Show HN: Hacker News' “most unique support email of 2014”
While digging around in drawers that hadn't been touched for decades, I found a wonderful piece of history. The Palm Treo 600 [1] was the Mercedes-Benz of the cellphone 10 years ago, and I was lucky enough to rediscover one.[2]
So I decided to restore it to working order, slapping in a T-Mobile SIM[3] and a fresh battery. It worked! It could browse the Internet[4], send/receive text messages[5], make phone calls...[6] The onboard browser even passed Acid1[7,8] and could do some level of JavaScript![9]
Unfortunately, most websites were a little heavy on this poor thing's CPU. One site that I knew wasn't heavy was Hacker News!
Unfortunately again, it didn't work. It "didn't work" in an odd way, though: it raised a "Communication Error" that would never occur on other pages, just Hacker News. So I did what any inquisitive individual would do: record a video, and ask HN support!
This is what I sent: https://www.youtube.com/watch?v=Nqn-EmU5KPw
This is what they got back to me with: http://i.imgur.com/LuPHqiN.png
I am truly honored to accept this award. I'd like to thank Palm, for making such an incredible phone (10 days of battery life!), as well as the Academy. And also my parents. And you, dear reader. Thank you so much!
PS: kogir :)
PPS: I've always wanted to do some teardowns of old device UIs and see what our mobile device forefathers thought up. I have a couple of really cool archeological finds that I could share.
[1]:http://en.wikipedia.org/wiki/Treo_600 (gallery of 2-6,8-9 here: http://imgur.com/a/Gu70R) [2]:http://i.imgur.com/xVdpUST.jpg [3]:http://i.imgur.com/2Yy8fkM.jpg [4]:http://i.imgur.com/nZ7GwC1.jpg [5]:http://i.imgur.com/OJuZmh3.jpg [6]:http://i.imgur.com/z9mNkHt.jpg [7]:http://en.wikipedia.org/wiki/Acid1 [8]:http://i.imgur.com/9VKcxlY.jpg [9]:http://i.imgur.com/5KeI9TI.jpg
119 comments
[ 2.7 ms ] story [ 199 ms ] threadVery interesting, and congratulations on your award!
I imagine the issue is that we only support TLS 1.0+ and not SSLv2 or SSLv3. https://www.ssllabs.com/ssltest/analyze.html?d=news.ycombina...
You say they can guess what you're looking at with HTTPS.. well if you use SRI without HTTPS, then they don't need to guess.. they absolutely know what you're looking at.
Also, if they can change the page (which they can if it's over http), they can change the hash as well.
Also, SRI is like 9 months old since the first draft... which means it does nothing for the visitor unless they are using the newest version of one of the major browsers.
And I think, of the browsers that do support SRI (possibly in prerelease versions or behind feature flags), they require the page to be delivered over SSL anyway.
Take a look at that HTTPS certificate that you think means you're talking to the site of your choice. If it says "cloudflare.com", "incapsula.com", "edgecastcdn.com", "palmwebservices.com", "cdnetworks.net", there is a man in the middle of your HTTPS connection. This is the case for at least 38,000 sites we know about. There are probably more. (The list: http://john-nagle.github.io/certscan/whoamitalkingto04.pdf)
HTTPS Everywhere was well-intentioned, but the people behind it didn't realize that high-volume use of HTTPS forced less secure use of HTTPS. That's why it's a form of security theater.
I still trust the link between CloudFlare and Hacker News more than I trust the link between a dodgy ISP and Hacker News. Further, there's no reason that a CDN can't use SSL to the backend, so in that case the only weak point is the CDN and the original site, not any of the links.
Using HTTPS to a CDN is still far better than using HTTP to a CDN or to the original site.
Nothing forces sites to use a CDN. HTTPS, by itself, does not massively increase load. If the limiting factor of your web server is how fast you can do cryptographic operations for HTTPS, you're doing rather well; most of the time that won't be your limiting factor.
Using a CDN is not wildly less secure than using a hosting service, and numerous sites use hosting services. "Secure to the CDN" is still a net improvement over "completely insecure".
By all means, complain about sites using a CDN that you don't trust. That's not an argument against universal adoption of HTTPS, though.
Proxies are not a common setup; approximately zero home users use them, and a subset of corporate networks do (only the obnoxious ones).
In any case, caching proxies are far less important than caching browsers, and HTTPS does not in any way break caching browsers.
Even with CDN terminating SSL, it protects you from injected malware and ADs between you and the CDN by your ISP.
If you want to work on a spec to make cacheable, signed hypertext documents, I will be totally down for helping. But no such spec exists today.
Unless my understanding of SRI is totally wrong, it is to protect against malicious changes to third-party resources, usually by the hosts of those resources (or someone attacking them) or a poisoned cache thereof, not to guard against MITM.
Subresource integrity can protect against changes done on the server, while TLS can protect against changes done by a man-in-the-middle. They protect against different things, and do not significantly overlap.
For example, example.com (delivered over HTTPS) could use jquery, and include in the page it delivers to you both the URL and a hash of the jquery scripts; you could then fetch those scripts over untrusted channels or from untrusted servers, and be sure that they are the ones that the administrators of example.com intended to reference. If example.com were not using HTTPS at all, then they could just be the resources that the Man In The Middle of your channel to example.com intended you to see.
So, how you defend "SSL everywhere".. I don't buy it. I feel more for what the commenter you responded to said, because your counter argument comes with a lot of assumptions that have more problematic implications. A false sense of being secure does seem much worse than knowing that most of the stuff you do is actually insecure to begin with.
Plain text is not a bug. It's a feature! Cheesy, I know.
It may feel so, but it certainly isn't. Some security (against anyone but the top 0.X% of "bad guys") is certainly better than no security (random script kiddie in your coffee shop injecting 0-days from exploit-db straight to your browser).
And regarding the hopelessness of SSL/TLS - the CA problem exists and is pretty huge. But we know the solution[1]: it's called certificate pinning. When you control clients (Google/Chrom[e/ium]) can just pin your own certs/CA and refuse anything signed by the Hong Kong office. For the rest of us that don't, there's HSTS (to tell the browser to refuse http:// redirects from a MiTM, overriding TLS altogether) and Public Key Pinning Extension (HPKP). They aren't very widely rolled out, but we're getting there. Test your browser here[2], you may be surprised. This all assumes that the user won't ignore the warnings when they come up, of course. Also it would protect you from your second visit onwards - if you're being MiTM'ed at your first attempt to grab a site with all the above bells and whistles, your browser doesn't know about the pinned stuff yet, so it is vulnerable to SSL stripping, etc.
In short, it's certainly better than nothing (protecting you from 99%+ of bad guys) and we're slowly fixing it[3]. Don't let the man get you down.
[1] Until we get to a proper, more distributed solution
[2] https://projects.dm.id.lv/Public-Key-Pins_test
[3] Shamefully slowly - TACK was proposed so long ago... https://news.ycombinator.com/item?id=4010711
What about if you're in a country that likes to censor the news?
However, after the first visit, your browser learns through HSTS (the Strict-Transport-Security header) that accessing news.ycombinator.com without TLS is not supported, and won't attempt to access it again except via TLS. (For a year, in HN's case - this is configurable by the site administrator.)
Without SSL, you can't be sure of the integrity of the data set by the site. It's important even when not exchanging private data.
As a user of HN, I appreciate these security features. Suggesting that HN should not use HTTPS so that someone can access it from a 10 year old device that's impractical for modern web browsing anyways is possibly the weakest argument you can make against HTTPS.
[1] http://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-f...
[2] http://justinsomnia.org/2012/04/hotel-wifi-javascript-inject...
[3] http://www.thoughtcrime.org/software/sslstrip/
It's basically a private key we're all assigned at birth that can't be rotated. It was originally meant to be used in the state-sponsored welfare program "social security", but tons of businesses require it as a unique identifier.
Absolute stupidity on all fronts.
For example:
http://www.identityhawk.com/Who-Can-Lawfully-Request-My-Soci...
Sadly, it's too late in the day for me to try to parse this: http://www.justice.gov/opcl/social-security-number-usage
> This is what I sent: https://www.youtube.com/watch?v=Nqn-EmU5KPw
> This is what they got back to me with: http://i.imgur.com/LuPHqiN.png
> [1]:http://en.wikipedia.org/wiki/Treo_600 (gallery of 2-6,8-9 here: http://imgur.com/a/Gu70R) [2]:http://i.imgur.com/xVdpUST.jpg [3]:http://i.imgur.com/2Yy8fkM.jpg [4]:http://i.imgur.com/nZ7GwC1.jpg [5]:http://i.imgur.com/OJuZmh3.jpg [6]:http://i.imgur.com/z9mNkHt.jpg [7]:http://en.wikipedia.org/wiki/Acid1 [8]:http://i.imgur.com/9VKcxlY.jpg [9]:http://i.imgur.com/5KeI9TI.jpg
Hoping with the sale of the Palm Trademark, and WebOS being free, which is a generation ahead of all mobile operating systems, before the javascript app craze came up, might, in some way, come to lead and inspire the way again.
In my quest I found a phone database where you can search by features (I forget which one right now) and sorted through all possible candidates. My hopes went up momentarily when I saw the Dell Venue Pro[1] before I clicked "next" and saw how wrong they got it[2].
Eventually I sumbled on the Motorola Photon Q[3] - which I'm not even supposed to have, as it doesn't come with a SIM slot at all. Luckily some enterprising Korean guys have figured out the modding process and are selling them on ebay. I tried my luck and received it a few days ago. Really good value for money, loving the sliding action and physical keys but wish it were a bit more powerful. I think I've compensated for this mostly by cutting out a lot of fat and its puny dual core CPU now runs 4.4 fairly comfortably. I'll probably go back to my Nexus 5 soon but it's a great backup phone and I love the keyboard.
I'm half convinced that a custom N4/5 backplate with a built-in keyboard would sell like crazy. #kickstarterideas
TL;DR: Look at Moto Photon Q.
[1] http://upload.wikimedia.org/wikipedia/commons/7/7c/Dell_Venu...
[2] http://cdn.slashgear.com/wp-content/uploads/2010/10/dell_ven... I literally burst out laughing as soon as I saw this. Bless you, Dell. (also: windows)
[3] http://upload.wikimedia.org/wikipedia/commons/8/8d/Motorola_...
The Blackberry Passport is one of the few modern keyboard phones, it uses Amazon's appstore for Android apps.
The CGM wiki isn't entirely clear on this - there's a specific build for the Q which is somewhat outdated [1] so you should use this [2] [3].
Be aware that you'll need to tweak it a bit to make it super-responsive with 4.4 - at least for me, the N5 has really spoiled me (...especially after I went back to 4.4)
> The Blackberry Passport is one of the few modern keyboard phones, it uses Amazon's appstore for Android apps.
The passport is cute, but I didn't consider non-Androids (I'm a flasher:) and I wanted something in the "second/backup-phone" price range. The keyboard would likely be nicer than the Q's though.
[1] http://download.cyanogenmod.org/?device=xt897
[2] http://download.cyanogenmod.org/?device=moto_msm8960_jbbl&ty...
[3] http://wiki.cyanogenmod.org/w/Moto_msm8960_Info (get the _jbbl or it won't flash)
https://en.wikipedia.org/wiki/Treo_650
I'm pretty used to the swiftkey touch keyboard now, but the one feature that the Treo destroyed any phone that I ever used was the ability to press function and calendar on a keyboard and the app would move right into creating a new item on your calendar or to-do list.
Had I thought about it I probably would have written "most unusual". Still, I'm not sure the pedant's case holds up on this one. Two things may differ from everything else to varying degrees; both are unique, but the one that stands apart more is arguably more so. Even among the unique support requests of 2014, Rob's email stood apart the most by a long shot.
So if something is 'more unique' than something else, it doesn't really fit the first part of the definition because they are both only one of a kind, but it fits with the second in that it is more unlike anything else than the other thing.
I think these battles are worth fighting. As does Weird Al: https://www.youtube.com/watch?v=RGWiTvYZR_w
That means they do have meaning. I'm sorry if you had trouble understanding the meaning of the words in the post. I think everyone else got it, though.
[1] http://www.etymonline.com/index.php?term=pathetic
To be unique, all something needs is to have a collection of properties which (taken together) are possessed by no other instance within some larger population.
Even then, it's still quite possible to have multiple unique objects within a set.
This quality of "uniqueness" can then be ranked, based on how many of those unique properties (or subsets of them) are sufficient to still make the item unique.
E.g. blue sphere among blue cubes is less unique than a red sphere among blue cubes.
So yes, "more unique" is perfectly reasonable IMHO :P
Uniqueness may once have been a boolean property (I cannot say for certain one way or another), but at present it is not.
Language evolves over time, and I am no more confused by someone (mis)using "begs the question" than I am by someone using the modern definition of decimate.
[0] http://www.slate.com/articles/life/the_good_word/2005/11/the...
When people talk about how Steve Jobs invented the smartphone, I used to say, "but but but..." Now, though, I just sigh and nod like I'm still listening to them.
i remember it had outlook integration which was especially awesome because my employer at the time used outlook and i was able to leave my work-from-home post during the day to have lunch or drinks with friends in san francisco and not be out of touch.
even though this was barely ten years ago, now i feel really old.
- I watched most of the world cup 2006 games live streamed over 3G. -I used to frequently use google maps which without GPS would use cell towers triangulate my position within a couple hundred meter radius. - Used it as a wireless AP -And even uploaded videos to youtube.
When i first heard of the iPhone i wasn't that impressed as i already been using what i considered a smartphone. Obviously i that's all changed now! ;)
iPhone really fixed that one thing but at the time I was outraged (outraged!) that to get that smooth UI performance I'd have to give up 3rd party apps, 3G, MMS, GPS, (shitty by today's standards) video calling, copy/paste, task switching, and even the ability to change my wallpaper or ringtone!
Kind of amusing today with the relative parity between mobile OSes and the abundance of models to choose from but at the time I just remember being so frustrated with how no single company seemed capable of putting everything into one device. Still, those Treos and PPCs laid the groundwork for the insanely capable and useable devices many of us carry in our pockets today.
I think my experience with that phone is the reason I'm in love with the Samsung Galaxy Note series now.
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html> Connection closed by foreign host.
Maybe you could set up a https->http proxy and access that to see if that solves your problem?
* Handspring Visor+Visorphone (2002): huge!
* Handspring Treo 270 : broken lid
* Handspring Treo 600 : working, but broken screen
* Palm Treo 650 : working
* Palm Pré : still working, but broken USB connector
* https://blog.cloudflare.com/sslv3-support-disabled-by-defaul...
Also RC4 is about to die:
* https://blog.cloudflare.com/killing-rc4-the-long-goodbye/
* https://blog.cloudflare.com/killing-rc4/
* https://blog.cloudflare.com/the-web-is-world-wide-or-who-sti...
[0] http://english.blogoverflow.com/2012/10/prescriptivism-and-d...
Subject: XXXX Case #XXXXXX : Priority changed to Customer Down Date: Tue, 6 May 2014 03:17:47 -0700 From: XXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXXXXX
CC: XXXXXXXXXXXXXXXXXX
* Case Priority change * Case Priority has recently been changed to: Customer Down
Case Details:: Case #: XXXXXXXX Company: XXXXXXXXXXXXXXXXXX Contact Name: XXXXXXXXXXXXXXXXXX Status: New Category: Support System - Support Accounts
Subject: My name is spelled XXXXXXXX
Apparently, the customer could not function if their name was spelled wrong...