very cool.

@mcc @ariadne @lina i think this is a reasonable way to view the problem domain but i don't entirely agree—i think the web is about as close to "fully granular permission model, without vendor lock-in" as we ever got and perhaps will ever get, and that it's valuable that i can give a webpage access to a USB device while denying it everything else on the computer, like "filesystem"

unfortunately, i cannot in good faith say that the fully granular permission model works. technically it could be made to work, sure, but getting people to understand the exact consequences of granting X permission is probably a lost cause—it would take someone a lot smarter than me to figure out how to do it

unfortunately#2 the actual, real-world alternative to doing that is "download and run an .exe" or "curl | bash" which is strictly worse. so i just don't know

@ariadne @lina it's not a reason to expose information useful to, like, 1 site you might maybe use, to every of them, and frankly i am not aware of any material benefit from running more than 4 of p&r threads in parallel so it could probably be capped to that. but i think this is a legitimate reason

@ariadne @lina i ship an FPGA toolchain in the browser. it can* use multithreading. it needs to know how many threads to run to not contend on resources uselessly

* currently not built in that configuration for a variety of reasons that is not specifically tied to the web

@ariadne anti-fingerprinting feels like a pyrrhic victory to the extent it can be achieved

sure, random webpages probably don't need to know how many cores you have (and thoughtful design could keep this available to those few which maybe do). but the thing that made me conclude this is Accept-Language:, a feature that is intentionally made worse for bilingual users in service of reducing fingerprintability. i think i'd rather have that than a (in practice) false promise about privacy

inspired by actual events

@mntmn still salty about kde removing them

@mcc I have never encountered or heard of issues related to cross-OS GPT use

@poppyhaze poppy

@ariadne I've watched competent engineers get less competent after spending a bunch of time vibe-coding, so I am not actually convinced that what you're saying is generally true except on the shortest timescales. But, again, this is in addition to what you're saying.

@ariadne i think the way the tool is marketed and presented, as a sort of glorified slot machine for code, actively encourages and rewards people for becoming worse engineers. this is in addition to your reasoning.

@filippo oh that's really useful

i bit a corner off of it because the cross-section looks kind of like cake

(epoxy sponge and glass raisins! yum)

https://upload.whitequark.org/1772312997-20260228_204550.JPG

@0xabad1dea awww ^{^}

@mcc yes (partly based on knowing people working for WD)

hey do you wanna see a ludicrously high resolution image of a microSD card i'm deprocessing? enjoy

https://upload.whitequark.org/1772302728-20260228_175143.JPG

@magnetic_tape

• I find using hardware tokens onerous in general (it is difficult for me to stand up and walk around the house)
• if I lose a token I must re-register a new one everywhere, which is a huge cognitive tax on top of that

upon closer examination of the traffic it seems more likely that someone downloaded the cloudflare top 1M domain list and then hit grebedoc with spoofed Host: header for a big chunk of them

doing a quick and surface-level post-mortem it looks like most incoming requests were handled fine but the outgoing (storage) requests started piling up after a while

if i end up getting hit by these waves a lot i'll have to invest either in beefier machines or some sort of fast domain set inclusion check

this time it looks like actual targeted abuse with an endless stream of random domains none of which resolve to my A/AAAAs

(that or someone failed writing a scraper really hard maybe)

@jackeric I'm hosting a service like github pages and one of the backend nodes received 40K requests per minute for half a hour straight, totally saturating the CPU