Really, Slashdot? 4, Insightful for a comment that has no idea what it's talking about? All you need to do is read the Wikipedia article you link to:
Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries or simple, easily-predicted variations on words, such as appending a digit.
Emphasis mine.
A dictionary attack is a fast way to crack a password consisting of a single word. The conventional wisdom of how to thwart a dictionary attack is to replace letters with symbols and append a few more symbols to the end. Randall's comic is intended to establish that simply using more than one word will thwart a dictionary attack much more effectively.
His comic does this by calculating entropy. His estimates of "3 days" and "550 years" are the theoretical best time to crack the password, and already take into account that English words have lower entropy than their constituent characters. Actual attacks such as dictionary attacks are slower than these theoretical best estimates.
Re:Missing the point AND arrogant. Nice twofer.
on
SOPA and PIPA So Far
·
· Score: 1
And Fark, Reddit, and Wired are for digital neophytes who aren't well informed about the topic?
Surprising as it may be, Fark, Reddit, and Wired are for people less technical than your average Slashdotter. I mean, it's certainly plausible that your average Reddit user who goes on/r/f7u12 for "meme pics" might be unaware of it. Slashdot, on the other hand, has little to offer people who aren't technically-minded. Even Wired tends to be pretty "casual"; I doubt they have articles on the latest releases of the Linux kernel.
Yes, I agree with everything you said, and with your original post as well. I just wanted to reply because you asked "When's the last time you saw a swastika?" and the last time I had seen a swastika, it had nothing to do with Nazi Germany.
And also because I, too, would love to see the swastika reclaimed to its original meaning of good fortune in the West, and educating users on Slashdot is certainly a valid avenue.:D
There are many replies making this point, so I'll just reply to this one.
The swastika was indeed associated with good luck in the West as well, which is why I said "didn't have as much meaning" rather than "had no meaning". The idea I was trying to get across was that the association was much weaker, though. The swastika in the East is a religious symbol with thousands of years of history. In the West, it was much more minor.
It's like the Christian cross. The Crusades and the Spanish Inquisition used that symbol and killed tons of people, but the cross has not lost its meaning. If the Spanish Inquisition had used, say, four-leaf clovers, instead, though, modern St. Patrick's Day would probably not use that motif.
Sorry, I should have been more clear. The local flea markets and local temple were local to my home back in China, before I moved to the US.
However, I find your tone a bit unnerving. I did say "I'm not saying that banning swastikas in Xbox Live was a bad decision. It was probably the correct decision, especially if the majority of the Xbox Live users in question are American - though I agree with metrix007 that this guy could have had a better tone about it."
Again, I was disagreeing with the guy acting like the swastika-Nazism association was universal. I had nothing wrong with the premise of TFA.
Let me try to list all the recent times I've seen swastikas:
- once, in a screenshot of 4chan trying to be funny - three times, in a world history textbook, talking about the Third Reich - at least fifty times, at the local Buddhist temple - at least thirty times, in various good-luck charms sold at local flea markets - once before every important exam I take in school, in a good-luck charm passed down to me from my mother (it looks a lot like the one I linked to) - at least twice, in friends' houses, where they are said to bring good luck
Perhaps, wherever you live, swastikas aren't commonly used, and perhaps you have no interest in other cultures. There's nothing wrong with that. But to assume that your experience holds true for the entire world - and that the swastika universally no longer holds any meaning besides that which was ascribed to it by Nazi Germany - is laughable.
In Western Europe and North America, the swastika didn't have very much meaning before World War II, so after World War II, it became strongly associated with Nazism. But in Southeast Asia, the swastika has been a symbol of good fortune for thousands of years, and a fleeting decade-long regime in some far-off country did very little to change that.
Even in the West, such as in the United States, there are many immigrants from Asian countries. I am one of those people, and if someone showed me a swastika (and it wasn't enclosed in a white circle on a background of red), I would think "good luck" before I thought "Nazis", and I bet a significant number of other people in Western countries would, as well.
I'm not saying that banning swastikas in Xbox Live was a bad decision. It was probably the correct decision, especially if the majority of the Xbox Live users in question are American - though I agree with metrix007 that this guy could have had a better tone about it. I am, however, saying that the association between the swastika and nothing but Nazi Germany is far from universal.
Erm, I don't think you know what "properly extracted" means.
exa­mple.com doesn't lead to example.com, it leads to xn--example-nka.com, so if you extract the former instead of the latter, you're doing it wrong.
Chrome 6+ adapts to Ubuntu 10.04+'s close/maximize/minimize button positions; Chrome 5 doesn't. I'm guessing they were using Chrome 5, and you were using Chrome 6/7.
Every single modern browser comes with a JavaScript debugger with the ability to set breakpoints, inspect variables, and single-step through code (except Firefox, which requires an extension to do it).
(Sadly, most developers are only aware of Firebug, and say things like "Firebug can inspect elements" and "Firebug can set breakpoints just by clicking on the line number" as if it weren't true that every other browser can do the same thing without having to install an extension.)
I said "given the option to prevent the change", not "ratify the change". There is no such thing as ratifying changes. It would work something like this:
1. Spambot adds the email address of one of the botmaster minions. 2. You receive an e-mail notifying you that you added a new e-mail address to your old e-mail address, with a link to reverse the change. 3. Spambot changes the account password. 4. You receive another e-mail notifying you changed your password, with a link to reverse the change. 5. You click either link. Facebook makes you reset your password (no need to know the spambot's changed password), and the new e-mail address is removed.
1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.
You know, this can't actually result in an account takeover. Facebook implements a reasonably secure e-mail address change feature - all your existing e-mail addresses are notified and given the option to prevent the change.
Should have RTFA I guess, I now realize Mr Pike just talks in circles and really didn't have anything of value to say other than 'programming is hard'.
No, he doesn't. TFA-writer Joab Jackson talks in circles and doesn't have anything of value to say. Mr. Pike, on the other hand, appears to be saying that Google Go fixes a lot of unnecessary complexity in Java and C++.
It doesn't catch every single resource -- ad blocking plugins for Chrome admit that it won't catch everything and still has to just hide some ads.
It looks like the resource blocking not working in some cases is an accepted bug, and thus will be fixed soon.
And it's not nearly powerful enough for NoScript to work.
Chrome has that built-in. Go to "Preferences" -> "Under the Hood" -> "Content Settings" -> "JavaScript" -> "Block all". You can also manage per-site blocking from that screen. On websites that use JavaScript, a "JavaScript blocked" icon will appear in the toolbar, and you can click on it and click "Allow JavaScript on this site".
A lot of the really useful selectors, for instance, aren't available in IE6. Not to mention min-width/max-width, and white-space:pre. And using left and right in the same rule makes IE6/IE7 ignore right. In IE6/IE7, there's plenty that goes unimplemented, like:active and:before and outline and display:table; and border-style:dotted; and vertical-align:middle; and background-position:fixed;.
These aren't obscure features no one uses, these are all features I've wanted to use while designing my webpages that are supported by every other browser that IE6 and IE7 don't support.
What are my obligations as a human being to run an open proxy for IP addresses that come from China? (i.e. drop the rest of the IPs to keep freeloaders out); I am torn between the trouble *I* can get in for blindly proxying traffic, versus the feel good vibe from letting someone get onto the unfiltered net. Thoughts?
Well, let me tell you a story.
Way back in 2006 or so, I went on a trip to China. This was back when the Great Firewall blocked Wikipedia, and a few weeks in, I was suffering from Wikipedia-withdrawal. So I called one of my friends, who was a coder for an online MUD, and got him to set up a web proxy on the MUD's website.
Anyway, three days later, the site was blocked. Nothing else happened. I mentioned it to my mom, and she said that's usually how it goes. The government passively adds blocks and deletes messages you make that it disapproves of, but it doesn't actively seek you out and tell you to stop, or otherwise punish you.
I suspect that's how it'll go if you set up a proxy. It gets blocked quickly, nothing else happens.
because TFA doesn't explain that google wrote it themselves. Heck, even the google blog announcement doesn't explain that google wrote it themselves. Guess what, it turns out google did not write it themselves, they're using libpdf.so which is libpdf
I was referring to the Google blog post, which is linked from the Slashdot summary and thus counts as "TFA".
It says "Currently, we do not support 100% of the advanced PDF features found in Adobe Reader, such as certain types of embedded media" and "We would also like to work with the Adobe Reader team to bring the full PDF feature set to Chrome using the same next generation browser plug-in API", which I took to mean that:
1. it clearly isn't being written by Adobe, and 2. even if Google didn't write it, they are maintaining and improving it, so they "wrote it" in the same sense that Apple "wrote" WebKit.
As for the "libpdf.so", part, I assume you're looking at the part of the code that says
#if defined(OS_WIN)
cur = cur.Append(FILE_PATH_LITERAL("pdf.dll")); #elif defined(OS_MACOSX)
cur = cur.Append(FILE_PATH_LITERAL("PDF.plugin")); #else// Linux and Chrome OS
cur = cur.Append(FILE_PATH_LITERAL("libpdf.so")); #endif
Which means that they're using a file called libpdf.so on Linux. As another one of your replies points out, this is doubtful to be the 9-year-old unmaintained incomplete C library you link to, and judging from the Windows and Mac filenames, this is nearly definitely a library written (or at least maintained) by Google.
Why should they be inconsistent? Why should HTTP be hidden but HTTPS and FTP and other protocols be shown?
I've never found the protocol being displayed in my browser to somehow "distract" me or reduce my productivity. Is this seriously a concern?
It reduces your productivity because there's more to read. Instead of being able to look to the leftmost side of the address bar to see the domain, you have to look to the leftmost side, then scan right until you find the domain. It's really minor, but it's there.
I also like to resize browser windows sometimes. Especially since Chrome makes it easy to drag tabs into new windows, I often drag a tab out, and then resize it into a narrow sidebar I can refer to while doing something else. In cases like that, I'd much rather see "google..." than "http://g..."
The inconsistency of still showing "https://" is actually helpful. It's a lot easier to see the difference between nothing and "https://" than between "http://" and "https://". Since http is most common, it makes sense that a departure from that protocol should be easily visible.
And there's also the "Why not?" I haven't really heard any reasons why httpshould be kept.
From a security point of view, I'd feel better if Google wrote their own PDF implementation. Far be it for me to read TFA, but I get the impression that this code comes from Adobe, whose software generally makes me nervous.
I've read it for you. The code doesn't come from Adobe, Google wrote it themselves. It also uses Google's new sandboxed plugin API, so it would be less of a security concern even if it did.
(I'm surprised you got two replies who also didn't RTFA.)
Everyone knows about them removing http:/// from the URL bar already. Their reasoning was, to put it politely, complete horseshit. That was a change they never should have made.
Erm... why not? Please, enlighten us. Personally, I find it great. If I'm at the Google.com homepage, I should see "google.com" in the address bar; everything else is just unnecessary and distracting. I don't really need "http://" there to remember that it's a web site; the fact that I'm using a web browser is kind of enough.
What if you're recording a movie, and a naked person walks past the spot you're recording, and you accidentally record it, so you apologize and offer to delete what you've recorded, and then five governments intervene?
Chrome/Chromium still doesn't have an adblocker that actually blocks ads instead of just hiding them. Adblock Plus saves bandwidth, finishes loading a page quicker because you'll never get hung up on a slow/dead ad server, and neatly reformats the page to work without the ads.
"Finishes loading a page quicker" isn't necessarily true. Most of the sites I frequent either don't have ads, or let me turn off ads, and even the ones that don't, ads load asynchronously, so Chrome is usually still faster than Firefox+ABP.
It's been a while since I've used either AdBlock (again, the sites I frequent are usually reasonable about them), but the last time I checked, ABP for Chrome is better at reformatting the page than ABP for Firefox, so that doesn't apply either.
Bandwidth is the only real objection, and if you're regularly hitting your ISP's bandwidth limits, your ISP is either worse than the US's (which is fairly rare) or blocking ads isn't going to help. If you care about bandwidth anyway, well, see below.
Once THAT level of functionality in an adblocker arrives with Chrome/Chromium, only then will I consider switching. And don't tell me to use a HOSTS file; what if I want to whitelist certain sites?
"But Mr Dent, the plans have been available in the local planning office for the last nine month."
"Oh yes, well as soon as I heard I went straight round to see them, yesterday afternoon. You hadn't exactly gone out of your way to call attention to them had you? I mean like actually telling anybody or anything."
"But the plans were on display..."
"On display? I eventually had to go down to the cellar to find them."
"That's the display department."
"With a torch."
"Ah, well the lights had probably gone."
"So had the stairs."
"But look, you found the notice didn't you?"
"Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying Beware of the Leopard."
Likewise in software, where upgrades are mandatory even though the current software works just fine. "But it's old tech!" the developer shouts at his utterly stupid users. "Why won't you upgrade? I really enjoyed working on this!" I recently asked a question on a support forum about Drupal. I didn't get my question answered, as the developers immediately discussed the fact I was using the "old tech" version (5) and the entire discussion became about when I was going to upgrade to the latest greatest version (7). Why should I? My software works just fine and customers are happy.
Your software clearly doesn't "work just fine" if you're asking a support question.
Okay, developers have many reasons for wanting users on the latest version (e.g. userbase fragmentation, which especially sucks if what you're making is multiplayer), but the biggest one is that it's hella frustrating to get bug reports about old versions. I've heard users ask "Why isn't this bug fixed yet?" about bugs that were fixed ages ago. You want to use an old version, that's fine, but if you want support, you should be using the newest version.
Especially with open-source software. We're not getting paid to support old versions, so we're going to keep on working on the latest and greatest. Even if it's not a bug report, it's just a question about how to do something - we're not going to remember how we implemented the feature two versions and three years ago. We just know how it's done now, which is probably a better way, anyway.
And in open-source software, upgrading is generally a good thing. Sure, in proprietary software, they often just release new versions to draw money out of customers even though nothing's actually improved, but in open-source, if we release a new version, it's generally because it's actually better. If you disagree, go ahead and use the old version, maybe even fork it if it's that popular, but, again, you're not going to get any support from us guys working on the newest version.
Security upgrades are more like obscurity upgrades. "Because it's last year's fashion, daaahling"
Okay, see, normally, I don't really care how much you screw up your own computer. You generally don't notice when you have security problems, since it's in malware's best interest not to be noticed - if it gets noticed, it gets removed. Instead, it sits there, silently being a part of a botnet, and, at that point, you're not just screwing up your own computer, and you better be taking responsibility for all the DDoSing and spamming your computer is doing because you're too lazy to apply a #^%$ing security update.
Slashdot Mirror
Really, Slashdot? 4, Insightful for a comment that has no idea what it's talking about? All you need to do is read the Wikipedia article you link to:
Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries or simple, easily-predicted variations on words, such as appending a digit.
Emphasis mine.
A dictionary attack is a fast way to crack a password consisting of a single word. The conventional wisdom of how to thwart a dictionary attack is to replace letters with symbols and append a few more symbols to the end. Randall's comic is intended to establish that simply using more than one word will thwart a dictionary attack much more effectively.
His comic does this by calculating entropy. His estimates of "3 days" and "550 years" are the theoretical best time to crack the password, and already take into account that English words have lower entropy than their constituent characters. Actual attacks such as dictionary attacks are slower than these theoretical best estimates.
default opt-out
The word you're looking for is "opt-in". ;)
And Fark, Reddit, and Wired are for digital neophytes who aren't well informed about the topic?
Surprising as it may be, Fark, Reddit, and Wired are for people less technical than your average Slashdotter. I mean, it's certainly plausible that your average Reddit user who goes on /r/f7u12 for "meme pics" might be unaware of it. Slashdot, on the other hand, has little to offer people who aren't technically-minded. Even Wired tends to be pretty "casual"; I doubt they have articles on the latest releases of the Linux kernel.
Yes, I agree with everything you said, and with your original post as well. I just wanted to reply because you asked "When's the last time you saw a swastika?" and the last time I had seen a swastika, it had nothing to do with Nazi Germany.
And also because I, too, would love to see the swastika reclaimed to its original meaning of good fortune in the West, and educating users on Slashdot is certainly a valid avenue. :D
There are many replies making this point, so I'll just reply to this one.
The swastika was indeed associated with good luck in the West as well, which is why I said "didn't have as much meaning" rather than "had no meaning". The idea I was trying to get across was that the association was much weaker, though. The swastika in the East is a religious symbol with thousands of years of history. In the West, it was much more minor.
It's like the Christian cross. The Crusades and the Spanish Inquisition used that symbol and killed tons of people, but the cross has not lost its meaning. If the Spanish Inquisition had used, say, four-leaf clovers, instead, though, modern St. Patrick's Day would probably not use that motif.
Sorry, I should have been more clear. The local flea markets and local temple were local to my home back in China, before I moved to the US.
However, I find your tone a bit unnerving. I did say "I'm not saying that banning swastikas in Xbox Live was a bad decision. It was probably the correct decision, especially if the majority of the Xbox Live users in question are American - though I agree with metrix007 that this guy could have had a better tone about it."
Again, I was disagreeing with the guy acting like the swastika-Nazism association was universal. I had nothing wrong with the premise of TFA.
When's the last time you saw a swastika in a movie or a flier or a tattoo or a T-shirt, and it wasn't this bad boy or a reference to it?
The last time I saw a swastika, it looked something like this: http://www.religionfacts.com/buddhism/images/symbols/swastika-chinese-amulet-cc-rubicon-200.jpg
Let me try to list all the recent times I've seen swastikas:
- once, in a screenshot of 4chan trying to be funny
- three times, in a world history textbook, talking about the Third Reich
- at least fifty times, at the local Buddhist temple
- at least thirty times, in various good-luck charms sold at local flea markets
- once before every important exam I take in school, in a good-luck charm passed down to me from my mother (it looks a lot like the one I linked to)
- at least twice, in friends' houses, where they are said to bring good luck
Perhaps, wherever you live, swastikas aren't commonly used, and perhaps you have no interest in other cultures. There's nothing wrong with that. But to assume that your experience holds true for the entire world - and that the swastika universally no longer holds any meaning besides that which was ascribed to it by Nazi Germany - is laughable.
In Western Europe and North America, the swastika didn't have very much meaning before World War II, so after World War II, it became strongly associated with Nazism. But in Southeast Asia, the swastika has been a symbol of good fortune for thousands of years, and a fleeting decade-long regime in some far-off country did very little to change that.
Even in the West, such as in the United States, there are many immigrants from Asian countries. I am one of those people, and if someone showed me a swastika (and it wasn't enclosed in a white circle on a background of red), I would think "good luck" before I thought "Nazis", and I bet a significant number of other people in Western countries would, as well.
I'm not saying that banning swastikas in Xbox Live was a bad decision. It was probably the correct decision, especially if the majority of the Xbox Live users in question are American - though I agree with metrix007 that this guy could have had a better tone about it. I am, however, saying that the association between the swastika and nothing but Nazi Germany is far from universal.
Erm, I don't think you know what "properly extracted" means.
exa­mple.com doesn't lead to example.com, it leads to xn--example-nka.com, so if you extract the former instead of the latter, you're doing it wrong.
I think you're talking about 12 Angry Men.
Chrome 6+ adapts to Ubuntu 10.04+'s close/maximize/minimize button positions; Chrome 5 doesn't. I'm guessing they were using Chrome 5, and you were using Chrome 6/7.
Chrome Developer Tools.
Opera Dragonfly.
Firebug.
Internet Explorer Developer Tools.
Safari Developer Tools.
Every single modern browser comes with a JavaScript debugger with the ability to set breakpoints, inspect variables, and single-step through code (except Firefox, which requires an extension to do it).
(Sadly, most developers are only aware of Firebug, and say things like "Firebug can inspect elements" and "Firebug can set breakpoints just by clicking on the line number" as if it weren't true that every other browser can do the same thing without having to install an extension.)
I said "given the option to prevent the change", not "ratify the change". There is no such thing as ratifying changes. It would work something like this:
1. Spambot adds the email address of one of the botmaster minions.
2. You receive an e-mail notifying you that you added a new e-mail address to your old e-mail address, with a link to reverse the change.
3. Spambot changes the account password.
4. You receive another e-mail notifying you changed your password, with a link to reverse the change.
5. You click either link. Facebook makes you reset your password (no need to know the spambot's changed password), and the new e-mail address is removed.
1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.
You know, this can't actually result in an account takeover. Facebook implements a reasonably secure e-mail address change feature - all your existing e-mail addresses are notified and given the option to prevent the change.
Should have RTFA I guess, I now realize Mr Pike just talks in circles and really didn't have anything of value to say other than 'programming is hard'.
No, he doesn't. TFA-writer Joab Jackson talks in circles and doesn't have anything of value to say. Mr. Pike, on the other hand, appears to be saying that Google Go fixes a lot of unnecessary complexity in Java and C++.
His keynote isn't linked from either the Slashdot summary or TFA, but can be seen here: http://www.youtube.com/watch?v=5kj5ApnhPAE
It doesn't catch every single resource -- ad blocking plugins for Chrome admit that it won't catch everything and still has to just hide some ads.
It looks like the resource blocking not working in some cases is an accepted bug, and thus will be fixed soon.
And it's not nearly powerful enough for NoScript to work.
Chrome has that built-in. Go to "Preferences" -> "Under the Hood" -> "Content Settings" -> "JavaScript" -> "Block all". You can also manage per-site blocking from that screen. On websites that use JavaScript, a "JavaScript blocked" icon will appear in the toolbar, and you can click on it and click "Allow JavaScript on this site".
A lot of CSS2 features don't even work correctly in IE6 and IE7: http://en.wikipedia.org/wiki/Comparison_of_layout_engines_(Cascading_Style_Sheets)
A lot of the really useful selectors, for instance, aren't available in IE6. Not to mention min-width/max-width, and white-space:pre. And using left and right in the same rule makes IE6/IE7 ignore right. In IE6/IE7, there's plenty that goes unimplemented, like :active and :before and outline and display:table; and border-style:dotted; and vertical-align:middle; and background-position:fixed;.
These aren't obscure features no one uses, these are all features I've wanted to use while designing my webpages that are supported by every other browser that IE6 and IE7 don't support.
We should really be looking to fix those, first.
What are my obligations as a human being to run an open proxy for IP addresses that come from China? (i.e. drop the rest of the IPs to keep freeloaders out); I am torn between the trouble *I* can get in for blindly proxying traffic, versus the feel good vibe from letting someone get onto the unfiltered net. Thoughts?
Well, let me tell you a story.
Way back in 2006 or so, I went on a trip to China. This was back when the Great Firewall blocked Wikipedia, and a few weeks in, I was suffering from Wikipedia-withdrawal. So I called one of my friends, who was a coder for an online MUD, and got him to set up a web proxy on the MUD's website.
I even made an edit on that proxy: http://en.wikipedia.org/w/index.php?title=Business_Professionals_of_America&diff=prev&oldid=68970071 - that's how I discovered their server had mod_rewrite on, and the proxy software didn't have a workaround for that. Had to get my friend to fix the quote escaping.
Anyway, three days later, the site was blocked. Nothing else happened. I mentioned it to my mom, and she said that's usually how it goes. The government passively adds blocks and deletes messages you make that it disapproves of, but it doesn't actively seek you out and tell you to stop, or otherwise punish you.
I suspect that's how it'll go if you set up a proxy. It gets blocked quickly, nothing else happens.
because TFA doesn't explain that google wrote it themselves. Heck, even the google blog announcement doesn't explain that google wrote it themselves. Guess what, it turns out google did not write it themselves, they're using libpdf.so which is libpdf
I was referring to the Google blog post, which is linked from the Slashdot summary and thus counts as "TFA".
It says "Currently, we do not support 100% of the advanced PDF features found in Adobe Reader, such as certain types of embedded media" and "We would also like to work with the Adobe Reader team to bring the full PDF feature set to Chrome using the same next generation browser plug-in API", which I took to mean that:
1. it clearly isn't being written by Adobe, and
2. even if Google didn't write it, they are maintaining and improving it, so they "wrote it" in the same sense that Apple "wrote" WebKit.
As for the "libpdf.so", part, I assume you're looking at the part of the code that says
#if defined(OS_WIN) // Linux and Chrome OS
cur = cur.Append(FILE_PATH_LITERAL("pdf.dll"));
#elif defined(OS_MACOSX)
cur = cur.Append(FILE_PATH_LITERAL("PDF.plugin"));
#else
cur = cur.Append(FILE_PATH_LITERAL("libpdf.so"));
#endif
Which means that they're using a file called libpdf.so on Linux. As another one of your replies points out, this is doubtful to be the 9-year-old unmaintained incomplete C library you link to, and judging from the Windows and Mac filenames, this is nearly definitely a library written (or at least maintained) by Google.
Why should they be inconsistent? Why should HTTP be hidden but HTTPS and FTP and other protocols be shown?
I've never found the protocol being displayed in my browser to somehow "distract" me or reduce my productivity. Is this seriously a concern?
It reduces your productivity because there's more to read. Instead of being able to look to the leftmost side of the address bar to see the domain, you have to look to the leftmost side, then scan right until you find the domain. It's really minor, but it's there.
I also like to resize browser windows sometimes. Especially since Chrome makes it easy to drag tabs into new windows, I often drag a tab out, and then resize it into a narrow sidebar I can refer to while doing something else. In cases like that, I'd much rather see "google..." than "http://g..."
The inconsistency of still showing "https://" is actually helpful. It's a lot easier to see the difference between nothing and "https://" than between "http://" and "https://". Since http is most common, it makes sense that a departure from that protocol should be easily visible.
And there's also the "Why not?" I haven't really heard any reasons why http should be kept.
From a security point of view, I'd feel better if Google wrote their own PDF implementation. Far be it for me to read TFA, but I get the impression that this code comes from Adobe, whose software generally makes me nervous.
I've read it for you. The code doesn't come from Adobe, Google wrote it themselves. It also uses Google's new sandboxed plugin API, so it would be less of a security concern even if it did.
(I'm surprised you got two replies who also didn't RTFA.)
Everyone knows about them removing http:/// from the URL bar already. Their reasoning was, to put it politely, complete horseshit. That was a change they never should have made.
Erm... why not? Please, enlighten us. Personally, I find it great. If I'm at the Google.com homepage, I should see "google.com" in the address bar; everything else is just unnecessary and distracting. I don't really need "http://" there to remember that it's a web site; the fact that I'm using a web browser is kind of enough.
What if you're recording a movie, and a naked person walks past the spot you're recording, and you accidentally record it, so you apologize and offer to delete what you've recorded, and then five governments intervene?
Chrome/Chromium still doesn't have an adblocker that actually blocks ads instead of just hiding them. Adblock Plus saves bandwidth, finishes loading a page quicker because you'll never get hung up on a slow/dead ad server, and neatly reformats the page to work without the ads.
"Finishes loading a page quicker" isn't necessarily true. Most of the sites I frequent either don't have ads, or let me turn off ads, and even the ones that don't, ads load asynchronously, so Chrome is usually still faster than Firefox+ABP.
It's been a while since I've used either AdBlock (again, the sites I frequent are usually reasonable about them), but the last time I checked, ABP for Chrome is better at reformatting the page than ABP for Firefox, so that doesn't apply either.
Bandwidth is the only real objection, and if you're regularly hitting your ISP's bandwidth limits, your ISP is either worse than the US's (which is fairly rare) or blocking ads isn't going to help. If you care about bandwidth anyway, well, see below.
Once THAT level of functionality in an adblocker arrives with Chrome/Chromium, only then will I consider switching. And don't tell me to use a HOSTS file; what if I want to whitelist certain sites?
Okay. How about Privoxy?
"But Mr Dent, the plans have been available in the local planning office for the last nine month."
"Oh yes, well as soon as I heard I went straight round to see them, yesterday afternoon. You hadn't exactly gone out of your way to call attention to them had you? I mean like actually telling anybody or anything."
"But the plans were on display ..."
"On display? I eventually had to go down to the cellar to find them."
"That's the display department."
"With a torch."
"Ah, well the lights had probably gone."
"So had the stairs."
"But look, you found the notice didn't you?"
"Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying Beware of the Leopard."
From HHGG
Likewise in software, where upgrades are mandatory even though the current software works just fine. "But it's old tech!" the developer shouts at his utterly stupid users. "Why won't you upgrade? I really enjoyed working on this!" I recently asked a question on a support forum about Drupal. I didn't get my question answered, as the developers immediately discussed the fact I was using the "old tech" version (5) and the entire discussion became about when I was going to upgrade to the latest greatest version (7). Why should I? My software works just fine and customers are happy.
Your software clearly doesn't "work just fine" if you're asking a support question.
Okay, developers have many reasons for wanting users on the latest version (e.g. userbase fragmentation, which especially sucks if what you're making is multiplayer), but the biggest one is that it's hella frustrating to get bug reports about old versions. I've heard users ask "Why isn't this bug fixed yet?" about bugs that were fixed ages ago. You want to use an old version, that's fine, but if you want support, you should be using the newest version.
Especially with open-source software. We're not getting paid to support old versions, so we're going to keep on working on the latest and greatest. Even if it's not a bug report, it's just a question about how to do something - we're not going to remember how we implemented the feature two versions and three years ago. We just know how it's done now, which is probably a better way, anyway.
And in open-source software, upgrading is generally a good thing. Sure, in proprietary software, they often just release new versions to draw money out of customers even though nothing's actually improved, but in open-source, if we release a new version, it's generally because it's actually better. If you disagree, go ahead and use the old version, maybe even fork it if it's that popular, but, again, you're not going to get any support from us guys working on the newest version.
Security upgrades are more like obscurity upgrades. "Because it's last year's fashion, daaahling"
Okay, see, normally, I don't really care how much you screw up your own computer. You generally don't notice when you have security problems, since it's in malware's best interest not to be noticed - if it gets noticed, it gets removed. Instead, it sits there, silently being a part of a botnet, and, at that point, you're not just screwing up your own computer, and you better be taking responsibility for all the DDoSing and spamming your computer is doing because you're too lazy to apply a #^%$ing security update.