Computer Stuff, Issue 2

June 08, 2019

How YouTube Helped Kill IE6

When I am old and have grandkids, I'm going to regale them with stories of IE6 compatibility. IE6 was an important part of the formative years of my programming experience. You would write some HTML/PHP/JS/CSS and make it fast and gorgeous and everything was great. Then, you'd show it to someone and they'd see something totally broken because they were using IE6.

IE6 defined a generation of web developers. There are those for whom "quirks mode" triggers vivid memories and those for whom it is a piece of history. Microsoft apologized for IE6 in its IE9 campaign around 2011. Their apology wasn't to users for holding back web development for a decade – it was to developers for the suffering it inflicted.

A Conspiracy to Kill IE6 has a less gentle introduction to the topic:

Nobody joining the team could be expected to know that in early versions of IE, the browser would load the root path "/" for empty src attributes. The <img> tag would suddenly behave like an <iframe>, loading our homepage and all of its dependent resources in what could become an exponentially expanding recursive loop.

Maybe the introduction is brutal because Chris was supporting IE6 professionally whereas, by the time I started coding for pay, IE6 was on its way out.

This story has another interesting cultural component to it, though.

The early YouTube engineers [...] With their penchants for gray-hat hacking, fast cars, and hard whiskey and an uncommon number of piercings, tattoos, and minor arrest records, many had been rejected during previous Google interviews. [...]

the early engineers created a specialized permission set called "OldTuber". OldTuber granted you the ability to completely bypass the new Google-oriented code enforcement policies, enabling anyone holding it to commit code directly to the YouTube codebase, with only the most glancing of code reviews from anyone.

And of course, my initial reaction is "but the code quality 😨"! But then I am reminded that with great power comes great responsibility to deprecate old browsers.

High-performance Potato Chips

Pringles are serious business.

"We make them very, very, very fast," said Lange. "We make them fast enough so that in their transport, the aerodynamics are relevant."

Practical Personal Security

As Mickens laments, sometimes security professionals are a little out of touch with what average users deal with. In their defense, they're only hired by people with enough money to have something worth defending professionally, so by "people", I mean "companies, mostly". In Mickens' defense, he reads too many papers by cryptologists. Also, he's pretty funny.

I feel the same thing too. Sometimes, I'm about to give someone advice on how to do a computer thing but then I stop and realize that the crazy and finicky setup I have is probably not what they want. Instead of telling them to write some scripts and think very carefully about how to use them, I generally end up telling them to use something that costs a little money instead (use 1Password instead of a homebrew password generator keyed off the domain).

There's just nothing as good as getting a penetration test done, though (well, except maybe saving the thousands of dollars it would cost you). So I'm glad Alex did it and wrote it up (there's also a recording of a talk). I'm especially glad it's written in "Alex"'s style ("Alex" is Alex's hacker name).

I try to use my ~hacker connections~ to get a copy of the Tumblr database. I meet a someone whose forum handle is like d4rkrayne or whatever in a local park at 11pm. A colossal vape cloud leads me to him, waiting under a tree, puffing furiously. [...]

…I download the Tumblr database from a publicly accessible, unauthenticated, absolutely non-dark web website. I scramble to get back in my black hoodie, and whip on a second pair of sunglasses over the first. I'm in.

Phishing

Ichthyology (the study of fish) is such a good name for phishing research.

Phishing is traditionally seen as the easy way out when conducting penetration tests: of course you can socially engineer your way in, that's always possible.

So (some) people have gotten more serious about dealing with phishing. Some of that is just phishing your own users as a form of training.

But some of that is also apparently using AI to help detect phishing! @PhishingAi is a Twitter account that points out phishing and tries to get the attention of the services that are being imitated.

zsh by default on macOS

I've always told people that

  1. zsh is better (than bash)
  2. you can probably just start by cp .bashrc .zshrc since compatibility is pretty good

And so I'm glad it's become the default on macOS.

zsh (Z shell) is the default shell for all newly created user accounts, starting with the macOS Catalina beta, currently available only to members of the Apple Developer Program.

But why? Armin claims

apple does not ship any gplv3 software so they did not update bash after the license switch. That's why you have a heavily outdated bash on macs.

And sure, I do remember that time I just wanted to append stdout and stderr to a file so I wrote &>> file.log and it didn't work on a co-worker's Mac and I was pretty confused. But also, the release notes say

Scripting language runtimes such as Python, Ruby, and Perl are included in macOS for compatibility with legacy software. Future versions of macOS won't include scripting language runtimes by default, and might require you to install additional packages.

And there are a lot of reasons to do this and a lot of reasons not to, but it seems Apple is making a pretty big round of breaking changes in pursuit of something. I could just be imagining things instead of reading between the lines, but characterizing software that depended on system scripting runtimes (instead of bundling their own) as "legacy software" seems like a strong stance to take.