HN posters love talking gangster shit when something goes offline but never walked a mile in their boots.
I most recently remember sifting through gloating that 4chan - a shoestring operation with basically no staff - was offline for a couple weeks after getting hacked.
I've worked at a shop that had DR procedures for EVERYTHING. The recovery time for non-critical infra was measured in months. There are only so many hands to go around, and stuff takes time to rebuild. And that's assuming you have procedures on file! Not to mention if there was a major compromise you need to perform forensics to make sure you kick the bad guys out and patch the hole so the same thing doesn't happen again a week after your magical recovery.
And if you don't know, you shut it down till it's deemed safe. How do you know the backups and failover sites aren't tainted? Nothing worse than running an e-commerce site processing customer payment card data when you know you're owned. That's a good way to get in deeper trouble.
RFID isn't smart; it's just a little chip that harvests energy from being illuminated by a radio wave signal from the terminal, and reflects back a code. (Well, that's a passive tag; there are self-powered ones also.)
Smart cards contain a considerable embedded system for transactional processing; it's quite different from just transmitting an ID.
Correct; an RFID tag cannot hold a cryptographic secret and perform a calculation with it to prove that it knows the secret, without revealing the secret. It has no compute capability. It's just a kind of reflective beacon.
RFID: Radio Frequency Identification: passive powered by RF, returns data when powered.
NFC: Near Field Communications, is a protocol for communications, built on RFID, includes polling for readers and protocols for defined crypto and data storage/retrieval.
EMV: Eurocard/Mastercard/Visa standard for the data and crypto operations for an EMV chip, extended from physical by the use of NFC for contactless payments, primarily by replicating the data on the magstripe and adding some additional crypto and dynamic elements.
EMV is one standard for how to use an NFC card, there are others, primarily used for transit.
I wish we had those hanko. Signing off on any parcel is complete bullshit at the moment. Most delivery drivers neglect to ask for one (or that code you are supposed to give them for some delivery services), and when they do, you just make some arbitrary squiggle on their handheld device — it's not like you can actually do a faithful reproduction of your signature on those, even in 2025, and I certainly can't using my finger instead of a pencil or pen.
Yesterday a courier brought a pallet with my new drill press costing over €500. Signature required, but when I asked he told me not to worry, there was no need…
The fundamental problem with deliveries is that you, as the recipient, are not the customer.
The merchant pays for thousands of deliveries, but you on the receiving end are at best getting a handful.
So the courier is incentivised to offer the best rates to the merchant while completely ignoring the requirements or preferences of the recipient.
Your only recourse is to complain to the shop, who might do something if the volume of complaints is high enough, but most likely they’ll just pass the buck to the courier…
The recipient getting their stuff stolen is a big deal for the merchant too, though.
Certainly for an expensive item, the customer may be out their time, but they are going to ask for a replacement or a refund or do a chargeback, the merchant is generally going to have to accede to the request, and the merchant ends up being out money.
So if the merchant decides to trade off security for delivery cost (by choosing a courier with a slack approach to verification), that's their prerogative and they are economically incentivized to make the right decision on that.
For delivery problems that don't result in a chargeback (the courier leaves it somewhere inconvenient, or claims you weren't in, etc, but it eventually gets to you) that's the situation where it becomes your problem and the merchant isn't much empowered or incentivized to fix it.
Agreed about the signing.. that's useless. But at least for some shipments with value we have to show an ID (not just any ID - I always carry my passport though), back in my home country. Just signing is worthless, in particular when that implies trying to "write" something on a touch screen using your finger.
Here in Japan there's typically this little circle where you're supposed to stamp you hanko.. but I just sign my name, with a pen, whether the parcel is for me or for my wife. But at least the delivery guy will have me read the form to verify that it's actually for someone in the household.
Not that I would prefer the hanko.. that idiocy just have to go. I can see no safety in the system, it's just a made-up stamp after all. It has no place in a modern world. And it's on the way out, as far as I understand, but I still hear stories about people forgetting the hanko when they go to the bank, and despite having passports and other IDs they're denied service. And you need to bring that thing everywhere for contracts and the like.. and everything has to be done by physical presence.
Most delivery companies enacted signature exemption rules for covid and are in no hurry to rescind them. Getting signatures takes time, which affects their bottom line.
UPS closed my local facility to the public last month. Now I can only drop packages off at third parties for a fee, and the nearest hold location is over an hour away.
UPS was very unfriendly for consumer dropoffs for ages. That changed a bit. But seems to be headed back and I rarely get deliveries of Amazon stuff via UPS any longer.
I suppose it depends on your assessment of the risk. For me, taking an extra 30-45 minutes to pick something up is a pretty high bar. I've had a couple mis-deliveries at home but it's rare and think I eventually got the items. That's versus hundreds of other deliveries.
If your drill press had been delivered to the wrong person, and the sender had chosen insured delivery (which automatically requires a signature), it would be easy to prove that the signature on file with the transporter did not match the actual signature of the recipient (i.e. you) (unless a fraudster forged your signature, that is).
Mind you, from what I understand, the seller is legally responsible up to the point of delivery in the Netherlands*. Therefore, even if your drill press hadn’t been sent with required signature, the shop would still be responsible in case it had been lost (but then the loss would come out of their own pocket, rather than that of the transporter).
Disclaimer: not a lawyer.
* Assuming you’re from the Netherlands due to your user name.
All that means is that as the receiving party there is absolutely no reason for me to sign anything, or even use my actual signature.
Indeed, if the pallet was delivered to the wrong address and someone just took it, the burden of proof would lie with the selling party. Of course, a reputable transporter will make sure the address is right (plus, people generally don't act as if they were indeed expecting a pallet delivered by lorry).
> All that means is that as the receiving party there is absolutely no reason for me to sign anything, or even use my actual signature.
Yes, but this actually doesn’t matter.
The only time when the signature on file is actually relevant is when the sender lodges a claim for non-delivery. In that case, it could be compared to your actual signature.
Conversely, if no claim is lodged, the package must have been successfully delivered.
I bought a Steam Deck off amazon and they sent me a code on the day of delivery telling me to only provide this code to the delivery person face to face while receiving the parcel.
That seems like the perfect system because if you assume Amazon isn't trying to steal from you, the system can prove if the parcel was properly delivered or not.
It's a pain in the ass here with Polish Post with such screens - my signature doesn't even resembles one on the paper. Private delivery companies just call you to see if you're at home; you also have mobile apps and most of the time is possible to redirect packages to parcel machines. And these spawn like "shrooms after rain", as we say. They cared for codes, manual signing during pandemic but now - not really.
Things have changed in the recent past, and you very rarely need your hanko. Maybe for marriage? Nowadays you cab register your signature at a bank and use it for any activity as well.
Having had that a few times, and recently relaxing Firefox's referer policy for some other site compatibility which had avoided it before, I came to this workaround with uBlock Origin:
Oh sorry, I did not know that was the guy who hates being linked to from HN. Copy the link manually to read it if you still care to learn what he wrote.
"US Person" has a very specific definition in government parlance. It includes citizens and green card holders, a few very specific exceptions like those granted permanent asylum, but NOT visa holders.
The genius of Slashdot's moderation system is that it forced you to be fastidious with how your limited mod points were allocated, only using them on posts that really deserved them.
As opposed to tearing through a thread and downvoting any and everything you disagree with.
Slashdot encouraged more positive moderation, unless you were obviously trolling.
The meta-moderators kept any moderation abuse in check.
It's sad to see we have devolved from this model, and conversations have become far more toxic and polarized as a direct result of it. (Dissenting opinions are quickly hidden, and those that reinforce existing norms bubble to the top.)
I believe HN papers over these problems by relying on a lot of manual hand-moderation and curation which sounds very labor intensive, whereas Slashdot was deliberately hands-off and left the power to the people.
I remember slashdot being full of "M$ is teh evill111!!" and other childish nonsense. At the end of the day what matters is the results, and i much prefer the discusions on hn than /.
For HN, replace M$ with Musk and you'll still see parallels. Although to be fair HN is much more even-keeled than most commenting systems, like Ars and Electrek.
Slashdot is struggling a bit these days. The lower the comment count, the worse the moderation, so it's a bit of a snowball effect. The UI could use some help; there are many who don't want it to change at all, but it would be nice if an alternate UI were available, hitting the same API.
> For HN, replace M$ with Musk and you'll still see parallels.
I think HN leans towards deriding both MS and Musk (see any thread on MS and FOSS). In any case, I think that part of being well-spoken is that you speak out against severely bad actors often. It's never useful to reflexively criticize something, but people may contemplate and still decide they're right. Making a comment is the bare minimum of accountability for bad actors who should know better. It may not be to your taste that HN is such a platform, but that's not up to your decision any more than it is mine. There are many problems from a society that struggles to speak well or ill as a subject deserves, which is to say to speak the truth when it should be spoken, and not to speak mistruths except in exceptional circumstances. It would surely be best if one reasoned critique solved the problem and we never would hear of it again, but alas.
I use comments as a barometer for general sentiment, and what I'm seeing is that it's much more popular to repeat aggressive condemnatory statements than it is to analyze and provide counterpoints. This is not a surprise but I expect better of HN (and on most topics, HN provides this).
I don't expect HN commenters to change their minds necessarily, but I do wish they would elevate posts with more consideration and objectivity, and less low-effort outrage.
Certainly, but sometimes I'm just in the mood for "I'll take what I can get". Probably not the best position, but I haven't found it effective to try to change everyone's minds all the time.
> For HN, replace M$ with Musk and you'll still see parallels. Although to be fair HN is much more even-keeled than most commenting systems, like Ars and Electrek.
I don't really see it. /. had this basically every single thread and the criticism was very not substantive. Musk is unpopular here, but the criticism at least has a bit more meat to it and is not on every single post.
It's not a special case at all. 20 years ago this was standard architecture (hell, HN still caches static versions of pages for logged-out users).
No, what changed is the industry devolved into over-reliance on mountains of 'frameworks' and other garbage that no one person fully understands how it all works.
The "this won't scale" dogma pushed by cloud providers via frameworks has actually scared people into believing they really need a lot more resources than they actually do to display information on the web.
It's really dumbfounding that most devs fell for it even as raw computing power has gotten drastically cheaper.
I was having a conversation with some younger devs about hosting websites for our photography hobbies. One was convinced hosting the photos on your own domain would bankrupt you in bandwidth costs. It's wild.
I very much enjoyed the Vercel fanboys posting their enormous bills on Twitter, and then daring people to explain how they could possibly run it on, you know, a server for anything close to the price.
I took the bait once and analyzed a $5000 bill. IIRC, it worked out to about the compute provided by an RPi 4. “OK, but what about when your site explodes in popularity?” “I dunno, take the other $4900 and buy more RPis?”
Static HTML and caching aren't special cases by any means, but a message board where literally nothing changes between users certainly seems like a special case, even twenty years ago. You don't need that in order to make a site run fast, of course, but that limitation certainly simplifies things.
1. People that were using the in-kernel SMB server in Solaris or Windows.
2. Samba performance sucks (by comparison) which is why people still regularly deploy Windows for file sharing in 2025.
Anybody know if this supports native Windows-style ACLs for file permissions? That is the last remaining reason to still run Solaris but I think it relies on ZFS to do so.
Samba's reliance on Unix UID/GID and the syncing as part of its security model is still stuck in the 1970s unfortunately.
The caveat is the in-kernel SMB server has been the source of at least one holy-shit-this-is-bad zero-day remote root hole in Windows (not sure about Solaris) so there are tradeoffs.
OpenBSD has a dead-simple lightweight ACME client (written in C) as part of the base OS. No need to roll your own. I understand it was created because existing alternatives ARE bloatware and against their Unixy philosophy.
Perhaps the author wasn't looking hard enough. It could probably be ported with little effort.
When I last checked this client is a classic example of OpenBSD philosophy not understanding why security is the way it is.
This client really wants the easy case where the client lives on the machine which owns the name and is running the web server, and then it uses OpenBSD-specific partitioning so that elements of the client can't easily taint one another if they're defective
But, the ACME protocol would allow actual air gapping - the protocol doesn't care whether the machine which needs a certificate, the machine running an ACME client, and the machine controlling the name are three separate machines, that's fine, which means if we do not use this OpenBSD all-in-one client we can have a web server which literally doesn't do ACME at all, an ACME client machine which has no permission to serve web pages or anything like that, and name servers which also know nothing about ACME and yet the whole system works.
That's more effort than "I just install OpenBSD" but it's how this was designed to deliver security rather than putting all our trust in OpenBSD to be bug-free.
I said it was dead-simple and you delivered a treatise describing the most complex use case possible. Then maybe it's not for you.
Most software in the OpenBSD base system lacks features on purpose. Their dev team frequently rejects patches and feature requests without compelling reasons to exist. Less features means less places for things to go wrong means less chance of security bugs.
It exists so their simple webserver (also in the base system) has ACME support working out of the box. No third party software to install, no bullshit to configure, everything just works as part of a super compact OS. Which to this day still fits on a single CD-ROM.
Most of all no stupid Rust compiler needed so it works on i386 (Rust cannot self-host on i386 because it's so bloated it runs out of memory, which is why Rust tools are not included in i386).
If your needs exceed this or you adore complexity then feel free to look elsewhere.
Or uacme [0] - litle bit of C that's been running perfectly since endless battery failures with the LE python client made us look for something that would last longer.
Another feature no one asked for, meeting its technological grave. For those few users of Pocket this function could have been easily handled as an extension.
If Mozilla spent the engineering hours wasted on this toward fixing the ever growing mountain of existing bugs they might have more than 1% market share.
Except for the vast majority of normal people, uBlock Origin Lite is enough. And Blink alternatives like Brave or Vivaldi have them built-in while using the "preferred" engine, which is even more convient.
So, to them, Firefox is a worse performing browser with missing features that sometimes doesn't work for certain websites. There's no "killer app" to be seen.
I'm continually amazed at the lengths people will go to live in a mid-century matchbox in a Bay Area suburb.
For the amount of money this guy spent turning his garage into the Ghostbusters protection grid, he could have moved to a part of the country that has basements and pushed his homelab down cellar where it's a consistent 66° year-round.
Ah yes...because the simple solution is always "just pack up your life, leave behind your family and friends, and relocate half way across the country".
Unironically that is what cost-of-living is forcing a lot of people to do in coastal cities. If you have a cushy six figure salary you aren't faced with that reality, but it's different for median-income.
That's the most ridiculous claim I've seen in a while.
Giving up one foot of space along one garage wall is not a big deal. And if you're worried about physically getting the batteries into place, hiring people would still be cheaper than movers.
Also, a basement that removes cooling costs for the home lab would not make a big difference. If the 800W A/C unit runs 8 hours a day for 4 months out of the year, then it's only about 10% of the home lab power use. Since it's not needed at night it's probably even less.
Yeah sorry but thats the most insane take anyone could have. You're again quite litterally saying upping sticks and moving across country, so new job, losing friends and family, etc is the best option, vs losing a big of garage space...
I most recently remember sifting through gloating that 4chan - a shoestring operation with basically no staff - was offline for a couple weeks after getting hacked.
I've worked at a shop that had DR procedures for EVERYTHING. The recovery time for non-critical infra was measured in months. There are only so many hands to go around, and stuff takes time to rebuild. And that's assuming you have procedures on file! Not to mention if there was a major compromise you need to perform forensics to make sure you kick the bad guys out and patch the hole so the same thing doesn't happen again a week after your magical recovery.
And if you don't know, you shut it down till it's deemed safe. How do you know the backups and failover sites aren't tainted? Nothing worse than running an e-commerce site processing customer payment card data when you know you're owned. That's a good way to get in deeper trouble.