I'll add that I can't find a report of this issue upstream on the Chromium issue tracker. :/
If we remember the hotword detection issue from a few months ago, once the issue was filed, Chrome engineers responded rather quickly. (As of today, hotword detection is 100% removed not just from Chromium but Chrome as well).
If anyone can reproduce this issue, I'd like to help getting it filed so we can determine what's going on.
Edit: We've found the upstream issue: http://crbug.com/498272 In it, we've isolated two separate pings in this scenario. One is to grab an experiment status; we're looking into if this is neccessary.
The other ping is for the component updater, to evaluate if your Chrome extensions should be updated. Neither of these pings report what sites you are visiting to Google.
I don't think that chromium should call home at all but incognito mode is not about this... it is about not leaving traces of your browsing history on the local computer.
There's an implicit corollary that, if your trying to avoid leaving behind traces of activity on your own computer, you probably would also like to minimize traces of activity left behind on other computers as well.
This might carry the expectation that unintentional interactions with other systems should be eliminated, since, the fewer systems touched, means the fewer traces of said activity there are in the entire world, no?
That is a common misconception, but bears no resemblance to reality. As the other commenter noted, incognito mode (for any browser) only concerns with the local machine.
What you mentioned, "minimize traces of activity left behind on other computers as well", is a difficult task. Attempting to do so requires more advanced techniques that entail tough compromises. Consider using Tor, you are anonymous to the endpoint (e.g. the website you visit does not have your IP), but confidential data is not safe from prying eyes in the process. Alternatively you can use some sort of crypt to sign and encrypt your connection... your data is safe from prying eyes (potentially verified as well) but you are no longer anonymous. This can all be mitigated to some extent, but it is well outside the scope of a browser.
> Count the motivations to resist alterations that would doubtless improve Chromium's respect for privacy.
That's a very indirect way of explaining motivations. I am certain that there are conflicting requirements that have tradeoff and not as black-and-white as you make it seem.
Firefox is a great contrast to Chromium since they are likely to have greater respect for privacy. Is there a privacy aspect that Chromium lags significantly behind Firefox? If not, then your hypothesis (on motivation) is wrong (proof by contradiction: Mozilla doesn't have the same motivations)
If they were true, they would disable cookies, as they allow servers to track you.
But they do not. They just make sure the cookies are not stored on the computer.
Thus the point is to avoid leaving traces on the computer, not the server.
Chromium is an open source branch of chrome, offered as a convenience. It is not a standalone product with its own goals. Shouldn't there be a "Chromium-Privacy" project that branches Chromium and reviews code changes, to keep it aligned with such goals?
> Shouldn't there be a "Chromium-Privacy" project that branches Chromium and reviews code changes, to keep it aligned with such goals?
Maybe Iridium is what you're looking for. From their fp:
> Iridium is a free, open, and libre browser modification of the Chromium code base, with privacy being enhanced in several key areas. Automatic transmission of partial queries, keywords, metrics to central services inhibited and only occurs with consent. In addition, all our builds are reproducible, and modifications are auditable, setting the project ahead of other secure browser providers.
Unfortunately these forks -- of which there are many -- often fall behind Chromium's security updates and even introduce serious bugs of their own. E.g. "WhiteHat Aviator", another "security-oriented" fork, had this fiasco:
More went wrong with Aviator than that: they munged up the code rebranding it and made it much harder to track upstream. It also didn't start out open source!
Have you ever tried hacking on any of Google's "open source" projects? Android is ~100GB just to download for example, but I think chromium is smaller.
Privacy is not in Google's interests, so they aren't likely to help with any such effort, and I suspect the number of non-Google contributors is pretty low.
> Chromium is the name we have given to the open source project and the browser source code that we released and maintain at www.chromium.org. One can compile this source code to get a fully working browser. Google takes this source code, and adds on the Google name and logo, an auto-updater system called GoogleUpdate, and RLZ (described later in this post), and calls this Google Chrome. As such, everything which applies to Chromium below also applies to Google Chrome
I use incognito mode to get Chrome (or Firefox) to pretend to have an empty cookie jar. So that I can log into some site again with a different account, for example.
Just an FYI there is a pretty neat chrome extension called Click and Clean, it allows you to whitelist cookies and deletes the rest with the click of a button. Good for web development, etc.
The link doesn't contain any useful information besides that Chromium was somehow opened "in incognito mode" (there's no such thing, incognito mode applies to windows, not browser itself) and there are some connections spotted. No information whenever Chromium had sync enabled, whenever it has Google account associated, whenever it has any extensions installed, etc.
Say, I see a C2DM connection to get push notifications about updates. Whenever it's legit or not depends on the context. If browser's core has logged in user and a bunch of extensions installed, I'd say it's a bug if said connection is not present, even if no non-incognito windows are open at the moment.
Maybe it's updating its list of sites that are known to be infected with malicious code? Firefox does this, and it seems like a good idea to me. (I wish it didn't.) How is Chromium's malicious site filtering implemented?
It's good to be transparent about this, but maybe this is something legitimate and safe that's already documented, and the Debian user and maintainer just haven't found the documentation yet.
Using a web browser from a company basing most of its income on web advertising does come with such unpleasantness.
I was hoping mozilla would have their users' back, but a default install of Firefox also makes multiple connections to mozilla, google and other domains when started. Some extensions (notably NoScript and Ghostery) ping the mothership.
Safari connects to configuration.apple.com and the google website blacklist. uBlock for Safari tries to update itself even if no one asked it to.
Later edit:
I have been told that I am perhaps being unfair to Mozilla. Let's see - I started reading https://support.mozilla.org/en-US/kb/how-stop-firefox-making..., to see how I can stop Firefox from connecting to servers without being requested to. While it's nice that they provide this page, this article's breadth only serves to prove that this browser is out of control when it comes to making connections to servers by itself.
I have the following settings:
* disabled Firefox health report
* disabled crash reporting
* never check for updates
* do not check for addon updates
* block reported attack sites
* block reported forgeries
After reading the page, it turns out that I also have to disable the following from about:config:
* the addons blocklist
* link prefetching
* DNS prefetching
* speculative pre-connections
* firefox Hello
* tiles, even if they were already disabled from the UI
* the default search engine geo-location
* the what's new page
* add-on metadata updating
* the heartbeat
For reference, here are the connections that Firefox tries to establish immediately after startup:
Outgoing to self-repair.mozilla.org (54.230.200.16), Port https (443), Protocol TCP (6), 0 B sent, 0 B received
Outgoing to shavar.prod.mozaws.net (52.26.89.67), Port https (443), Protocol TCP (6), 0 B sent, 0 B received
Outgoing to safebrowsing.google.com (2a00:1450:4001:809::1005), Port https (443), Protocol TCP (6), 0 B sent, 0 B received
Outgoing to tiles.r53-2.services.mozilla.com (52.25.98.110), Port https (443), Protocol TCP (6), 0 B sent, 0 B received
Outgoing to cmp-cdn.ghostery.com (54.152.180.212), Port https (443), Protocol TCP (6), 0 B sent, 0 B received
Outgoing to search.services.mozilla.com (54.69.18.27), Port https (443), Protocol TCP (6), 0 B sent, 0 B received
I was hoping mozilla would have their users' back, but a default install of Firefox also makes multiple connections to mozilla, google and other domains when started.
Firefox checks for updates, and will update the malware/phishing databases a bit after startup. That's actually the same SafeBrowsing the OP mentions. All of this can be toggled. I'm not sure what your vague "other domains" is.
I'm a bit puzzled at the extreme shortsightedness of a browser checking for security updates being branded as "not having their users' back".
Isn't also shortsighted to expect every application to implement its own system for checking for security updates? Wouldn't it be more secure to have this managed by the OS or a package manager instead of hoping every application does it correctly?
That depends on whether the OS or package manager does a better job of providing security updates, or the application does.
Historically, browsers -- because of their enormous potential risk (easy to exploit) -- have done a better job of providing security updates quickly than have other tools.
That's only true if the OS has a solid, secure and open package manager. Linux users have had that since the mid-90s but it still doesn't exist for Windows or OS X users unless you count their respective app stores or are talking about a few niches (Flash, drivers) where Microsoft is willing to distribute things through Windows Update.
This is about Chromium, not Chrome. A lot of people assume that Chromium is safer because things like this should get caught by the community.
I think the lesson to be learned here is that FOSS can be just as dangerous as commercial software if not enough people are inspecting the code and following development. It seems there are a lot of people who unconditionally trust anything that's open-source.
I have been told that I am perhaps being unfair to Mozilla...For reference, here are the connections that Firefox tries to establish immediately after startup
So: It connects to Mozilla itself and to Google (specifically their server for the malware/phishing DB). The fact that Ghostery is in there is because you have third party addons installed.
FWIW shavar.prod.mozaws.net is a Mozilla server which updates the blocklist for Tracking Protection. Somewhat ironic you're complaining about it given the context.
"That said, the fact that Linux distros might switch off Telemetry and [Firefox Health Report] by default causes issues right in that way: they are undercounted and [Mozilla] may disregard them completely in data-driven decisions. If you are a Linux distro package manager, think about that."
These requests are trivial to detect and block with a proper gateway firewall like pfsense or others. Consumer grade firewalls just don't have enough options, or resources to support those options.
They do have the user's back. That means not wearing a tin foil hat. In order for a modern browser to work in a halfway decent manner, they need to ensure that things are reasonably up to date, that developers see crash reports so they can discover bugs and security flaws before someone malicious does, and that lists of malicious sites get updated. Not checking for updates, not providing bug reports is the opposite of good software hygiene.
> Some extensions (notably NoScript and Ghostery) ping the mothership.
could you explain what this means? Been using uBlockOrigin+NoScript+Ghostery combo for quite a some time now and never realized how NoScript might be unsafe
NoScript is unfortunately quite sketchy, I don't use it any more.
It has a whitelist supposedly to not break "top websites", but this list contained IMO some questionable choices last I checked it. It also tries to connect to the dev's website for no reason at all (addons are updated directly from Firefox) and after updates, "to show the release notes".
Last but not least, this is the same dev which got involved in a scandal for trying to underhandedly whitelist the said website into an ad-blocking addon.
What list is that? I'm looking at it and I'm pretty sure I personally whitelisted all of those domains. The only ones that seem to have come from NoScript are the about:... ones
I reinstalled it to check again and it seems you are correct, there's nothing except about:* links. I remember it had some big portal websites I hadn't visited and would not enable JS for, however I am willing to accept I was wrong. Unfortunately, I can't edit my initial comment any more.
Thanks for checking and sorry for my confusing initial post...
I guess it's a cost benefit. Does noscript block more than it leaks? Given the noscript is integrated into the tor browser bundle it can't be that bad... Right? We hope...
Perfect is the enemy of better.
As long as you stay away from browsers with strong for-profit origins, especially Google who thrives on data mining, you'll be better off.
Browsers don't make money at all, not directly, as you know.
Microsoft pulls in 11 figures a year in online advertising revenue. As of earlier this year, Apple was still earning more mobile ad revenue than any other firm. And Mozilla is funded almost entirely by companies that earn billions in online ad revenue like Yahoo and Google.
>Browsers don't make money at all, not directly, as you know.
Which is neither here, not there. As I wrote those three browsers don't make money off of ad revenue and/or private data. Chrome does.
Whether the money are made directly or indirectly is beside the point for the purposes of the discussion.
>Microsoft pulls in 11 figures a year in online advertising revenue. As of earlier this year, Apple was still earning more mobile ad revenue than any other firm. And Mozilla is funded almost entirely by companies that earn billions in online ad revenue like Yahoo and Google.
Not that relevant either. Apple sells display ads (iAds etc) and that's it. They don't deal in personal data. Mozilla even less -- whether Yahoo/Google pays it to be the default search engine or not.
From selling its "default search engine" spot -- I'm on this web business professionally since 1995, I know that.
That's not direct ad sales and Mozilla wasn't created with the specific purposes to sell ads or collect private information, nor is owned by an ad-selling company.
Besides you can change the default search engine in a heartbeat.
Someone said that that all of those call home as well. I need a browser that just lets me browse instead of filling me with constant "1984-esque" anxiety and paranoia for every URL I go to, and apparently all the extensions I run ALSO call home and leave a uniquely identifying finger print.
Honestly I'm moving to backend work and using a terminal browser. This is so fucking stupid. Wish there was at least one program on my computer that isn't trying to constantly stab me in the back.
>Someone said that that all of those call home as well
Obviously, since all have update-check (and auto-update) features, live content (e.g. intro page), etc.
That's not the same as mining your every search, and they don't own an add company or anything.
>I need a browser that just lets me browse instead of filling me with constant "1984-esque" anxiety and paranoia for every URL I go to, and apparently all the extensions I run ALSO call home and leave a uniquely identifying finger print.
It's even worse: EVERY IP (and/or page) you visit is registered on your ISP.
About apps phoning home specifically, you can install an application firewall like Little Snitch and be warned and in control of any such attempt.
It's not something that you should trust on the browser vendors not to do, anyway...
Is it Yahoo again? I thought it was Bing now. But it's advertising. It's advertising for whomever gets their shitty search engine in the prime real estate.
The limited checking I did on my machine points to this, at least that's what the URLs in the code appeared to be for. Didn't really look at the code, just searched for the URLs.
That should only happen when logged in, and given the context here, I assume the user was not logged in (since when you're logged in, all privacy is definitely completely lost).
This is in the Debian bug list, not on the chromium bug list. The maintainer who replied is not a chromium developer, so I don't blame him that he doesn't have a lot of time to look at chromium's source code since a 'modern web browser' is really big. I have built chromium from source before. The android application alone is 44MB, not including the libraries, just saying, for one person to 'look' at chromium will take awhile to do so.
The person who replied did have a good comment with the 'chrome://net-internals/#sockets'. It will list specifically what this person is looking for.
How so? He just says: this seems like it'll be hard to track down and I don't have much time to dedicate to it. I don't see how that says anything about (1) packaging and distributing specifically or (2) modern web browsers specifically. It just says that complex pieces of software can require a lot of work to debug. What am I missing?
Packaging and distributing anything for endpoint devices is a profound exercise in pain and suffering. If your target is anything other than a Mac or a phone, multiply it even further.
It's a major driver of Internet centralization: things must be centralized to escape the deployment nightmare. It's exponentially easier to manage deployment on a handful of servers than it is to actually ship an app to users.
With our app, we test our Windows build on Windows Vista, 2008 Server, 7, 2012 Server, 8, 8.1, and 10, on both x86 and x86_64. It always passes before we ship. Then inevitably we get bug reports: the UI won't open, device drivers won't install, the app mysteriously crashes, etc. Investigation always reveals some weird little variation or clashing piece of software on the customer's machine. Every Windows machine is a special snowflake, and as Windows machines run they accumulate 'OS rot' and gradually become less reliable (due to the mutability of the OS and dependencies). To fully test deployment you'd have to test hundreds of thousands of VMs with different software install histories, etc. In the end we have to tell people 'sorry, we tested with clean Windows installs on eight different versions, you're on your own.'
Mac is the only tolerable deployment target and that's because it's a fascist dictatorship compared to Windows: uniform hardware, strict restrictions on OS modification, and enforced software conformity. Phones aren't too bad either but that's because they're also fascist dictatorships with locked-down OSes.
Basically the modern OS is broken. Things are mutable that shouldn't be, process isolation is a joke, etc. Server OSes are broken too but at least if you own all the servers you can make sure they're all broken in the same way. Even there the trend is toward statically linked binaries (Go) and packaging apps as entire containers with their own OS (Docker) to basically deprecate the OS and achieve predictable deployment.
Insightful! I didn't know it was that bad. Did your team ever consider using something like Turbo Studio (called Spoon Studio until recently), which is a bit like Docker, but different, and for Windows?
Their promise is that they basically solve most of the problems you mention, so I'm curious how well it stands up in practice or why you choose not to use it.
EDIT: I'm a bit confused: I just got two downvotes for asking a question. So just to be absolutely clear: I don't have any relationship with Turbo or whatsoever.
You shouldn't be confused. It's all just numbers and ideas. There isn't really such a thing as a "vote" or "clear" or even "Hacker News" apart from the idea you have of it in your mind.
A fairly common practice is shipping applications utilizing Citrix to have end users remote into a citrix server to minimize the various configurations of a desktop application. Personally I dislike the architecture in that the user experience is compromised (glitchy/laggy/hacks for interfacing with the client) but it does return some of the control back to those managing the host
Anyone monitoring their connections has already noticed this long ago, I know I have. It is not a bug. If privacy is a concern you wouldn't (or at least shouldn't) be using chromium in the first place.
The fault in your analogy is that you seem to think that oxygen is somehow less important in situations where it's easily available. You say, "Just when I'm diving or doing something where it is equally important." But oxygen is always equally important. It's just that in most situations it's easily available to you: all you have to do is inhale.
Your analogy isn't even internally correct, but even if it were, it still doesn't prove anything about privacy, because privacy isn't easily available, at least not over technological channels. Privacy isn't oxygen, so accurate claims about oxygen don't imply anything about privacy at all.
Analogies are for explanation, not evidence. If you can't make an argument without an analogy, you're may want to consider that you're wrong.
> Analogies are inexact by semantic definition, and that doesn't make then "faulty".
Well, it makes them useless as evidence. An argument by analogy simply isn't a valid argument. Don't you remember the "You wouldn't steal a car" ads?
> Privacy is readily available through https, two factor OAuth, etc.
HTTPS is broken by privileged man-in-the-middle attacks (attacks where the attacker has key signing power) and downgrade attacks. And that is when it's even available (it isn't always). And even against attackers with less power, it only provides privacy for what you send over the wire, not who you send it to. And finally, this all assumes that you're sending your data to an entity which won't simply sell it to whoever is willing to pay a few bucks (an uneducated user might think, for example, that data sent through GMail is private).
I'm not even gonna touch "two factor OAuth"; I'm not sure what kind of privacy you even think that provides.
In short, you clearly have no knowledge about what does and does not provide privacy. It would behoove you to not make claims on topics you are ignorant of.
Analogies aren't evidence, they're a tool for explanation, again by semantic definition.
It's committing a no-true-scotsman to say that "privacy isn't as easily available as oxygen" when you change it to "true privacy is is really perfect privacy" when faced with HTTPs and OAuth.
All privacy & security tools are are imperfect, but most of us find the right level, rather than live in a faraday cage in our mother's basements (that's the point). Unless of course, copsarebastards, you need that level of privacy - then I'm not going to judge.
> Analogies aren't evidence, they're a tool for explanation, again by semantic definition.
Agreed, that's what I've been saying all along.
So then why did you use an analogy? Did you really think the sentences "Privacy is easily available" or "People only have to use privacy tools when they are doing something that they want to keep private" needed explanation? Perhaps I assumed you were using it as evidence when you weren't, but you have to admit that's a reasonable assumption given that the analogy is completely pointless otherwise.
> It's committing a no-true-scotsman to say that "privacy isn't as easily available as oxygen" when you change it to "true privacy is is really perfect privacy" when faced with HTTPs and OAuth.
Imperfect privacy isn't privacy. Either people are able to look at your data or they aren't. If people are able to look at your data, you don't have privacy. This isn't a complicated idea or a "no true scotsman" fallacy, it's the meaning of the word "privacy".
We have plenty of evidence showing that the NSA surveils data which is "protected" by HTTPS, ergo, HTTPS does not provide privacy. And the NSA isn't the only actor with this capability.
And OAuth doesn't provide privacy. It's not even the problem that OAuth tries to solve. OAuth provides authentication, which is an element of privacy, but it takes more than simply showing that a person is who they claim to be to provide privacy.
> All privacy & security tools are are imperfect, but most of us find the right level, rather than live in a faraday cage in our mother's basements (that's the point).
That's exactly not what happens. The average user simply is not informed enough to make an educated choice about what level of privacy they want and make choices to get that level of privacy. As a result, people don't find the right level of privacy. Closeted gay people get outed by their Facebook friend graph, pregnant teenagers have their pregnancies publicized by their targeted ads, celebrities have their nude photos leaked to the public, adultery website users and corporate employees have their information leaked, women are found by their jealous law enforcement exes misusing surveillance technologies. Only a fraction of these people actually knew what risk they were taking when they friended someone on Facebook, searched for goods on Amazon, texted a nude photo to a lover, put their credit card into a website, gave their info to their employers, or made a phone call.
Obviously living in a faraday cage in your mother's basement isn't the answer: that's a straw man argument.
The answer, in my opinion, is both social and technical. Socially, we need to get people to prioritize privacy and use privacy by default, we need people in power to respect and protect the right to privacy rather than actively taking it away from people. From the technical side, we need privacy tools that are faster, more secure, and easier to use, and we need decentralization so that violating people's privacy is no longer an option.
Why? I thought Chromium was supposed to be the open source (libre) version of Google Chrome. It shouldn't do anything "evil". I guess you would have to change the search engine and perhaps disable update checking if you plan to do that yourself, but other than that...
I personally prefer Firefox regardless, but that's not because of paranoia reasons (I just like it better with about:config and the available add-ons and the way the url bar works and... just usability reasons).
Yes, and it's not just usual ignorance, but they seem to be proud about their ignorance in a way that makes them behave irrationally and become offensive. For example how people downvote me in this thread, right now, although I got this treatment in many other venues, and in real life as well.
And of course the "argument" that language changes doesn't hold water. They are not merely using different words, they are de-facto eliminating the word that describes a "theory". People who actually make scientific hypothesis and scientific theories use the word correctly, it's the ignorants who can't use it, and who quite often will utter phrases like "X is just a theory!", like somehow that should lessen X.
That unfortunately doesn't make it easy to see where those requests are coming from, especially given that the vast majority of Chrome(ium) developers are from Google.
>What's hard to understand about maintaining radio silence?
What's hard to understand about the fact that "radio silence" is a desirable trait in war (and that in certain circumstances only) -- not in desktop software, and even less so in one whose PRIMARY PURPOSE is connecting to thousands of addresses everyday?
And that, being up-to-date with the latest security patches, including for users who would otherwise wouldn't bother to install is better for everyone involved?
I would assume that step zero of "maintaining radio silence" isn't "launch an application which has as its raison d'être making connections to other machines over a protocol that was never architected to be stealthy in the first place."
The point of incognito mode is to send out less information. The web browser can update itself perfectly well a) through the normal OS software update process b) when started in regular browsing mode.
Incorrect. The point of incognito mode is to record less information locally, not send less information. It doesn't store cookies (beyond the duration of the session), doesn't record history (beyond the duration of the session), etc. On the Chrome incognito start page, it clearly says:
>Going incognito doesn’t hide your browsing from your employer, your internet service provider, or the websites you visit.
If I'm consistently reprimanded for not maintaining an up-to-date system against potentially hours-old zero day vulnerabilities, then pardon me for the mistaken perception that I'm not perpetually under attack.
Having to assume that I am always at risk of being attacked is known as being placed under "siege mentality" and yes, it is a symptom of war. [1]
>It's not an absurd expectation that a system only does exactly what it's told to do, and only when told to do so.
Now, you listen: most simple (non techie) users don't know what they need to "tell browsers to do" in the first place, aside from loading webpages.
We had what you propose and people were stuck with 10 year old IE6 versions, tons of viruses from old exploits and plugins, etc.
Now we expect modern browsers to be evergreen and to keep themselves secure. That's part of what browser developers are implicitly "told to do" -- and people jump to those browsers (e.g. Firefox when it pioneered that evergreen thing and then Chrome).
Unless you personally are constantly under attack by exploiters using hours-old 0-days (which, let's be honest, you wouldn't be as a personal user; there's far more high value targets than you), then you're not "consistently reprimanded" for not keeping your system up to date to fight these 0-days.
Not blabbing packets across the network to a security provider, while blabbing packets across the network to many other hosts, is not a security posture.
So, you mean to tell me that I'm not allowed presume that I might actually be in complete control of the machines my program is holding conversations with? Is that what you're saying?
If you want to be in complete control, you need to understand the complete source code. Otherwise, you at least need to trust whoever wrote the software you're using.
I guess nobody is happy that chromium opens a undocumented network connection to transfer unknown data.
But the biggest problem is that we don't (yet) _know_ exactly why and what is happening. Fortunately we can understand it by looking at the code, and somebody will do that.
Then we can discuss if this was a violation of trust, a simple error, a useful feature etc.
Um, this isn't reddit. Out of all of the snark you posted you had one, tiny, possible point about creating a vector for MITM attacks but since the connection is over TLS it's not much of a concern at least at the moment plus I'd imagine they would sign such things (but I don't know for certain).
So I guess good job at taking your only point and surrounding it with nonsense which is always downvoted on HN.
It's way more reddit than it used to be. It happened to Reddit, it's already almost completely happened here. This place is basically a decent subreddit in culture now. Kind of sad.
Just curious, how long have you been around? Your current username is less than a year old.
Because based on my impressions as someone commenting or lurking here 5+ years, HN has experienced a significant uptick in quality over the past year or so. I see many older commenters making the same type of observations.
And Reddit-like comments are consistently downvoted here.
EDIT: Removed "Of that there's no question." from my statement about comments being consistently downvoted, since clearly that's not true.
Mostly a lurker. I've checked the articles here since.. I dunno.. sometime in 2007-8, at least regularly anyhow. I remember when it was called "Startup News".. heh.
Much like my Reddit experience - was a long-time lurker, but have a more recent account.
Both sites have gone downhill in terms of community quality.
> HN has experienced a significant uptick in quality over the past year or so
In the news articles I'd agree. In the comments? Drastically the opposite as far as I've read.
> Reddit-like comments are consistently downvoted here.
I wish. The worst meme-crap sure, I agree with that, and it's a good thing. However it's not that that's the problem: it's the community attitude and outlook; just seems to have got a lot worse - especially in the last year or two.
Case in point: down-votes for disagreement rather than lack of content. See my comment above for a great example of that.
> down-votes for disagreement rather than lack of content
The debate about downvotes for disagreement rather than lack of content has been going on here for years. For me, it's as clear as day that this is getting much, much better. From about 2012 to early 2014, there was some type of either bot or some very, very eager HNers who would rapidly downvote topics they didn't like, 3-4 downvotes within the first 5 minutes, even if it was a quality comment. I would regularly upvote comments even though I vehemently disagreed with the commenter just to offset those downvotes. I find myself having to do that much, much less now.
It is clear that HN is getting more "traditionally" polite as well as what many would consider politically correct, so if that pisses you off then I can definitely see how the site would seem to be worse.
But I strongly, strongly disagree with the Reddit thing. By the way, take a look at the HN guidelines:
"If your account is less than a year old, please don't submit comments saying that HN is turning into Reddit. It's a common semi-noob illusion, as old as the hills."
If I'm not mistaken, that guideline has been in place since I got here back in 2010-2011 or so, so that should tell you something. People have been complaining about Reddit-like comments on HN since at least back then.
(As as you will have noted, people are quick to downvote comments saying HN is becoming Reddit for this very reason)
There should be a corollary to that guideline of "if you have to repeatedly deny that you're turning into something... you're turning into it".
I mean... seriously. It's been a problem SINCE 2010-2011 so I'm not surprised. You're right tho - it DID get better. So did the quality of Reddit for a white - then it got a lot... LOT worse.
> people are quick to downvote comments saying HN is becoming Reddit for this very reason
Well no, mostly it's just the false sense of superiorly that this place has actively cultivated over Reddit for many years. Got to maintain that.
I've noticed the opposite. I see more jokes than before and they don't seem to be downvoted when I'm around. The jokes aren't even clever; just low reaching ones just like on reddit.
They are all over, I think it's easy to spot them. Here's one I saw earlier: https://news.ycombinator.com/item?id=10433865 While HN has with exceptional moderation effort made this place "nice", as opposed to the generally "mean" Reddit, it's optimized for a certain kind of niceness that doesn't necessarily align with the hacker aesthetic, and reddit's brand of rudeness is just one characteristic of reddit, general low quality comments are the problem. Quality has been declinining since at least https://news.ycombinator.com/item?id=2403696 and on the aesthetic side I think this thread sums up what's good and bad about the site: https://news.ycombinator.com/item?id=8214343 (The bad: complaining about the name, political correctness in general.)
Jokes seem inconsistent on HN. Sometimes I'll see a good, quick one and it'll be upvoted (which honestly I'm fine with; jokes are fun) and sometimes they'll be downvoted immediately. But the common theme I always noticed with jokes and HN is that, even when they're upvoted, they don't turn into mega pun threads like Reddit's do. I rarely see a joke just keep going on HN.
In the end I think the HN and Reddit audiences are different. Yeah there is overlap but I don't think there is a ton of overlap.
Even if this is true (and [jnbiche](https://news.ycombinator.com/item?id=10433503) argues that it isn't), what's the use of saying so? If you don't like the increasing Reddit-ness of HN, then pointing out that HN isn't Reddit is the right thing to do to stop the trend.
> It's way more reddit than it used to be. It happened to Reddit, it's already almost completely happened here. This place is basically a decent subreddit in culture now. Kind of sad.
I took this to mean that you thought that BinaryIdiot's chiding was inappropriate, or useless.
They're probably a cheese eating surrender monkey and don't realise the good you are doing by trying to force your skewed version of "freedom" on to them
These codebases are too large to vet easily, and I've always been suspicious of someone hiding something like this in plain sight.
I'm a FF user since before 1.0 and I never switched to Chrome, for obvious reasons. I did keep Chromium as a media browser on Linux, now I'm done with Chromium too.
https://www.imperialviolet.org/2012/06/25/wireshark.html