Ben probably wouldn't be offended by that. He described Ben Folds Five as "punk rock for sissies". Further he said that he was always compared to Billy Joel, but hadn't heard him until he was much older, he always cited Elton John as an influence.
Feh, more music about middle class white boy pain. I like his older stuff, but producers with computers fix all his shitty tracks these days.
Seriously though, it's often fraught with peril to try to compare two artists directly, especially across time, styles, and genres. For me, I just try to weigh how much enjoyment their respective catalogs have given me, and I've enjoyed the hell out of both Ben Folds and Beach Boys records. It's all good.
Ben is eminently and deeply talented, but it's just a different aesthetic that is mostly very literal and conventional. Brian Wilson's songwriting and production technique was a one-of-a-kind imprint.
To me Wilson and Clapton are in the same league mainly due to rather unpalatable personalities, Wilson insisting on breaking the boycott of an apartheid state and Clapton throwing racist tantrums and profiting off a tragedy in his family.
People bringing their pet dogs into grocery stores is an especially egregious societal ill. It's a major problem in places like Seattle where dogs outnumber children.
I once watched a woman hold her little dog over the glass at the pizza bar in Whole Foods. Was waiting for the dog to drop a free sausage link onto the pizza below.
Placing dogs into shopping carts is another one. Dogs rub their dirty buttholes on the same surfaces where you later place your fruits and vegetables.
I too dislike extreme dog people - the kind of people who treat them as a human equal. I grew up with dogs and cats, nowadays just two cats, after they go, no more pets for me. I deeply love my animals and they make great companions.
But make no mistake, they're still animals and are not predictable. I would never bring a dog with me outside to do anything other than go for a walk, always on a leash. They really don't belong in public spaces. I've seen and heard too many stories of dogs suddenly not being the perfect precious animal their owner claims and it bites or attacks another animal or person. Then when they do the owners insist the victim must have done something wrong and take zero responsibility.
> the kind of people who treat them as a human equal.
No, they treat them as better than people.
Because in their value system, animals are moral objects but not moral subjects. By that, I mean that actions done to animals can have moral weight. If you take a sick kitten and nurse it back to health, you are a good person. If you kick a puppy, you are a bad person.
But the animal itself (according to this culture) carries no moral responsibility. If a dog bites someone, it's not an evil dog. It's not the dog's fault. It was just raised poorly, or traumatized as a puppy, or the owner should have kept it leashed better, etc.
Thus animals are always morally pure, but people can be bad people. I kind of get where the value system is coming from: animals really are on the bottom of the totem pole when it comes to power and agency, so it does make sense to think of them as mostly receivers of moral actions. But some people take that really far.
Yes, it extends to the realm of absurdity. When people post videos of animals doing good things, invariably comments are posted affirming how much better animals are than humans and "we don't deserve #{animal}s". At the same turn completely forgetting that in the wild, animals eat other animals (and humans) alive, engage in tribal wars, play around and torture their prey before eating them, commit infanticide, rape, etc.
When they aren't abused, nearly all dogs are extremely loyal and affectionate. When they see you after even the shortest of absences, they act like a kid on Christmas morning just because you're there. They understand basic feelings and will try to comfort you when you're not feeling great. Most are patient to a fault with children. Many if not most will act as guardians, protecting you from threats without hesitation, even in cases where it is obvious it is likely to cost their lives.
We absolutely don't deserve them.
With no cognitive dissonance, I can also recognize that some dogs can be dangerous, and in extreme cases, need to be put down. However, I would point out that the vast majority of misbehaved dogs can and should be trained out of their bad behavior, so it's nearly always their owners' responsibilities.
> I would never bring a dog with me outside to do anything other than go for a walk, always on a leash. They really don't belong in public spaces.
This seems a bit extreme. I think dog owners have a responsibility to make sure their animal is trained and able to be controlled near people, but outdoor public spaces (parks/plazas, cafes with outdoor seating whose management is dog friendly), seem fine.
However, the responsibility for your dog's behavior extends even outside of public space. I was bitten by a dog in the lobby of a friend's building. The dog was leashed and presumably just returning from a walk. Later, I heard that some inspections in that building had to be rescheduled because a dog bit one of the inspectors while inside one of the condos (not sure if it was the same dog). Being in a non-public space in no way reduces the owner's responsibility.
> and maintaining a dedicated three stage filter spout next to my kitchen faucet costs me approximately nothing
Calling bullshit on this one. I have one, it's positively wonderful, but the filters are expensive and per the manufacturer's recommendation you're supposed to change them all simultaneously. So when one times out, they all time out. This runs approximately $150 a year minimum depending on usage.
People spend an order of magnitude (and much more) on coffee every day, never mind smokers or drinkers who spend crazy amounts just to hurt themselves.
Not that I don't love and respect Wirecutter (I don't), but I'm on team "I like how my water tastes when it's filtered."
Some units give you different fixed timespans for each. For that reason, I just use the Reverse Osmosis stage and ignore the rest. RO is the last step, and in theory it renders pure water meaning the only reason to have the previous ones is to pre-filter somewhat the water and extend the RO cartridge lifespan. Problem with that is, first, there's no way to gauge when each filter is spent. Second, they're priced the same anyway, so why even bother. Just go straight from tap to RO! Keep the post re-mineralization stage if you want.
Pre-filters typically have a specified "capacity" in gallons, which is measurable. Also, if water is very dirty, filters get clogged and pressure drops. It's also measurable.
"Post re-mineralization stage" is actually "pH adjustment".
I know pressure drops. The problem is knowing which filter is the one causing it in particular. Also, filters that are spent at different rates are a PITA. What I mean is if you are going to feed it nominally clean tap water, there's no reason to protect a cartridge with equally or more expensive cartridges. Just use the RO filter and be done with it.
You can put pressure gauges in between or one of the $10 flow meters before the system.
RO membrane doesn't remove chlorine IIRC or VOCs. On the other side chlorine degrades membrane. "Nominally clean tap water" can have enough dirt to clog membrane if you don't auto backflush it frequently.
It isn't merely pH adjustment... You want some amount of minerals in water for your health, plants, and taste. Changing the pH isn't the concern in most cases, it's just part of the result.
All those filters are specifically made for pH adjustment (you are welcome to look at specs). There are a bunch of different formulations depending on how much pH adjustment is needed.
RO makes water more acidic. If water was somewhat acidic to start with, it can get more acidic or become corrosive.
Are you sure that it makes it more acidic? AFAIK it only outputs pure H2O, should be neutral. If you feed it alkaline water you'll get "more acidic" water, but the other way if you feed it acidic water.
True. But have you tasted distilled water? Tastes metallic. Probably just my imagination but I feel like it pulls stuff from the mucous in your mouth and tastes like blood.
What system are you using? My five stage filter system has me replace the charcoal filters once a year and the RO every... three? Maybe five?
But let's assume it costs you $150 a year. That's less than $0.50 a day for drinking and cooking water. I doubt you could buy any significant amount of bottled water for fifty cents.
> But hey, at least it's not bottled water, which is basically tap water that has been put in a single-use plastic bottle and trucked across the country.
Everyone acts like bottled water is evil until there is a water crisis, then it's the lifeline.
I don't understand your point. That $8/gal water next to the Starbucks checkout is not addressing a crisis when the baristas are rinsing out people's cups with equivalent water for free. The bottled water isn't next to the prepper-sized cans of dehydrated food in your supermarket.
Asking you if you trust a device before opening a data connection to it is simply not the same thing as asking the person who just created a shortcut if they should be allowed to do that.
I once encountered malware on my roommate’s Windows 98 system. It was a worm designed to rewrite every image file as a VBS script that would replicate and re-infect every possible file whenever it was clicked or executed. It hid the VBS extensions and masqueraded as the original images.
Creation of a shortcut on Windows is not necessarily innocuous. It was a common first vector to drop malware as users were accustomed to installing software that did the same thing. A Windows shortcut can hide an arbitrary pathname, arbitrary command-line arguments, a custom icon, and more; these can be modified at any time.
So whether it was a mistake for UAC to be overzealous or obstructionist, or Microsoft was already being mocked for poor security, perhaps they weren’t wrong to raise awareness about such maneuvers.
But anywho, cve.org lists 78 shortcut vulnerabilities across many platforms.
I know you'd like to believe the world we live in shouldn't require permissions for a user to create a shortcut and then access it, but that... Is actually the world we live in, and have been in for a very long time.
Security is hard and it's not getting any easier as system complexity increases.
If you don't believe me, ask your favorite LLM. I asked Gemini and got back what I expected to.
If the user manually creating a shortcut is so dangerous, why did Microsoft remove that permissions prompt when they fixed their terrible initial UAC implementation?
> Can anyone explain to me if there is any way to determine whether an inbound IPv6 address is "local"?
No, because it's the antithesis of IPv6 which is supposed to be globally routable. The concept isn't supposed to exist.
Not to mention Google can't even agree on the meaning of "local" - the article states they completely changed the meaning of "local" to be a redefinition of "private" halfway through brainstorming this garbage.
Creating a nonstandard, arbitrary security boundary based on CIDR subnets as an HTTP extension is completely bonkers.
As for your application, you're going about it all wrong. Just assume your application is public-facing and design your security with that in mind. Too many applications make this mistake and design saloon-door security into their "local only" application which results in overreaction such as the insanity that is the topic of discussion here.
".local" is reserved for mDNS and is in the RFC, though this is frequently and widely ignored.
It's very useful to have this additional information in something like a network address. I agree, you shouldn't rely on it, but IPv6 hasn't clicked with me yet, and the whole "globally routable" concept is one of the reasons. I hear that, and think, no, I don't agree.
Globally routable doesn't mean you don't have firewalls in between filtering and blocking traffic. You can be globally routable but drop all incoming traffic at what you define as a perimeter. E.g. the WAN interface of a typical home network.
The concept is frequently misunderstood in that IPv4 consumer SOHO "routers" often combine a NAT and routing function with a firewall, but the functions are separate.
It is widely understood that my SOHO router provides NAT for IPv4, and routing+firewall (but no NAT) for IPv6. And provides absolutely no configurability for the IPv6 firewall (which would be extremely difficult anyway) because all of the IPv6 addresses allocated to devices on my home network are impermanent and short-lived.
You can make those IPv6 IP addresses permanent and long-lived. They don't need to be short-lived addresses.
Also, I've seen lots of home firewalls which will identify a device based on MAC address for match criteria and let you set firewall rules based on those, so even if their IPv6 address does change often it still matches the traffic.
There’s something about ip6 addresses being big as a guid that makes them hard to remember. Seem like random gibberish, like a hash. But I can look at an ip4 address like a phone number, and by looking tell approximately its rules.
Maybe there’s a standard primer on how to grok ip6 addresses, and set up your network but I missed it.
Also devices typically take 2 or 4 ip6 addresses for some reason so keeping on top of them is even harder.
When just looking at hosts in your network with their routable IPv6 address, ignore the prefix. This is the first few segments, probably the first four in most cases for a home network (a /64 network). When thinking about firewall rules or having things talk to each other, ignore things like "temporary" IP addresses.
Ignore all those temporary ones. Ignore the longer one. You can ignore 2600:1700:63c9:a421, as that's going to be the same for all the hosts on your network, so you'll see it pretty much everywhere. So, all you really need to remember if you're really trying to configure things by IP address is this is whatever-is-my-prefix::2000.
But honestly, just start using DNS. Ignore IP addresses for most things. We already pretty much ignore MAC addresses and rely on other technologies to automatically map IP to MAC for us. It's pretty simple to get a halfway competent DNS setup going on, so many home routers will have things going by default, and it's just way easier to do things in general. I don't want to have to remember my printer is at 192.168.20.132 or 2600:1700:63c9:a421::a210. I just want to go to http://brother or ipp://brother.home.arpa and have it work.
But as you can see this is still an explosion of complexity for the home user. More than 4x (32 --> 128), feels like x⁴ (though might not be accurate).
I like your idea of "whatever..." There should be a "lan" variable and status could be shown factored, like "$lan::2000" to the end user perhaps.
I do use DNS all the time, like "printer.lan", "gateway.lan", etc. But don't think I'm using in the router firewall config. I use openwrt on my router but my knowledge of ipv6 is somewhat shallow.
The device is an IoT guitar pedal that runs on a Raspberry Pi. In performance, on stage, a Web UI runs on a phone or tablet over a hotspot connection on the Pi, which is NOT internet connected (since there's no expectation that there's a Wi-Fi router or internet access at a public venue). OR the Pi runs on a home Wi-Fi network, using a browser-hosted UI on a laptop or desktop. OR, I suppose over an away-from-home Wi-Fi connection at a studio or rehearsal space, I suppose.
It is not reasonable to expect my users to purchase domain names and certs for their $60 guitar pedal, which are not going to work anyway, if they are playing away from their home network. Nor is ACME provisioning an option because the device may be in use but unconnected to the internet for months at a time if users are using the Pi Hotspot at home.
I can't use password authentication to get access to the Pi Web server, because I can't use HTTPS to conceal the password, and browsers disable access to javascript crypto APIs on non-HTTPS pages (not that I'd really trust myself to write javascript code to obtain auth tokens from the Pi server anyway), so doing auth over an HTTP connection doesn't really strike me as a serious option either.
Nor is it reasonable to expect my non-technical users to spend hours configuring their networks. It's an IoT device that should be just drop and play (maybe with a one-time device setup that takes place on the Pi).
There is absolutely NO way I am going to expose the server to the open internet without HTTPS and password authentication. The server provides a complex API to the client over which effects are configured and controlled. Way too much surface area to allow anyone on the internet to poke around in. So it uses IP/4 isolation, which is the best I can figure out given the circumstances. It's not like I haven't given the problem serious consideration. I just don't see a solution.
The use case is not hugely different from an IoT toothbrush. But standards organizations have chosen to leave both my (hypothetical) toothbrush and my application utterly defenseless when it comes to security. Is it any surprise that IoT toothbrushes have security problems?
How would YOU see https working on a device like that?
> ".local" is reserved for mDNS and is in the RFC, though this is frequently and widely ignored.
Yes. That was my point. It is currently widely ignored.
Well, who can agree on this? Local network, private network, intranet, Tailscale and VPN, Tor? IPv6 ULA, NAT/CGNAT, SOCKS, transparent proxy? What resources are "local" to me and what resources are "remote"?
This is quite a thorny and sometimes philosophical question. Web developers are working at the OSI Layer 6-7 / TCP/IP Application Layer.
Now even cookies and things like CSRF were trying to differentiate "servers" and "origins" and "resources" along the lines of the DNS hierarchy. But this has been fraught with complication, because DNS was not intended to delineate such things, and can't do so cleanly 100% of the time.
Now these proposals are trying to reach even lower in the OSI model - Layer 3, Layer 2. If you're asking "what is on my LAN" or "what is a private network", that is not something that HTTPS or web services are supposed to know. Are you going to ask them to delve into your routing table or test the network interfaces? HTTPS was never supposed to know about your netmask or your next-hop router.
So this is only one reason that there is no elegant solution for the problem. And it has been foundational to the way the web was designed: "given a uniform locator, find this resource wherever it may be, whenever I request it." That was a simpler proposition when the Web was used to publish interesting and encyclopedic information, rather than deliver applications and access sensitive systems.
> Literal amateurs can launch a WooCommerce site from nothing in a weekend
Selling low-volume horseshit out of your garage is in no way comparable to running a major eCommerce site.
> two Stanford grads in YC can do a hundred-fold better than that.
No they literally can't.
> Yes, a big site is more complicated, maybe there will be some frazzled manual data entry in Excel sheets while your team gets the "real" site back up
Great idea, we'll have Chloe in Accounts manage all the orders in a million-row Excel sheet. Only problem might be they come in at 50 orders a minute, but don't worry I hear she's a fast typist.