aplorbust's comments

aplorbust | 4 years ago | on: Amazon US customers given one week to opt out of mass wireless sharing

"Why would I want an Alexa app installed to potentially repurpose my phone?"

You wouldn't. However if you were ambivalent and did not care one way or the other, or unaware of the change, then of course you would not bother to opt-out. This is no doubt Amazon's strategy. And when you opt-out you are forced to install an app that may well have worse consequences than Sidewalk.

This strategy, so often used by "tech" companies, seems to take inspiration from direct mail.1 I have a well-educated friend who, many years ago, found himself working for a direct mail company early in his career. He did not stay long. The people he worked for sounded like dregs, and I think he had a crisis of conscience. Today, ethical standards seem to have fallen. Interesting how the word "hustle", as in "side hustle", has been repurposed by young people as something supposedly respectable. Usually that word implies some sort of con or other underhanded activity.2

1. https://en.wikipedia.org/wiki/Direct_mail

2. echo -e 'DEFINE all hustle\nQUIT\n'|nc -vvn 199.48.130.6 2628|tr -cd '\12\40-\176'|less

aplorbust | 4 years ago | on: YouTube-dl can no longer download age-restricted videos

1. They have betrayed user trust in the past and continue to do so.

2. They have been sued by the FTC, paid millions in settlements, and failed to prove that they did not break the law.

3. They are currently being sued by the DOJ and many state attorneys general.

4. They have made numerous settlements in private privacy-related litigation as opposed to proving they were not liable, despite having enormous cash reserves available for legal costs.

If someone were to suspect Google was "probably" breaking the law, this does not seem like an unreasonable suspicion.

aplorbust | 4 years ago | on: Amazon US customers given one week to opt out of mass wireless sharing

Do the parents understand that spying on people is how the industry makes money? Surely, "the industry" would not spy on people without a "business" reason. There seems to be a belief by every participant in "the industry" that they must learn things about users and they should not always have to ask permission to gather such information.

Sometimes people on HN try to analogise to something like a retail industry where a customer can be observed through their purchases. However there is a major difference. The purchase. That is the ultimate goal of the retailer attained. A purchase. The retail business is not some honeypot to gather information on people. It is trying to make sales. Users of "free" internet-connected products and services generally do not make purchases from the provider of those products/services. They are not fulfilling the goal of the business: to make money. Thus, the company must find paying customers somewhere else.

Particularly amusing is the oft-used "justification" of [we spy on you] "to make our ["free"] products and services better." Sometimes participants in "the industry" suggest they are trying to make products and services better for users. Other times it is less clear exactly who the improvements are (purportedly) intended to benefit. Of course the ultimate goal, because this "industry" of spying is considered by them as a "business", is to make things better for paying customers. If they fail to collect information from users, they do not make money and the "business" fails. Even non-profits supported by deals with advertising companies feel compelled to conduct "telemetry". Not learning about users is deemed unacceptable.

"Spy or die".

aplorbust | 8 years ago | on: RFC 7858: DNS over TLS (2016)

Not sure. However, there are various endpoints offering a "dns looking glass" service that allow pipelined HTTP/1.1 queries.1

With this "DNS over HTTPS", given a page of HTML containing pointers to various domains, using a simple script one can filter out all the domain names it contains, format them into HTTP requests, send them to the "dns-lg" endpoint over a single connection, parse the response and append the answers to /etc/hosts or a local authoritative zonefile. Then one can browse the page, including following any remote URLs, without having to do any DNS lookups.

1 For example,

https://dns.google.com/resolve?name=example.com.

http://stat.ripe.net/data/dns-chain/data.json?resource=examp...

http://dns-lg.sidnlabs.nl/example.com/A?tcp=1
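
The pipeline described in the comment above, written out as an added Python example (it is not the commenter's script). It extracts hostnames from a page, serialises one pipelined GET per name for the dns.google.com /resolve endpoint cited in the footnote, frames the back-to-back replies on the single connection, and turns each JSON answer into an /etc/hosts line. The HTML and the JSON replies are constructed here so the code runs offline; opening the TLS connection, writing the request bytes and reading the reply are left to the caller. The JSON field names (Status, Question, Answer, name/type/TTL/data) are those the Google endpoint returns; the addresses and hostnames in the sample data are invented.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _HostCollector(HTMLParser):
    """Collect every hostname referenced from href/src/action attributes."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                host = urlsplit(value.strip()).hostname
                if host and "." in host:          # drops relative URLs, mailto:, javascript:
                    self.hosts.add(host.lower().rstrip("."))


def extract_hostnames(html):
    parser = _HostCollector()
    parser.feed(html)
    return sorted(parser.hosts)


def build_pipelined_requests(hostnames, lg_host="dns.google.com",
                             path="/resolve?name={name}.&type=A"):
    """Serialise one GET per hostname, back to back, for a single HTTP/1.1
    connection: the client writes all of them before reading any reply
    (pipelining). Only the last request asks the server to close."""
    out = []
    for i, name in enumerate(hostnames):
        conn = "close" if i == len(hostnames) - 1 else "keep-alive"
        out.append("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: %s\r\n\r\n"
                   % (path.format(name=name), lg_host, conn))
    return "".join(out).encode("ascii")


def split_pipelined_responses(raw):
    """Frame the back-to-back replies using Content-Length. Replies arrive in
    request order. A chunked reply would need a chunk decoder; this framing
    stops at the first reply it cannot frame rather than guessing."""
    bodies = []
    pos = 0
    while pos < len(raw):
        hdr_end = raw.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            break
        length = None
        for line in raw[pos:hdr_end].decode("iso-8859-1").split("\r\n")[1:]:
            key, _, value = line.partition(":")
            if key.strip().lower() == "content-length":
                length = int(value.strip())
        if length is None:
            break
        body_start = hdr_end + 4
        bodies.append(raw[body_start:body_start + length])
        pos = body_start + length
    return bodies


def answers_to_hosts_lines(body):
    """One /resolve JSON body -> /etc/hosts lines. Status 0 is NOERROR, RR
    type 1 is A. The address is pinned to the queried name, not to the CNAME
    target that may own the A record, because the queried name is what the
    browser will look up."""
    doc = json.loads(body)
    if doc.get("Status") != 0 or not doc.get("Question"):
        return []
    qname = doc["Question"][0]["name"].rstrip(".").lower()
    return ["%s %s" % (rr["data"], qname)
            for rr in doc.get("Answer", []) if rr.get("type") == 1]


def _http_response(body):
    """Constructed looking-glass reply, used only to exercise the framing."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body


# Constructed page and constructed replies (invented names and addresses).
SAMPLE_HTML = ('<a href="https://example.com/">home</a>'
               '<img src="//cdn.example.net/logo.png">'
               '<script src="/local.js"></script>'
               '<a href="mailto:someone@example.org">mail</a>')
SAMPLE_REPLIES = {
    "cdn.example.net": b'{"Status":0,"Question":[{"name":"cdn.example.net.","type":1}],'
                       b'"Answer":[{"name":"cdn.example.net.","type":5,"TTL":300,"data":"edge.example.net."},'
                       b'{"name":"edge.example.net.","type":1,"TTL":60,"data":"203.0.113.7"}]}',
    "example.com": b'{"Status":0,"Question":[{"name":"example.com.","type":1}],'
                   b'"Answer":[{"name":"example.com.","type":1,"TTL":86400,"data":"93.184.216.34"}]}',
}


def demo():
    """Run the whole pipeline on the constructed data; return (names, request bytes, hosts lines)."""
    names = extract_hostnames(SAMPLE_HTML)
    requests = build_pipelined_requests(names)
    raw = b"".join(_http_response(SAMPLE_REPLIES[n]) for n in names)
    lines = []
    for body in split_pipelined_responses(raw):
        lines.extend(answers_to_hosts_lines(body))
    return names, requests, lines


if __name__ == "__main__":
    names, requests, lines = demo()
    print(requests.decode("ascii"))
    print("\n".join(lines))
```

Two things to keep in mind when using this for real: the looking-glass operator now sees every name the page references, so the trust has moved from the ISP to that operator rather than disappeared; and entries appended to /etc/hosts never expire, so the TTLs in the replies are ignored and the pinned addresses go stale silently.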

aplorbust | 8 years ago | on: How to keep your ISP’s nose out of your browser history with encrypted DNS

"... a MITM can simply reset the connection until the client retries with SNI."

That doesn't happen when I fetch https://example.com without sending a servername in ClientHello.

For the majority of TLS-enabled websites on the internet, that does not happen. I get the page content just fine without sending a servername in ClientHello.

But I should send the servername in ClientHello anyway?

This reasoning I am too stupid to understand.

aplorbust | 8 years ago | on: How to keep your ISP’s nose out of your browser history with encrypted DNS

"They don't reply "hostname not found", or "nope, no such host", or anything similar..."

"hostname not found" was meant to be a general term for failure due to not sending the correct servername when it is required, not a specific protocol error. I apologise for not being more precise. What happens with the non-SNI clients I use in the rare case when absence of a correct servername is fatal is that the connection fails. (Most times a correct servername, let alone any servername, is not required1 and the connection succeeds. That's the point of the original comment: in a majority of cases, it's possible to get the page content without using SNI.)

1 As in the case of example.com, for example.

However, I use a local forward proxy for TLS-enabled websites. The proxy returns HTTP 503 error when the connection fails due to SNI. Thus, I do get a consistent "server response" when this happens, albeit not from the remote server.

aplorbust | 8 years ago | on: How to keep your ISP’s nose out of your browser history with encrypted DNS

"There is no way to detect the ability to avoid SNI..."

Assuming one is using an SNI-enabled browser.

I don't use an SNI-enabled browser to make the first encrypted HTTP request.

In fact I didn't even say I was using a "browser". I said "https client".

For example, one can use an https client that has SNI disabled or which has no SNI code at all, or one can send any string as the servername in ClientHello.1 If the server responds with hostname not found, then retry using SNI and the desired hostname. IME, most TLS-enabled websites do not require SNI.

1 exec printf 'GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n'|exec openssl s_client -tls1_2 -no_ssl2 -no_ssl3 -ign_eof -connect 93.184.216.34:443 -servername SNI_NOT_REQUIRED

aplorbust | 8 years ago | on: How to keep your ISP’s nose out of your browser history with encrypted DNS

Not all TLS-enabled websites require SNI. I customised an https client so I don't use SNI unless a website requires it.

With all due respect, 100% adoption of SNI seems like some sort of popular myth among certain web forum commenters.

Perhaps we should do a survey of all websites found on HN on a given day and publish it. I would bet that the majority do not require SNI.

aplorbust | 8 years ago | on: List of command line tools for manipulating CSV, XML, HTML, JSON, INI, etc.

Anecdote: I frequently use kdb+ for small tasks. For me, it's in the "all-purpose" category. The limitations are only in the ability I have to use it.

For example, removing nonconsecutive, duplicate lines from a file, such as a CSV file:

   exec echo "k).Q.fs[l:0::\`:$1];l:?:l;\`:$1 0:l"|exec q >&2;
where Q.fs is a function in a script that's bundled with the interpreter; the chunk size for reading the file into memory is adjustable by editing the function.

aplorbust | 8 years ago | on: Redesigning the Scientific Paper

"... the skill most in demand among physicists, biologists, chemists, geologists, even anthropologists and research psychologists, is facility with programming languages and "data science" packages."

If I wanted to prove to someone this statement was true, what would be the most effective way to do that?

Is author basing this conclusion on job postings somewhere?

Has he interviewed anyone working in these fields?

Has he worked in a lab or for a company doing R&D?

How does he know?

What evidence (cf. media hype) could I cite in order to convince someone he is right?

When I look at the other articles he has written, they seem focused on popularised notions about computers, but I do not see any articles about the academic disciplines he mentions.

aplorbust | 8 years ago | on: Patch runs ed, and ed can run anything

"patch will attempt to determine the type of the diff listing, unless over-ruled by a -c, -e, -n, or -u option. Context diffs (old-style, new-style, and unified) and normal diffs are applied directly by the patch program itself, whereas ed diffs are simply fed to the ed(1) editor via a pipe."

According to this, context diffs are not sent to ed.

Is the author suggesting that patch can be fooled to interpret a context diff as an ed diff?

There's a file called pch.c with an excessive amount of parsing and "intuit" functions like intuit_diff_type().

patch has anthropomorphised progress and error messages and tries to "guess".

However I am only a dumb end user. I should not question what I do not understand. It's all safe I'm sure.
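
A gate a practitioner would put in front of patch(1) when the diff comes from an untrusted source, added here as example code (it is not from the article or the commenter, and it is not GNU patch's logic). It classifies the input with a simplified stand-in for the kind of heuristic pch.c's intuit_diff_type() applies, walks anything that looks like an ed script the way ed would (tracking a/c/i text blocks) to list the commands that escape the edit buffer, since ed's "!command" runs a shell and "w path" writes any file, and returns the -u/-c/-n flag that, per the man page text quoted above, stops patch from guessing and therefore from ever piping the input to ed. The sample diffs are constructed.

```python
import re

# First-recognisable-line heuristics: a simplified stand-in for the decision
# patch(1) makes in intuit_diff_type(), not a copy of it.
_DASHES = re.compile(r"^--- ")                                 # unified old / context new
_UNIFIED_NEW = re.compile(r"^\+\+\+ ")
_UNIFIED_HUNK = re.compile(r"^@@ -\d+")
_CONTEXT_OLD = re.compile(r"^\*\*\* ")
_NORMAL_CMD = re.compile(r"^\d+(?:,\d+)?[acd]\d+(?:,\d+)?$")   # "5a6,7"
_ED_CMD = re.compile(r"^\d+(?:,\d+)?[acd]$")                  # "5a", "3,7d"
_ED_TEXT_START = re.compile(r"^(?:\d+(?:,\d+)?)?[aci]$")       # lines up to "." are text
_ED_SHELL = re.compile(r"^(?:\d+(?:,\d+)?)?\s*(?:!|[rwW]\s*!)")  # "!cmd", "r !cmd", "w !cmd"
_ED_WRITE = re.compile(r"^(?:\d+(?:,\d+)?)?\s*[wW]\s+\S")       # "w /some/path"

_FORCE_FLAG = {"unified": "-u", "context": "-c", "normal": "-n"}


def classify_diff(text):
    """Return 'unified', 'context', 'normal', 'ed' or 'unknown' from the first
    line that looks like a diff header or command."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if _DASHES.match(line) and _UNIFIED_NEW.match(nxt):
            return "unified"
        if _UNIFIED_HUNK.match(line):
            return "unified"
        if _CONTEXT_OLD.match(line) and _DASHES.match(nxt):
            return "context"
        if _NORMAL_CMD.match(line):
            return "normal"
        if _ED_CMD.match(line):
            return "ed"
    return "unknown"


def ed_script_risks(text):
    """Walk the text the way ed(1) would: after an a/c/i command, lines up to a
    lone '.' are inserted text; everything else is a command. Return the
    (line number, line) pairs that reach outside the edit buffer: shell
    escapes and writes to arbitrary paths."""
    risks = []
    in_text = False
    for number, line in enumerate(text.splitlines(), 1):
        if in_text:
            in_text = line != "."
            continue
        if _ED_TEXT_START.match(line):
            in_text = True
        elif _ED_SHELL.match(line) or _ED_WRITE.match(line):
            risks.append((number, line))
    return risks


def patch_gate(text):
    """Decide how untrusted patch text may be handed to patch(1). Returns
    (flag, reason): the flag forces the diff type (the man page says
    -c/-e/-n/-u override the guess), so patch never pipes the input to ed;
    a flag of None means refuse."""
    kind = classify_diff(text)
    if kind == "ed":
        risks = ed_script_risks(text)
        return None, "ed script: %d command(s) would reach outside the buffer" % len(risks)
    if kind not in _FORCE_FLAG:
        return None, "unrecognised diff format; not letting patch guess"
    return _FORCE_FLAG[kind], kind


# Constructed samples, one per format.
SAMPLE_UNIFIED = ("--- a/x.c\n+++ b/x.c\n@@ -1,3 +1,3 @@\n int main(void) {\n"
                  "-  return 1;\n+  return 0;\n }\n")
SAMPLE_CONTEXT = ("*** a/x.c\n--- b/x.c\n***************\n*** 1,3 ****\n"
                  "  int main(void) {\n!   return 1;\n  }\n--- 1,3 ----\n"
                  "  int main(void) {\n!   return 0;\n  }\n")
SAMPLE_NORMAL = "2c2\n<   return 1;\n---\n>   return 0;\n"
SAMPLE_ED = "2c\n  return 0;\n.\n!id\nw /tmp/x\nq\n"

if __name__ == "__main__":
    for label, sample in (("unified", SAMPLE_UNIFIED), ("context", SAMPLE_CONTEXT),
                          ("normal", SAMPLE_NORMAL), ("ed", SAMPLE_ED)):
        print(label, patch_gate(sample))
```

The returned flag is meant to be passed literally ("patch -u < file"), so the decision about the diff type is made once, by code you can read, instead of by a heuristic inside patch; anything the classifier cannot place is refused rather than handed over to be guessed at.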

aplorbust | 8 years ago | on: Microsoft again forced upgrades on Win10 PCs specifically set to block updates

"A strategy devised by Myhrvold the salesman was just as significant. He laid it out in a memo to Gates in 1992: "Regular upgrades are important for both revenue and loyalty...A feeling of progress and improvement is necessary to keep users loyal...and an important way to produce revenue. Upgrades are the closest thing we have to an annual fee or subscription."

source: Profile of Nathan Myhrvold https://www.1843magazine.com/content/features/myth-buster

aplorbust | 8 years ago | on: ACME v2 and Wildcard Certificate Support is Live

"It's their privacy being deprived."

I wonder if anyone will be surprised when they learn how HTTPS and HTTP/2 will be used to push more advertising to users and exfiltrate more user data from them than HTTP would ever allow.

Will these "advances" benefit users more than they benefit the companies serving ads, collecting user data and "overseeing the www" generally? Is there a trade-off?

To users, will protecting traffic from manipulation be viewed as a step forward if as a result they only see an increase in ads and data collection?

Even more, perhaps they will have limited ability to "see" the increase in data collection if they have effectively no control over the encryption process. (e.g., too complex, inability to monitor the data being sent, etc.)

aplorbust | 8 years ago | on: Why Developers Never Use State Machines (2011)

The ECMAScript standard actually has a section on "Context-Free Grammars". In that section and subsequent sections there is discussion of tokens, terminals, nonterminals and productions. If a web application developer using Javascript read these sections of the language specification and became curious enough to do a little outside research on the terminology, then perhaps it is foreseeable she might encounter the notion of a "state machine".

aplorbust | 8 years ago | on: A Unix shell script implementing ACME client protocol

"One binary to rule them all."

But if one is using a shell to launch that binary, then IMO there are two userland binaries: the shell and the binary being launched. In that case, the second binary depends on the first.

Let's assume one really wants to use only a single binary for whatever reason. Could she use busybox? Does busybox have an openssl-like function? I am not sure.

However I can confirm that the BSD equivalent of busybox can easily be compiled, statically, to include an http client, openssl and the other utilities needed for these shell scripts. I use such a binary for daily work.

Note I am not a LetsEncrypt user and have no comment on ACME or these shell scripts or other programs. I am only commenting as an avid shell scripter and user of static, "multi-call" binaries.

aplorbust | 8 years ago | on: Why Searching Through 500M Pwned Passwords Is So Quick

Thanks for the answer.

That page acknowledges the issue, which is all I was curious about:

"Getting back to the online search, being conscious of not wanting to send the wrong message to people, immediately before the search box I put a very clear, very bold message: "Do not send any password you actively use to a third-party service - even this one!""

aplorbust | 8 years ago | on: Ryzen Boards Reign at Embedded World 2018

Remove Javascript and links to Javascript files that load ads, etc.

Preserve only the desired content: text describing the boards, links to manufacturers websites, links to images.
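
One way to do that, as an added Python example (not the commenter's own tool): an HTMLParser subclass that re-emits only text, <a href> and <img src>, drops <script>, <style>, <noscript>, <iframe>, <object> and <embed> together with their contents, discards every other attribute (so on* handlers go too) and rejects javascript:, data: and similar URL schemes. The sample page is constructed; the vendor and ad hostnames in it are invented.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

_DROP_WITH_CONTENT = {"script", "style", "noscript", "iframe", "object", "embed"}
_BLOCK_END = {"p", "div", "h1", "h2", "h3", "h4", "li", "tr", "br", "table", "title"}
_SAFE_SCHEMES = {"http", "https", ""}            # "" = scheme-relative or relative URL


def _safe_url(url):
    """Keep only http(s) or relative targets; javascript:, data:, vbscript: etc. are dropped."""
    if not url:
        return None
    url = url.strip()
    return url if urlsplit(url).scheme.lower() in _SAFE_SCHEMES else None


class ContentOnly(HTMLParser):
    """Re-emit a page as text, <a href> and <img src> only. Every other tag,
    every other attribute and every script/style body is discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.links = []
        self.images = []
        self._skip_depth = 0                     # >0 while inside a dropped element
        self._anchor_kept = []                   # one entry per open <a>

    def handle_starttag(self, tag, attrs):
        if tag in _DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        if tag == "a":
            url = _safe_url(dict(attrs).get("href"))
            self._anchor_kept.append(url is not None)
            if url is not None:
                self.links.append(url)
                self.out.append('<a href="%s">' % escape(url, quote=True))
        elif tag == "img":
            url = _safe_url(dict(attrs).get("src"))
            if url is not None:
                self.images.append(url)
                self.out.append('<img src="%s">' % escape(url, quote=True))

    def handle_endtag(self, tag):
        if tag in _DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif self._skip_depth:
            return
        elif tag == "a" and self._anchor_kept:
            if self._anchor_kept.pop():
                self.out.append("</a>")
        elif tag in _BLOCK_END:
            self.out.append("\n")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data))        # re-escape: convert_charrefs decoded it


def keep_content(html):
    """Return (stripped_html, links, images) for a page."""
    parser = ContentOnly()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.links, parser.images


# Constructed sample page with the things one wants to lose.
SAMPLE_PAGE = (
    '<html><head><title>Ryzen boards</title>'
    '<script src="https://ads.example/track.js"></script><style>.x{}</style></head><body>'
    '<h1>Board A</h1><p onclick="evil()">Made by '
    '<a href="https://vendor.example/board-a" onmouseover="evil()">Vendor</a>.</p>'
    '<a href="javascript:alert(1)">click</a>'
    '<img src="https://vendor.example/board-a.jpg" onerror="evil()">'
    '<script>track()</script><noscript><img src="https://ads.example/pixel.gif"></noscript>'
    '</body></html>')

if __name__ == "__main__":
    stripped, links, images = keep_content(SAMPLE_PAGE)
    print(stripped)
    print("links:", links)
    print("images:", images)
```

The allow-list shape matters more than the particular tags: anything not explicitly kept is gone, so a new attribute or element the parser has never heard of cannot carry script through.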
