<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: noirscape</title><link>https://news.ycombinator.com/user?id=noirscape</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Wed, 10 Jun 2026 09:45:19 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=noirscape" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by noirscape in "Websites have a new way to spy on visitors: analyzing their SSD activity"]]></title><description><![CDATA[
<p>Browsers have an absolutely insane level of relatively unchecked permissions to do whatever they want on a client.<p>There's a lot of effort by browser developers to scope creep the browser into essentially being an OS-agnostic tech stack (one where, conveniently, code can be shipped across the network "as necessary", removing a lot of user agency for the software being run); Chrome being the biggest driver of this, while Firefox has an extremely weak spine in trying to limit it.<p>It's fairly dire and I wouldn't be surprised if there's a lot more of these side channel attacks in a lot of web APIs.</p>
]]></description><pubDate>Mon, 01 Jun 2026 09:38:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=48354595</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=48354595</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48354595</guid></item><item><title><![CDATA[New comment by noirscape in "What Apple and Google are doing to push notifications"]]></title><description><![CDATA[
<p>They can, but there's an OS option that basically is "I'm going to say yes, but then effectively do no". Basically it'll pretend to the application that a permission is granted, but then just keep returning empty information or doing nothing with it. So notification perms would then be seen as enabled, but nothing is actually being sent to the user.<p>Unfortunately Google isn't really exposing this to users, so you need something like App Ops or adb to set it up.</p>
]]></description><pubDate>Thu, 28 May 2026 14:27:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=48309427</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=48309427</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48309427</guid></item><item><title><![CDATA[New comment by noirscape in "BadHost – CVE-2026-48710: Starlette Host-Header Auth Bypass"]]></title><description><![CDATA[
<p>Or probably the most straightforward one, which is SSL termination. Most backend software usually has very bad support for HTTPS communication, while it's typically extensively documented for something like nginx. It also catches some other strangeness like making it easier to update the certificate.<p>The biggest risk is incorrect usage of the default_server directive, the proper way in which to handle it isn't usually taught in most "here's how you use nginx" tutorials. Most usually just have you edit the default server blocks.<p>Tldr that covers 99% of all cases: you want 2 default server blocks, one on port 80 and one on port 443. The one on port 80 should only return 444 (an internal nginx status code that stops the connection immediately with no response), while the one on port 443 should use ssl_reject_handshake to terminate the SSL connection as quickly as possible without causing strange errors (you also need a self-signed certificate because otherwise openssl refuses to do protocol negotiation correctly, but the cert doesn't actually do anything). After that, specify your actual domains as separate server blocks using server_name (including a separate one for each to do the port 80->443 redirect).<p>Arguably this should be the default configuration shipped by distros, but it isn't for some reason, which doesn't help matters.</p>
]]></description><pubDate>Wed, 27 May 2026 11:21:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=48292500</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=48292500</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48292500</guid></item><item><title><![CDATA[New comment by noirscape in "BadHost – CVE-2026-48710: Starlette Host-Header Auth Bypass"]]></title><description><![CDATA[
<p>If you're using nginx/apache/literally anything that does reverse proxying correctly, this shouldn't be a problem unless you're routing all traffic over default_server rules instead of server_name (or the equivalent).<p>They should be stopping this attack at the door (even if only to clean out your logs from scraper door knocks), which is probably why it went unnoticed for years. I don't think anyone would be deploying {A,W}SGI servers on public facing ports these days. Even if only because SSL termination is much easier in the proxy layer.<p>Also good lord that ARS article is a mess. What the hell happened there? An ASGI server isn't unique to AI or anything, it's just a regular supply chain dependency. I kinda expect better from ARS on stuff like this.</p>
]]></description><pubDate>Wed, 27 May 2026 08:17:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=48291250</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=48291250</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48291250</guid></item><item><title><![CDATA[New comment by noirscape in "Netherlands blocks US takeover of vital digital supplier"]]></title><description><![CDATA[
<p>In 2 years the contract is up for renegotiation to a different entity (and there's now plenty of political pressure to go with a different one), so I don't think it's a problem by then.<p>Tying the process up in the courts for that period is also a political victory, since by the time it'd be resolved, Solvinity wouldn't have the contract anymore anyways.</p>
]]></description><pubDate>Tue, 26 May 2026 15:12:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=48280936</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=48280936</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48280936</guid></item><item><title><![CDATA[New comment by noirscape in "FSFE intervenes against Apple before EUCJ for the second time"]]></title><description><![CDATA[
<p>The FSFE isn't nearly as impractical as the FSF is. Unlike the FSF, they're actually getting results, typically by lobbying politicians and trying to get governments to require that the code made for them is publicly available. From everything I've seen of them, they're much more capable of meeting people where they're at; take this lawsuit as an example.<p>The FSF wouldn't participate in a lawsuit like this because from the FSF's ideological perspective, the mistake is allowing Apple to have a closed source system to begin with (because they declared victory in the 90s and since then have shifted towards blaming users for not using Free Software); at most you'd see a head-up-ass press release after the lawsuit is settled, because that's what the FSF usually does; probably easier than actually putting in the effort to do anything to advance Free Software politically. The FSFE from what I can read in this post is actually cognizant that Apple actually has a market share and that opening up application development on Apple devices is a major step to ensuring a healthy Free Software ecosystem.<p>The FSF these days is a decrepit organization whose primary purpose in practice is to enable Richard Stallman to not have to participate in modern society and to host his philosophical screeds. Its issues are so specific to it that in terms of FOSS, they're a historical artifact at most. Even in the US, the SFC does more for the average free software developer (ref. the recent Bambu incident where they stepped up to help a developer from getting legal nastygrams from the company in question.)</p>
]]></description><pubDate>Fri, 22 May 2026 12:08:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=48234749</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=48234749</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48234749</guid></item><item><title><![CDATA[New comment by noirscape in "Goodbye Visa and Mastercard: 130M Europeans switching to sovereign payment"]]></title><description><![CDATA[
<p>It's in theory already possible with iDeal from what I can tell (I've seen companies that use subscriptions set up an initial iDeal payment and then convert it into a regular recurring SEPA Direct Debit), but I'm going to assume that the process is kind of messy since I haven't seen many companies implement the system in that way.<p>Direct Debit is very nice, largely because your bank manages the subscription; companies have to declare the payment ahead of time and if you get balance mixed up for some reason, then the bank will just do the payment whenever your balance is correct if it happens within a week. I've had credit cards decline on subscriptions before because I didn't have enough loaded up on them. Never had that issue with SEPA.<p>Either that or "credit cards just work", so very few entities bothered until now.</p>
]]></description><pubDate>Wed, 20 May 2026 15:49:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=48209723</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=48209723</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48209723</guid></item><item><title><![CDATA[New comment by noirscape in "FiveThirtyEight articles on the Internet Archive"]]></title><description><![CDATA[
<p>It's a bit more loaded than that. 538 post-Nate Silver had a model setup that was apparently kind of a mess. 538 was apparently sending strange messages to Republican leaning polling agencies, demanding they gave far more detailed audit information than usual (with the implication obviously being that they were fraudulent pollsters), and the guy running the site had fairly openly tuned his model on the assumption people cared about certain talking points. 538 was predicting Biden victories even when the polls were so overwhelmingly against him that not even the most Democratic leaning polling agencies had trust in him; even if you aren't running difficult math, that means something has gone wrong with the model.<p>(Something which got worse after Harris was picked, although every polling aggregator went barmy - there's suspicions that a lot of polling agencies aggressively normalized their data to avoid being seen as biased, leading to an almost 50/50 split.)</p>
]]></description><pubDate>Wed, 20 May 2026 12:51:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=48206857</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=48206857</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48206857</guid></item><item><title><![CDATA[New comment by noirscape in "Maybe you shouldn't install new software for a bit"]]></title><description><![CDATA[
<p>npm ci does indeed prevent that. The issue isn't really with npm in specific. Rather, it's with build tools like Microsoft's Oryx, which get pushed in GitHub Actions if you're using Azure App Service. That one by default uses `npm install` on older versions (it's been changed nowadays, but Azure's generated action files have a bad habit of generating with older versions of the actions they're using), even though it's specifically meant for CI usage.<p>In general, use of npm ci is usually sparsely documented - most node projects you can find just recommend using npm install during the setup, suggesting a failure in promoting its availability (I only know of it because I got frustrated that the lockfile kept clogging up git commits whenever I added dependencies with what looked like auto-generated build-time junk).</p>
]]></description><pubDate>Fri, 08 May 2026 11:31:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=48061640</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=48061640</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48061640</guid></item><item><title><![CDATA[New comment by noirscape in "SQLite Is a Library of Congress Recommended Storage Format"]]></title><description><![CDATA[
<p>Everywhere in the sense of "I have a USB stick/SD card, what do I format it to so that every major device I'm using can read it".<p>In practice, every OS has its preferred system and the rest has varying levels of "I guess this works", with FAT32 and exFAT being the only real cross-platform options.<p>To wit:<p>* NTFS is only really properly and fully supported on Windows. Apple mounts it read-only. Linux can certainly mount NTFS and do some basic reads and writes. Unfortunately for whatever reason, the Linux fsck tools for NTFS are absolutely terrible, poorly designed and generally can't fix even the most basic of issues. At the same time, mount refuses to work with a partially corrupted filesystem, so if you're dealing with dirty unmounts (where the worst case usually is some unclosed file handle rather than data loss, but this also happens if you try to mount a suspended Windows partition, which isn't uncommon since Windows hibernates by default and calls it fast boot), that's a boot to Windows just to fix it.<p>* Apple filesystems basically only work on Apple devices. It's technically possible to mount them on Linux, but you end up digging into the guts of a bunch of stuff that Apple usually just masks for you.<p>* ext4 is only properly read/write under Linux and requires external drivers under Windows (which may not work properly either, as corruption issues are common).<p>FAT32 is reliable in that any OS can fsck/chkdsk it and properly mount it without needing special drivers, but is hindered by ancient filesize limitations. exFAT, at least for most cases, is the only filesystem you can plug into most devices and expect more or less the same capabilities as FAT32 (read/write support, can fix filesystem corruption.)<p>Out of the OS-specific ones, NTFS seems like it has the most potential to be the one filesystem that works everywhere; it's modern, works good-ish on most devices, it's just that the fsck/chkdsk tooling is awful outside of Windows.</p>
]]></description><pubDate>Thu, 07 May 2026 13:05:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=48048938</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=48048938</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48048938</guid></item><item><title><![CDATA[New comment by noirscape in "Google Chrome silently installs a 4 GB AI model on your device without consent"]]></title><description><![CDATA[
<p>There's a name for when a virus scanner finds a program that may have a legitimate purpose, yet is typically bundled into other software in a malicious manner.<p>It's called a PUP, or Potentially Unwanted Program and most anti-viruses offer to remove them. They can be legitimately installed, but often aren't. (Usually they were shipped in the installers of legitimate software downloaded from sketchy distributors.)<p>Random AI models being shipped with Chrome is very much a PUP. The user wanted to browse the internet, not use a model. They'd install an extension if they wanted that.<p>The Ask toolbar was seen as a virus. Mozilla had massive user bleed in Firefox due to installing sponsored extensions in the browser. The only reason this shit isn't regarded the same way is because it's both done by Google and because it's labeled with AI, so all AI bros have to retroactively find an excuse to justify it.</p>
]]></description><pubDate>Wed, 06 May 2026 08:58:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=48033938</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=48033938</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48033938</guid></item><item><title><![CDATA[New comment by noirscape in "Apple accidentally left Claude.md files Apple Support app"]]></title><description><![CDATA[
<p>To be fair, most IDEs will usually try to commit their own workspace configurations to a git repo unless you tell them off with a .gitignore. They tend to also exclude themselves from gitignore presets for much the same reason.<p>VS Code is one notorious offender in that realm; it <i>will</i> try to commit settings.json, even if their gitignores are set up to ignore all other cruft.<p>In general, the question of what should go in the source folder is a bit of a mess. Source code, README and License make enough sense, but what about files describing project governance or CI configuration logic? Or what about files that are used to make the forge you're using render the repository in a certain way (for example: bug tracker templates). Those are all cruft insofar that they have nothing to do with code, but it's generally agreed on that you're supposed to commit those, maybe in a dot-folder if necessary.</p>
]]></description><pubDate>Fri, 01 May 2026 14:51:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=47975466</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=47975466</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47975466</guid></item><item><title><![CDATA[New comment by noirscape in "Mozilla's opposition to Chrome's Prompt API"]]></title><description><![CDATA[
<p>It's the typical "cart before the horse" kind of corporate tech talk. It's pretty standard if Silicon Valley wants to sell shit that nobody actually wants; they just assume that people will want it, regardless whether or not they actually want it. Most of the tech press is too obsessed with retaining their "access" to actually be critical of this sort of thing, and most of the regular press doesn't care enough to actually investigate.<p>We've seen this sort of song and dance before, crypto jumps to mind. Remember when social media sites suddenly were all about those hexagonal avatars? Most of this stuff is really in that same vein.<p>(Which to be clear, users don't want this. AI pushes by pretty much all recent user feedback metrics are largely tiring out users and reek of corporate desperation to sell shit. It's only a very specific subsection of Silicon Valley that wants to stuff AI in everything like this.)</p>
]]></description><pubDate>Thu, 30 Apr 2026 10:19:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=47960436</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=47960436</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47960436</guid></item><item><title><![CDATA[New comment by noirscape in "We need a federation of forges"]]></title><description><![CDATA[
<p>Forge federation seems like a bad idea to me. If you want to go the route of decentralized project management (note that git as a VCS tool is already decentralized for this purpose), you're probably much better off modernizing the git-over-email workflow instead.<p>Decentralizing the code isn't an issue; cloning repos between servers is so standard that any forge can import a code repo from any other forge.<p>The difficulty is ancillary stuff like issue trackers, wikis and MRs, but using a federated protocol for that seems ill-advised given the much weaker safeguards against spam. Mailing lists have a very large existing body of work on the matter of dealing with spam and a proven method of mirroring/archival. (Most git wikis are just git repositories with a different renderer.)<p>The main reason nobody likes doing git-over-email is mostly just because it's very user-unfriendly to set up (since modern mail clients typically aren't correctly configured to deal with them). It's a very developer oriented workflow in the worst way possible. A modernized mailing list program that automatically takes care of things like reformatting emails/not leaking email addresses to the general public would go a long way to make it easier to deal with.</p>
]]></description><pubDate>Wed, 29 Apr 2026 15:03:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=47949435</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=47949435</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47949435</guid></item><item><title><![CDATA[New comment by noirscape in "Soft launch of open-source code platform for government"]]></title><description><![CDATA[
<p>I sorta alluded as to how the government is pushing the sale through, but to reiterate more clearly, and with political detail:<p>* In early 2025, the previous Dutch government lost majority coalition support. The previous government remains in power until a new one is elected, but isn't expected to make major decisions any more; they're effectively just stewards to ensure the country isn't totally leaderless[0] (this is also called a demissionary government here).<p>* In late 2025, a new second chamber is elected and work on a coalition begins. Until a new coalition is formed, the previous government remains in power.<p>* In November 2025, right around this, Kyndryl announces its takeover of Solvinity. The demissionary government gives initial approval for the takeover and decides that the takeover won't mess with the DigiD contract.<p>* In January 2026, the deal begins to fall under scrutiny in IT/privacy circles and some political parties express their concerns, but not much media attention is drawn to it at first. The ACM (Dutch antitrust authority) also gives its approval for the sale. All this still happens under the demissionary government.<p>* In February 2026, the new coalition government is sworn in. Scrutiny on the deal is starting to intensify and media coverage becomes more public.<p>* In late April 2026 (as in, last week), parliament passes a motion to request to change away from Solvinity in 2028. At the same time, the minister responsible for the sale is answering press questions about the sale, indicating he doesn't intend to block the sale. Just four days ago, the minister publishes a formal letter to parliament, effectively saying that they aren't stopping anything and that the government already gave preliminary approval to extend the DigiD contract with Solvinity (a separate matter, but just as related) back in March (so under the current government). 
They expect to ink it before the end of next week (May 6th.)<p>Somewhere between March and April, some internal government employees also step to the press to warn them about the sale in terms of a national security threat, but I don't exactly recall when on the timeline that happened.<p>The reason why the government is getting the blame for it isn't just inaction; they aren't standing by and letting something they had no involvement with (since the previous government was demissionary) happen - they're actively choosing to continue the motions of the previous demissionary government - including signing contract extensions that the previous government wasn't involved with - in spite of the very clear pushback they're getting from doing so.<p>[0]: This is the abbreviated version - somehow the previous government managed to lose coalition support <i>twice</i>, even when it was already demissionary. It's not normal for two parties to pull out like that on separate occasions.</p>
]]></description><pubDate>Wed, 29 Apr 2026 11:56:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=47947101</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=47947101</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47947101</guid></item><item><title><![CDATA[New comment by noirscape in "Soft launch of open-source code platform for government"]]></title><description><![CDATA[
<p>Since a lot of this discussion is talking around the actual situation, let me try and explain it in more detail.<p>The Dutch government has an authentication system called DigiD. It's effectively an OAuth protocol for government sites, and one of the few ways in which the Dutch government has centralized IT. Every Dutch citizen can get access to it, and probably will need it at some point to deal with the government (paper options are meant to exist, but you can already guess on how easy the availability of that is.)<p>DigiD is currently hosted by a Dutch company named Solvinity and developed by Logius (the government's in-house IT development organization). Solvinity is currently in the process of being bought out by another company, Kyndryl, which is based in the US. The government approved the takeover under the previous coalition (who are no longer in power.) The takeover currently is under extreme public scrutiny because of everything to do with the US - most people are at least vaguely aware of the deadly combination of the US CLOUD/PATRIOT laws, which would compel Kyndryl to hand over data on any Dutch citizen to the US government for any reason[0]. The US government right now is not exactly behaving like a good steward with the powers it has, instead favoring maximum exploitation within (and outside, if the lawsuits are any indication) its legal limitations, and is also verbally attacking its own allies near constantly. Given DigiD is effectively a list of personal information on almost every Dutch citizen, it's probably a bad idea to hand access to it over to a hostile foreign country.<p>On an employee level, the takeover is deeply unpopular - some government workers have actively reached out to the press to warn about the deal, something which very rarely happens as government workers aren't expected to publicly break with government policy. 
This has led to a motion in the second chamber (parliament) to change DigiD's hosting from Solvinity to another provider being passed... in 2028, for a deal set to go through in a much shorter timespan. At the same time, the government (this time: the elected politicians) is unwilling to reconsider its stance on the Solvinity takeover, claiming that because it already said it was OK before, it can't change its mind now.<p>[0]: It's also, almost certainly illegal in a GDPR/AVG (local version of GDPR) sense. US/EU privacy laws are fundamentally incompatible with one another because of these two laws, and the courts keep shooting the international data transfer agreements to bits every time. Even on a basic level, having your government authentication system's legality tied to whether or not Max Schrems wins his court cases is a bad idea.</p>
]]></description><pubDate>Wed, 29 Apr 2026 10:57:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=47946595</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=47946595</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47946595</guid></item><item><title><![CDATA[New comment by noirscape in "The Onion to Take over InfoWars"]]></title><description><![CDATA[
<p>Besides Jones and his lawyer absolutely botching his defense and basically giving up the case (and pissing off the courts as I understand it, which is a bad fucking idea and usually also leads to larger fines), the $1.4 billion is just what Jones managed to rack it up to before entering bankruptcy proceedings, which froze his debt collectors out for a bit.<p>Alongside the class action, Jones was iirc also facing several separate lawsuits, so what you're seeing here is multiple lost lawsuits (I think he lost 4?) adding up.<p>The bankruptcy also doesn't wipe the slate clean for Jones afaiu, because he specifically was found to be malicious in his behavior. Court debts aren't wiped in that situation. He's still on the hook for that.</p>
]]></description><pubDate>Thu, 23 Apr 2026 11:13:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=47874333</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=47874333</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47874333</guid></item><item><title><![CDATA[New comment by noirscape in "IPv6 traffic crosses the 50% mark"]]></title><description><![CDATA[
<p>The big reason is that domestic ISPs don't want to switch (not just in the US, but everywhere really.)<p>Data centers and most physical devices made the jump pretty early (I don't recall a time where the VPS providers I used didn't allow for IPv6 and every device I've used has allowed IPv6 in the last 2 decades besides some retro handhelds), but domestic ISPs have been lagging behind. Mobile networks are switching en masse because of them just running into internal limits of IPv4.<p>Domestic ISPs don't have that pressure; unlike mobile networks (where 1 connection needing an IP = 1 device), they have an extra layer in place (1 connection needing an IP = 1 router and intranet), which significantly reduces that pressure.<p>The lifespan of domestic ISP provided hardware is also completely unbound by anything resembling a security patch cycle, cost amortization or value depreciation. If an ISP supplies a device, unless it fundamentally breaks to a point where it quite literally <i>doesn't work anymore</i> (basically hardware failure), it's going to be in place forever. It took <i>over 10 years</i> to kill WEP in favor of WPA on consumer grade hardware. To support IPv6, domestic ISP providers need to do a mass product recall for all their ancient tech and they don't want to do that, because there's no real pressure to do it.<p>IPv6 exists concurrently with IPv4, so it's easier for ISPs to make anyone wanting to host things pay extra for an IPv4 address (externalizing an ever increasing cost on sysadmins as the IP space runs out of addresses) rather than upgrade the underlying tech. The internet default for user facing stuff is still IPv4, not IPv6.<p>If you want to force IPv6 adoption, major sites basically need to stop routing over IPv4. Let's say Google becomes inaccessible over IPv4 - I guarantee you that within a year, ISPs will suddenly see a much greater shift towards IPv6.</p>
]]></description><pubDate>Thu, 16 Apr 2026 09:03:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=47790489</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=47790489</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47790489</guid></item><item><title><![CDATA[New comment by noirscape in "Backblaze has stopped backing up OneDrive and Dropbox folders and maybe others"]]></title><description><![CDATA[
<p>Not just antivirus, there's also file locking.<p>Windows has a much harsher approach to file locking than Linux and backup software like Backblaze absolutely should be making use of it (lest they back up files that are being modified while they back them up), but that also means that the software effectively has to ask the OS each time to lock the file, then release the lock when the software is done with it. With a large amount of files, that does stack up.<p>Linux file locking is, to put it mildly, deficient. Most software doesn't even bother acquiring locks in the first place. Piling further onto that, basically nobody actually uses POSIX locks because the API has some very heavy footguns (most notably, every lock on a file is released whenever <i>any</i> close() for that file is called, even if another component of the same process is also having a second lock open). Most Linux file locks instead work on the honor system; you create a file called filename.lock in the same directory as the file you're working on, and then any software that detects the filename.lock file exists should stop reading the file.<p>Nobody using file locks is probably the bigger reason why Linux chokes less on fast iteration than Windows, given that Windows is slow with loads of files even when you aren't running a virus scanner.</p>
]]></description><pubDate>Tue, 14 Apr 2026 20:37:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=47771172</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=47771172</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47771172</guid></item><item><title><![CDATA[New comment by noirscape in "Backblaze has stopped backing up OneDrive and Dropbox folders and maybe others"]]></title><description><![CDATA[
<p>I'm not saying Backblaze should adapt to git; the issue isn't application related (besides git being badly configured by default; there's a solution with git gc, it's just that git gc basically never runs).<p>It's that to back up a folder on a filesystem, you need to traverse that folder and check every file in that folder to see if it's changed. Most filesystem tools usually assume a fairly low file count for these operations.<p>Git, rather unusually, tends to produce a lot of files in regular use; before packing, every commit/object/branch is simply stored as a file on the filesystem (branches only as pointers). Packing fixes that by compressing commit and object files together, but it's not done by default (only after an initial clone or when the garbage collector runs). Iterating over a .git folder can take a <i>lot</i> of time in a place that's typically not very well optimized (since most "normal" people don't have thousands of tiny files in their folders that contain sprawled out application state.)<p>The correct solution here is either for git to change, or for Backblaze to implement better iteration logic (which will probably require special handling for git..., so it'd be more "correct" to fix up git, since Backblaze's tools aren't the only ones with this problem.)</p>
]]></description><pubDate>Tue, 14 Apr 2026 11:48:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=47764372</link><dc:creator>noirscape</dc:creator><comments>https://news.ycombinator.com/item?id=47764372</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47764372</guid></item></channel></rss>