1. 3

    heh i’m seeing this posted everywhere!

    even the work chat!

    1. 2

      You mean to tell me you don’t feel nostalgia over this and don’t want to share it with everyone?

      1. 2

        heh that’s not quite what I said, but fair point!

    1. 1

      The tilde.json example for protocol.club leads to a 404, classy!

      1. 1

        too real… but try explaining that to the marketing departments…

        1. 2

          “what do you mean we can’t track our customers’ every move?”

          1. 2

            While I’m not a fan of tracking, the bloated bit of pages was that it loads megabytes of transpiled javascript. Trackers / ads can be done in less code and asynchronously to make for a less bloated web experience where we all “win”.

            1. 1

              heh i wouldn’t call that a “win” but yes there are many better ways to do it.

              1. 1

                I’d call a less bloated Internet a win. Did we win everything? Certainly not, but I don’t believe any of us believe there will ever be a singular motion to absolve all of our qualms with the Internet in one fell swoop.

                1. 1

                  A less bloated spying apparatus is still a spying apparatus. Just one that hides itself better.

                  That’s not a win in any fashion.

                  1. 1

                    Unless I’m mistaken, the article we’re replying to is against a bloated Internet in favor of a more slimmed down version where we aren’t downloading megabytes of data to read a blog.

                    Now with that in mind, this thread was about how we cannot attain this from the perspective of running ads / tracking software. So my proposal is that megabytes of JavaScript is not needed to serve ads / track users, which brings us closer to the win of “a less bloated Internet” where a pivot to handle the finances of websites through ads / user data is not needed.

                    I’m not advocating here that ads or tracking is good, but rather it’s something many sites are using and the current state of the web makes those sites bloated, which this article is wanting to encourage the reduction of. So if we could have those companies provide less bloated scripts, this would be a win for “a less bloated Internet” (and not “a no tracking / ads Internet” that it appears you and ben are considering to be the only way to win here).

                    1. 1

                      Better, and more efficient spying on people isn’t a “win” in any way, shape, or form.

                      1. 1

                        The current state of the Internet is you either lose money hosting a site, you have some paywall / sell content on the site, or you run ads on it to fund the site. So if you want to not charge your users but still find a way to keep the website online, you’re probably using ads (e.g. most of the Internet). What I’m saying is that the path of least resistance to making the Internet faster is to remove the bloat from ads, not to tell everyone to just bleed cash for their sites on principle by removing ads from their sites.

                        If your opinion is that a faster Internet is not a win in any way, shape, or form; I think we’re at an impasse.

                        1. 1

                          You can run ads, without javascript, and without bloat, have a faster internet, and not spy on your users.

                          1. 1

                            Sure, but not all ad companies adhere to that standard of running without javascript/bloat, which is what I was proposing.

                            1. 1

                              Sadly, almost none do. And that’s the problem.

                              I don’t mind ads. I mind remote execution of untrusted code on my machine, that spies on me and tracks me.

                              1. 1

                                I don’t want remote execution of untrusted code on my machine either that spies and/or tracks me. However, that has nothing/little to do with making the Internet less bloated, which is what I was originally discussing in terms of wins/loss.

                                1. 1

                                  Um, not sending 30MB of client-side executable scripts has everything to do with a bloated internet.

                                  1. 2

                                    By remote execution I thought you were referring to remote code execution the security vulnerability, not JavaScript as a whole.

                                    In any case, my argument is that if people stopped transpiling / browserifying client-side projects and just wrote what was needed we wouldn’t be pushing down megabytes of JavaScript down the pipeline, and if this was done it’d be a win for the Internet as it’d be faster / less bloated.

                                    1. 2

                                      Now everything you wrote here, I can agree with :)

              2. 1

                people get paid to do something “that works” as fast and as cheap as possible, not “something that works well”

                1. 1

                  This is not always the case, some companies (mine included) work on making things that work well at the cost of being a bit more premium than the cheaper alternatives and business is still running good for us.

            2. 1

              I gave up on that.

            1. 2

              Also, if you’re looking for Hacktoberfest-related issues on GitHub to make pull requests to, check here.

              1. 1

                lol my gmail was in 9 breaches. good thing i don’t use that anymore!

                1. 1

                  I’m assuming you don’t have that email listed as a recovery email for your other emails and didn’t re-use the password for that email to other services?

                  1. 2

                    correct. password manager too!

                1. 1

                  The problem I have with security tokens is the same as their strength: it cannot be done remotely. That means that no work can be done remotely, which seems to be bad.

                  1. 2

                    what do you mean no work can be done remotely? it totally can. use gpg-agent to provide your ssh key. you can forward your gpg-agent on and use it to sign commits etc on remote machines.

                    1. 1

                      While adding the requirement of having to physically insert or touch a device to a username and password may seem simple, it is something one can not do remotely.

                      1. 1

                        This makes it a highly effective and simple way to greatly limit damage and data theft from remote attackers.

                        1. 1

                          At the same time, though, how do we know that someone is a remote attacker vs. a legitimate user attempting to log in remotely?

                          1. 1

                            when they have the right credentials?

                            1. 1

                              but an attacker can get the credentials. Isn’t that why we’re using security tokens?

                              1. 1

                                the credentials don’t leave your yubikey

                                1. 1

                                  but why is that advantageous? what if you lose the yubikey?

                                  1. 1

                                    if your private key is on disk or even in ram, it’s relatively easy to grab it.

                                    keep a backup on a usb key in a safe somewhere. i broke one and recovered it.

                                    1. 1

                                      The same thing that happens to everyone who goes through life without making any backups, sorrow and lots of heartache when trouble hits.

                      2. 1

                        This is kinda within the sphere of the problems I’ve been working on the security space: manifesto

                      1. 1

                        HTTP 418, never go away

                        1. 3

                          TL;DR: The Internet was shocked to discover that the GPS device we all carry in our pocket was sending our GPS data to a company we know tries to spy on us whenever possible.

                          1. 2

                            is this a surprise to anyone?

                          1. 1

                            Oh my god, I love this! xD

                            1. 1

                              Comment to test out the comment mirror

                              1. 1

                                Reminds me of Enterprise FizzBuzz

                                1. 1

                                  Will this finally be The Year Of The Linux Desktop? :P

                                  1. 3

                                    Every year is the Year of the Linux Desktop!

                                    1. 1

                                      Especially this one!

                                  1. 2

                                    sounds kinda like Bryan Lunduke’s arguments against https, “I can’t view it on netscape navigator, and of course properly setting stuff up is UNTHINKABLE”

                                    1. 2

                                      Right, right, fuck people who are stuck on old systems or have slow satellite internet. It’s not like they’re deserving of any information on the internet, right?

                                      1. 1

                                        Well, the issue isn’t exactly black and white here. There’s also the problem that many ISPs are known to inject other files (e.g. JavaScript files that do some nonsense) into HTTP sites, but are unable to do so with HTTPS. So it’s not just about user security, but also to ensure the delivered site is not tampered with along the way. Also, the web should be secure by default, not the other way around, so while this does hold back the always shrinking population of old/slow systems, this is the best route forward.

                                        The real answer is to push for faster Internet to be available to users, not to hold back the progress of the Internet for the lowest common denominators. Which, is something we might be seeing in the near future: https://www.fcc.gov/document/fcc-authorizes-spacex-provide-broadband-satellite-services

                                        1. 2

                                          The thing is, though, that jan6’s argument against this seems so much like “hurr duh durr go go progress”. I agree, we should focus on pushing for faster Internet to more people and not hold back for the “lowest common denominators”, but at the same time, we shouldn’t completely ignore them for the sake of progress.

                                          Also, I disagree that the web should be secure by default. The web was never meant to go this far. It was originally intended as a way for people at ARPA to connect between computers across the US. The infrastructure should have been designed security first if that was the goal.

                                          1. 1

                                            did you even read comments of the original link?
                                            also @“it wasn’t designed to be secure”…totally agree, but just TRY to get another protocol widely accepted…especially a “designed to be secure” one… the web’s a pretty new place though, it was never meant to be accessible by billions of people either, nor attract the interest of capitalists and need special laws to be created, and such…

                                            1. 1

                                              I did, did you?

                                              One guy stated:

                                              I’ve always found this whole “https everywhere” silly. Even when I had a web site with content on it, I didn’t want to pay for a certificate, and for https hosting, and I had no content deserving of being encrypted end-to-end.

                                              And every response to him was “yes you need HTTPS, everyone needs HTTPS”. one person even linked to a site that was exclusively about why absolutely every site in existence needs HTTPS or else!!!!1!11!(one)!1(eleven)!

                                              1. 1

                                                the easy solution to all of https is to properly use it…
                                                just don’t force-redirect to https
                                                let the browsers default to it, but not by force… maybe show a little banner that says “we have https for you to use” but no rules that redirect http to https… also,

                                                The above statement from Seth is not true. With services like Let’s Encrypt. It is no longer a cash grab and provides people with free certificates with key rotation but I digress.

                                                and

                                                the ISPs themselves can execute man-in-the-middle attacks to:

                                                • insert their own advertising into your site
                                                • collect data on what your readers are viewing, and sell that data to whoever or whatever
                                                • censor/block/rewrite parts of your site

                                                The first two are happening already; the third may be. If you’re cool with that, OK. I certainly wouldn’t be. I completely agree that this is a harsh penalty to impose on sites that are relatively static and simple or sites that are run by groups that don’t have the technical ability to implement https.

                                                HTTPS is a solution – not a good one, I’ll grant, but I don’t think we have a better one.

                                                (also I’ve yet to see a single hosting place that DOESN’T support hosting https)

                                            2. 1

                                              I suppose I should amend my statement to “the modern web should be secure by default”. There’s no way we can un-open the Pandora’s box of people using the web for anything and everything including their kitchen sink. Since everyone is dumping information into it at an ungodly rate, of which includes personal/private information and sensitive information like bank card info, the default should be all this information being secure and encrypted until specified otherwise.

                                              And the only way those without the latest and greatest are being left behind are in services where the vendor doesn’t care, no one has removed HTTP or preventing people from using it, for those who need it it’s there for developers to make light services for. Also, there seems to be new trends in trying to lighten up services anyways with things like this: https://medium.com/@addyosmani/the-cost-of-javascript-in-2018-7d8950fbb5d4 Showing the real-world cost of having sites be bloated and slow.

                                              1. 2

                                                I still disagree with the idea that any web, modern or in general, should be “secure by default”. There’s no real reason to encrypt, say, a page on my thoughts about some drama somewhere that is inconsequential. Will an ISP attach ads? Do I care? It’s just something inconsequential about some drama. If an ISP wants to make money off it so be it.

                                                Also, one thing that rubbed me the wrong way about your previous comment was the implication that the class of people with outdated tech is “always shrinking”:

                                                …while this does hold back the always shrinking population of old/slow systems…

                                                In a system where tech is always advancing, doesn’t it make more sense for the population of old and slow systems to grow, rather than shrink? For example, I have a Motorola Droid Bionic in my room. If something happens to my phone I may have to use it as a daily driver. It’s really slow. Now imagine people who don’t have or can’t get upgraded tech. Do we leave them behind for the sake of the “greater good”?

                                                1. 1

                                                  What I meant by an always shrinking of slow/old systems is systems right now that cannot load sites quickly. While many don’t like to acknowledge it, the Moore’s law is reaching a theoretical plateau with the issue of 10nm being too small to make accurate processors that are faster and continue to shrink in that direction. So even moving forward, all future devices should be able to handle rendering sites quickly, and older/slower systems are always breaking and being replaced (i.e. shrinking in population).

                                                  When I say secure should be the default, I mean that people should assume they’re putting HTTPS into their product rather than adding it later upon realizing that security is important at that layer, not that everyone should blindly follow that idea for sites like a blog.

                                      1. 2

                                        I’m personally a fan of having it on a separate instance. I’d personally like the links instance to be a place to provide links that further the tilde philosophy (see here). I don’t particularly believe that world news fits into that category, especially given the wide range of political views and potential alienation that could lead to drama in the community.

                                        1. 2

                                          That sounds good to me. I didn’t really give this much thought when I set it up. I should definitely have another look at the bbj thread too!

                                        1. 1

                                          Testing comments With

                                          Newlines

                                          wew!

                                          1. 1

                                            Test comment!

                                            New lines testing, wew!

                                            1. 1

                                              Test comment