asterius's comments

asterius | 8 years ago | on: Slack's bait and switch

I'm not sure how battle hardened Mastodon is, obviously they don't have the resources of Twitter or Facebook. Probably easy to DDOS an individual server. However, it might be possible for other nodes to transparently cache updates.

As to spoofing, we've got to move beyond humans memorizing unicode strings or profile pictures as a means of identity validation. It's shambolic enough that Twitter users constantly change their display string, obscuring the Twitter handle, but even without that problem, how many people send bitcoin/ethereum to @eloon_musk?

asterius | 8 years ago | on: Slack's bait and switch

Oblique to the predictable Slack XMPP decision, but relevant to federation: Mastodon is a fascinating federated social network. It addresses the identity/reputation issues without embracing fb-fascism or one-site-to-rule-them-all nonsense.

https://joinmastodon.org/

How it works: Anyone can run a server of Mastodon. Each server hosts individual user accounts, the content they produce, and the content they subscribe to.

Each user account has a globally unique name (e.g. @user@example.com), consisting of the local username (@user), and the domain name of the server it is on (example.com).

Users can follow each other, regardless of where they’re hosted — when a local user follows a user from a different server, the server subscribes to that user’s updates for the first time.

asterius | 8 years ago | on: Project Gutenberg blocks access from Germany

Unlikely to be extradited for an extra-territorial claim. But the members of the executive and the board might not want to strike Germany from their list of travel destinations forever.

asterius | 8 years ago | on: How Airlines don’t care about privacy: Case Study Emirates.com

I tested going to a https link via gmail. On desktop chrome, it immediately opens the link (and hence passes the link parameters). On mobile it pops up a privacy error, "Attackers might be trying to steal your information" (NET::ERR_CERT_COMMON_NAME_INVALID), which is certainly the right thing to do. Still have to try it on Office365 and Outlook.

asterius | 8 years ago | on: How Airlines don’t care about privacy: Case Study Emirates.com

If you look at https://track.emirates.email you will see that it isn't emirates either, but a service provided by Mandrill, an add-on for MailChimp, and the cert is valid for https://mandrillapp.com. Surely they could have figured out how to use SNI.

The fact that your mail client / embedded browser takes you happily to sites with broken certs, giving them a tracking token (and in this case, total access to your booking) is also quite a problem.

asterius | 8 years ago | on: Hacker News's Undocumented Features and Behaviors

@minimaxir for your list:

- Not possible to downvote some posters, as the authors have extreme karma (e.g. >10,000, though I don't know the exact number), even if you have >>500 karma.

It is notable that HN does not support blocking particular users, or indeed annotating that you like them. Though plenty of fans will upvote well known authors, it is not possible for you to keep a list of people who you think have written well in the past. I'd love it if I could, e.g., mark favourite author names in green.

HN is also notable from my perspective for having some people with good technical sense and clear writing, but very extreme views on other matters, to the extent that they would be pariahs in RL situations.

asterius | 8 years ago | on: E-Stop and Fuel, software that keeps you awake at night

They might not have paid for a source code licence. Or they did, but they never made sure they had a copy, just left it with the developer. Surprisingly common for companies to get a big binder of paperwork, an installer disk, and consider it done.

asterius | 8 years ago | on: Why Paper Jams Persist

Projector fiddling has been replaced with VTC fiddling. I hate Polycom/Skype with a far greater passion than any printer.

asterius | 8 years ago | on: VM escape vulnerabilities patched in VirtualBox

There is no particular reason to expect that qemu has any greater security than vbox. All of these systems have a significant amount of very critical code; I am particularly sceptical of the hardware emulation part.

AWS recently started moving from a custom Xen to a custom KVM, but it doesn't seem it was for security reasons. Xen certainly is heavily used by public cloud providers.

asterius | 8 years ago | on: GoPro has discontinued its developer program

The investors didn't want standard returns, the valuation was based on them growing rapidly for years, which means new markets.

They could have made money from their drone product line by diversifying beyond 'toy'. But that would have required integration partners, different sales channels etc, and they didn't have the skills to build that.

asterius | 8 years ago | on: Ask HN: Is big-endian dead?

No one who cares about latency even has 10GBASE-T hardware, because it introduces a vast amount of coding latency. It is also very power inefficient.