Topic: Anonymity: Death of the Stateless Web (Read 4094 times)

http://www.infoq.com/interviews/bracha-javascript-future


Gilad Bracha and W. Cook, Mixin-based Inheritance, Proceedings of ECOOP '90.

Apparently the Android permissions prompt is optional or something.

Uber's Android App Caught Reporting Data Back Without Permission

Any reader who thinks we don't have a totalitarian police state in the USA, should try to explain away the following well documented, egregious case. Don't forget that the USA can now legally send the military after you and "make you shut up" without any due process nor habeas corpus.

http://armstrongeconomics.com/2013/02/09/indefinite-detention/


First they came for the Socialists, and I did not speak out—
Because I was not a Socialist.

Then they came for the Trade Unionists, and I did not speak out—
Because I was not a Trade Unionist.

Then they came for the Jews, and I did not speak out—
Because I was not a Jew.

Then they came for me—and there was no one left to speak for me

I had thought of this, so it is good you raise the issue, so I can respond with my prior thoughts.

1. Those applications that require some advances in user experience does not eliminate those applications where standards for content make semantics more transparent. Both can continue to proliferate, i.e. we shouldn't prevent the former if requiring always the latter would make some applications not exist at all.

2. Those applications that require some advances in user experience could in many cases also publish stateless content (or any other standard for making semantics more transparent), e.g. an application for interacting with a forum offline or on high latency (for example to access it over a high latency truly anonymous network), could coexist with a website version of the forum.

P.S. I hate pay walls and login walls when I am surfing the web for news or research.

I think you are overstating the importance of the "user experience" and discounting the value provided by "robot experience" (by robot I mean the indexing and search engines). One of the most important factors of the growth of "web" was that HTML became some approximation of the lowest common denominator of information interchange. XML family of standards tried, but failed to improve on the HTML model with this regard.

I don't want to devalue your insight, but here is a recent example of "UX uber alles" problem:

http://torrentfreak.com/fail-mpaa-makes-legal-content-unfindable-google-141122/

exhibited by the "overapplification" of the user experience. I'm sorry for the ugly, hastily coined word. I don't know the better term. But from my childhood I still remember a paper pop-up book for "Puss in boots" which could be animated by hands. It was very cute, but didn't meaningfully improve the classic text printed in the plain book.

Edit: One more link from today that is tangentially related to the subject matter:

http://news.slashdot.org/story/14/11/23/1714255/blame-america-for-everything-you-hate-about-internet-culture

Data on the internet ranges in time criticality. For example, posting new Likes and photos to Facebook is not that time critical, but Facebook interactive chat or a stock quotes application are time critical.

There are two components to the latency on a high latency variant of Tor:

1. The greater number of hops (onion layers or nodes) between the client and the server requires some additional latency for each hop.

2. The randomization of when to forward each packet at each hop increases latency at each hop by the time window over which that randomization occurs. As the volume of traffic increases, the time window can shrink because the anonymity mix (of packets forwarded by the node) per unit time has increased.

Let's assume the system can have an algorithm that attempts to choose paths through the nodes of the network that keep latency below 50ms per hop[1]. If that can be achieved, then assuming #2 is reduced to negligible as traffic volume increases, then 10 hops would be 0.5 seconds on average latency. 100 hops would be 5 seconds. Since the client and hidden service server each get to decide half of the onion layer path (with a rendezvous node in the middle), they can choose a latency and anonymity tradeoff that matches their application.

[1]	http://www.webperformancetoday.com/2012/04/02/latency-101-what-is-latency-and-why-is-it-such-a-big-deal/ http://www.sqlskills.com/blogs/paul/are-io-latencies-killing-your-performance/

What kind of high latency numbers are you talking about? 10 seconds? 30 seconds? More? In my experience important data more often than not is also time critical in nature.

They don't need to care. They only need to be aided by the paradigm shift I am describing, specifically the usurpation of the top-down morass of web standards by the viral diversity of a programmable, secure platform such as Android which is on 80% of their smartphones.


You see they need offline app solutions for their high latency network access. So extremely high latency in fact, sometimes they have to wait hours or days to reconnect to the net or connect over very slow GSM or overloaded 3G networks.

The No votes come from neophytes who don't understand the issues.

The sheeple don't care about being anonymous and most of the world is still in 3rd world areas with no net access other than wifi on a cheap smart phone at the local wifi cafe.

The future net will be an AI network and people will have neural implants to put the net right into their optic nerve center, then the next generation will be that dna will be manipulated to have the human brain able to connect on an alpha wave like they do the akashic record now.

There will be no anonymity, there is none now, the AI that created you tracks you through alpha waves now and that AI makes you do what that AI wants through alpha waves as well

No, web is simply developing faster than regulations.

I've gotten some feedback from at least one of my supporters that he is not able to quickly discern the significance of the OP (readers should also read the linked OP).

Until recently the majority of the user demand for traffic on the internet has been HTML over HTTP, i.e. what I refer to in the OP as the stateless Web. That traffic is required to be low latency, because the caching mechanisms are not typically smart enough especially with dynamically changing content (e.g. forums, social networking sites) to give a satisfactory user experience if the transport between server and client is high latency.

Yeah there are other protocols on the internet, such as SMTP which delivers email and doesn't require low latency transfer. And even P2P over UDP versus TCP/IP. But the majority of the market has been focused on HTML over HTTP.

Users become accustomed to the simplifying unification of accessing any content via the web browser. This provided some benefits for developers and content authors too as they could "code once, run every where".

But this had the tradeoff of retarding innovation on those areas that would require stepping outside the web browser’s myopically designed security sandbox or require a different model of interaction that could interopt well with high latency transport. Many even myopically cheered that this security sandbox was a major advantage.

There were some attempts such as Flash, ActiveX plugins, Silverlight, etc but these lacked the holistic purpose, demand, and system design that could cross the chasm to simplifying unification via sufficient market adoption.

I am positing that mobile apps, and more likely Android apps in particular, is a paradigm which is crossing the chasm. And even migrating towards the desktop and laptop to bring further unification.

This opens up new opportunities for fast moving innovation outside the confines of the slowly innovating (top-down standards driven, e.g. W3C.org) web browser. I posit one of those opportunities is to interopt with a hypothetical high latency transport, which would have the benefit of being truly anonymous because Tor and low latency ostensibly can not be anonymous.

The innovations might be so far outside the paradigm of the web browser content platform, that the web browser might not be able to incorporate such innovations without ceasing to be any semblance of what it was. If the web browser becomes essentially Android or something closer to what Android is, then the W3C (top-down, stifling morass) lost control. If Android (or something like it) is a standard that runs every where, then we haven’t lost the "code once, run every where" advantage. What is really accomplished is making the content platform more programmable with more granularity of modularity of Android APIs instead of the "all or nothing" monolithic imposition of the web browser APIs (by for example having a more holistic security sandbox model).

I’d feel facetious and subject to accusation of being non-objectively biased if I did not acknowledge some serious security theatre I submitted an Android Issue on today.

https://code.google.com/p/android/issues/detail?id=80335

Wow 9 ÷ 11 = 82% voted ‘no’ thus far (or 90% if exclude my vote).

The ubiquity of Dunning–Kruger ignorance needs to be culled by action in the market place. This vast preponderance of ignorance means there is a huge opportunity here because most do not realize the paradigm shift yet.

I suspect it escaped the logic of readers that stateless content can increase (even in proportion) and yet orthogonality of transport and content can proliferate.

P.S. if the  ‘no’ votes are pertaining to the rise of the global police state and the need for anonymity, I can only sigh again soon. I was watching the NBA (i.e. Rome’s bread and circus, or the Roaring 1920’s socialite glitter & glee) and realized why most people today would again think it is ludicrous to claim such horrific outcomes as we approach the cliff.

The title and content of the OP is not about the death of all stateless content, rather I think it quite explicitly says death of the Stateless Web.

This salient distinction is that the content and rending model (e.g. HTML) shouldn’t have a monopoly over the transport model (e.g. HTTP).

The Web is becoming more general and the transport layer is detaching from market dominance by the rendering layer.

This enables new opportunities and possibilities.

I wonder what the No voters are thinking? Is my presentation too abstracted? Perhaps I need to incorporate the above summary.

---

Update: done.

My favorite Mozilla kafkaesque, security theatre fuck-up for the ages. I warned there and exactly what I warned happened. And so he eventually closed the bug to further comments after receiving 100 complaints over the next two years as I warned him.

I edited my post to explain I mean convergence via orthogonality and separation-of-concerns.

If you are programmer (especially if you understand the Unix design philosophy) then you know the value of these concepts instead of trying to have one monolithic thing do everything you need.

Then you can mix-n-match to retain the flavor you desire.

HTML should not be a dominating force on how I can distribute apps as seamless content to my users. You may prefer a strict static content model without JavaScript, but other users have other preferences such as for some HTML is just a rendering engine that is used in some contexts within their stateful app. Developers should be allowed to serve all users well, including you (if there are enough of you, else you can roll your own).

P.S. You are conflating the issue of good semantic design with the orthogonal issue of security.

I fought against Daniel Glazman's spaghetization of the orthogonality between code and data with XBL (because CSS was not the correct semantic layer to bind code!). I was for registering events instead of embedding them in the HTML file. Etc.. But I don't think you can build a dynamic web page and not have any code manipulating the page. We are talking only about good semantic programming, not about security unless it is just security theatre. The broader the scope of your sandbox, the less fined grained permissions you need to ask the user about. Because users have no fucking clue and just click "yes" any way, so then you don't have security. Android is trying to design to reduce the need to ask the user for permissions.

I hope not. As I said, I believe there should be a clear distinction between data and code. I was using lynx as my primary browser at least until 2005. It really stopped adapting to new HTML revisions after HTML 3.2. HTML 4 introduced style-sheets, which were never really implemented by lynx.

Edit: I like CSS, just lynx does not.
Edit2: I still try to avoid running client-side scripts as much as possible though.

phillipsjk, good to hear. Yeah I would prefer the web browser be a rendering (android.app.)Activity or Fragment and provide an HTTP ContentProvider which can be hooked into it (or substituted) and not try to be the OS.

Orthogonality and separation-of-concerns.

Looks like we agree on we are headed towards convergence?

P.S. In the transposed direction of misuse or incorrect design, I was listening to this masscan developer explain (how to scan the entire internet in 3 minutes with commodity hardware) in his C10M video about how web servers shouldn't move packet processing into the OS by using threads, because Linux was not designed to be real-time OS but rather optimized to be a multi-user OS. And instead do the logic in user mode.

I don't think we strongly disagree on this point: just on the methods. Java applets were one such clear distinction. Of course, other than the fine-grained control, there was also the (dreaded) "loading Java..." message (and delay) that made the thing unpopular. Android largely follows the Java philosophy: to the point that they were sued over the use of the API.

I believe that web-browsers have become too complex. Because, as you mention, they are being asked to operate as an OS in user-land. One thing Chrome gets right is leveraging OS services by spawning each web-page as its' own process. It is resource heavy for simple web-pages, but actually lets you track down which page is using all of your CPU time/memory.

In Android, your application’s Activities, ContentProviders, etc have a Uri. Thus, I can envision when you type the app Uri (or its abbreviation) in a browser, you run the installed or install the app. So it can become as seamless as the web. It appears disjoint for now and the web appears to be easier and more readily accessed, but it doesn’t have to remain this way. Then web sites could also be placed as favorite icons on your desktop (which you can do now but not so easy or readily achieved as installing an app and seeing its icon appear there).