I read this comment on Hacker News about specialization in software development roles, in a thread about what kinds of coding LLMs are and aren't good at (no, I don't want a debate on AI): news.ycombinator.com/item?id=4… And it reminded me of this old Steve Yegge post from 2005, when he was at Amazon: sites.google.com/site/steveyeg… It has a whole heaping helping of Yegge's usual snark directed at the OO fads of the time, but I think the core points are still valid.
in reply to Matt Campbell

I guess it's inevitable that if the software industry is really going to mature, we have to embrace specialization. Big tech companies have already done that to some extent, of course. But I still see plenty of glorification of the solo developer who does it all, the full-stack developer. I've done it myself. I was that developer at Serotek from 2002 to 2017, and I left Microsoft in 2020 to do more of that at Pneuma Solutions. Thankfully, the latter company is beginning to grow.
in reply to Matt Campbell

My first big project for Serotek, in late 2001 to early 2002, was taking over the development of our first product. I wrote the JNI bindings for new speech synthesis and recognition engines (the client app was in Java), rewrote the whole server side in PHP (the original dev team did a J2EE monstrosity), built the installer with NSIS (a self-voicing installer at that), and did the online trial signup and purchase processes (also in PHP). In ~3 months. But, I did much of that very badly.
in reply to Matt Campbell

I continued making rookie web developer mistakes after that initial crunch (because I *was* a rookie web developer). For example, one of our features was our own UI for doing online shopping through Amazon. I screen-scraped the HTML using regular expressions, because of course you couldn't parse real HTML with an XML parser, and there weren't robust HTML parsers for PHP as I recall, though there was a decent one in the Python standard library. And I really thought regexes would be good enough.
in reply to Matt Campbell

I also did some things badly on the desktop side. I wrote a C program to launch the app; it set a bunch of environment variables, then started the JVM by creating a subprocess with the java command. For some reason that eluded me at the time, the real program couldn't consistently grab focus on Windows XP. I understood much later that Windows XP's rules to try to prevent focus stealing meant that focus could only be reliably grabbed by the actual process that was launched by Explorer.
in reply to Matt Campbell

And yet, if we rely on well-funded teams of specialists to do everything, some problems will remain unsolved. Here's why I think that: My current company's latest product, which I developed solo, has no direct competition. Nobody else, whether at the few remaining assistive technology companies or the big platform companies, has done what we did for remote desktop access. I'm not happy with all aspects of the implementation (it's an Electron app), but it exists and is helping people.
in reply to Matt Campbell

and it has no linux support, important to mention. Yeah, accessible remote control solutions aren't many even on windows, because all we had for a long time were screenreader based tools. Electron is kinda bloated, but the issue is that it's hard to find a cross-platform gui library which is accessible nowadays. For example, I'm trying to make a matrix client and I sit there, imagining the architecture and how I would use the rust sdk, but no line of code got written because I couldn't find a UI library for it, it's that bad. So yeah, in those cases, I can justify electron, unless the app is c++, in which case one can just use qt, but trying to use qt from pretty much anything else which is nicer than c++, nope, doesn't work as well, if at all depending on what you want to integrate with it and how. I'm then thinking I should just use gtk and be done with it, but then there are building and compatibility issues on windows papered over with gtk for a long time if a developer I know is to be believed, and I'm not sure if it's going to be very well accessible on windows and mac even after the accesskit integration, egui has unpatched holes when it comes to edit boxes and a few other things, so that's not very good for accessibility either, imgui doesn't implement accesskit at all, godot's accesskit implementation isn't merged yet, so it's indeed a difficult choice if one wants to stay away from electron. On the topic of specialising, I'm more into low-level systems programming stuff, so trying to do anything else isn't very practical for me, so one could say I'm specialising in a way. I believe it's good that people specialise and stick to one field at some point, because if you have to do both the backend and the frontend of an application, you'll work slower and produce more half baked ideas and code just to get the thing to ship, whereas if you work with one thing, you can fully dedicate to it and be even more productive at it, so it's a net win for everyone imo.
in reply to Jeffrey D. Stark

@jstark I suspect one reason the original FreedomBox was hitting a wall before I took it over (as I described earlier in the thread) is because the original dev team didn't know how to go down a level of abstraction to fix things, whereas I did, at least to some extent (I still found Win32 intimidating as hell at that stage). The original dev team's installer was particularly clunky, because of all the third-party components it installed in separate user-visible steps.
in reply to Matt Campbell

I'm curious how greatly you think this applies when you have others assisting you. Not even with code, but just in general. For example, I, having no idea what I want to do with my life after college, started trying to write a piece of software that I plan to sell eventually. The coding is all me, but I'm surrounded by other blind hackers, one of them hundreds of times more talented than me. The kinds of people I can throw a registration system at and go "hey, can you break this?" and watch them do it in under an hour, then iterate on that design, so it really doesn't feel like a solo project, despite me doing all the coding. It's all in one language too, which avoids another problem you seemingly hit, do you think that being split across so many domains is part of what made this difficult for you? You've got decades more experience than me and this is literally just a hobby project for me thus far, but I would like to see it succeed if possible.
in reply to Quin

@TheQuinbox Yeah, having a community definitely helps. Since I was working for Serotek and had to keep the details of my work secret, I was limited in how much I could take advantage of the mailing lists, forums, IRC channels, and whatever else that existed in 2002. Yeah, being solo developer on proprietary software was (and is) lonely. Having it be solely your own proprietary project, and having more latitude about what to share with whom, must be nice.
@Quin
in reply to Matt Campbell

Makes complete sense. I wonder if I'll ever get out of the mindset of writing everything natively. Personally I'd rather go through the pain of learning the internals of the Windows API, Cocoa and GTK enough to make my application work on all three platforms than hit compile and get a 100 MB dist that's primarily DLL files that I never call, but are required by my framework of choice. Even .NET doesn't escape this, as much as C# and VB.NET both appeal to me, the user pressing enter on my app and being told that they only have version 6 of .NET core and need version 8 to run my app or whatever is just not okay with me.
in reply to Quin

@TheQuinbox You're not wrong.

I wonder how good the built-in web engines of modern OSes are at this point; I looked at this a few years ago, but MS still shipped trident with some Windows versions back then.

This way, you could do something very similar to Electron, but without actually shipping a runtime.

I feel like the situation around desktop app development is just sad as hell. Win32 isn't a panacea any more, even if you're willing to put in the work, as it apparently looks quite dated by now, from what sighted people have told me. AppKit is slowly getting abandoned in favor of SwiftUI and Catalyst, and they both suck, so the situation on that front isn't much better.

@Quin
in reply to miki

@miki @TheQuinbox Windows 11 ships the Chromium Edge-based WebView2, I believe. It's not the same as Trident though. Trident became problematic enough as the basis for a third-party full browser that Serotek had to give up on our blindy browser in 2016. But on the other hand, Trident ran directly in the application process, whereas WebView2 doesn't even run the Chromium privileged component in the application main process. That means more boundary tokens (see the Glyph post I referenced earlier)
in reply to Matt Campbell

@miki @TheQuinbox With Trident, an embedding application could expose its own COM objects to the web content and have the JS and native code run on the same *thread*. I did that in the Serotek Windows software, a lot. With Electron, you have to use asynchronous IPC between the main and renderer processes. If you disable sandboxing in the Electron renderer, you can to some extent run native code in there, but you're still gonna have app state and other native bits in the main process.
in reply to Matt Campbell

@miki @TheQuinbox Wait, someone has finally done this! I've been saying this for years, that we should ditch electron and just use OS-native browser engines for web apps, and let the OS do some kind of resource sharing to avoid having so many complete copies of chromium hogging resources. I doubt edge web view has done that yet, though. Shit like this is why 16 GB is now the bare minimum of RAM to use a PC remotely efficiently.
in reply to miki

@miki @TheQuinbox Hey, a one-and-a-half-year-old .NET toddler here. You can do both, actually. You can do either what Mikołaj said (that is called self-containing app), or you can do what Quin says. I prefer the latter (installing a .NET 8 environment if the user doesn't have it already), because I have several apps and am planning to have more, so distributing, say, ten apps with ten frameworks is kind of overkill for me.
in reply to André Polykanine

@menelion @miki Nods, that's also definitely a thought. If the user has 12 .NET apps on their system, having 12 copies of the same framework lying around is a huge waste, both of bandwidth and disk space. Out of curiosity, what's your preferred .NET workflow, including UI frameworks? I tried the dotnet CLI and absolutely love its workflow, but Winforms is so heavily dependent on the designer that it's hard, but not impossible, to write by hand, and WPF is, well, WPF, weird accessibility presentation framework as I call it.
in reply to Matt Campbell

It mainly stems from me seeing how wasteful it all is. I can write an app in C# that requires an entire framework to run but just wraps the Windows API under the hood, thus needing to either have the user install the framework or ship it along with my app, or I can just...call the APIs myself. Seems like an obvious choice to me, and it saddens me that so many people have lost interest. My tool of choice certainly helps too, PureBasic is an utterly amazing tool that's sadly gatekept by its price tag and small community, but the value of being able to natively call Windows API functions, objective-c functions, C functions from lib files, and dynamic libraries all from one cross-platform codebase cannot be understated. This codebase is currently over 5000 lines and growing, and even with statically linked Universal Speech and SQLite, the executable barely surpasses a megabyte. The overall dist grows slightly when you include the nvdaControllerClient, saapi64 and zdsrapi, but not by much.
in reply to Matt Campbell

For whatever it's worth, SAAPI64 is actually the smallest screen reader DLL, with the nvdaControllerClient weighing in at around 150 KB (note that this is the old controller, the new one is even larger), and the zdsr API is around 264 KB. That said, though, I certainly wouldn't say no to a lighter SAAPI64, and wish you luck! I really should give Rust another look, it just hurts my brain so, so much.
in reply to Quin

saapi64? is that what I think it is? is anyone still using, checks notes system access? I forgot how to use that now that I think about it, but yeah, if people actually use that, that's awesome and scary at the same time. About rust, it depends on what you're struggling to understand or what seems weird. It definitely feels like something new, because people not versed in functional languages probably never heard of a lot of that stuff, but that's ok, we're learning things all the time. Out of curiosity, what's your biggest issue with trying to understand it? maybe I can explain more, having faced issues when initially learning it too. If you don't want to hijack this thread further, matrix is there, if you still have it that is. @matt
in reply to the esoteric programmer

@esoteric_programmer @TheQuinbox You can still download the SA/Sero/DocuScan Plus bundle here: download.pneumasolutions.com/S… SAToGo is even still online, though it's useless without IE. I posted the last SA update (*checks notes*) nearly a year ago. SA has been in maintenance mode since I went to Microsoft. I myself still use SA for reading some web pages, but I know my program's limitations.
in reply to Matt Campbell

@esoteric_programmer For all practical purposes, NVDA has probably been faster for a long time, though SA's lack of a distinction between browse mode and focus mode was convenient for less complex web pages. And I still like the way SA reads text with inline links, playing a tone for each link. I believe @TheQuinbox was a long-time SA user.
in reply to Matt Campbell

yes, I'm trying to see how to not have the distinction between browse and focus mode in the long term for odilia. We will probably have it for a while, but it's kinda confusing all things considered, it's like, everything works in this way, except websites which require me to learn new commands entirely just for these things, and the distinction isn't important anymore because see electron apps and so on. So, I'm thinking of either having everything be in a browse mode kind of state by default, only not entering browse mode if the user puts the sr to sleep or the sr encounters certain control types, or perhaps have browse and focus mode work everywhere, even normal apps, so that unfocusable label over there can be read like anything else on the web and quicknav things work in normal apps too. About earcons instead of overly verbose information, I do think that's where screenreaders should be going in general, not only for links or whatever, but for all important kinds of controls. NVDA can do this to some extent with add-ons, but from what I remember, voiceover has it integrated, which is a much nicer experience. Not sure what odilia will do yet, but it's possible we'll do a voiceover type thing
in reply to the esoteric programmer

VoiceOver for Mac handles it well: there's almost never a keyboard conflict with an application, screen reader review and navigation commands are always available. You can turn Quick Navigation on if you want to use unmodified letters/digits for screen reader navigation, but that's an exception, not the default.
As I remember, ChromeVox is similar.

Catholic #priest in Belarus sentenced to 11 years - for criticising the government, as crackdown tightens

In the first case of politically-driven charges against #Catholic clergy since #Belarus became independent after the Soviet Union collapsed in 1991.

euronews.com/2024/12/30/cathol…

New virtual reality-tested system shows promise in aiding navigation of people with blindness or low vision sciencedaily.com/releases/2024…

Tusky localizations, help wanted


Paris and Berlin are now linked with an 8 hour daily rail service, that starts at €59. It produces 100th of the emissions of flying between the cities.
euronews.com/travel/2024/12/13…

You know how many of the popular apps we use to check the weather offer the data of the Norwegian Meteorological Institute as an option? Having recently learnt that Norway has one of the most stringent laws on accessibility in Europe, I have decided to check their official app for iOS and am not disappointed. It found my current location in Poland without a problem, albeit with a typo for some reason. It also provided webcam imagery from my hometown - this of course is not accessible. It remains to be seen how accurate the data really is long-term. About the accessibility: the data presented is grouped as it should be so it is read out in one cluster for each 3-hour segment. Custom hints will let you know that by tapping twice, the hourly forecast is expanded. In the 10-day view, each day is a heading. Unfortunately, the graphs are not accessible despite the APIs for this being available for some years now. Other than that, the app is very simple and convenient to use so if you're looking for something uncomplicated to check your local weather, you can try YR. No idea how accessible that is under Android but I expect the experience might be similar apps.apple.com/pl/app/yr/id490… #Accessibility #A11y #Blind

A smile on your lips, a good hand of cards,
and a bunch of good people to go with it.
Health, happiness, lots of love,
no worries, no wrinkles!

A happy start to the new year to all of you, friends!🤞🍀🥂

Even though our paths sometimes lead into the unknown, I believe that behind the fog of uncertainty the sun shines for everyone. ♥️
#PF

"Handing the reins to Harris in July, rather than sticking it out, wasn’t one of his mistakes. His mistake was that he didn’t do so sooner."

New from @wsaletan on the fantasy that Biden would have beaten Trump: thebulwark.com/p/biden-world-h…

Tom Baker has been honoured by King Charles with a Member of the Order of the British Empire (MBE) award for services to television.
cultbox.co.uk/news/doctor-who-…

John @tuckner sent me on an interesting wild goose chase. He is investigating the Cyberhaven extension compromise, trying to find out more. And he found something that he considered another campaign compromising browser extensions, related to the sclpfybn[.]com domain: secureannex.com/blog/sclpfybn-…

Edit: Just to make sure this is clear: so far there is little indication that these two campaigns are somehow related. Both being present in one extension was most likely a coincidence.

One of the extensions that used to contain the code in question was Visual Effects for Google Meet – which brought him to me because I recently covered that extension in my Karma Connection article: palant.info/2024/10/30/the-kar…

I checked my data but couldn’t find sclpfybn[.]com domain mentioned in any extensions other than the ones @tuckner found already. I then looked for similar code and immediately found it in Urban VPN Proxy.

First thought: Urban VPN Proxy has the legitimate version of a library that was trojanized elsewhere. Taking a look at the communication of Urban VPN Proxy disproved that theory almost immediately – not only was it communicating in exactly the same way, but also to an unknown domain, namely ducunt[.]com. Yet the same endpoint existed on the official urban-vpn[.]com domain as well.

So not only did Urban VPN Proxy contain essentially the same code, it was likely added there by the developers themselves. Further investigation increased the suspicion that all these extensions haven’t been compromised, that this was rather some monetization SDK.

At which point @tuckner found the sales pitch for that SDK, detailing how it would add ad blocking functionality to the extension at the cost of exfiltrating very detailed browsing data (of course anonymized and aggregated before being sold to everyone asking for it, we know the drill). And explanations on how to make sure Google won’t object.

And that explains it all: before the Visual Effects for Google Meet developer sold their extension to Karma, they tried to monetize it with this “ad blocking library.” The sales pitch doesn’t mention who develops the library but everything points to Urban VPN.

According to Urban VPN privacy policy, they are selling the data they collect from their users via BIScience Ltd. Who are most likely the hidden owners of Urban Cyber Security Inc., a company registered to a virtual address in the USA.

Edit: Updated link to Tuckner’s blog post, he split it away from the original investigation.


Another great podcast episode from @RyanAndrosoff this time with Andres Raieste from Estonia.

This is the second podcast from this year's #FWD50 conference in Ottawa. I would definitely recommend that folks in government listen to Trust is Everything | Ep 27

I liked the line about the importance of demonstrating incremental improvements. Starting with the tax department is also interesting.

youtube.com/watch?v=FzbyuwzRcr…

#Estonia #DigitalTransformation #Government #Trust #LetsThinkDigital

#NCP

A reminder, a week on after this news broke, if you have the HONEY browser extension from PAYPAL installed, you should uninstall it immediately and delete all its cookies.

The extension + app owners

- does NOT find you the best coupons
- does backroom deals with big retailers to drive conversions, with less discounts
- steal(s) from creators
- harvests your data for resale and manipulation
- is classified as malware

Full details here (nb, the youtube display may not work because Youtube is actively blocking their cards / videos from displaying on Mastodon because of the MastoDDos effect)

youtu.be/vc4yL3YTwWk

#ncp

A look back, a look ahead: How was 2024 at IzzyOnDroid? What might 2025 bring you there, what are we working on?

android.izzysoft.de/articles/n…

And if anybody ever tells you #security or #reproducibleBuilds are "set-and-forget", laugh straight into their faces. Software evolves, and so do its threats and risks…

German readers: the German version will follow shortly…

#IzzyOnDroid

in reply to IzzyOnDroid ✅

The German-language version of our "annual report" is now online too:

A look back, a look ahead: How was 2024 at #IzzyOnDroid? What might 2025 bring you here, what are we working on?

android.izzysoft.de/articles/n…

And if anyone tells you #security or #reproducibleBuilds (once set up) simply run themselves: laugh out loud at them. Software evolves – and so do its risks and threats…