1. 1

    The interesting fact is that while they didn’t use all the tricks described in the Mozilla bug report, they are looking for tools that could make the JavaScript attacks detectable despite the use of the HTTP cache control.

    1. 1

      Color me skeptical of this author’s view, as he is a mouthpiece for Bain Capital, one of the most predatory vulture capitalist firms in the world.

      1. 1

        Case in point, if they really cared about using an open source license, the AGPL is already there to do exactly what they say they aim to do, while protecting the 4 freedoms.

        1. 1

          I agree with you that they are trying to exploit a vacuum in the Free Software licensing option.

          The fun fact is that they are debating with OSI, which has always been very keen to please corporations. I followed the debate about SSPL on the OSI mailing list and some of their points hold.

          They are trying to force OSI to “stay relevant” in a way that serves their business model, not Free Software.

          On the other hand, the more we move towards a distributed computing system, the more AGPL becomes a weak copyleft like LGPL: linking becomes less and less relevant while the right to self-host applications composed of several programs becomes more important.

          A totally different license that addresses these issues without trying to exploit developers is the Hacking License.

          The fun fact is that people who don’t want to listen to honest attempts to fix these issues will end up supporting venture capitalists who will exploit them.

          1. 1

            I don’t see how the AGPL is weakened, as it appears to be the perfect license to use: All code used by Amazon, for example, to deliver a product using an AGPL’d license would need to be released back to the community. It’s one of the issues that counter dot social is running into right now: They are not in compliance right now with the AGPL, because all of the interconnected code used to deliver the site is not open sourced.

            The problem with the Hacking License, last I knew, was a lack of lawyer review, and it is very confusing and many terms are nebulous in their usage. Perhaps in a few years, with much refinement, it could be a suitable license.

            The problem is orgs like Bain Capital don’t care about free software, or open source, for that matter. They only care that their investments retain value so they can gut it out piecemeal. Them working on a license is enough to make me want to run far, far away, as fast as possible.

            There’s not really a vacuum in the Free Software licensing options. The AGPL suits perfectly in this case.

            1. 1

              With all respect I’m afraid your reading of AGPL is widely extending its reach.

              A provider of AGPL based SaaS doesn’t need to provide sources of all software interconnected with the application.

              The only difference with GPLv3 is that IF the software is used through a network, the sources of THAT specific software (and its modifications) must be provided to the users.

              But if grep was AGPLv3 and used by GMail, Google should only provide users a way to download their modified grep, but nothing more than that.

              To me this limits the social benefit of a gift. To a venture capitalist this reduces their return on investment.

              Obviously, since we start with different concerns, we look for different solutions to the same problem.

              I’m pretty sure no VC would adopt the Hacking License just like I would never adopt the SSPL.

      1. 1

        I agree with the title.

        To me, the rest seem pretty obtuse.
        In 2018 people should be talking of self-hosting, not about paying for web hosting (hosts that are likely to resell cloud services)

        1. 2

          I think paying for web hosting is one step above letting FB control your data.

          Of course, self-hosting is the best position to be in, but not everyone has a stable internet connection or the technical know-how to do that. Although, I would love for both of those to start moving in the right direction, baby steps first.

          1. 2

            there are literally web/ssh/vnc/ftp/etc server apps for android… hosting your own servers is easier than ever… tho stable net is one obstacle, the bigger one is ISPs not allowing incoming traffic…

            1. 1

              It sucks that ISPs have made it so difficult to have a home server - not impossible, just more difficult than it needs to be.

              If there was an iOS/Android app made to turn a phone into a server, that’d be incredible – I’d love to have people dial into my cellphone which hosts a BBS, but alas that’s only a dream.

              1. 1

                dialing part might be a dream, but server part definitely isn’t…tho your server will probably not reach the internet cause dam ISPs deciding so…

          1. 2

            I hope someday that Microsoft will give up on trying to create a working browser, and focus on creating a working operating system.

            1. 2

              I don’t know their strategy, but given WSL, I suspect they will soon give up on trying to create a working operating system.

              1. 2

                “… a buggy set of drivers…” is my hope, but with less “buggy” :)

            1. 1

              I’m pretty impressed.

              I’m considering adding an additional NES mode to my website (after the recently added Dark mode).

              It shows pretty well how creative the web can be with “just” CSS.

              1. 1

                In Plan 9 the default filesystem is pretty different:

                • all programs are bound to /bin
                • / contains several folders dedicated to the various supported architectures
                • $path usually contains just /bin and .
                • /usr is what /home is to Unix

                In Jehanne I moved all architectures to /arch (to reduce name clashes in /) and renamed /bin to /cmd (since several commands are not really binaries).

                This sort of change is usually disregarded as bikeshedding, but since I want to build the simplest possible operating system, it’s important to fix them before the OS is actually used.

                1. 1

                  Impressive!

                  I have no idea about the process one needs to follow to get assigned a TLD.

                  1. 1

                    Either a pull request to the repo, adding your zone file, or an email to ubergeek at yourtilde dot com will do it.

                  1. 2

                    According to the homepage of tilde.team anything that people here learn, try (either with success or not) or hack.

                    1. 2

                      This looks very interesting.

                      DeVault explicitly names operating systems as a target and I have had a lot of annoyance with travis-ci.

                      I will give it a try through the free alpha, but the service seems worth $20 a year.

                      1. 2

                        I really appreciate that it’s all open source and self-hostable as well.

                        I dropped the $20 just to support further development on it.

                        1. 1

                          Yes… and no JavaScript!

                          It really looks like a service designed for hackers.

                          1. 1

                            any ideas on how to submit a form with ctrl+enter without using javascript?

                            task on sr.ht

                      1. 1

                        I’m never going to refer to the site as a “safe space” or ban anyone just for occasionally acting like a jerk in an argument—I’d probably have to ban myself fairly quickly. However, it will also never be described as anything like “an absolute free speech site”.

                        I love this passage.
                        On one hand he acknowledges his own personal responsibility.
                        On the other he calls for dialogue and good sense.

                        A question though: what’s the relationship between the different tildes? I thought I was reading something about tilde.team (and was surprised by the pastel colours :-D ) till I realized that I was on a different domain.

                        1. 2

                          It turns out that the relationship between the tildes.net site and tilde GNU/Linux boxes like tilde.team is mostly coincidental. Deimos wrote about it in an FAQ: https://docs.tildes.net/faq#why-is-the-site-named-tildes

                        1. 1

                          Cool! I didn’t know Phrack has a papers feed.

                            1. 1

                              Not Everyone Should Code

                              Indeed! Everybody should be a hacker!

                              Programming now is what writing was 5000 years ago

                              1. 3

                                I disagree. Just like not everyone should know how to tear down a car engine, and rebuild it, not everyone needs to learn to code.

                                Personally, I think some other skills are more important than coding. ie, starting a fire without matches. Construction of a basic water filtering system. Wood and metal craft. etc etc etc

                                1. 1

                                  The problem is that while water filtering is something you do, a programmer is something you are.

                                  Programming is a fundamental way of expressing one’s freedom.

                                  We don’t see it as such, we see it as a job, just because it is still too primitive in itself (like writing was during Ancient Egypt). But we should work to make programming simpler (not necessarily easier) and teach everybody how to do that.

                                  Think of this: in the very moment the majority of people will be able to hack, proprietary software will stop having an advantage over free software: free software will have most programmers and a competitive advantage over ANY closed source solution.

                                  Even better: imagine a dumb politician facing hacker crews wherever he talks! :-D

                            1. 2

                              I think replacing it with something else is the wrong way of looking at it. We should not encourage any “perceived safe” way of allowing others to execute code on our machine in a drive by fashion.

                              1. 2

                                Totally agree.

                                With Adrian Cochrane (the author of Odisseus Web Browser) and a couple other guys, we are brainstorming on the principles that should drive the design and development of a better web (in no order… sorry):

                                Unfortunately the mastodon ui is not great for brainstorming.

                                The idea is to go back to a JS-free web, with a better designed markup to support cool HyperTexts but not applications.

                                That is, forums but not chats.

                                We are still brainstorming, but you are welcome to join.

                                1. 1

                                  It’s also worth noting that the article does not presume there’s a “safe” way to allow others to execute code on our computers. We really just have to trust the developers.

                                  The suggestions from the article (to sum it up) are basically to 1) make link targets more powerful and 2) allow CSS to be made conditional on the presence of another selector.

                                  I find these suggestions very intriguing and should be more than enough to, say, recreate this site’s interface, though it would be a little heavier on the server. Which could probably be fixed without reintroducing clientside scripting.

                                1. 2

                                  I hacked my own license: https://tildegit.org/murii/ETUL-License

                                  1. 2

                                    Be careful that it lacks a NO WARRANTY disclaimer, and afaik without it you could be sued for damage that one of your users claims the software caused them.

                                    Also, without it, many companies wouldn’t modify your software to avoid the risk.

                                    1. 2

                                      NO WARRANTY disclaimer

                                      Thanks, I’ll add it!

                                      Edit 1: Could you check it out and tell me if it’s alright? Thanks!

                                      1. 2

                                        Well… I’m not a lawyer!

                                        I can’t really say if it’s alright, but I don’t see any serious issue in it.

                                        It seems a simple and permissive license. (which is a good thing)

                                        1. 2

                                          That’s exactly my intention! Thanks!

                                  1. 1

                                    Do I have it correct that if I make a Derived Work the Hackers of the Inspiring Hack have the copyright of my Derived Work???? I personally am really opposed to this…

                                    1. 1

                                      Yes, you share the copyright of your Derived Work with the Hackers of the Inspiring Hack.

                                      Note however that such grant is

                                      • non-exclusive: you can grant it to others too and you still fully hold the copyright over your changes, differently from what happens with CLAs (that this way become less sustainable)
                                      • such upstream hackers need your Hack to use it in any way, so they become Users of your hack and thus such grant terminates if they use it to violate the rights of other users of your Hack (see Conditions, par 6)
                                      • it can be transferred to third parties only with the Hack, its Source or any Derived Work but for no charge.

                                      Maybe the wording is not clear enough? Or you are still opposed to this?

                                      1. 2

                                        Oh, you share it. So could I terminate any copyright the Hackers of the Inspiring Hack have on it?

                                        1. 1

                                          No. But they can lose it by violating the license.

                                          Edit: to be clear, they can lose the rights you share with them, over your own modifications. They cannot lose the rights over the code or contents they created.

                                    1. 2

                                      Not a fan, personally. This is like the GPL, but with a severability and termination clause not very conducive to the 4 software freedoms.

                                      1. 1

                                        Actually it’s intended to be an AGPLv3 on steroids, but designed so that

                                        • you can profit from the Hack but not from rights over such Hack (since I think such rights should be automatically granted to everybody)
                                        • all users share such rights (independently of how they interact with the Hack)
                                        • it forces corporations to share wrappers with a compatible license
                                        • it moves trust from the License’s author (me or FSF for the AGPL) to the Hackers who created the Hack, removing the need to use an “or later version”

                                        It has a strong and definitive termination because I don’t want to let corporations use their power to get their sins fixed.

                                        not very conducive to the 4 software freedoms

                                        I’d really like if you could elaborate. What do you mean?

                                        1. 1

                                          Well, the 4 software freedoms, as defined by the FSF are:

                                          • The freedom to run the program as you wish, for any purpose (freedom 0).
                                          • The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
                                          • The freedom to redistribute copies so you can help others (freedom 2).
                                          • The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

                                          I “feel” (No legal theory) that the severability clause precludes #0.

                                          1. 1

                                            5. Severability

                                            The invalidity or unenforceability of any provision of this License does not affect the validity or enforceability of the remainder of this License. Such provision is to be reformed to the minimum extent necessary to make it valid and enforceable.

                                            Mind to elaborate?
                                            Maybe a language barrier, but I don’t understand what you mean.

                                        2. 1

                                          To be honest, I don’t like it heaps either, but I can see where it would be used. Personally I license most of my projects under the MIT License.

                                          1. 1

                                            Personally I license most of my projects under the MIT License.

                                            Which is totally fine!
                                            I’m not against permissive licenses: they are even defined as compatible for wrappers in the Hacking License.

                                            But may I ask what you don’t like about it?
                                            Are you against copyleft in general? Or maybe against AGPLv3 reach?
                                            Or is it just something related to this licence?

                                            I really appreciate feedbacks.

                                            1. 2

                                              I’m not against the idea of copyleft, I’m just against some of the extremes a license goes to. I’d prefer a permissive license over copyleft for a personal project, however copyleft over closed-source; copyright. The GPL and AGPL are a bit too extreme for me - the LGPL is ok. It’s just my opinion - nothing to do with your license. Your license is great for its intention.

                                        1. 1

                                          This is one of my favourite reads!

                                          1. 2

                                            Yet another reason that js is Bad.

                                            Javascript is a security hole by design.

                                            I suppose the issue here is that it’s not a problem that affects just firefox.

                                            1. 1

                                              AFAIK it affects all browsers from WHATWG’s members, but in slightly different ways, depending on implementation details.

                                              Firefox was just the one I thought was more interested in protecting users. But I was wrong, they prefer to build safety ports that everyone can admire without giving a shit about the missing walls in their house.

                                              Anyway, I know JS pretty well as my daily job is mostly developing web applications with it (and looking for workarounds to weird bugs in JS frameworks).

                                              JavaScript sucks in many ways.
                                              WebAssembly can make it even worse.

                                              But these are browser problems: had they used Rust instead of JS it would have been exactly the same.

                                            1. 2

                                              So the gist of it is that you brought a flaw in the design of the internet up as a bug on a browser that implements the flawed design? That’s what I read from this.

                                              1. 1

                                                Well, to be precise these bugs are in the design of a Web protocol (HTTP) and a Web standard (JavaScript).
                                                The Internet (which is way more than the Web) is fine.

                                                Anyway yes, I opened a bug report to Firefox as suggested by a Mozilla developer.

                                                Mozilla (like Google, Microsoft and Apple) is a founding member of WHATWG, they write these Living Standards, so they are responsible for those bugs.

                                                Also, be it standard or not, if the users of your application can have their firewalls bypassed through it, it’s your fault.

                                                And it’s your responsibility to inform the users of the risks you are exposing them to.

                                                Stating that it’s a problem in the standards (that you wrote), without informing them is not what I expected from Mozilla.
                                                This is particularly weird because the fixes are technically easy to implement for a browser vendor and AFAIK there is no line in the WHATWG standard imposing Javascript to be opt-out instead of opt-in.
                                                So to be even more precise only the HTTP cache control usage I described is a problem in the standards: the JS issue is more a hole in the standard.

                                                Indeed that’s why I started informing Mozilla of the attacks in the first place. To fix the Living Standards that follow the implementations you need to fix an implementation first.

                                              1. 1

                                                How did you get here, why were you banned, who the f* are you anyway?

                                                1. 3

                                                  I was invited by @ben.

                                                  Basically I asked several times to members of Mozilla Security if their users were vulnerable to a wide class of attacks I described in a bug report (and have been then proved with 2 exploits).
                                                  For the full story you should read the article, but you can find here a short summary.

                                                  My name is Giacomo Tesio, I’m a father, a husband and a programmer.
                                                  I’m from Italy. I am a hacker too. Actually I’m also many other things… it’s a bit complex to answer the last question properly.
                                                  On tilde.team you can find me as giacomo.