Is your contention here that there's somehow a human male with two Ethernet ports that is manipulating HTTPS traffic and I'm just too "lazy" to admit that?
1. I landed this fix because there was a policy that did not work properly. We could instead document that the URLBlocklist policy works for every scheme but one, or we could fix it. Fixing it makes more sense.
2. This policy only can be set on managed machines.
3. This policy, in isolation, is trivially circumvented. Managed environments block many things, including many of the proposed circumventions here.
4. I've built one of the world's most popular tools for viewing and modifying web traffic. The narrative that this feature has broad implications for anything is absurd.
Many of the best people in IT are there today, because they got curious about how stuff worked, experimented with it, broke the rules, and learned from that. This curiosity needs to be encouraged, not stopped.
The young generation in IT already has issues because many of them don’t understand files, and many of them can’t even use a computer anymore.
They grow up with tech all around them, but because all of it is closed and proprietary and restricted, they never even try to look behind the curtain.
We call ourselves software engineers, then we also need to take on the ethical responsibility of our actions just like engineers do.
If you contribute to this culture of closed technology, you are just as well at fault as developers of DRM tech or Android SafetyNet.
Amen to that! Sadly, it's easier to persuade the population (and hence squeeze the $$$ out of them) when they are kept docile, unknowing, and unquestioning. Knowledge is power, and they don't want you to have too much.
Some students get a managed device from their school - and are allowed to take it home.
There have been already some scandals revolving around those devices. From school accessing their webcam - and trying to discipline someone for taking drugs when they ate jelly beans.
Most of the students using chromebooks at university or school do not have own computers at home. These devices are all they've got to access the internet.
Every experience they'll make during their teenage years with computers is shaped by these managed experiences.
Just because it's legacy, doesn't mean it's not a powerful tool.
Files have multiple advantages over other approaches, such as being independent from the application that created them (even if the company subsequently goes under), being editable with a different application from the one that created them (though imperfectly sometimes), and being self-contained bundles of data that need no infrastructure to support them other than a local application (compared to other approaches, where a large cloud infrastructure is basically mandatory and you're SOL if it goes away for you).
Recency bias is a thing. Try to work counter to it.
First of all: thank you for taking the time to respond to the irate crowd.
Second: It's still a really bad idea, because it feeds into the narrative that inherently unsafe client side restrictions are a viable security barrier e.g. dangerously incompetent politicians like Mike Parson already want to put the F12 key behind bars rather than admit to leaking PII on official websites.
You guys are giving administrators way too much power without any good reasons.
I realize that if they really wanted, they could give up on Chrome and use something else, but for many of them, they will simply lock everything down out of laziness and probably wouldn't without a convenient way of doing so.
An example out of many: why give admins a simple way to disable the built-in password manager? This just enables dumb and archaic password policies for no good reason.
As to your last question, many organizations have a central password management system that lets them audit who uses which password and when. Having the passwords stored in a secondary system makes the audits useless.
> > "NOTE: [RFC7258] treats pervasive monitoring as an attack, but it doesn’t apply to managed devices."
> We don't think this is adequate. Given the power dynamics at play in an employer-employee relationship, the UA should still be working in the best interests of the end-user (the employee) even if the device being used is managed by an administrator. That is to say, pervasive monitoring is never a feature.
Chrome may not consider it part of the "web-exposed platform", since the code doesn't live in blink/, but the same logic applies to view-source. The needs of the users are more important than the security theatre you wish to put on for their teacher's benefit.
> We could instead document that the URLBlocklist policy works for every scheme but one, or we could fix it. Fixing it makes more sense.
What makes more sense - a small documentation update to explain an edge case scenario, or a breaking change across the web? Hint: it's not the one that involves code changes.
> 2. This policy only can be set on managed machines.
What about kids in school? So only the poor kids who don't have access to their own hardware will be subject to these rules that prevent them from viewing source? Sounds pretty insane.
What's truly absurd is the apparent lack of critical thought that went into this decision.
Keep patting yourself on the back though, Eric. You're obviously totally 100% right on this one /s
I don't know how to phrase this without it sounding like an attack, which I absolutely do not mean it to sound like. But when considering if I would like to receive this same message, I would be more discouraged if someone didn't try to respond because they were afraid to upset me, than if they said something I (or my ego) didn't want to hear. This preamble is only to make it clear that I'm not trying to be mean, for whatever small value that may be.
I've responded here https://news.ycombinator.com/item?id=29213370 I'd bet it's pretty obvious the internet thinks this was a mistake (and we all know how sound and reasonable the internet always is :D ) but I thought the why it's so infuriating was important to point out too.
You're a moron, I guess? I mean, you work for Microsoft, so you clearly have 0 qualms about supporting the legacy of a robber baron college dropout who plagiarized actual researchers in the field of computer science, multiple times.
Have you ever been a LISA scale administrator? A K-12 level County Office of Education administrator? Have you ever helped patch embargoed bugs in codebases such as BIND, used billions of times per hour by oh, more or less everyone online?
Were you buddies with Doug Engelbart?
Do you have anything personally signed by Dr. Marshall Kirk McKusick?
Have you ever even met Tim Berners-Lee?
What about John Gilmore?
I'm guessing, your answer to those rhetorical questions would be no, but please: surprise me!
What uhh, "world's most popular tools for viewing and modifying web traffic" did you build? Because, this is the first time I have ever encountered you, and I have been root/Enterprise Admins/enable/etc/sudoers/wheel/etc. for the company which runs the cross-browser development framework utilized by Fortune 1 among others. I know a lot of people in this field going back to the 1970s, at least, and you found about the worst way imaginable to become known to my periphery.
Moreover, since this is not NNTP, and I am guessing you are too young to even know what it means when someone writes "welcome to my .killfile", do you want to have a career in this, or any other solar system in the next several lifetimes?
Because I am betting on: you will be in the realm of: no one, anywhere, ever, will want to hire you, ever, again from what I have read from you so far, and yes, I spent the time to peruse your pathetic commits since 2019 on Chromium too.
Know spoonm? I helped him get a job at Google, back before it became Alphabet, he worked on Chrome's V8 engine, among other things. I knew him before he even had a commit in the Metasploit Project. Ever heard of Chris Palmer? Because I was root/etc. at iSEC Partners, which is one of the places he worked before he went over to Google/Alphabet to supposedly help with Chrome's security, among other things.
How young were you when even NIST got on board with recommending against "security through obscurity"?
Bonus: others have already found workarounds, and begun to document them publicly. However, that seems to be begging the question: why make them jump through extra hoops unnecessarily? If it can be "trivially circumvented" then it is, IMHO, better to avoid, entirely.
Learn from your elders: “Simple things should be simple, complex things should be possible.” - Alan Kay
You attempting to change the "narrative" and discount others' to fit your perspective, is worse than mere abject ignorance of how discourse and comments function, or did you forget that RFCs built the intergalactic network of computers? It’s down right rude, dehumanizing even. You do not get to unilaterally decide that people objecting to your boneheaded idiocy are uncertain of the implications, when I know quite well how GPOs and other draconian centralized ACL management systems operate at scale. I haven’t just deployed some, I am personal friends with the authors of firewall engines used in places best not to mention by name at the moment and am versed in a panoply of configuration management languages they do not tend to even teach at postgraduate levels, but hey, at least some of them have source code readily available and are, IMHO, far more critical to network operations than a browser has ever been, or will ever be.
If you wanted to get clout and attention and make a bunch of enemies from people you have never bothered to learn about, you sure picked a hell of a way to do it, emphasis on hell. I do not envy your karma.
It's not ok to post like this to HN. I've banned the account.
If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
You know what's funny, dang, that you let misinformation about vaccination and other made up shit from old accounts go without even giving warnings. You know what, let's do a little test and mirror this site for 4 weeks, let's say every 5 minutes, just to look what your agenda really is. See you in a month.
I have no idea who you are but I guarantee he knows more about web protocols, standards and tooling than you. He’s been doing this for 20 years and enormous amounts of the web are better because of his completely free tool.
You have no idea who this person is and yet you decide to make aspersions about his skill set and background? Sounds cool.
It's not impossible, because the author of the article themselves admits that there are many ways to fix this. I can already think of one possible way they could speed up the copy-paste from the zip file: by waiting until all files have been copied to the file system before deleting files from the zip in one go. The fact that solutions do not require a change to the interface is a sign that this is not a problem with the abstraction.
Is it the abstraction which is forcing the files to be copied 1 byte at a time? It doesn't seem like it. It's an implementation issue. The interface allowed the plugin to have been implemented in many other ways, the implementer of the plugin just happened to go about it the wrong way.