Llevel commented on Ask HN: What do you think about websites that won't work without JavaScript?    · Posted by u/WildGreenLeave
StuieK · 9 years ago
So we built slant.co with the philosophy that all the reading should work ok with JS off, but the contributing systems require JS. The problem is testing, we're a tiny team so I'm not sure the last time we made sure the no js experience works as expected.
Llevel · 9 years ago
This is the trouble with web dev. There are a million factors in play, and it's very tough to create tests for them all, not to mention potentially financially restrictive with the need for multiple browser testing VMs. You have to test cross-browser, make sure all the versions of IE you want to support play nicely with your JavaScript and CSS. The site also needs to be responsive and handle resizing gracefully. Then how about making your site accessible, making sure all the aria tags are where they should be, and that screen readers will read, or not read, your content properly. When there is time to polish, it's often in the form of CSS transitions or animations.

Making my site fall back to no-JS gracefully affects so few people that it falls by the wayside, since there are so many other higher priorities that affect a lot more people.

Llevel commented on Backblaze hard drive reliability stats for Q3 2016   backblaze.com/blog/hard-d... · Posted by u/sashk
leejoramo · 9 years ago
How are people using Backblaze's excellent hard drive reliability reports in making purchasing decisions?

For example, when I search for HGST HMS5C4040ALE640 on Amazon I get a dealer selling old out-of-warranty drives as new.

https://www.amazon.com/HGST-MegaScale-HMS5C4040ALE640-Coolsp...

I get similar results with many of the other drives listed and with other websites such as NewEgg.

Llevel · 9 years ago
I chose to get 4 ST4000DM000 drives based on previous reports. Sure HGST drives never die, but it's cheaper to RMA or buy a single new drive if one fails, than the added cost of 4 reliable drives. Assuming only one fails, which is a risk I'm willing to take with my very non-mission-critical data.

I don't read this as 'which drive to buy' but more as 'which drive not to buy'.

Llevel commented on Switching from macOS: The Basics   blog.elementary.io/post/1... · Posted by u/SunShiranui
mohanmcgeek · 9 years ago
They caught a lot of flak when they first introduced it. Not only did they introduce this, but they also shamed the people who did not pay

http://m.slashdot.org/story/213469

Llevel · 9 years ago
Here is the correct link to the full text of that blog post.

http://blog.elementary.io/post/110645528530/payments

Llevel commented on Realistic alternatives to Apple computers   onebigfluke.com/2016/10/a... · Posted by u/josephscott
votr · 9 years ago
I have this fantasy of starting a company dedicated to building Linux laptops for developers. Great displays and keyboard, generous ports, beefy specs, with a willingness to trade off size and weight.

I think it hasn't happened yet because it's probably economically not viable.

Llevel · 9 years ago
Isn't that along the lines of System 76 [1]? I haven't tried any of their machines, and they aren't exactly trying to compete with Apple, but they are Linux first.

[1] https://system76.com/

Llevel commented on 2017 Chevrolet Bolt EV   caranddriver.com/reviews/... · Posted by u/jseliger
enjo · 9 years ago
The Bolt supports quick charging at CCS stations tho. It's right in the article.
Llevel · 9 years ago
My mistake, I didn't see it on the official Bolt website, so I assumed it wasn't included.
Llevel commented on 2017 Chevrolet Bolt EV   caranddriver.com/reviews/... · Posted by u/jseliger
arviewer · 9 years ago
That's 375 km for the rest of the world.

Anyway, how quick does it charge, either to full or 50 or 80%?

Llevel · 9 years ago
40km per hour of charge time, 9 hours for a full charge.[1] It doesn't look like it has the ability to use superchargers, or charge quickly in any way.

[1] http://www.chevrolet.ca/bolt-ev-electric-vehicle.html

edit: I am wrong, the article mentions quick charging, but the official website doesn't.

Llevel commented on 2017 Chevrolet Bolt EV   caranddriver.com/reviews/... · Posted by u/jseliger
BBTN6 · 9 years ago
For many people this won't have the mythos or upstart appeal of the upcoming Tesla Model 3-- and that's a shame, cause they did a real good job on it.

Yet I do believe the 200+ mile range and price will get enough people in one and really start to shift the EV from being an early adopter accessory to a viable everyday car.

Good on ya, GM.

Llevel · 9 years ago
The biggest drawback for me would be the inability to charge quickly.

With a Tesla you can take it on a road trip, as long as you plan it around hitting supercharging stations. In the Bolt, you can go 200 miles, but have to stop for the night to grab a full charge.

But if you aren't the type of person to drive more than 4 hours a day, or have an alternative vehicle for longer trips, this could be a great choice.

Llevel commented on Ask HN: What's the current state of XSS attacks?    · Posted by u/gorpomon
Llevel · 10 years ago
This post didn't gain much traction, but XSS attacks are still pretty popular and Google awards up to $7500 for XSS attacks[1]. React and Angular may help prevent XSS attacks, and while I don't know specifics, they likely do have some ingrained tools to prevent it occurring. I wouldn't be surprised if an XSS exploit could find a way around client-side sanitization though. In a perfect world, all strings coming from your server would be pre-escaped.

Rails is 'immune' in the sense that it doesn't let you directly drop HTML onto pages from strings without escaping it first, and if you would like to do so, you have to explicitly mark the string as safe[2]. This isn't to say that XSS is no longer an issue though. Rails and other frameworks help prevent these occurrences in many cases in simple applications, but larger-scale applications have a lot more code and a lot more ways to punch holes in that protection. In fact, using Express with Node.js doesn't sanitize your strings by default (as far as my quick research has shown), which leaves a potential attack vector.

While XSS is a very well known vector, XSS attacks are not uncommon in non-boilerplate web applications. Fortunately sanitization is easy and bugs can often be fixed quickly.

Browsers can prevent some methods of XSS, such as by preventing loading JS from a remote untrusted source. If you find a way to drop JS directly onto a page that the browser can't catch (such as the entire JS source being delivered by the server), there's still vulnerability.

OWASP tends to be the place to go to learn about web security[3]. They have lots of examples of potential exploits.

[1] https://www.google.ca/about/appsecurity/reward-program/

[2] http://stackoverflow.com/a/3932440

[3] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
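An added illustration of the "explicitly mark the string as safe" model the comment attributes to Rails, written for plain Node.js/Express (which escapes nothing on its own). This is example code, not from the thread or from either framework; `SafeHtml`, `markSafe` and the `html` tagged template are names chosen here.

```javascript
// Minimal auto-escaping template helper in the spirit of Rails' html_safe.
// Output can be handed straight to Express's res.send(), which does not escape.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure or break out of an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker type: wrapping a string in SafeHtml is the only way to emit it unescaped.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}
function markSafe(markup) { return new SafeHtml(markup); }

// Tagged template: every interpolated value is escaped unless it is SafeHtml.
// Nested html`...` results are SafeHtml, so they are not escaped a second time.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.markup : escapeHtml(v)) + strings[i + 1];
  });
  return markSafe(out);
}

// Constructed input: the kind of value a user could type into a profile form.
const untrustedName = '<script>alert(1)</script>';

// Untrusted data goes through html`` and comes out as inert text.
function renderGreeting(name) {
  return html`<p>Hello, ${name}!</p>`.toString();
}

// Server-generated markup that is genuinely trusted must be opted in with markSafe.
function renderWithFragment(fragment) {
  return html`<div>${markSafe(fragment)}</div>`.toString();
}

module.exports = { escapeHtml, markSafe, html, renderGreeting, renderWithFragment, untrustedName };
```

The mistake the comment warns about is calling `markSafe` on data that came from a request; the helper only shifts the decision to one explicit, greppable call site.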

Llevel commented on Encrypting Windows Hard Drives   schneier.com/blog/archive... · Posted by u/jron
sliverstorm · 11 years ago
BestCrypt sounds like it's cross-platform, at least.
Llevel · 11 years ago
Their store looks like they only have volume encryption on Windows, and container encryption for Mac, Linux and Windows, unless I'm mistaken.

https://www.jetico.com/online-shop/shop/index/all-products

Llevel commented on Making Connections to Facebook More Secure   facebook.com/notes/protec... · Posted by u/jboynyc
mike-cardwell · 11 years ago
It concerns me that they were able to brute force a key for facebookcorewwwi.onion. If they can do that, what's to stop somebody else coming along and brute forcing a key for the same hostname.

Looks like Tor hidden services are now broken to me...

[edit] What's to stop Facebook from brute forcing a key for any of the existing hidden services?

[edit2] If Facebook can brute force keys like this, so can the NSA and GCHQ. Tor hidden services are officially broken.

[edit3] A colleague of mine suggested that this might be simply Facebook's way of making it public knowledge that Tor hidden services can no longer be relied upon.

[edit4] Facebook are saying (on the Tor Talk list) that they generated a load of keys starting "facebook" and then just picked the one which looked most memorable, and were extremely lucky to get such a good one:

http://archives.seul.org/tor/talk/Oct-2014/msg00433.html

Llevel · 11 years ago
> If they can do that, what's to stop somebody else coming along and brute forcing a key for the same hostname.

The .onion URL is created by hashing the public key (and possibly more information), and then it is stored in Tor's database of hidden service descriptors as noted by this[1]. This would indicate to me that if there's a hash conflict, such as the NSA trying to take over FB's .onion URL, the database of hidden service descriptors would reject the duplicate insertion to the database.

[1] https://security.stackexchange.com/questions/23241/how-are-t...
