Slashdot Mirror

What doesn't make sense is [appliances on LANs] using https with default certificates just to tick of the "it's secure" checkbox.

That's partly a reaction to browser implementation of Secure Contexts, a W3C spec that reserves certain web APIs for HTTPS sites.

Does your combination kill a motion JPEG player written in pure CSS, without using any specific rules for the domain it's on?

To use a federated open protocol, so that I can communicate with users who do not use the same provider. Again, with email I can communicate with people who host their own service, people who use an employer-provided service, people who use a free service such as GMail or Hotmail, without any problems.

In a federated protocol, other providers can refuse to communicate with a provider that they deem abusive. SMTP servers, for example, often use RBLs to refuse messages from dynamic IP addresses on grounds that the vast majority of home MTAs are spam zombies, not especially technical home users who host their own service on a home ISP. Instead, they accept messages only A. from data centers (on port 25) or B. from their own subscribers (on port 587 with authentication). So how does a provider convince other providers that the provider is not abusive?

Oh, and in an ideal world it wouldn't involve PHP. Anywhere.

I'm told PHP running on Zend Engine 3 is faster than the equivalent Python running on CPython 3. What makes PHP any worse than, say, ECMAScript? Many of Eevee's complaints against mirror Douglas Crockford's against JavaScript, as I've described elsewhere.

I set media.autoplay.enabled in my copy of Firefox ESR 52 (default browser on Debian 9) to false, but this horse was still animated. What did I do wrong?

You thought that a 15-frame image loop that is less than 1MB is the same thing as the 5 x 30MB videos that autoload on some sites. We should be lucky if advertisers are forced to use the mpeg-css - the extra work might result in fewer ads.

I set media.autoplay.enabled in my copy of Firefox ESR 52 (default browser on Debian 9) to false, but this horse was still animated. What did I do wrong?

Good luck finding a way to "provide users with a way to block video auto-play that doesn't break websites", especially if it's muted. Site operators will fall back to less efficient methods to display video, which include a canvas displaying video decoded in JavaScript, animated GIF, or even a pure CSS motion JPEG player.

Facts: Linus never named his kernel "linux kernel", the kernel's name is linux, as in Mach, NT, e.t.c., there's no such thing as Linux, a family of operating systems, because Linux refers to a kernel and is a registered trademark as "Linux".

Wikipedia's policy of a neutral point of view causes editors to use the name most commonly used by third-party reliable sources and teach the controversy, as in the "GNU/Linux naming controversy" article.

My own writing style is to use "GNU/Linux" for typical desktop and server distributions to distinguish them from Android, BusyBox-based small distributions, and other specialized operating environments built around Linux that contain little or no code from the GNU project. I have found "GNU/Linux" or "X11/Linux" the most succinct way to satisfy fans of Richard Stallman while ducking some Slashdot users' insinuation that a tablet running Android with a paired keyboard or a laptop running Chrome OS can adequately substitute for a laptop running Ubuntu. But because this writing style happens not to match that of the scholarly and mainstream media that Wikipedia relies on, Wikipedia does not use it.

Blocking animation in ads isn't a very easy problem for two reasons. First, how would you distinguish desirable animations, such as the main video on the video's description page, from ads? Second, CSS can animate a JPEG.

Summarizing my list of unresolved axes to grind:

preogresive Mpeg

I've heard of progressive JPEG and Adam7-interlaced PNG for still images, but not progressive MPEG. The closest thing I can think of is a CSS trick to display a JPEG filmstrip as an animation, where the underlying JPEG is stored progressively.

I think Anonymous Coward #56004133's point is that just setting image.animation_mode to once would not stop animation driven by CSS or JavaScript that arranges the frames of an animation as CSS sprites.

I am assuming your version of APK Hosts File Engine 10++ 32/64-bit is MALWARE.

I'm guessing others have tested it in a sandbox for malicious behavior. Do you assume Intel and AMD CPUs contain malware? And if you do, do you use them despite said assumption?

So why not just open source it

If this post is to be believed, APK doesn't want people adding malware, building it, and distributing it, like eFast did with Chromium.

The other option is for some Slashdot user to make a free replacement. Does the functionality described in this specification appear useful?

But what I want to watch isn't available on Netflix streaming or Netflix DVD. Let me know when the film Pinocchio and the Emperor of the Night, the film Song of the South, or the TV series Spartakus and the Sun Beneath the Sea gets released on region 1 DVD. The streaming metasearch sites just say "is not available now.".

You failed to address the elephant in the room: Javascript is the language of the web browser platform.

I think the idea is that a lot of people who regularly post comments on Slashdot and SoylentNews don't want the web browser to be an application platform. They see the web as documents, not applications. They point out that much is achievable through link navigation, form submission, and CSS, such as a script-free version of the "Fast Good Cheap" 2-of-3 checkbox demo. If they wanted an application more sophisticated than that, they would download its source code, compile it, and install it.

the objective was not "free tv", (most of us can get that with an antenna) or even "free tv on demand", but to watch a certain collection of titles that either (a) weren't conveniently available

Case in point: I picked two movies and a TV series, all produced prior to 1990, and looked for them on three different websites offering information about legit streaming options in the United States. I ended up with "not available" across the board.

I agree with you that the specific issue of HSTS .dev is a non-issue for internal servers not in .dev.

But the larger issue of unavailability of browser-recognized certificates for internal TLS servers is an issue for internal servers not in .dev. I don't see most home users as willing to spend $15 per year on registering a domain in a public zone just to be able to use HTTPS over the LAN. Using cleartext HTTP becomes less of an option over time as more HTTP elements and JavaScript APIs become unavailable outside secure contexts.

Install fdroid

That might work for a calculator or a flashlight. But it doesn't help much for things like games, for reasons that have been explained elsewhere.

Or has a viable business model emerged for developing video games for distribution as free software from day one? If the model involves developing the engine as free software but everything but the engine as non-free and paywalled, F-Droid currently considers that an anti-feature called NonFreeAssets .

using https over tor is just stupid.

I can see two main reason why a site operator might try using HTTPS to connect to a web server over an otherwise secure channel, such as a hidden service on Tor or I2P.*

One reason is that not all parts of all browsers are aware that hidden services are secure channels. The W3C has published a spec titled Secure Contexts, which recommends that web browsers block use of sensitive JavaScript APIs by non-secure sites. Even script-free sites cause the browser to show a warning about an insecure context if a document contains a form, such as a login form or an editing form. Until user agents start treating hidden services (*.i2p and *.onion) as potentially trustworthy origins, sites using these APIs must use HTTPS to build a secure context.

Another reason relates to typosquatting. If a user mistypes a hidden service's hostname, such as facebookcorewwwi.onion, the user might end up connecting to a server controlled by an entity other than Facebook. To fight this, some certificate authorities have begun to offer Extended Validation certificates that apply to hidden services, assuring the user of the real-world identity of a hidden service's operator.

* The I2P community refers to hidden services as "eepsites".

My web browsers work just fine without an internet connection.

Mind you I can only reach servers on my internal network

How do you obtain TLS certificates for the HTTPS servers on your internal network without an Internet connection? Cleartext HTTP doesn't work for a lot of things nowadays because of the Secure Contexts requirement that browsers have implemented. Even if you use an ACME client elsewhere to get a certificate from Let's Encrypt and sneakernet it to your internal network, you still have to buy a domain for your internal network in order to have a name for the certificate, and you have to keep paying to renew it.

The console advantages, as I understand them, revolve around ease of use.

• No mods means less cheating in online pickup matches.
• Software whitelist means no need for an antivirus.
• Developer and game approval process means less chaff to sort through in the console's app store, avoiding analysis paralysis and cheap knockoffs.
• Standardized hardware means less chance of game misbehavior due to inadvertent reliance on un- or underspecified driver behavior.
• Games tend to be more integrated with a single platform-wide achievement tracker.
• Though same-screen multiplayer has become less common than it was in (say) the Nintendo 64 era, it was still more common than on PC last I checked.
• Some entire genres tend to be underrepresented on PC. Take platform fighting: The PlayStation 3 counterpart to Super Smash Bros. series is PlayStation All-Stars Battle Royale, but what's the PC counterpart?

Then how does one obtain a certificate for a domain in .test and use it on all devices on a home LAN? I thought Android 7 "Nougat" and later didn't trust user-installed root certificates unless a particular app opts into trusting user-installed root certificates through the network security config file in the application's package. Chrome for Android appears to opt in, but Firefox for Android is untested. Using cleartext HTTP is not an option because more sensitive APIs are unavailable outside secure contexts.

One reason is that in order to run a web server on a Raspberry Pi computer on your LAN, you have to buy a domain and keep it renewed. Otherwise, several JavaScript APIs will throw security exceptions because they work only in secure contexts. No domain name, no certificate. No certificate, no HTTPS. No HTTPS, no secure context. No secure context, no sensitive JavaScript APIs.

Javascript is similar enough to PHP, without having the bone headed "Zero is "" is empty is null" type decisions that make PHP such a dangerous language to develop in.

Those who think ECMAScript lacks the brain-deadness of PHP have another think coming. Appendix B of Douglas Crockford's JavaScript: The Good Parts lists a few examples.

• == is as brain-dead as PHP: 0 == '0' and 0 == '' but '' != '0'
• The hard-to-predict with statement (which thankfully got cut from later versions of ECMAScript)
• Any use of eval or new Function other than detection of ECMAScript 6+ syntax, which is prone to even more serious errors than the SQL injection endemic in beginners' PHP code
• Boxed types such as new Boolean(false)

However, Crockford is known for holding idiosyncratic opinions. In appendix B, he continues that the following elements are bad:

• Early exit from an iteration of a loop using continue; Crockford considers it preferable to refactor the loop's body into a function that exits early with return
• Fall-through in switch if break is missing; Crockford considers it preferable to refactor the repeated portion into a function
• The if, while, do, and for statements allow a form without braces
• The ++ and -- operators
• The presence of bitwise operators &amp | ^ ~ << <<< >>, which Crockford deems more likely to be typos for && || Math.pow() ! < < > respectively than actual bit manipulation because ECMAScript lacks a distinct integer type and "is rarely used for doing bit manipulation."
• Declaring a function using a function statement rather than a function lambda expression
• Operator new rather than factory functions

Android 8 "Oreo" has moved "Install apps from unknown sources" from a system-wide setting to a finer-grained permission for each app. This means F-Droid users won't need to put the whole operating system's shields down anymore. So if you have Oreo, and you don't download from Google Play Store, and you "Uninstall updates/Disable" any carrier-installed crap that's not part of AOSP or other core functionality, then you sacrifice a few genres of apps but gain the theoretical safety of publicly auditable software that F-Droid's inclusion policy enables.

As for the install permission on Google Play Store, on the one hand, you'd want to leave it off to keep kids from installing crap. On the other hand, you'd want to leave it on to apply security updates to core OS components, such as Google Chrome and Gboard. But until Oreo gets delivered OTA, I don't know how to find out whether this setting would even work for Google Play Store.

When I download an App from iOS App Store, I don't have to worry about this kind of shit.

Instead, you have to worry about there not being any apps at all for a particular task when the App Store Review Guidelines block iOS apps from performing certain tasks.

That's what my laptop is for.

When I download an App from iOS App Store, I don't have to worry about this kind of shit.

Instead, you have to worry about there not being any apps at all for a particular task when the App Store Review Guidelines block iOS apps from performing certain tasks.

Historically copyright tends to get extended retroactively when it is about to expire for work of value.

That's a coincidence. The 1978 extension was to align U.S. copyright term with the Berne Convention that had been the law in other countries for several decades, and the 1998 extension was to reconcile the copyright term with the advances in health care of the twentieth century. The underlying rationale behind the term remained unchanged, namely the life of the author's grandchildren. But when uphelding the 1998 extension, the Supreme Court warned Congress against a third extension: unless Congress gives a damn good reason, the Court may find "legislative misbehavior."

Is 2.3 MB for a whole month's worth of blog posts, including several photos and/or CGI renderings, likewise too heavy? If so, what change would you recommend for a page like this one?

I wouldn't change anything. This is 2.3 MB worth of content, not 2.3 MB worth of scripts, fonts, stylesheets, oversized pictures, etc...
I don't have a problem with large pages, I have a problem with low content/size ratio.

We are talking about sites weighting several megabytes for the equivalent of a single blog post, with scripts creatively breaking browsers. With a 2.3MB / 66 object webpage, the author is definitively guilty of this.

Is 2.3 MB for a whole month's worth of blog posts, including several photos and/or CGI renderings, likewise too heavy? If so, what change would you recommend for a page like this one?

Please, for the love of God, look upon my 16 DIMM slots ye Mighty frugal HTTP server, and load the whole damn document all at once, SVP.

Even a PC with double digit GB of RAM can be connected to a satellite or cellular upstream connection whose ISP charges $5 to $10 per GB. Though a non-AMP page like this still loads fast because it's so simple, I imagine people aren't going to be happy to pay the ISP to load images that won't be viewed.

SSL is now completely free via let's encrypt.

Let's Encrypt requires a fully qualified domain name (FQDN) under a well-known top-level domain (TLD), not an IP address in RFC 1918 space or a name under a made-up TLD such as .local or .internal. So do all other CAs whose root certificates are included in Mozilla NSS, as a FQDN is one of the Baseline Requirements adopted by the CA/Browser Forum.

Domains are cheap.

Cheap enough for every head of household to buy and to continue to renew in perpetuity? Because buying a domain is the only way to get a certificate for hosts on your LAN that visitors' devices will trust, and a certificate is the only way you're going to satisfy the "Secure Contexts" requirement for recently introduced JavaScript APIs.

Free ones are available.

Namely?

If you're referring to subdomains offered by dynamic DNS providers, these providers have to be on Mozilla's Public Suffix List (PSL). If a domain isn't already on the PSL, and 20 other users of subdomains under the same domain have obtained certificates in the past week, Let's Encrypt will deny you a certificate, citing its rate limit policy. If a domain is on the PSL, each subdomain gets its own separate rate limiting bucket of 20 certificates per subdomain per week. In addition, submissions to the PSL must be made by the dynamic DNS provider as a pull request through GitHub.com, and use of GitHub.com requires running proprietary software written in JavaScript on your computer.

I have the most secure operating system ever. It does nothing but play minesweeper.

Let me guess: You run Luminesweeper.

Try playing these videos in Safari. If they fail to play, then please recommend to me a royalty-free video codec that does play in Safari.

Where's your free content?

Selected editorials by Damian Yerrick are free as in without charge and as in CC BY.

Detachable tablets such as Microsoft's Surface line and Apple's iPad Pro will lead the growth as consumers have turned away from laptops in favor of these more versatile computing devices.

Surface Pro perhaps. But I don't see how an iPad Pro, constrained by the App Store Review Guidelines, is "more versatile" than a PC that can run anything. In particular, the ban on time-limited free trials has hindered ports of applications from macOS to iOS. And even if you stick to free applications, it'll cost you $499 extra if you want to be able to compile them from source because loading applications onto an iPad Pro requires a Mac, which starts at $499.

An impossibility of using sensitive JavaScript APIs that are restricted to secure contexts.

And are you related to the late Dr. Florence Goodenough, who invented the Draw-A-Person intelligence test in the 1920s?

I ask because Simon Baron Cohen, who invented the Sally-Anne test for autism, is the cousin of the comedian who played Borat.

Why are you encrypting traffic within your own private network?

To avoid loss of functionality once the Fullscreen API becomes limited to secure contexts. Browsers no longer support sensitive JavaScript APIs over cleartext HTTP. There are plans to make Fullscreen API unavailable over cleartext HTTP because of demonstrated phishing attacks. Without the Fullscreen API, streaming video from a home NAS will be limited to a window.

Though the first version of Dr. Florence Goodenough's "Draw-A-Person" intelligence test wasn't perfect either, it was still good enough for sorting children into tracks for gifted, normal, or intellectually disabled students.

Are you gay? You make lots of references to anal sex? Perhaps a member of GNAA, are you? You were shot, stabbed and beaten with bats? I am completely shocked given your award winning personality! Did you APK spam the wrong forum? You know those Unix guys don't put up with much crap. Sigh, 50 years old and still so much to learn...

Remember the promise you made here: https://pineight.com/mw/?title...? Act on it! Today is not too late!

Since you lie about everything, it shall be taken with a grain of salt that, "I've been stabbed, shot @ (took one in leg) & yes been in battles w/ bats". Assuming this is true, we are 110% positive that you deserved it. You are a fucking asshole on the internet, and likely an even bigger fucking asshole in real life? Do you drink, Mr. Kowalski? Vodka, I'd bet. How many bottles of that have you had hurled at your empty skull?

Quoting the douchebag Alexander P. Kowalski, " /.'ers disagree unidentifiable lying pussy"
7 slashdotters out of over 4 million accounts agreed with you?

[sarcasm]Holy fuck! 0.00000175% support! Fuck me, you are programming god, a gift to mankind, one to be looked up to! [/sarcasm]
(Sarcasm tags included because you really do think you are a fucking god to programmers....I woudn't want to hurt that last brain cell you have.)

Why so mad anon doesn't reveal him/herself? What would little APK do if he met anon? I bet you'd try to hurt anon with a verbal wall of APK spam!
Didn't you say back in 2015 that in 2016 you weren't going to spam Slashdot anymore? Let me fucking remind you: https://pineight.com/mw/?title...
(Apologies for the sheer wall of APK spam that will be inflicted upon you!)

"APK EDIT: Tepples, I'll incorporate MY thoughts now - for my NEW YEARS RESOLUTION (one of them) It's "adios" to /. - I've left slashdot for a New Year's Resolution. Why? See above & the antics you yourself notice from my detractors."
You are a fucking fraud and your 'hosts' file solution can't do fucking jack shit when an attacker uses IP addresses instead of domain names. HOW FUCKING STUPID ARE YOU???

Also, Malwarebytes didn't recommend your shitty program - they endorsed using a host file as a filter - you filthy disgusting lying piece of shit.

P.S. You sound like a fucking baby with these lameass comments:
[Wall of APK spam] and then this: "validly technically disprove my points"
[Yet another wall of APK spam] containing this gem: "I validly combatted & disproved their points"

Let's be very fucking clear: Your shitty hosts 'program' has been disproved, shot down, stomped on and completely destroyed, time and time again. Here and at Ars, in particular .

Now validly, technically combat everything that was in the ACs post where he/she deservedly piled shit all over you.
P.P.S Suicide. Consider it, today.

figure out all those Tool lyrics

Why are your hands covered in sheep blood and gum?

It seems like there is really nothing special about a Wii that makes it a good target for homebrew development.

I asked a similar question. Let me summarize the reply I got and other articles I've written about the topic (1 2 3). In no particular order:

1. Wii had SDTV out and PC didn't, which was important in the mid-2000s when the largest monitor in a home was likely to be standard definition.
2. Wii is smaller and quieter than a typical tower PC.
3. Wii plus the Super Smash Bros. Brawl disc and SD card to launch Smash Stack was cheaper than a typical PC.
4. The pointing device bundled with a Wii could be used from a couch; the one that came with a desktop PC required a desk.
5. Lower latency audio API by default.
6. Many don't want to have to lug the family PC back and forth between the computer desk and the living room, as if you were going to a LAN party every day, or to tie it up while a game is being played.
7. Predictability of hardware capability eases evaluation of a program's system requirements.

It seems like there is really nothing special about a Wii that makes it a good target for homebrew development.

I asked a similar question. Let me summarize the reply I got and other articles I've written about the topic (1 2 3). In no particular order:

1. Wii had SDTV out and PC didn't, which was important in the mid-2000s when the largest monitor in a home was likely to be standard definition.
2. Wii is smaller and quieter than a typical tower PC.
3. Wii plus the Super Smash Bros. Brawl disc and SD card to launch Smash Stack was cheaper than a typical PC.
4. The pointing device bundled with a Wii could be used from a couch; the one that came with a desktop PC required a desk.
5. Lower latency audio API by default.
6. Many don't want to have to lug the family PC back and forth between the computer desk and the living room, as if you were going to a LAN party every day, or to tie it up while a game is being played.
7. Predictability of hardware capability eases evaluation of a program's system requirements.

It seems like there is really nothing special about a Wii that makes it a good target for homebrew development.

I asked a similar question. Let me summarize the reply I got and other articles I've written about the topic (1 2 3). In no particular order:

1. Wii had SDTV out and PC didn't, which was important in the mid-2000s when the largest monitor in a home was likely to be standard definition.
2. Wii is smaller and quieter than a typical tower PC.
3. Wii plus the Super Smash Bros. Brawl disc and SD card to launch Smash Stack was cheaper than a typical PC.
4. The pointing device bundled with a Wii could be used from a couch; the one that came with a desktop PC required a desk.
5. Lower latency audio API by default.
6. Many don't want to have to lug the family PC back and forth between the computer desk and the living room, as if you were going to a LAN party every day, or to tie it up while a game is being played.
7. Predictability of hardware capability eases evaluation of a program's system requirements.

I kill off all media sites that don't provide for a comment section

That depends on what you call "media sites". Do Netflix, Hulu, Amazon Video, and the like have public comment sections? And who do you expect to pay for engineering, securing, and moderating each site's comment section? Would you blacklist my website because pages outside the wiki area have no comment section?

I don't generally kill off advertisers unless they misbehave

I rely on the blocking list used by Firefox Tracking Protection, which mostly consist of advertisers that "misbehave" by tracking users.

Any auto-play video is enough to get me to add a source to the hosts file

Including sites like YouTube.com?

Actually been thinking about publishing the "doesn't allow comments" section

I just wonder what use such a list would be. At least one other Slashdot user has claimed that, for example, because Disqus makes money from tracking users across sites, Disqus comments are worse than not bothering to engineer a commenting module at all.

I've written programs, but not programs to build hosts files. I have, however, written an article about the pros and cons of using programs like APK's.

The following assumes the jurisdiction of the home country of Google, Microsoft, and Slashdot:

who gets decide whether something really is a copyright infringement or not?

The U.S. Constitution grants the power to define copyright infringement to Congress within the limits of the First Amendment. Congress has created statutory limits on copyright, some specific and others largely left up to the judicial branch.

Someone with an economical interest?

Is the issue a conflict of interest arising from congressional election campaign finance and in-kind donations of positive publicity?

putting each url on separate lines instead of grouping them logically by SLD

Some hosts parsers do not understand more than one hostname per line, though recent Windows supports up to nine.

inconsistent ordering of the bare versions and the www. versions

Ideally, a hosts parser would use a Bloom filter to cache a large file. But because most operating systems instead use a linear scan, more frequently accessed hostnames should go near the top. If you're using it to work around flaky ISP DNS, hostnames you use frequently should go above hostnames you're blocking. Thus the output of a tool that automatically sorts entries by access frequency might look inconsistent in this manner.

Silent audio won't necessarily work, as browsers are already detecting whether a video's audio is silent. In Firefox 51, this video that has intermittent audio causes the speaker icon in the tab to blink on and off whenever the game plays a sound effect.

Easy solution, the audio file will be a constant tone at 100 kHz. The user wouldn't notice it since it is well outside human hearing range, and the sound is playing 100% of the time.