Site Discussion

Delay in posting

Accessing the site in Safari I'm seeing a very long (5s+) delay after pressing the post button with no visual feedback. It looks like no input has been recognised, but pressing post again results in a double post. Is anybody else seeing this behaviour?

HTTPS and logins to LtU.

With the new hosting solution I'm observing that we don't have HTTPS connections on the page where people are logging in. This exposes LtU logins to HTTP eavesdroppers.

Given that lots of people use the same password across multiple sites (even though everybody already knows they oughtn't) this probably also exposes a number of users' ALT, Amazon, Ashley Madison, Banking, BeNaughty, Bing, BoingBoing, Buddybang, Craigslist, DeviantArt, Diaspora, Digg, Discord, Douyen, Ebay, EstablishedMen, Facebook, Fark, Fetlife, Flicker, Foursquare, Friendica, Gab, Glee, GnuSocial, Google, Grindr, Imgur, Instagram, Limewire, LinkedIn, LINE, LiveJournal, Mastodon, Meetup, MySpace, OKCupid, Patreon, Parler, Pinterest, PlosOne, Reddit, QQ, Qzone, Quora, ResearchGate, SecondLife, Seeking, Slack, SocialCast, Snapchat, SomethingAwful, SoundCloud, Stack Overflow, Sharesome, Steam, Telegram, Tiktok, Tinder, Truth social, Tumblr, TV Tropes, Twitch, Twitter, Vimeo, WeChat, Weibo, Viber, WattPad, WhatsApp, Wikipedia, WordPress, Yahoo, Yammer, Yelp, and Youtube passwords.

Though probably not all of them for any one person.

Just sayin, this ought to be corrected.

The hidden cost of exception handling

I've just published a blog article about the hidden cost of exception handling that may interest some of the readers here.

During a meeting today, a colleague of mine shared the belief that exception handling had no impact on optimizations in modern C++. While we did everything we could 20+ years ago to ensure that all kinds of optimizations were possible, there is a residual cost that you can trigger.

In this post, I show cases where there is zero cost for exception handling in the primary execution path, but also build a few pathological cases where the compiler cannot preserve that property, and where just enabling exceptions markedly changes the primary code path, for reasons that may be related more to correctness than to optimizations, in other words, where it may not ever be possible to fully optimize without violating C++ semantics.

Major problems with access

I have recently had major problems accessing the site. Posting comments fails randomly with no data; some requests return no data at all. Reloading the page fails 1/3 of the time. And so on.

This happens in different browsers, with and without a VPN, so I'm quite sure that the problem is on the LtU server side. The problem happens whether I am logged in or not. The problem started to happen relatively recently. A few months ago everything was OK.

Does anyone else have such problems?

I suspect the problem is with the hosting provider, or some "optimization" is involved, like turning off the VM when there is little traffic.

POLA Would Have Prevented the Event-Stream Incident

POLA Would Have Prevented the Event-Stream Incident by Kate Sills

The JavaScript world was rocked this week by news that the popular npm package event-stream included malicious code that attempted to steal the private keys of certain Bitcoin users.

Since the attack was discovered, both the JavaScript community and the cryptocurrency community have been passionately debating how to prevent such an attack. At Agoric, we think this attack was entirely preventable, and the answer is POLA, the Principle of Least Authority.

This npm / event-stream debacle is the perfect teaching moment for POLA (Principle of Least Authority), and for the need to support least authority for JavaScript libraries. My talk Securing EcmaScript, a presentation to Node Security, explained many of these issues prior to this particular incident.

For LtU, my best explanation of POLA is Verify What? Navigating the Attack Surface given to the "Formal Methods Meets JavaScript" workshop at Imperial College.

ADMIN: You NEED to set up HTTPS soon

Chromium has already started to report this site as "insecure" in its title bar.

Firefox will do so in the next release, I think.

It's already a chore to even sign in because the browsers require extra confirmation for filling in forms (passwords) for anything non-HTTPS nowadays.

I have no idea about the hosting details of LtU, but good hosting providers already offer some sort of Let's Encrypt integration these days, so please opt in to that, if you can. If you're self-hosting I think there should be a reasonably approachable solution to this issue. Feel free to contact me privately (you have my e-mail!) and I'll try to connect you with someone who knows exactly what to do.

EDIT: I had a brief look around for relevant admin email addresses on the site and didn't find any. Hence my post. (Plus formatting.)

Site migration

Update: The migration of LtU to new servers is complete.

If you notice any issues with the site, please post in this thread (if you can), or email me at antonvs8 at (gmail domain).

Original announcement appears below:

This evening (Sunday, US Eastern time), Lambda the Ultimate will be migrated to new servers.

The site will be offline for around 30 minutes, while this migration and some database maintenance is in progress.

The new platform is a shiny new Kubernetes cluster, which will enable some long-overdue improvements to the site in 2018.

An update will be posted in this thread once the migration is complete.

Markdown support?

Currently LtU offers the input options "Plain Text + HTML" and "HTML". I have grown to find them rather irritating for several reasons:

- having to manually use HTML escape codes for < and > makes some things almost unusable for me (this comes up a lot in the current Frank discussion). It is painful to write, and painful to read back when editing a post.
- the syntax for inline code, namely <code>...</code>, is goofy and impractical in practice, compared to `...` in Markdown.
- other parts of the HTML syntax have less overhead, but still prevent me from using them more often: links and lists come to mind. (As I'm writing this, I realize that I am writing a textual list. I'll leave it as is for the example, although I would usually rewrite my posts in full <ul><li>...</li><li>...</li></ul> clad.)

(Some form of) Markdown has gathered consensus among websites that expect user comments, for example Github and Reddit. I would be very happy if we could have a Markdown input option in LtU. Because it does "the right thing" with text by default, and also supports raw HTML fragments, I think this option should be the default.

P.S.: Ehud, in 2010 you were of the opinion that technical information on the website platform is off-topic, even in the "Site operations discussions" forum. Is it still the case? I started by looking for technical information on where the site's source could be found, to see if I could consider contributing Markdown support myself (or at least evaluate the effort that would be involved), but was unable to find any information. Would you consider sharing a bit of information on the site's internals to encourage people to lend a hand from time to time?

server life expectancy?

It looked like LtU was down a bit today at least. Anything we can do to help? Should we all throw money at somebody to get a revamped server or anything?

Exporting the database

I'm interested in playing around with ways to render large discussions, to see what is readable / easy to navigate. This is motivated in part by the 500-comment+ discussions that span indented posts across multiple pages. I've already hacked together something that parses the HTML on the site (Drupal generates really nicely structured HTML) and rebuilds the comment database, but it seemed a bit rude to spider the whole site.

My first question is do you mind people pulling off copies of the site to experiment with, maybe building a tool to render the site in a different format? Which may then lead to technical questions such as:

  • Is it possible to export the Drupal comment database in some way?
  • What format?
  • Can it export smaller slices, e.g. something like particular days?