For one, Do Not Track is on the client side and you just hope and pray that the server honors it, whereas cookie consent modals are something built by and placed in the website.

I think you can reasonably assume that if a website went through the trouble of making such a modal (for legal compliance reasons), the functionality works (also for legal compliance reasons). And, you as the client can verify whether it works, and can choose not to store them regardless.

> And, you as the client can verify whether it works

How do you do that? Cookies are typically opaque (encrypted or hashed) bags of bits.

Just the presence or absence of the cookie.

I would assume most websites would still set cookies even if you reject the consent, because the consent is only about not technically necessary cookies. Just because the website sets cookies doesn't tell you whether it respects you selection. Only if it doesn't set any cookies can you be sure, and I would assume that's a small minority of websites.

Those would be the lower 8 bits, no?

In a 64 bit register, e.g., RAX, AL refers to the lowest 8 bits [0-7] and AH refers to the next 8 bits [8-15].

Together, AX refers to bits [0-15]. EAX refers to [0-31].

It's counterintuitive (or at least, inconsistent) that we have a name for bits [8-15] but not for [16-31] or [32-63]. My fuzzy understanding is that this came about from legacy decisions.

This page has a helpful visualization at the top: https://www.cs.uaf.edu/2017/fall/cs301/lecture/09_11_registe...

It's neither. al is the lower 8 bits of ax (ah the higher 8 bits). ax is the lower 16 bits of eax. eax the lower 32 bits of rax.

Here's the AMD manual: https://docs.amd.com/v/u/en-US/40332-PUB_4.08

ax=ah:al eax=?:ax rax=?:eax

What is the distinction between manual coding and human coding?

Often when you're calling something "manual" you're taking something off the automated happy path to tediously and slowly wind the thing through its complex process by hand. The difference between manual coding and human coding is tedium and laboriousness. It's not laborious to program, but the phrase "manual coding" evokes that image.

Maybe that’s what they’ve been doing? No one using Vim, Emacs, or Unix as an IDE would say they do manual coding with the amount of automation that usually goes there.

Indeed, if your not using butterflies to program, it's not manual, and your not a real programmer

https://xkcd.com/378/

Has anyone tried running a generic User-Agent on a standard modern browser? (By "generic", I mean one that does away with this whole compatibility dance.) I'm curious how much would break or degrade.

I once tried having my web browser claim to be the Google spider. It worked well and I completely forgot about it until one website soft banned me a year or two later for impersonating the Google spider. I contacted them to complain. They lifted the ban and told me the ban reason, which made me remember the experiment I never terminated.

Opera Presto didn't use it, and had a User-Agent like:

  Opera/9.80 (X11; Linux zvav; U; en) Presto/2.12.423 Version/12.16

Didn't seem to cause that much problems.

It did keep the version at 9.80, presumably because >=10 must have caused problems somewhere.

God I miss Presto... but Opera did have major compatibility issues even when it was still popular.

Unfortunately, everything that does fingerprinting/"bot detection" will get triggered.

I tried doing that in the early 2010s. Even back then it didn't work (github broke for example). If you did it today, you'd likely be blocked by a lot of major websites for "lying" about your user agent. Cloudflare turnstiles will stop working, you'll get captcha'd to death, and so on.

Even tor-browser doesn't dare to modify the user agent string in any major way. It's almost impossible to lie about because trackers don't actually care about your user agent. They're identifying your device/OS through side channels (canvas, webgl, fonts, etc).

Wrt/ Tor browser, it's not that they don't dare to, it's that they don't want to. One of the goals of that browser is to not stick out too much, and changing the user agent would do just that, so they don't do it.

Then the ideal would be to normalize the user agent string to look identical on every platform. My point is: they can't do that. e.g. A linux machine identifying itself as windows would be spotted immediately. Instead, they have to reduce entropy by bucketing you according to your device/OS/arch.

I don't think there is a point there. In case of the Tor browser, they use the user agent to blend in, so they are not a good candidate to do anything about how stupid the user agent is.

It's the current heavyweights who could change it for the better: Google and Apple. If either introduced a major change in how they present the user agent, websites would be very quick to adapt (if they need to in the first place...), or else. Otherwise, no change will happen - and I think this will be the case, same as with the HTTP "Referer" (misspell of "referrer").

Fun fact, non-browsers actually have much nicer user strings. I run an internet radio, and there is a lot of clients like

Linux UPnP/1.0 Sonos/85.0-64200 (ZPS1) Nullsoft Winamp3 version 3.0 (compatible)

Echo/1.0(APNG)

NSPlayer/8.0.0.3801

mpg123/1.20.1

> In case of the Tor browser, they use the user agent to blend in, so they are not a good candidate to do anything about how stupid the user agent is.

No. They don't use it to blend in. If they wanted to blend in they would be modifying every platform's user agent string to look like Windows x86_64 or something. They don't do that because there's no way they could possibly get away with it.

Instead, they're resigned to simply censoring the minor version number of the browser to reduce entropy.

> Fun fact, non-browsers actually have much nicer user strings. I run an internet radio, and there is a lot of clients like

And those tools will get blocked by various CDNs for not having a browser user agent string, not having a browser-like TLS handshake, etc. This is why projects like curl-impersonate and golang's utls had to be created.

>They don't do that because there's no way they could possibly get away with it.

Yes indeed. They use it to blend in. What they want is to not stick out, so, they act like the rest of the browsers do.

Just like the tools you mention, curl-impersonate and others.

Bravery, daring, could only be done my market leaders here. Google and Safari. The rest of the guys just follow suit.

I will also plug the Keyboard.io Model 100 here. It has a ton of mounting options including tripod screws for custom solutions. The halves are connected with a standard ethernet cable so you can have them any distance apart.

https://shop.keyboard.io/products/model-100

I'd imagine by the time you have a lithium ion fire, it really doesn't matter what the structure is made of.

I think the problem is:

1. How else would you penalize businesses?

2. What else would you do with fines?

If fines exist, it would seem foolish not to budget around that.

Governments should not operate fiscally like corporations. A financial institution will budget around fees because it's in their benefit for their customers to incur fees. A government should not budget around fines because they want the behavior which was fined to not occur at all.

I think one way to prevent bad incentives is to ensure that the organizational units that create and enforce policies are not the ones that benefit from any fines collected.

On the surface this sounds great, but governmental organizational units are still able to pressure one another, or have third parties apply pressure.

Maybe a uniform tax credit/refund for each citizen that is covered by that level of government. We the citizens can then decide if we fix the issue or continue to generate fines, but at least the budget isn't expecting revenue that could disappear (like the lack of traffic tickets during the beginning of COVID).

How about fines go into a sovereign wealth fund (but not be seen as major source for the fund- more a bonus) so there is no short term budget planning based on fine revenue.

I did essentially the same thing. I have this input in a form:

    <label for="gb-email" class="nah" aria-hidden="true">Email:</label>
    <input id="gb-email"
           name="email"
           size="40"
           class="nah"
           tabindex="-1"
           aria-hidden="true"
           autocomplete="off"
    >

With this CSS:

    .nah {
      opacity: 0;
      position: absolute;
      top: 0;
      left: 0;
      height: 0;
      width: 0;
      z-index: -1;
    }

And any form submission with a value set for the email is blocked. It stopped 100% of the spam I was getting.

Would this also stop users with automatic form filling enabled?

No, `autocomplete="off"` takes care of that

If CSS is disabled or using a browser that does not implement CSS, that might also be an issue. (A mode to disable CSS should ideally also be able to handle ARIA attributes (unless the user disables those too), but not all implementations will do this (actually, I don't know if any implementation does; it doesn't seem to on mine), especially if they were written before ARIA attributes were invented.)

Why? Besides both involving terminal commands, they serve very different purposes.

atuin is a collection of the past, which can be training data for a collection in the future. If I'm asking AI to essentially generate commands, my previous inputs ideally would be part of the basis.

You can just pass it a template with no substitutions.