engineer team that’s blamed. And C-levels have plausible deniability, and proclaim extreme ignorance, and feign anger over these “completely evil engineers who did everything on their own!/s”.

                                      The only case where things weren’t an abject failure was VW with dieselgate. But even there, people ended up with less of a vehicle than they thought they bought, with real emissions turned on.

                                      1. 1

                                        …if they aren’t aware of this level of fraud, this speaks to their utter incompetence as executives, doesn’t it? A level of incompetence that would justify a sentence that would forbid them from sitting on a board for 10 years or so?

                                        1. 1

                                          That’s the point of plausible deniability. They’re 100% aware of the fraud, but you can’t prove it.

                                          I’ve also been subject to some upper management person coming to me in person, and asking for unconscionable/illegal/unethical thing. And of course, none of it’s written down. It’s a feature that the unconscionable demand is verbal. Means there’s no written artifacts to subpoena or otherwise corroborate.

                                          That way, they can claim ignorance and blame the engineers who followed their instructions.

                                          And regarding BoD memberships: it’s a tit-for-tat game played by the multi-millionaires and billionaires (read: CEOs of other orgs). They all know how the game is played. They all know how to ask verbally and get around evidentiary problems. And, they approve each other to further these schemes.

                                          1. 2

                                            Yeah, I understand all of that and I don’t expect executives to admit blame. I would expect the justice system to consider the legal entity’s board members to be responsible for that entity, and I believe the plausible deniability excuse should be an aggravating circumstance and sign of gross incompetence – “even if we can’t prove you criminally guilty of fraud, the fraud happened in your name without you being aware, which means you’re not competent to sit on a board of any company”

                                            1. 1

                                              I’ve also been subject to some upper management person coming to me in person, and asking for unconscionable/illegal/unethical thing.

                                              You can wait until they leave, then write it all down with date, time, and signature.

                                    2. 12

                                      Aside from the terrible optics of using native terms….

                                      This seems to be a semi-clone of the basically failed attempt at Open Source Ecology. Pity, cause I thought that would survive. It’s basically a commune on life support, sadly enough (or appears that way).

                                      1. 3

                                        Is there a way to disable “punycode” URLs in some way on Chromium? I don’t want to deal with this anymore. I hate that I have to second guess every URL in case it has some unicode display hack. I literally don’t click links from anyone anymore, I retype the domain I intend to visit.

                                        If there is no way to disable this, I hope some effort is underway to disable these types of domains in one way or another. This is a nightmare

                                        1. 4

                                          The problem here is not punycode, in fact it’s almost the opposite - this exact problem is what punycode is designed to address. But neither the Google search result nor the browser are showing punycode, instead rendering the “real” unicode. Had they rendered the domain as punycode, the user would’ve seen xn--eepass-vbb.info which is very obviously something weird and fishy.

                                          1. 4

                                            I literally don’t click links from anyone anymore, I retype the domain I intend to visit.

                                            I often do that as well. But then I might still be vulnerable to typo squatting…

                                            1. 1

                                              The problem also exists in email as well.

                                              I checked a few weeks ago, but Outlook doesn’t expand the punycode in the desktop program, but it does in OWA.

                                              1. 1

                                                Someone could pretty easily create an extension that would flag URLs. Which ones to flag? Unsure. For me, I’d probably just flag any domain name that contains non-ASCII, maybe pop up a scary warning so I notice and I can ignore it if I know it’s a legit site?

                                                1. 3

                                                  Firefox does (or at least did, maybe it’s changed and I missed it) apply rules around symbols being from the same or non-confusable scripts. So a domain can be all cyrillic or all latin, latin + chinese, … and it’ll show normally, but if it e.g. mixes latin and cyrillic it’ll show the decoded form.

                                                  1. 3

                                                    These special rules are a flawed heuristic and they probably always will be as long as Unicode continues to evolve. The exploit in the featured article uses a Latin character among other Latin characters to spoof keepass.info.
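The points made in this sub-thread (render the `xn--` form rather than the decoded name, flag mixed-script labels, and the observation that an all-Latin lookalike slips past that rule) are easy to check mechanically. The block below is an added example, not code from any commenter or browser: it converts hostnames between their Unicode and punycode forms, applies a mixed-script heuristic of the kind the Firefox comment describes, and adds a second check that strips diacritics to see whether a label collapses to an ASCII name. The script detection (first word of the Unicode character name) and the diacritic-stripping “skeleton” are simplified assumptions of this example; a real implementation would use IDNA/UTS 46 processing and the Unicode confusables data.

```python
import unicodedata


def to_unicode(host: str) -> str:
    """Expand xn-- labels to Unicode. Only the punycode step of IDNA is done
    here; full IDNA also applies case folding and normalization."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def to_ascii(host: str) -> str:
    """Inverse of to_unicode(): render every non-ASCII label as xn--...
    This is the form a browser should show when in doubt."""
    labels = []
    for label in host.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...).
    Digits and hyphens are script-neutral. Simplification for this example."""
    found = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(text: str) -> str:
    """Strip diacritics: NFKD-decompose, then drop combining marks.
    'ķ' (k with cedilla) becomes plain 'k'; a Cyrillic 'а' stays Cyrillic."""
    return "".join(ch for ch in unicodedata.normalize("NFKD", text)
                   if not unicodedata.combining(ch))


def analyze(host: str) -> dict:
    """Accepts either form of a hostname and returns both renderings plus
    the heuristics that fire on it."""
    uni = to_unicode(host)
    flags = set()
    for label in uni.split("."):
        if label.isascii():
            continue
        flags.add("non-ascii")                 # the blunt "flag them all" policy
        if len(scripts_in(label)) > 1:
            flags.add("mixed-script")          # the Firefox-style rule
    sk = skeleton(uni)
    # Label is non-ASCII but collapses to an ASCII name once accents are removed:
    # the case a mixed-script rule cannot see.
    lookalike = sk if (sk != uni and sk.isascii()) else None
    return {"unicode": uni, "ascii": to_ascii(uni),
            "flags": sorted(flags), "lookalike": lookalike}


if __name__ == "__main__":
    # Constructed inputs: the keepass lookalike, a Latin/Cyrillic mix,
    # a legitimate all-Cyrillic name, and a plain ASCII name.
    for h in ("xn--eepass-vbb.info", "p\u0430ypal.com", "почта.рф", "keepass.info"):
        print(analyze(h))
```

Run it and the first entry shows why the rendering choice matters: `xn--eepass-vbb.info` decodes to an all-Latin label, so the mixed-script rule stays silent, but the skeleton check reports that it collapses to `keepass.info`. The all-Cyrillic example passes both heuristics and is only caught by the blanket non-ASCII flag, which is the trade-off the rest of this thread argues about.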

                                                  2. 2

                                                    Flag them all. I’ve literally never used a legitimate punycode site. I’m sorry but it’s just not worth it for me.

                                                    1. 4

                                                      This is fine for people in Latin-alphabet countries. It isn’t so great for people in countries where most company names are non-ASCII. There, punycode domains are very common. Simply blocking them doesn’t help.

                                                      It might be interesting for browsers to see the language that the page provides and see if the characters in the domain name are from the character set used in that language. This would prevent Latin / Cyrillic confusion, in both directions, but wouldn’t help with some central / eastern European countries that use both forms. Or with French if you stick a random accent on a character in the domain.

                                                      1. 2

                                                        Simply blocking them doesn’t help.

                                                        They can deal with this if they’d like. Blocking those domains helps me because I have never used any such domain Ever.

                                                        1. 1

                                                          Which countries use punycode? I’m certain nobody in Europe does, North and South America use mostly Latin script. Asia and Africa?

                                                          1. 4

                                                            I’ve seen them for French web sites. Sometimes the accent is really important and replacing it with the non-accented version can give a totally different word. DNS without punycode is not even full ASCII, it’s characters a through z, A through Z, digits 0 through 9, and hyphen. Most non-English European languages have characters outside of that range. North and South America includes countries where Spanish, French and Portuguese are spoken, for example, and all of these require characters outside of the DNS set.

                                                            1. 3

                                                              Plenty of websites in Sweden use non-ASCII characters. A lot of Latin script languages need things beyond ASCII.

                                                    2. 7

                                                      I would heartily say that you’re a fool if you think Meta/Facebook cares about your privacy in any way. I mean, really?

                                                      And naturally, I would expect this sort of poison coming from a company whose roots were a “Harvard rate women hot or not” website.

                                                      Key anti-privacy highlights:

                                                      In 2014, Facebook faced criticism for conducting psychological tests on 70,000 unconsenting participants in 2012, removing certain words from users’ newsfeeds to test how that affected their reactions to posts.

                                                      Then came 2018, when news of the Cambridge Analytica scandal broke and revealed that the data-analytics firm improperly harvested data from tens of millions of Facebook users for ad targeting during the 2016 election.

                                                      2018 also marked one of the darkest moments in Facebook’s history, as reports revealed that the social network was used to incite genocide against the Muslim Rohingya minority in Myanmar by the country’s military officials.

                                                      In 2019, the FTC fined Facebook $5 billion over violations of user privacy, which was a record-breaking fine for a tech company.

                                                      In November 2019, over 4,000 pages of internal Facebook documents were released from a lawsuit by an app developer. The documents revealed how the company cut off developer access to data, planned to track locations of Android users, and considered charging developers for access to user data, among other things.

                                                      1. 7

                                                        Meta cares about their privacy. The bug in Cambridge Analytica was that they got Meta’s targeting data without paying full price for it. Meta is happy to extend privacy in order to protect their data hoard from other companies. They just don’t want you to be able to hide from them.

                                                        1. 3

                                                          Yeah, it’s pretty telling that this whole post is about securing a platform that Meta uses internally. They do mention private contact discovery towards the end at least, which to me is an obvious natural application of this technology. (At least I think they do, the word “client” in the bullet point is a little ambiguous…)

                                                      2. 5

                                                        I’m more of a Matrix fan myself. Works well, interop with all matrix servers, and is fediverse.

                                                        IRC’s kind of long in the tooth. I would have enjoyed actually extending the protocol for things like federation, conversation logs, and other features that we now expect.

                                                        1. 3

                                                          I don’t believe Matrix & the Fediverse are related other than being federated. Matrix’s chat resilience copying the entire chat history (+ attachments, edits, etc.) of all rooms and DMs from all of its users is often seen as a negative. Not only does the data duplication use a lot of data on servers, but holding onto the entire history will lead some to treat the chat as something asynchronous & not ephemeral, which leads to important details being locked into chat logs instead of forums/mailing lists.

                                                          If you need more features, XMPP MUCs more than cover the gap while also consuming considerably less resources. Most MUCs are configured to give you just the last 20 messages & that’s about perfect for getting the topic & being able to jump in without needing to hold onto the entire history or assume everyone should/needs to see it.

                                                          1. 1

                                                            IRC has always supported federation.

                                                            1. 2

                                                              s/always/never ftfy

                                                              IRC supports a distributed system so long as all nodes trust each other. Federation was invented to solve that need for trust, but IRC never adopted the concept, choosing to shard into various silo’d “networks” instead

                                                              1. 1

                                                                There is no such binary distinction. When would you say email “adopted the concept” of federation?

                                                                1. 2

                                                                  When email addresses stopped containing routing info and became just user@server

                                                                  1. 1

                                                                    That is quite orthogonal to the question of trust between nodes. IRC usernames don’t contain routing info either?

                                                                    1. 2

                                                                      Right, the main issue with IRC is lack of namespacing. The usernames and channels names need to be globally unique and so the nodes need to trust each other to respect that etc

                                                                      1. 1

                                                                        That trust requirement exists in ActivityPub as well. I don’t think there’s any mechanism to prevent a node from misrepresenting names or content from other nodes, even if the names have an @ in them.

                                                                        1. 3

                                                                          An AP node can’t post content from anyone but itself/its own users usually. If you allow extensions to this then you lose the benefits of federation for sure

                                                                          1. 1

                                                                            What do you mean “post”? Most AP users log into a node and expect to see content from other nodes in their feed, served by the node they log into.

                                                                            1. 1

                                                                              Oh, you mean you have to trust your own server to not lie to you? Sure.

                                                                              1. 1

                                                                                So how is that any different from IRC?

                                                                                1. 1

                                                                                  IRC the servers have to trust each other

                                                                                  1. 1

                                                                                    That is a meaningless statement. They have to trust each other to do what? And what can a malicious IRC server do that is so different from what a malicious AP server can do?

                                                                                    AP servers still have to trust each other to faithfully relay content between their users and other servers. A malicious server can misrepresent what I posted on my server to its users, or misrepresent posts from its users in what it sends to other servers. It can do the same for usernames of course. I don’t see why you think this is substantially different from IRC.

                                                                                    1. 1

                                                                                      Any IRC server in the network can send a message claiming it is from any possible user in the network and everyone on every other server has no way to verify if this true or not. So if you allowed me to stand up my own IRC server as part of the network, I could impersonate every single other user. This is why no network allows me to do this

                                                                                      1. 1

                                                                                        I see, thanks for clarifying. That explains why some people say IRC has “closed federation” while ActivityPub has “open federation.” But in practice, AP relays still do some vetting before allowing an instance, and the varied use of relays means the AP ecosystem still consists of disjoint shards/silos, like IRC.

                                                                                        AP servers must trust each other not to flood users’ feeds with spam, and if they do this it is easily detected and the offending server blocked. For IRC, user impersonations by a malicious server are also detectable by the user being impersonated, or by admins who can also identify the offending server.

                                                                                        Malicious IRC servers have more ways to undermine the service than malicious AP servers, but it’s a matter of degree, and AP/Matrix don’t get to claim the word “federation” for their particular approach to it.

                                                                                        1. 1

                                                                                          Oh for sure, AP relays aren’t part of the federated system in the same way really, they’re some other thing using some parts of the same protocol and much more similar to the IRC distributed-but-sharded nature.

                                                                                          1. 1

                                                                                            But relays are the main way AP nodes form a large scale federation, so without them the ecosystem is even more sharded/siloed/atomized. Besides, if two nodes want to federate directly, the vetting still happens, so my point still applies.

                                                                                            1. 1

                                                                                              Normal AP federation uses a following/follower model and you get the content you follow. No siloing, global federation. Relays exist, as far as I understand, to power features which break this model and show content from people you don’t follow.

                                                                                              1. 1

                                                                                                That makes sense, I totally overlooked that. I wonder how it works with Matrix.

                                                          2. 2

                                                            Back in 2014, I made a facial recognition suite. Was able to do CPU-only realtime recog 1280x720@15fps per core.

                                                            I could do webcams, IPCams, saved videos, and directories of pictures.

                                                            I initially set up this at a local maker convention to count how many uniques. I did so by using a facial hash, and then storing the hashes in a csv. At the end, I did a count of how many unique rows, and purged the face-hash data.

                                                            Naturally, this has some very stark and hard results if improperly used. So I un-open-sourced it.

                                                            https://hackaday.com/2015/03/04/face-recognition-for-your-next-con/

                                                              1. 3

                                                                TBH, putting your mastodon profile in the “homepage” field DOES qualify for verification with respect to Lobste.rs

                                                                Proof: https://infosec.exchange/@crankylinuxuser (I just did it minutes ago!)
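Mastodon’s link verification works by fetching the URL in a profile field and looking for an element on that page that links back to the profile with rel="me"; the comment above says a Lobste.rs homepage link satisfies that. The following is an added example of the check itself, not code from Lobste.rs or Mastodon. The sample pages are constructed, and the URL-normalization rules (case-insensitive host, optional trailing slash) are my assumption; Mastodon’s own matching may differ in detail.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize(url):
    """Canonical form for comparing profile URLs: lower-case scheme and host,
    no trailing slash, no fragment. Path case is kept (usernames may be case-sensitive).
    These rules are an assumption for this example, not Mastodon's exact algorithm."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


class RelMeParser(HTMLParser):
    """Collect hrefs of <a> and <link> elements whose rel token list contains 'me'."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()  # rel is a space-separated token list
        if "me" in rel and a.get("href"):
            self.links.append(a["href"])


def rel_me_links(page_html):
    p = RelMeParser()
    p.feed(page_html)
    p.close()
    return p.links


def verifies(page_html, profile_url):
    """True if the page links back to profile_url with rel="me"."""
    target = normalize(profile_url)
    return any(normalize(h) == target for h in rel_me_links(page_html))


# Constructed stand-ins for a user page; not fetched from the real site.
GOOD_PAGE = """<html><body>
<div class="user">Homepage:
  <a rel="me nofollow" href="https://infosec.exchange/@crankylinuxuser/">infosec.exchange/@crankylinuxuser</a>
</div></body></html>"""

NO_RELME_PAGE = """<html><body>
<a href="https://infosec.exchange/@crankylinuxuser">profile</a>
</body></html>"""

if __name__ == "__main__":
    print(verifies(GOOD_PAGE, "https://infosec.exchange/@crankylinuxuser"))      # True
    print(verifies(NO_RELME_PAGE, "https://infosec.exchange/@crankylinuxuser"))  # False
```

The real check runs against a page fetched over HTTPS, so the trust it establishes is only as good as the TLS origin of the homepage: a plain link without rel="me" (the second sample) proves nothing, which is why the attribute, not the mere presence of the URL, is what gets tested.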

                                                              2. 2

                                                                I wonder if we’re approaching this incorrectly.

                                                                It would seem that it’d be easier to have the client do this and do the check, rather than offload it to the server.

                                                                And that project is here: https://github.com/ffmpegwasm/ffmpeg.wasm

                                                                I believe there are WebAssembly Linux images to run a single command like FFmpeg. Seems like those disk images could be cached, and used client side to do the thing.

                                                                The storage is still used on the server side, but now with no extra CPU/RAM load on conversions.

                                                                And I know more than a few admins use AWS S3 as a media content backing store.

                                                                1. 4

                                                                  I wish that the fediverse had a PGP-like trust system, where I can specify the trust of a given party to my fediverse instance, and then validate the trust of randoms relative to the explicit trust of parties I do trust. Preferably have the possibility to apply some ranking based on hop distance between me and the rando, and trust level (maybe decrementing as you further remove yourself from the rando). This would/could have a nice effect of reinforcing networks where you’re likely to have “actual contact” with the other parties, which is really what I want in a social network: stuff from people I know, or that the people I know can vouch for.

                                                                  You can have some prioritization of content based on “stuff I like”, a “recommendation engine” sort, if you will, however you decide to implement that, but to me it would be more practical and desirable to have the social prioritization first.
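The comment above sketches a web-of-trust ranking: explicit trust in a few parties, trust in strangers derived from paths through those parties, attenuated per hop. The block below is an added example of that propagation written for this page; it is not code from any fediverse project. The per-hop attenuation factor, the hop limit, the sample network and the sample posts are all constructed assumptions.

```python
# Assumed parameters (not from the comment): per-hop attenuation and a hop limit.
DECAY = 0.5
MAX_HOPS = 3


def trust_scores(graph, me, decay=DECAY, max_hops=MAX_HOPS):
    """Propagate explicit trust outward from `me`.

    graph[u] is a dict {v: t}: u explicitly trusts v at level t in (0, 1].
    A path me -> a -> b -> c scores t(me,a) * t(a,b)*decay * t(b,c)*decay**2,
    so each extra hop both multiplies in the vouching party's trust and
    attenuates. For each reachable account the best path within max_hops wins.
    Returns {account: (score, path)}.
    """
    best = {}
    frontier = {me: (1.0, [me])}  # best path of exactly h hops, per node
    for h in range(max_hops):
        nxt = {}
        for node, (score, path) in frontier.items():
            for peer, t in graph.get(node, {}).items():
                if peer == me or not 0 < t <= 1:
                    continue
                s = score * t * decay ** h
                if s > nxt.get(peer, (0.0, None))[0]:
                    nxt[peer] = (s, path + [peer])
        for peer, (s, path) in nxt.items():
            if s > best.get(peer, (0.0, None))[0]:
                best[peer] = (s, path)
        frontier = nxt
    return best


def rank_feed(posts, scores, floor=0.0):
    """Order posts by the author's trust score; drop authors nobody in the web vouches for."""
    ranked = [(scores[p["author"]][0], p) for p in posts
              if p["author"] in scores and scores[p["author"]][0] > floor]
    ranked.sort(key=lambda sp: -sp[0])
    return [p for _, p in ranked]


# Constructed example network: each value is a trust level that account set explicitly.
GRAPH = {
    "me":    {"alice": 1.0, "bob": 0.6},
    "alice": {"carol": 0.9, "bob": 0.9},
    "bob":   {"dave": 0.8},
    "carol": {"eve": 0.5},
    "eve":   {"mallory": 1.0},
}

# Constructed sample timeline.
POSTS = [
    {"author": "mallory", "text": "buy now"},
    {"author": "eve", "text": "hi"},
    {"author": "alice", "text": "talk slides"},
    {"author": "dave", "text": "new paper"},
]

if __name__ == "__main__":
    scores = trust_scores(GRAPH, "me")
    for who, (s, path) in sorted(scores.items(), key=lambda kv: -kv[1][0]):
        print(f"{who:8} {s:.4f} via {' -> '.join(path)}")
    print([p["author"] for p in rank_feed(POSTS, scores)])
```

With these settings mallory is four hops out and never gets a score, so her post is dropped rather than merely ranked low; raising max_hops admits her at a heavily attenuated 0.007. Note this is a ranking signal, not authentication: for a server to compute it honestly the per-edge trust assertions need to be something it cannot forge, which is the role signatures play in the PGP model the comment alludes to.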

                                                                  1. 2

                                                                    I think Urbit’s ID model goes a long way laying the ground work for this type of thing.

                                                                    I think the federated approach will never work for reasons others describe here (even email and the web broadly are failures that primarily lead to centralized systems).

                                                                    To really solve this requires fixing problems earlier in the stack: https://zalberico.com/essay/2022/09/28/tlon-urbit-computing-freedom.html

                                                                    1. 12

                                                                      Unfortunately, Urbit has moldbug’s neofeudalism at its core, baked in the design of the protocol and language. And artificial choices like 2**32 systems (or whatever its nomenclature), choices of language to obfuscate ideas, and leadership - all of these show me the original designer’s “ideals” are inherent in that design.

                                                                      I’ll pass on that.

                                                                      1. 1

                                                                        It’s worth a deeper look imo.

                                                                        I don’t align with the politics of the founder, but the reasons for the system design are independent of that (and I think correct).

                                                                        Smart people tend to prematurely undervalue things when they dismiss them for unrelated reasons - I think that’s largely the case here.

                                                                        1. 8

                                                                          I was careful in how I said my response.

                                                                          If it was just because the founder was present, it’s one thing. He’s no longer there. However, the ideals of neo-feudalism apply at all levels of Urbit, specifically around “land ownership”, “disowning users on your land”, and the like.

                                                                          The system forces a hierarchy where one shouldn’t necessarily exist. Instead, it forces it on everyone, in the way feudalism did so in history. That inherent design choice is what I wholly reject.

                                                                          And all the language inherent to Urbit also serves to cover and distract from these core choices. And along with distracting, it also does a good job of making sure that ideas in that system are effectively land-locked in understanding their way of things, without a good translation.

                                                                          As a corollary, Lobsters also has a feudalist-like invitation system. However, one above you cannot “disown” you or otherwise control you (unlike urbit), destroying your account. And I’d think that @jcs and other sysops here would also frown pretty greatly if I started selling invites here.

                                                                          (Edit: as an aside, Mastodon and the fediverse is different. Sure, we’re running on someone else’s server. And they can boot us. However, I can move elsewhere, no longer under the influence of admins I don’t like. Or I can make my own. There’s no way to make your own “urbit” - it doesn’t federate, and it’s owned by someone who can deplatform you for no reason.)

                                                                          1. 2

                                                                            The land metaphor doesn’t matter - it’s the IDs that enable moderation to actually be possible at the user level and it’s the mild scarcity of these IDs (4 billion initially) and cheap, but non-zero cost that prevent the spam problems that cause things to recentralize.

                                                                            Federated systems are worse about this - a handful of servers end up being actually feudalistic and capriciously enforce rules (see: https://twitter.com/LefterisJP/status/1593934653114785793?s=20&t=Pp1ZI6q-UstZEOwCksReyA). It will always be a handful of servers because these systems don’t solve the root problems that cause recentralization (spam, linux sysadmin complexity, true p2p). You end up in a worst of both worlds situation: a crappier experience than good centralized systems, but with even worse security. It doesn’t solve any of the problems it sets out to at scale due to incentives that lead to recentralization.

                                                                            On Urbit there’s no distinction between user and ‘server’ so this doesn’t happen. The hierarchy only serves to route traffic updates to prevent version mismatch problems that plague federation (they’re more like ISP routers) as well as the ability to do public key lookups for setting up p2p connections between users. You could also just run urbits outside the hierarchy entirely if you wanted to for some reason and there’s a large number of traffic routing nodes, so there will be a lot of options along with the ability for users to push back (akin to web users pushing back on ISP routing).

                                                                            The language/OS design is about solving complexity problems that lead to recentralization (which are hard to solve) that’s why separating the kernel from the OS it’s running on is important (and having it be a functional event log is important) - everything stems from that core idea.

                                                                      2. 2

                                                                        I’d like to turn that on its head: email is a resounding proof that federation works. Same goes for the web. True, email and the web at large have largely coalesced into a handful of ginormous players. That being said, you still can send email to those even if you’re outside that oligopoly under very specific conditions. Within that oligopoly, it mostly works. I think for email and the web the problem is more the ease of access (or lack thereof) for the layperson. It has not been a commercial focus to make it easy for Everyone To Host Their Own Crap because I don’t think there is a whole lot of money to be made in it (relative to the costs of supporting Everybody).

                                                                        1. 4

                                                                          It “technically” works, but it failed to achieve its goals (of the 90s cypherpunks anyway). My argument is that fixing the underlying system design could fix the incentives that lead everything to centralization, but it won’t happen via federation and it (likely) won’t happen with the existing tools.

                                                                          1. 3

                                                                            email is a resounding proof that federation works.

                                                                            I can’t even apply for a hCaptcha accessibility cookie using Yandex because I need to “use a real email address”. Handling the unstoppable deluge of spam email addresses (both servers and compromised accounts) is an entire industry. Gmail drops inbound and outbound mail effectively randomly. Email is an abject failure, which is why in developing countries most communication is done over centralised social media, be it WhatsApp, Facebook or their local thing. We only use email because it was good enough as the only option, and reliance on it ballooned.

                                                                      3. 3

                                                                        HTML email is a result of network effect, and a world dominated by just one or two companies doing email (Microsoft and Google). There are technical solutions, like making the URL/link visible in the HTML email or using the MTAs’ computing resources to map the URL against a whitelist etc., but largely the problem is pushed onto the end users, who are then left to defend themselves.

                                                                        And a rant: Incompetent CISOs also benefit immensely from this garbage, since they can run those “got phished” campaigns every quarter and generate useless reports for the management only to justify their existence.
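The comment above names two mail-side defences against HTML phishing: make the real link target visible next to the anchor text, and have the MTA compare link hosts against an allowlist. The block below is an added example of both, written for this page rather than taken from any mail system. The allowlist, the sample message and the flag names are constructed; the display-text-versus-href comparison is the classic check for a link whose visible text shows one host while its href goes to another.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist of domains the organisation is willing to link to.
ALLOWLIST = {"example.com", "github.com"}

# Display text that looks like a URL or bare hostname (so the reader will believe it).
HOSTLIKE = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none (mailto:, javascript:, ...)."""
    return urlsplit(url).hostname or ""


def host_allowed(host, allowlist):
    # Exact match or a subdomain; 'github.com.evil.test' must NOT pass.
    return any(host == d or host.endswith("." + d) for d in allowlist)


def classify(href, text, allowlist=ALLOWLIST):
    """Return the reasons a link deserves attention (empty list = looks fine)."""
    flags = []
    scheme = urlsplit(href).scheme.lower()
    if scheme not in ("http", "https", "mailto"):
        return ["scheme:" + (scheme or "none")]  # javascript:, data:, relative, ...
    if scheme == "mailto":
        return flags
    host = host_of(href)
    if not host_allowed(host, allowlist):
        flags.append("host-not-allowlisted:" + host)
    if HOSTLIKE.match(text):  # the text claims a destination: does it match the href?
        shown = host_of(text if "://" in text else "http://" + text)
        if shown and shown != host:
            flags.append(f"display-mismatch:{shown}!={host}")
    return flags


class LinkRewriter(HTMLParser):
    """Re-emit the HTML unchanged except that every <a> gets its real href
    appended as visible text; also record (href, visible text) per anchor."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.out, self.links = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        self.out.append(self.get_starttag_text())
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = html.unescape("".join(self._text)).strip()
            self.links.append((self._href, text))
            self.out.append(" &lt;" + html.escape(self._href) + "&gt;")
            self._href = None
        self.out.append(f"</{tag}>")

    def _data(self, s):
        self.out.append(s)
        if self._href is not None:
            self._text.append(s)

    def handle_data(self, data):
        self._data(data)

    def handle_entityref(self, name):
        self._data(f"&{name};")

    def handle_charref(self, name):
        self._data(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def inspect_email(raw_html, allowlist=ALLOWLIST):
    """Parse once; return (rewritten HTML with visible hrefs, per-link findings)."""
    p = LinkRewriter()
    p.feed(raw_html)
    p.close()
    findings = [{"href": h, "text": t, "flags": classify(h, t, allowlist)} for h, t in p.links]
    return "".join(p.out), findings


# Constructed sample message; not a real mail.
SAMPLE = """<p>Hello,</p>
<p>Please <a href="http://login.example.com.evil.test/reset">https://example.com/reset</a> your password.</p>
<p>Docs: <a href="https://github.com/lobsters/lobsters">Lobsters on GitHub</a> &amp; more</p>
<p><a href="javascript:alert(1)">click</a></p>"""

if __name__ == "__main__":
    rewritten, findings = inspect_email(SAMPLE)
    for f in findings:
        print(f["href"], "->", f["flags"] or "ok")
    print(rewritten)
```

The first link in the sample trips both checks: its host is a lookalike that merely starts with an allowlisted name, and its visible text claims a different host than the href. The allowlist test deliberately anchors on a leading dot so that prefix lookalikes fail while real subdomains pass. Rewriting happens on the parsed stream, so entities and unrelated markup survive intact and only anchor text gains the appended destination.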

                                                                        1. 1

                                                                          My metric is any company where the CTO does a self-phishing expedition you know that they don’t have enough real work and they should be laid off.

                                                                          1. 1

                                                                            Selling services to the US federal government under “FedRAMP” requires companies to run these campaigns at regular intervals.

                                                                            1. 2

                                                                              If you are talking about the “awareness and training” control [1], then it can be satisfied by exactly that - training. Though I can imagine using the self-phishing campaigns…

                                                                              [1] NIST SP 800-53: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

                                                                        2. 6

                                                                          This article about Cloudflare blocking is 1.5d old… But now DDoS Guard has also booted them off. Yes DDoSGuard is the same company that hosts repacker and major piracy sites… And KF was too unpalatable for even them.

                                                                          KF now ONLY has an onion site, which is easy to DDoS. And to that I say: good riddance.

                                                                          Edit: hey @pushcx you might want to bring this higher here, lest we see another post/flamewar.

                                                                          Citation - https://twitter.com/ylitvinenko/status/1566762518093119489 - DDoS Guard came out with official response. ToS violations.

                                                                          1. 1

                                                                            I use Twitter a lot, so I use “Bot Sentinel”. It’s a general “user quality measurement” to get an idea if you’re being baited in a convo or not.