patrick.net

As much as possible, give your users the ability to customize things on their end. A good CRM is worth years of development work. Current company is in the process of pulling all the customization back and focusing on just putting out a standard platform. Spoke with a couple people when I started as part of onboarding. Most common complaint I heard was how customization fucks everything up, and this was mostly coming from the business side.

Patrick says

I used node.js to rewrite patrick.net a few years ago, and I'm very happy with it. Clearly I'm no visual artist

This is one of the best websites out there. If I wanted to see the work of a "visual artist" I'd visit a museum.

Instead, we have:
• Clear, high-contrast text
• nothing animating, giggling, or making noise
• everything on the page searchable in local browser text search
• pertinent information displayed without information overload
• responds properly to browser window width resizing
• zero CPU usage after initial load and layout
• fast load times

NuttBoxer says

As much as possible, give your users the ability to customize things on their end.

The last company I worked for did Dye-sublimation printing on fabrics. The users could pick or upload a pattern, and order a sample size or a quantity of full yardage. I gave him a html based GUI that not only batched like fabrics, and a graphical layout of the samples before printing it. He could remove items, or move them around to accommodate their needs. Also to bring up a batch or a single item and reprint it. I gave him many tools for every gotcha we ever ran across that was outside of what my application could manage. Like report on the real available fabric at hand, or a report that shows stock needs to be moved to fulfil the order. Show the image didn't download for what ever reason, or the print error was due to the image being an improper format or wrong dimensions per the step repeat instructions(A serious error when that happens). The huge International consultant team ported that process to a cloud based MS 360 Cloud ERP. The end user I designed it for, says now the batch is just a list. It tells me nothing. The XML instructions that drives the print press is generated minutes after he batches it. Not Realtime, so if something fails or doesn't print. They don't find out about it until customers are moaning they didn't get it. With my system, he knew immediately . And because the new cloud system is purely a onetime one shot operation. The only way to reprint, is to tell the customer to cancel the order and send a new one. No guarantee it will make it either, if they don't' know that the image is screwed up.

More idiots that wondered. "What in the fuck did he do it like this for? All of this shit shouldn't be the guy that is printing the orders job!"
They are damn lucky they have that guy, I wrote him what he needed, and it was elegant and the industry leader. The consultant idiots wrote what they wanted him to have and it sucks and is nothing but problematic. When I wrote them the software, one of their Competitor/Partner developers were struggling generating a batch XML like I created. So the owner had me send them my code and massage them until they understood it. That really hurt, I should have left then rather than doing that.

Tenpoundbass says

My goal when I start work at a company. Is to write code that someone that isn't a programmer can manage with the tools I made them.

THIS!!! People are running a business and the computer is just a tool. Just like how a traveler uses a car to go places and does not want to stop every few miles to reset engine timing.

I just asked ChatGPT to make an algorithm that would

1) scramble the bytes of the input randomly with a function
2) unscramble the output to produce the original data

It couldn't do it. It lied to me. It gave me code, that didn't work.

The more I play with AI, the less functional I realize it is. It's GREAT for starting with simple coding in languages you don't know, but ask it a somewhat difficult or unusual problem? It's worthless.

This idea that it will replace skilled workers, is bullshit. It's nowhere near that. It will always give you an answer, but if it's a tough one, it's most likely wrong, and there's no way to input data into it to correct it so it cannot learn from its errors. When you indicate it's made an error, this is apparently regarded as "hostility" and will disconnect. They really fucked up on the algorithm.

richwicks says

This idea that it will replace skilled workers, is bullshit. It's nowhere near that.

Very likely, the model they use in production has a cutoff with high probable nodes in the graph to be more 'reliable' and generic.

Tenpoundbass says

So they asked me if they could use the test project I sent them as the foundation to build their software.

You should have charged them for it.

Tenpoundbass says

I would tell the kid to put himself out there.

Thank you very much. He appreciates this recommendation.

gabbar says

Tenpoundbass says

I would tell the kid to put himself out there.

Thank you very much. He appreciates this recommendation.

I would also suggest your kid to make use of ChatGPT - it's not the wizard being sold to the public - I've used it.

It's tremendously good at basics, but ask it a hard problem, and it will produce nonsense.

For example, I asked it to produce a program to create two windows using curses (that's a very old library for terminals), and it did it. That saved me hours of work. I asked it to write a program to take in characters using Apache as they were typed, this is websockets, it suggested CGI which doesn't work.

It's great for a STARTING point, but worthless at new solutions. Apache can do this, but it requires a plugin. It didn't recognize this.

Open source AI that helps you write code, it is offered by Facebook and called "Llama AI for Coding"

https://about.fb.com/news/2023/08/code-llama-ai-for-coding/

richwicks says

It's great for a STARTING point, but worthless at new solutions.

New Solutions, require using existing technology or libraries, in an off label fashion.
I'm often impressed, that I reuse a Library I wrote for one solution, but was able to tweak it to handle another problem that I originally didn't intend it to do.
AI will not make that connection. It uses the code libraries out there, in accordance to the documentation. I think it starts producing nonsense, because it took documentation too literal, with a broader stroke than intended.

I could write a parser that could pull relevant code out of documentation and provide a starting point.
I employ a method to crank out the working prototype and starting point, in a day or two that would take a team of 3 developers a couple weeks to do.
I build a few tables that hold meta data of the data models and structures, and then I script a SQL script to spit a long concatenated string that provides the Classes needed. .I have several flavors, for making the class objects, the data classes, code for the forms, as well as appropriate html, and javascript.
This is where I impress myself on how with a little tweaking these scripts bang out code for totally different methodologies, and design patterns for various solutions. I mean I can see it wouldn't be a far stretch to take what I have and convert it into some AI code gen thingy, that would impress the Hype Tech consumers..

ECC encryption and why it's superior to RSA.

ECC works with an elliptic curve, a quick explanation of what such a curve is can be found here:

https://www.youtube.com/watch?v=dCvB-mhkT0w

It works over a Galois Field (i.e. using modulo arithmetic). The video above explains point addition. Point multiplication is repeated addition just like it is with standard math. Scalar multiplication is when you have only one point - this is a special condition when you're adding the point P to P X number of times.

To understand why point addition follows the commutative property, you have to understand number theory to know why - just accept it does. The commutative property means that

G +
2G +
4G
----
7G

Where G is the generator point, which is the initial point where you do scalar multiplication. In order to quickly calculate any scalar point multiplication G is computed, then 2G, 4G ... 256G etc - but just doing repeated point addition. Again, see the video.

The secret key of ECC is just a random number usually in the range of:

0 - 2^{252} +27742317777372353535851937790883648493 (for Curve25519)

ECC curves have an order normally called n, which is the total number of points a generator G can reached with scalar multiplication. You can have a larger secret key than this, it doesn't matter, since it uses modulo addition, but you end up with a key that is larger than it needs to be. Generally the private key is a 256 bit number.

You can easily do scalar multiplication using the commutative property, but division is (so far) impossible.

To do Diffie-Hellman key exchange:

Alice picks a random number for her private key, and then computes the scalar multiple of this private key. The result of this calculation is the public key. Bob does the same. When Bob and Alice share their public keys, Alice takes Bob's public key (which is a point on the curve), and does scalar multiplication with her private key. Bob takes Alice's public key, and does scalar multiplication with his private key. The result is both end up with the same point on the curve.

For additional security, the result of the shared secret is hashed sometimes with a shared OPEN secret (a nonce), and the public keys in a given order.

The advantage of ECC key generation is that unlike RSA, it's immediate. Generating a private key is just picking a random number, and scalar multiplication is also very fast on the order of milliseconds, they keys are also smaller.

In short, RSA is crap, although ECC might have a fatal weakness. RSA depends on the inability to factor very large numbers, ECC depends on the inability to do point division although it's trivial to do point subtraction.

Is it possible to implement a replacement for SSL with no change to browsers and no centralized certificate authorities?

That would take care of encryption and MITM attacks and leave all the spook agencies out of it.

There are a few guys out there with alternatives to typical internet protocols that touch on this. I think Corbett had a few on in the past year. There's onion routing, although it should always be pointed out, majority of the funding comes from the government.

Patrick says

Is it possible to implement a replacement for SSL with no change to browsers and no centralized certificate authorities?

That would take care of encryption and MITM attacks and leave all the spook agencies out of it.

@Patrick, TSL has superseded SSL and yes, certbot (which I believe you use from Let's Encrypt) can do ECC, although I've never tried to set it up. From here:

https://eff-certbot.readthedocs.io/en/latest/using.html

I if you search for "ecc" you'll find:



It looks like it might be a little nonstandard, and the main advantage of ECC is the speed. You can absolutely instantly generate a new keypair.

The weakness of ECC (possible weakness) is that the random number generator could be compromised. I'm working with libsodium, and will probably use the offered private key, and then grab a random number myself, then do something like an sha256sum on the result, so even if the random number generator IS compromised, the resulting generated number should be impossible to work out backwards.

There are cautions against doing your own thing. With libsodium for example, you have to lock the page to prevent it from being swapped from memory, and clearing secret keys before it's returned to memory. I'm not so concerned about security right now, I'm just trying to understand the concepts.

What I'm finding is that the complexity of all this shit, isn't complicated at all, it's just explained very poorly. I can condense my explanation of ECC much further.

Private key a = random number = Pa
Public key A = PKa = Pa G where is defined as G raised to the Pa'th power in scalar multiplication on an ECC field

Private key b = random number = Pb
Public key A = PKb = Pb G where is defined as G raised to the Pb'th power in scalar multiplication on an ECC field

Shared secret = PKa b == PKb a == shared secret.

Shared secrets are only about 2^252 bits large, so you can do some additional obsfucation on it, and using the shared secret AS a key is not recommended. For example: the true shared secret to be used as a hey might be HASH (PKa Server_Public_key Client_Public_key)

There's a lot of non obvious mistakes you can make, which is what cryptography is all about.

@richwicks I suspect there is a way to make a replacement for SSL/TSL which is so simple that it's hard to leave any holes.

Maybe we could all browse via a local http proxy which takes in http requests and generates sftp requests. That would take care of encryption and there would be no certificates needed.

For identifying the remote server to prove it's not a fake, how do you trust that your DNS gave you the right IP back?

You just need something that only real the owner of the domain can do, l like creating a file on the server.

Mentioned this before, Corbett did a solutions watch last year where he spoke with a few people pioneering new messaging and internet. I'm sure they worked through some of these same questions.

richwicks I suspect there is a way to make a replacement for SSL/TSL which is so simple that it's hard to leave any holes.

@Patrick - Do you want to dump TLS/SSL entirely? That CAN be done I believe. I think. I want to patent it. I don't believe central authorities should exist and I THINK I know how to accomplish that. Basically with TLS, you are depending on a Certificate Authority to say "yes, this OTHER certificate really does belong to Google, YouTube, Patrick, whomever".

Do you want to eliminate the need for a Central Authority (CA)? If you still need a CA, what's the point of moving from TLS to something else? ECC is part of the TLS standard, although I've never set up an ECC key for my webserver. I know it's possible.

Patrick says

For identifying the remote server to prove it's not a fake, how do you trust that your DNS gave you the right IP back?

You don't need to identify the IP or keep it constant. There's always a threat that the secret key can be stolen or guessed which is the weakness. I think DNS needs to be done away with, perhaps using a DHT instead. The problem with DHTs is that they are slow. DHT is how a file is found on bit torrent, it's just a distributed database across multiple computers. DHT could be combined with an instant database, that AFTER you connect it warns you "maybe this site isn't legit", limiting input during that time.

Patrick says

You just need something that only real the owner of the domain can do, l like creating a file on the server.

That's how certbot works, BUT you could do a man-in-the-middle attack. This is when somebody just receives and forwards traffic. They aren't the endpoint, but they appear to be and they just eavesdrop on the communication HOWEVER you can prevent a M.I.T.M.A with certificates and with Diffie-Hellman. The client needs to know that they are CERTAINLY talking to the server at this point.

If you have any interest in trying to setup ECC for TLS on Nginx, I can help you do that on a Linux machine at your home. You'd have to modify settings on your router (this is super easy) and get what is called a "dynamic name" - you need to use DNS with certificates. This is maybe a hassle, but it's not difficult. You'd have to open port 80 and 443 and forward that to a target machine where you're setting up ECC. Again, the advantage of ECC is that it's very fast in comparison to RSA.

YouTube and probably Google use ECC because it drastically reduces computational time during Diffie-Hellman.

NuttBoxer says

Mentioned this before, Corbett did a solutions watch last year where he spoke with a few people pioneering new messaging and internet. I'm sure they worked through some of these same questions.

@NuttBoxer I've heard them. There seems to be tons of people working on this on and off.

Here is an example of how point and scalar multiplication is used in ECDSA which is a method of making a digital signature:

1) Choose an elliptic curve and a generator point G.

2) Choose a private key k.

3) Calculate the public key Q = kG using point multiplication.

4) To sign a message m, choose a random number r and calculate the point R = rG using point multiplication.

5) Calculate the value s = (H(m) + k * x) / r mod n, where H(m) is the hash of the message, x is the private key, and n is the order of the curve.

6) The signature is the pair (R, s).

7) To verify the signature, calculate the point W = sG - H(m)Q using point addition and point multiplication.

8) The signature is valid if R == W.

richwicks says

Do you want to eliminate the need for a Central Authority (CA)?

@richwicks Yes, exactly.

Patrick says

richwicks says

Do you want to eliminate the need for a Central Authority (CA)?

richwicks Yes, exactly.

@Patrick

The best that I can do is use either a distributed hash table which is what bitcoin uses which is just a distributed database, OR use a 16 byte number which is entirely randomly generated to identify an entity.

I've been going through a lot of math of probabilities for the last couple of months and studying encryption. With TRUE randomness, there is no need for central authorities. The chances that two people in this world would pick the same random number, when they are told to pick a random number in a field of 0-0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF is one out of trillions of trillions and that number isn't that large.

There would at least be no need to register your ID, but PROVING who you are, that's another problem. I think proof of identity may always require a Central Authority of some sort. The number above can easily be represented as a QR code:



That's just an example to demonstrate how easily that can be represented.

richwicks says

PROVING who you are, that's another problem

Is there a way to rely on DNS for that?

I can see that DNS normally has no encryption, so your request could be intercepted and you could be given a bogus IP. Fix that, and things are good, because people trying to hit, say, patrick.net would know they really hit it.

Patrick says

richwicks says

PROVING who you are, that's another problem

Is there a way to rely on DNS for that?

I can see that DNS normally has no encryption, so your request could be intercepted and you could be given a bogus IP. Fix that, and things are good, because people trying to hit, say, patrick.net would know they really hit it.

I think DNS should be eliminated. It's a central point of failure. With DNS a single authority can deny access to communication, and I have seen this done where websites have been blocked by removing them from the DNS database.

Encryption doesn't matter with DNS, what you are talking about is a signature, to verify it's authentic.

But how do you know which signature is, say, really the one from patrick.net?

Patrick says

But how do you know which signature is, say, really the one from patrick.net?

You need a central authority, or at least a consensus.

If we had a different system than this fucked up system, I would have the ID of the system posted on the site, but that could easily be substituted by a man in the middle attack.

You basically have the same problem with a phone number. If your number is 555-123-4567 but your friend believes it is 556-123-4567 an eavesdropper can substitute speech when the true number is given out over the phone line - this is possible with AI today, but it's trivial with a computer to do a string substitution. I've been trying to figure out how to do this for a long time, I think it's impossible without an authority of some sort, but DHT can do that, which is "truth by consensus", and of course that is flawed as well.

The only way to prevent this is to advertise your site with around 16 characters which isn't that much and that is "your contact" information. This puts everybody on the same playing field, instead of having a well recognized name, you end up in the sea of completely random numbers. There's no advantage to anybody.

You can eliminate the need to register, but authentication - I believe you need a central authority for that but you can have multiple central authorities.

You can simply be removed from DNS databases as of today, what I'm suggesting is contact information isn't www.patrick.net but rather something like e5725089ef32b85aa3e35d4d67c70e7f. Your computer or personal database should save the information. There could be several patrick.net's each a unique site, but the identifier is that number. Websites can be forged, but I think with a certificate you can verify that say in a purchase agreement you can guarantee you are talking to a particular seller.

Storage is so cheap today. I can't go over it and I can't get others to appreciate it, that a single SD Card can contain all my knowledge. The storage we had in the 1980's is so trivial compared to what we have today. Want every single NES video game ever made? You can download it in less than an hour, and store it on a device smaller than your fingernail and that's an enormous amount of data. I could post every single video game ever made for the Atari 2600 video game system here, and this site wouldn't choke on it. It's insane where we are at.

richwicks says

but PROVING who you are, that's another problem.

Fuck proving who you are. You wanna surf the web, do it at your own risk. No authority, no verification other than what users agree on amongst themselves. Back to newsgroups!

richwicks says

I have seen this done where websites have been blocked by removing them from the DNS database.

Could that DNS block be defeated by having the web site put out its actual IP address?

NuttBoxer says

Fuck proving who you are. You wanna surf the web, do it at your own risk. No authority, no verification other than what users agree on amongst themselves. Back to newsgroups!

I want to resurrect newsgroups. I think the angle to do this is to make it hard for stupid people to get on it. People complain that sites like BitChute and Rumble aren't taking off ans aren't "real competitors" to YouTube, the reality is, all the dumb people are on YouTube and you really don't want them migrating to BitChute and Rumble anyhow.

HeadSet says

richwicks says

I have seen this done where websites have been blocked by removing them from the DNS database.

Could that DNS block be defeated by having the web site put out its actual IP address?

It's easy to get around, every computer has a list of files that you can use to map IP addresses to a name.

The_Deplorable says

There should be a push to move to simpler browsers. What we have today are as complex as operating systems, and 10000 times more insecure.

Patrick says

richwicks I suspect there is a way to make a replacement for SSL/TSL which is so simple that it's hard to leave any holes.

Maybe we could all browse via a local http proxy which takes in http requests and generates sftp requests. That would take care of encryption and there would be no certificates needed.

For identifying the remote server to prove it's not a fake, how do you trust that your DNS gave you the right IP back?

You just need something that only real the owner of the domain can do, l like creating a file on the server.

@Patrick - I wanted to mention there are several weaknesses in OpenSSL which I'm convinced are purposeful weaknesses. One that was (relatively) recently identified is during the TSL handshake process, an attacker can overflow a BUFFER to execute code which is a junior mistake but it's been there for decades.

This buffer is meant to contain all the possible methods available between the connection, and can overflow. I work mostly in C++ now, and it's impossible to overflow a buffer because storage is done differently and any attempt to overflow causes a crash. Even if people prefer to work in C, they should use the vector and string methods for arrays and strings. This eliminates 99% of security issues.

C++ can be (actually can? IS) far more complicated than it needs to be, but like C, you can organize your code well and make it well ordered and easy to understand. The major fault of C++ is that classes are just enormous, for methods (class functions) that are hardly ever used. The result is getting an enormous executable for many calls you will never make. The scattering of code throughout memory also slows down execution although I don't know if that's such a big deal with the size of cache we have today.

It's very different than when I was a kid. Execution speed isn't as much dependent on memory fetches, and if you optimize the hell out of code, you just end up with wait states and no increase in execution speed.

richwicks says

There should be a push to move to simpler browsers. What we have today are as complex as operating systems, and 10000 times more insecure.

how about Brave and Firefox ? or Chromium ?

.

ad says

richwicks says

There should be a push to move to simpler browsers. What we have today are as complex as operating systems, and 10000 times more insecure.

how about Brave and Firefox ? or Chromium ?

.

No I mean much simpler. Something like NetSurf:

https://www.youtube.com/watch?v=MoM2bzzsAcY

The Internet is extremely bloated and unnecessarily complicated. There should be a subset of html supported. Basically, I find that the actual utility and usefulness of a site is inversely proportional to its complexity. The more polished and whiz bang a site, the less I have a tendency to use it, because form follows function. Whenever I can get a video on BitChute instead of any other site, I go to BitChute.

The Internet was built in this gross hurry. Force XML to be standard (you can use standard XML on the Internet now), make WYSIWYG editors for pages, if you like support WebAssembly (this allows you to literally run ANY program in a web browser, you just have to compile it for it) get rid of JavaScript (unless it's WebAssembly) get rid of Java (unless it's WebAssembly) - it can be TREMENDOUSLY simplified and retain all the current functionality.

We have this now, people just don't use it. Instead of making browsers support all this legacy crap, get rid of the legacy crap.

There is literally no reason for all this junk. You know how many cookies you REALLY need for any website? 1. To identify you, the rest can be stored on the server. There's no reason to have more than one other than coder's laziness (and I can't blame them), and to track you around to other sites.

richwicks says

No I mean much simpler. Something like NetSurf:

I run Linux (Ubuntu) on my HP desktop (2017 model). Chromium and Firefox crash sometimes. I'll try NetSurf.

ad says

richwicks says

No I mean much simpler. Something like NetSurf:

I run Linux (Ubuntu) on my HP desktop (2017 model). Chromium and Firefox crash sometimes. I'll try NetSurf.

You might have to compile it.

I'm not saying NetSurf is a usable program, I doubt it is, but I'm saying browsers should be as simple as that. I wouldn't install NetSurf on my machine, but I've played with a few very simple browsers before. Some don't even support the ability to play video inline.

richwicks says

You might have to compile it.

I'm not saying NetSurf is a usable program, I doubt it is, but I'm saying browsers should be as simple as that. I wouldn't install NetSurf on my machine, but I've played with a few very simple browsers before. Some don't even support the ability to play video inline.

I am using NetSurf now. Seems rather crude or overly simple, but it is fast and does not crash.

.

richwicks says

what I'm suggesting is contact information isn't www.patrick.net but rather something like e5725089ef32b85aa3e35d4d67c70e7f

I had a similar idea, but something which can be remembered by a human, like 4 or five words. The average person knows about 25,000 words, so four of those gives 390625000000000000 distinct combinations. That should make a sufficiently large space of four-word names that people can remember.

Patrick says

richwicks says

what I'm suggesting is contact information isn't www.patrick.net but rather something like e5725089ef32b85aa3e35d4d67c70e7f

I had a similar idea, but something which can be remembered by a human, like 4 or five words. The average person knows about 25,000 words, so four of those gives 390625000000000000 distinct combinations. That should make a sufficiently large space of four-word names that people can remember.

If you want to talk privately, I can arrange that through my computer. I'd give you a temporary username and password, and you'd then setup your own username and password, and delete the one I gave you. I want to explain something to you at a point. We really don't need DNS at all.

Should be 10 words as well, and picked by a machine, not a person. People have a tendency to quote other people, most people are parrots. I have a password "TheBearAteATreeAndBarked". You know how often that's been written in history? Never. This is the first time you've seen it. It makes no logical sense, but it's easy to remember. Still the entropy could be higher however the phrase would require at minimum a dictionary attack.

Passwords are done wrong. People are lazy and want a short one, what they should do is aim for ludicrous phrases "Eat a bug or a hair, I like to dance with flair". That's pretty easy to remember and nobody has ever said it before, and nobody will ever say it again.

ad says

I am using NetSurf now. Seems rather crude or overly simple, but it is fast and does not crash.

I'm sure it lacks polish, but that's not the point. I frequently make throw away interfaces just so I can worry about more important things than if it's pretty or not. I've got the design taste of post modern art appreciator which is to say, none.

Remember when lots of people had tiny little pages with "About Me" posted and so on, and their interests, etc? I really want to bring that back. FaceBook, YouTube, and Twitter will ALL disconnect you from a person without even notifying you. They don't allow free association.

A simple web browser that follows a few rules will prevent you from accessing much of the Internet - well, GOOD! The VAST MAJORITY of the Internet is just centralized corporate garbage. If people want to promote their website to the "real web" fine, but I think there should be a simple, easy to access, little web that doesn't require any setup other than to install a program on your computer and leave your machine running and maybe not even leave it running, the webpage can be cached on somebody's machine that recently visited your site.