maxt's comments

maxt | 9 years ago | on: A simple HTML framework

I never knew you could style custom elements like <awesome> with CSS.

I wonder however about the compatibility with different browsers. Could potentially break some sites on older browsers / those on legacy machines / those still surfing the web on dusty old Windows 2000 machines.

maxt | 9 years ago | on: “Reclaim Windows 10” Powershell Script

I doubt it affects them that much, as there's always going to be power users. They get a lot of their telemetry from unsuspecting users / laymen buying those cheap Windows 10 tablets you see everywhere now.

maxt | 9 years ago | on: “Reclaim Windows 10” Powershell Script

No, that's the only caveat. I much prefer to use scripts, as these programs are a bit of a black box. But at least they're digitally signed and recommended by the wider Windows 'powertoy' community so you're allowed to trust them.

maxt | 9 years ago | on: “Reclaim Windows 10” Powershell Script

It's editable. There's a lot of stuff in there I had to remove. I still want Store functionality because I like the look and feel of the apps on there, especially the Twitter client.

maxt | 9 years ago | on: WikiLeaks proposes tracking verified Twitter users’ homes, families and finances

I recall about a week after the Snowden disclosures some people saying the Snowden leaks were deliberate and that NSA has kept up this tradition of false flag disclosures. If anything, the whole web is certainly more secure now, and Snowden is even quoted as saying: "I still work for the NSA" after the leaks. I don't buy the rhetoric that NSA is simply all about slurping up plaintext. They have a duty to secure the web too. It's a weird paradox that they both want more security and want all the plaintext they can salvage.

maxt | 9 years ago | on: Ask HN: What hosting platform is everyone using these days?

I've started to use PaaS (Platform as a service) because it's way more convenient and reduces the headache of getting a simple blog up and running. VPSes are often difficult to harden and many of the recipes online for spinning up servers are not tried and tested and often leave gaping security holes in the installation. At least with PaaS these holes are patched because they are widely deployed on many machines and have to be secure by design. Here's a few to get you started:

https://www.ctl.io/appfog/

https://bitnami.com/

https://www.cloudfoundry.org/

https://www.openshift.com/

maxt | 9 years ago | on: Why HTTPS for Everything?

Here's a Mashable article about adopting HTTPS served via plain old HTTP:

http://mashable.com/2011/05/31/https-web-security/

It worries me that major websites like this have still not made the switch to HTTPS/TLS yet. Quite irksome are the reasons (actually, excuses) site owners sometimes give like overhead, claiming switching over to HTTP/TLS will be costly and annoying, or even worse - that their threat model doesn't include HTTPS, and the burden is on the visitor to encrypt their connection to the site. The onus is on both parties to encrypt, instead of shunting the encryption to the visitor. As for threat models, the news can be a sensitive topic for some, and HTTPS can be of great service to visitors who enjoy their privacy.

I enjoy initiatives like Secure The News[1] which is a small public awareness campaign urging news outlets to adopt HTTPS/TLS. Initiatives like Google's HTTPS Transparency Report[2] are great too and give us great insight into the adoption rate of HTTPS/TLS:

[1] https://securethe.news/

[2] https://www.google.com/transparencyreport/https/grid/

maxt | 9 years ago | on: Principles

Now and then I like to revert back to first principles. The moment things become refined, elegant, or complex, is usually when I have to see the woods from the trees and apply first principles to it.

One principle I live by is minimalism. With technology it's easy for things to become rapidly complex. It's worth applying mindfulness to technology and seeing the results. Most of my solutions are easy solutions with no cruft, instead of complex solutions with bells and whistles galore.

Another principle I try to apply is doing one thing at a time, which ties into minimalism. It's so easy to fall into the trap of distractions and multitasking. I've trained myself over the years to cull distractions, and segmented my workflow into discrete single duty units of work. If I'm on Skype, then I'm on Skype, & I'm not checking my email or Twitter too. If I'm on Hackernews, then I'm just on Hackernews, and not lurking in Reddit too, etc. It seems obvious, but focusing actually requires training.

Virtualization has helped with this, and it's not uncommon seeing me spinning up a new VM for the sole purpose of video conferencing, and having an entire operating system just for Twitter, etc.

maxt | 9 years ago | on: Ask HN: Why block Tor?

There's underblocking and overblocking. Underblocking is allowing TOR traffic through, but also letting TOR traffic flood your servers.

It's obvious that if you have a flood of nefarious traffic like this then you should throttle the TOR traffic. Overblocking is outright blocking TOR with no reason other than because you can, and it leaves many legitimate users frustrated and feeling like the site just self-censored itself.

It would be suitable in these cases to strike a happy medium and allow some TOR traffic through, but throttle suspicious-looking requests like mini 'swarms' of TOR exit IPs hitting the site all at once, which I think HN does, because some TOR idens work, whilst others do not.
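Added example (not part of maxt's comment, and not a description of how HN or any real site works): one way to implement the "happy medium" described above, letting Tor requests through but throttling them while an unusual number of distinct exit IPs arrive in the same short window. The class name, thresholds and addresses are hypothetical; the exit set is constructed from documentation-range IPs and would in practice be loaded from a published exit list.

```python
from collections import deque

# Constructed sample data: documentation-range addresses standing in for Tor exits.
TOR_EXITS = {f"192.0.2.{i}" for i in range(1, 21)}


class TorSwarmThrottle:
    """Allow Tor traffic, but throttle it while many distinct exits hit at once."""

    def __init__(self, exits, window=10.0, max_distinct_exits=5):
        self.exits = set(exits)
        self.window = window              # seconds of history to consider
        self.max_distinct = max_distinct_exits
        self.recent = deque()             # (timestamp, exit_ip), oldest first
        self.counts = {}                  # exit_ip -> requests inside the window

    def _evict(self, now):
        # Drop requests that have aged out of the sliding window.
        while self.recent and now - self.recent[0][0] > self.window:
            _, ip = self.recent.popleft()
            self.counts[ip] -= 1
            if self.counts[ip] == 0:
                del self.counts[ip]

    def decide(self, ip, now):
        if ip not in self.exits:
            return "allow"                # non-Tor traffic is out of scope here
        self._evict(now)
        self.recent.append((now, ip))
        self.counts[ip] = self.counts.get(ip, 0) + 1
        # A swarm is many *distinct* exits in one window, not one busy exit.
        return "throttle" if len(self.counts) > self.max_distinct else "allow"


def replay(events, **kwargs):
    """Run (timestamp, ip) events through a fresh throttle; return the verdicts."""
    throttle = TorSwarmThrottle(TOR_EXITS, **kwargs)
    return [throttle.decide(ip, ts) for ts, ip in events]


# Constructed traffic: one steady Tor user, a burst of 8 exits, then quiet again.
STEADY = [(i * 5.0, "192.0.2.1") for i in range(4)]
SWARM = [(100.0 + i * 0.1, f"192.0.2.{i + 1}") for i in range(8)]
AFTER = [(120.0, "192.0.2.3"), (120.5, "203.0.113.9")]

if __name__ == "__main__":
    events = STEADY + SWARM + AFTER
    for event, verdict in zip(events, replay(events)):
        print(event, verdict)
```

The steady user and the post-burst request are allowed; only the requests that push the window past five distinct exits are throttled, so ordinary Tor users are not blocked outright.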
