Readit News
tyler_larson commented on Google's Captcha in Firefox vs. in Chrome   grumpy.website/post/0RzW4... · Posted by u/kojoru
yc12340 · 7 years ago
So rate-limiting is "user-hostile", but permanently hell-banning someone because their network is considered "seedy" is user-friendly?

Incidentally, you still need rate-limiting if you use Google's CAPTCHA. If you don't rate-limit CAPTCHA endpoint, an attacker can DDoS you (especially if your server-side captcha component uses low-performance single-threaded HTTP client). Furthermore, an attacker within the same AS as their target can purposefully screw over their account by performing attacks on Google's services until the reputation of the network hits rock bottom.
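The point above about rate-limiting the CAPTCHA endpoint, as an added example (not part of the thread or any participant's code): a per-client token bucket in front of server-side token verification, so a flood of junk tokens cannot trigger an unbounded number of outbound verification requests. `CaptchaGate`, `fake_verify` and the sample addresses are constructed for illustration; a real `verify` would be an HTTPS call to the CAPTCHA provider with a timeout.

```python
import time


class CaptchaGate:
    """Per-client token bucket placed in front of server-side CAPTCHA verification."""

    def __init__(self, verify, rate=1.0, burst=5, clock=time.monotonic):
        self.verify = verify   # callable(token) -> bool; the expensive outbound request
        self.rate = rate       # tokens refilled per second
        self.burst = burst     # bucket capacity
        self.clock = clock     # injectable so the demo does not need to sleep
        self.buckets = {}      # client key -> (tokens, last_seen); evict old keys in production

    def _take(self, client):
        now = self.clock()
        tokens, last = self.buckets.get(client, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[client] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def check(self, client, token):
        if not token:
            return "rejected"    # empty submission: never worth an outbound call
        if not self._take(client):
            return "throttled"   # over budget: the verifier is not contacted at all
        return "ok" if self.verify(token) else "failed"


def demo():
    calls = []

    def fake_verify(token):      # constructed stand-in for the provider's verification API
        calls.append(token)
        return token == "good"

    t = [0.0]
    gate = CaptchaGate(fake_verify, rate=1.0, burst=3, clock=lambda: t[0])
    flood = [gate.check("203.0.113.7", "junk") for _ in range(100)]
    other = gate.check("198.51.100.9", "good")   # a different client is unaffected
    t[0] += 2.0                                   # two seconds later the bucket has refilled
    later = gate.check("203.0.113.7", "good")
    return flood.count("failed"), flood.count("throttled"), other, later, len(calls)


if __name__ == "__main__":
    print(demo())
```

Keying the bucket on a single address is an assumption of this sketch; a deployment might key on a network prefix or an account identifier instead.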

tyler_larson · 7 years ago
reCAPTCHA is a rate-limiting measure. Google handles all the heavy-lifting and attacker protection for you, and the slow fade you see in the video is that rate-limiting in action. But if you get a clean CAPTCHA result back from them, then that client is very unlikely to be an automated attacker. It's super easy and scales really well.

Conveniently, normal users with typical browser configurations get nothing but the animated checkbox. For nearly everyone, the whole experience is simple and easy. The only people who get inconvenienced are the low-grade privacy enthusiasts who think that preventing tracking is the path to Internet safety. Ironically, "tracking" is literally the mechanism by which legitimate users can be distinguished from attackers, so down that road lies a sort of self-inflicted hell for which the only sensible solution is to stop hitting yourself.

tyler_larson commented on Google's Captcha in Firefox vs. in Chrome   grumpy.website/post/0RzW4... · Posted by u/kojoru
tyler_larson · 7 years ago
Congratulations, you played yourself.

It's not Firefox that's the problem; reCAPTCHA works just fine on Firefox. It's all those anti-tracking measures you installed and enabled -- they work by making your browser indistinguishable from a low-quality bot, kicking the website into self-defense mode. The slow fade is a rate-limiting measure. It's annoying to you, but it's more annoying to people trying to automate login attempts.

The site is attempting to protect your account by preventing automated attacks against it. Meanwhile your browser is doing its best to look like a shell script, refusing to send any sort of behavioral feedback or distinguishing characteristics that might give away the fact that you're a human.

So the question is: is it really worth alienating those quirky, paranoid users who take extraordinary anti-tracking measures, just to protect your normal users from automated attacks?

Yes.

Of course it is.

tyler_larson commented on Goodbye, EdgeHTML   blog.mozilla.org/blog/201... · Posted by u/__michaelg
jchw · 7 years ago
I still think this is a bit melodramatic. I'm biased but all the same, Microsoft having major foothold in Chromium seems like a good thing. EdgeHTML didn't really do any good for us because barely anyone used it anyways. It would've been a bigger loss had there been substantial market share, but from my understanding Edge barely took off even with very aggressive behavior to push it on us. (My default browser has been reset to edge nearly every major Windows update. Windows also resets "corrupt" file associations - magically, those "corrupt" file associations work without issue if I just forcibly uninstall the app it wants to reset them to.)
tyler_larson · 7 years ago
>> This may sound melodramatic...

Yeah. A bit.

Thing is, Blink is not Chromium, Chromium is not Chrome, neither of them is Google, and BSD-3-clause is a pretty damn solid bulwark against the monopolization of the "control of fundamental online infrastructure", were that to ever become a concern again.

And the other bit is that the building blocks that make up Chromium power a lot of technology that is totally independent of anything under Google's influence, including NodeJS, Cloudflare's Workers, Microsoft's VS Code, and Amazon's Firecracker. They use it because it's solid, well-engineered tech. And even though Google wrote it, Google can't control it or stop you from using it against them. Microsoft isn't ceding anything at all to Google, Google's not in control of anything here.

The uncomfortable truth is that the role of neither Gecko nor Firefox nor Mozilla is particularly critical in terms of protecting the free and open Internet. What prevents Google from going all IE6 with Chrome isn't Mozilla, it's Chromium. If IE had been a BSD-licensed open-source project since 1995, then all the BS we endured in 2002 could never have happened; explorerium would have been trivially forked to create a sensible competitor with no switching cost.

Google tied their own hands from the very beginning, and by ensuring Chromium doesn't lag behind, they're keeping their hands tied. Almost as if they were doing it on purpose. In fact, the fact that Microsoft is switching to Chromium locks both tech giants into an intriguing sort of bargain. Each can benefit from the other's work as long as neither strays too far from the open source codebase, as long as they both push their changes into the open. So you end up with a reasonable guarantee that the future of the Internet stays independent; not because of a nonprofit competitor with a strongly-worded manifesto, but because none of the main players can afford to make it closed.

tyler_larson commented on Google May Have to Get Used to Third Place in the Cloud   bloomberg.com/news/articl... · Posted by u/yannikyeo
tyler_larson · 7 years ago
I dug into the details earlier this year, and it turned out at the time that Microsoft counts some undisclosed but significant percentage of revenue from sales of Office 365 in their "Commercial Cloud" category, even if you buy it in a box at a store... because in theory that box entitles you to Office In the Cloud. This (Azure plus some percentage of Office) is the "Azure" revenue number that gets compared to AWS and GCP to determine the market share number that you see in all the graphs.

Can anyone confirm/deny? I'm reasonably certain this is right from my reading of financial reports, but I'm no accountant.

tyler_larson commented on Git is already federated and decentralized   drewdevault.com/2018/07/2... · Posted by u/fagnerbrack
cjbprime · 7 years ago
None of these suggestions make sense. DKIM, SPF, and Docker are all irrelevant to whether Gmail will accept mail that is relayed to them through a broadband IP address. (They won't.)
tyler_larson · 7 years ago
The idea of SMTPing email out from your home ISP turned out to be problematic once spam became a business model. Gmail's not the only place that categorically won't trust it.

You need a mail server. You can run it yourself if you're into that sort of thing, but you can't run it off a residential/consumer uplink. Sorry, this one's non-negotiable. Then your home server authenticates to your mail server as a client, and sends email through your mail server. Your mail server is recorded as the IP address of origin, not your home address. MTAs are already designed to do this with nearly zero effort on your part, so you don't have to change your workflow, just your config file.

Don't want to pay for a mail server? Good news! There's like a gazillion services that actually do this for free. Gmail actually turns out to be one of them. Don't want to have to use OAuth? Good news! Gmail's not the only mail service. There's ten billion others.

tyler_larson commented on See all your purchases, subscriptions and reservations   support.google.com/accoun... · Posted by u/petilon
olliej · 7 years ago
Yes. A better question would be “why does google itself need this information when it’s just a client side UI feature?”
tyler_larson · 7 years ago
Gmail's primary UI is a web browser. How... how do you think that _actually_ might work?
tyler_larson commented on Android has created more choice, not less   blog.google/around-the-gl... · Posted by u/coollog
slededit · 8 years ago
Monopolists always have this response. Bell said similar things before their breakup - that their scale allowed them to provide a standard of service and price point otherwise impossible. History has repeatedly shown that it's not true.
tyler_larson · 8 years ago
The thing is, in this case we HAVE a solid picture of every alternative. There's no speculation necessary. We have the "before" and "after" story to point to, and we even have the "alternate universe" story along with it.

Before Android and iOS, the phone ecosystem was pretty mature already. There was more OS-level diversity but a lot less choice. It was just half a dozen utterly crappy worlds of lock-in, with barriers to entry that kept newcomers strictly out, and removed any hint of incentive for the incumbents to improve their platform. Remember everything was SO BAD that BlackBerry actually looked good in comparison? It was practically a parody of monopolistic inflexibility. Regardless of platform, everyone universally hated their phone with such passion that it was a meme in its own right.

Google and Apple both poured a boatload of money into each making a phone platform people would actually like to use. That alone was revolutionary. But each company showed their philosophy in how they presented it:

In the Apple case, the iPhone was shiny and proprietary and carefully presented and DONT TOUCH THAT. You couldn't even write apps for it. You could have web pages, that was enough for you.

In the Google case, Android was open and messy and unconstrained. It wasn't locked down in any meaningful sense; Google originally just kept some basic control of their branding and their marketplace. But without rules, carriers went back to their old tricks, and the ecosystem started to crumble. Remember that almost nobody but Google ever ships "Android", every carrier and manufacturer ships their own fork of Android. And for a long while they were all pretty bloody awful as everyone in the supply chain tried to extract value with preloaded apps, ads, lock-in features, crap hardware, and egregious branding. So using their only leverage (the Play Store), Google has slowly and carefully been pulling Android back from the brink.

Ironically, sadly, it's exactly these actions Google took to save Android that the EU objects to. They can't see (they refuse to see) the whole picture; they just see the tiny bits they think are relevant. They're like a nearsighted sleuth who finds blood on the floor in a hospital, and arrests the first nurse they see for the murder of persons unspecified. Whatever you say of the evidence they found, they clearly don't even begin to understand the environment.

As for the two companies and their strategies: For Apple, their phone very literally saved the company from demise. They make so much money from selling iPhone hardware that nothing else they do is even important. For Google, going the "open" route with Android wasn't the strategic commercial miracle we like to pretend. But if (and only if) you look at Android as an investment in the future of their Search business, then you can justify the ongoing expense. If you think of how much money it _could_ cost Google in ads revenue to have Apple or Amazon monopolize and manipulate the market, now you've got something huge.

Android can't survive on its own. There's nothing even there to survive; it's not a business. But it can be part of the search and ads business. That's where it can find a niche.

Remember that Android was, and remains today, the ONLY successful open-source consumer operating system, ever. There isn't even a runner-up. Nothing. This is not a business model with legs.

tyler_larson commented on Android has created more choice, not less   blog.google/around-the-gl... · Posted by u/coollog
volfied · 8 years ago
That GIF is incredibly misleading. It's not about hiding the app from home screen, it's about uninstalling it and not having it run in the background.
tyler_larson · 8 years ago
No, it's functionally equivalent to uninstalling; the only difference is that since the app was installed on a read-only filesystem, the apk can't be deleted. But it's gone as far as the OS cares; it can't be seen or used or run (even in the background) unless the user manually re-activates it.

Android added this capability specifically so that users can remove anything that's pre-loaded, regardless of what any company wants. There's no iOS equivalent because Apple doesn't want you to remove their stuff.

tyler_larson commented on 61% of “Entry-Level” Jobs Require 3+ Years of Experience   talent.works/blog/2018/03... · Posted by u/giffarage
tyler_larson · 8 years ago
I guess it depends on how "experience" is defined. I had 8 years of "experience" programming before my first full-time paid job.

I am somewhat entertained every time I see jobs requiring 10+ years of experience with Go or Typescript or Swift. It's a sign of just how well-thought-out these postings are.

tyler_larson commented on OK Go Sandbox   okgosandbox.org/... · Posted by u/artsandsci
tyler_larson · 8 years ago
Sponsored by Morton Salt? I knew it was too good to be true.

It seems like every free arts-promoting venture these days is just another opportunity for _Big Salinity_ to push their salty agenda on us!

Follow the money!

u/tyler_larson

Karma: 344 · Cake day: June 8, 2016