I will not log in to your website (scottaaronson.com)
302 points by seycombi on Mar 19, 2017 | 122 comments

I do not recognize the problem the author talks about, but it seems weird. From the article:

> Prof. Aaronson, given your expertise, we’d be incredibly grateful for your feedback on a paper / report / grant proposal about quantum computing. To access the document in question, ...

It seems odd to want feedback and then ask someone to go and register somewhere, probably requiring to accept a bunch of legalese in the privacy policy and terms of service... Just attach the document you want feedback on, right?

At least if I'd email someone (out of the blue or an acquaintance) for feedback due to his expertise, I'd be grateful for the time taken and try to make it as easy as possible to do.

Edit: it has been made clear to me that it's not about individuals contacting the author, it's some big corporation that probably sends this out, probably in an automated manner. I still don't understand why anyone would bother with this when "peer reviews" can happen between "peers" (i.e. sending each other documents for review, rather than going through the middleman that everyone seems to hate such as Elsevier, if blog posts linked on HN are to be believed).

This is the norm in academic publishing. Not only do publishers (often for-profit publishers with huge profit margins) ask us academics to critically review submitted manuscripts gratis with short deadlines, but they also want us to use their poorly designed, byzantine online systems to do it.

It's most fun when you are just trying to decline this invitation because you do not have time and are asked to create an account and password (with stupid password rules, naturally), and fill out an amount of personal information just to do that.

You make it sound as if you are required by law to do this. Short deadlines, for free, on poorly designed systems, behind a login wall. Then you just don't, right?

Eventually they will bar you from publishing with them. How bad that is depends on the journal and what you intend to do with your life.

Speaking as an outsider who mostly knows how academic publishing really works from reading occasional blogs that complain about the subject, the entire system seems like something straight out of a Douglas Adams novel.

"Why don't you just stop doing X thing you don't like?"

"Because if we do, they won't let us do Y thing we do like. Or, well, we would like it, except the way they make us do it is so awful."

"So stop doing that, too, or go do it your own way instead."

"But if we don't do Y thing we don't like, then they also won't let us do Z thing. Incidentally, we don't like that one, either. But we need it to be able to do X."

It is totally bananas.

There are two questions: why review at all, and why are the review systems so crappy? For the first, the whole system in the academic world is based on peer review, and I think peer review has mostly proved its worth. For the second: 90% of everything is shit, and the academic world is struggling with the legacy of for-profit journals and trying to get better systems in place. But opting out of everything crappy leaves you with almost nowhere else to participate.

That's exactly what the original post said: he won't do it any more.

It's not about the individual, it's a lot of people I hear about this. Yet it is apparently the common practice. I'm asking why.

For the same reason it happens in other websites/services: to collect personal data and to subscribe the user to their spam^H^H^H^H mailing list.

I guess it is because people see it as necessary in order to build relationships, and have a name. But it looks like it's time to draw a line.

And if it is a government agency asking you to review a grant proposal? Besides the obvious service aspect, you don't want to unnecessarily offend someone with money, that you might have to apply for yourself someday.

I understand you're also helping colleagues, but in the case of wanting peers to review your paper it's a simple matter to send emails with PDFs to those peers.

But I'm not sure how this world works anyway. I read about research in books that refer to it, Hacker News and Reddit that link to it, etc. but never in a magazine. Yet the magazines seem to be what everyone is aiming for to be published in, they are apparently some big deal. I suppose there is some reason why "peer reviews" are not between "peers".

The peer review is supposed to be anonymous. So what happens in practice is you upload your paper to a central website from which a set of reviewers can download a copy for review and give feedback with comments, anonymously. This is also why there is a login system: to ensure the comments are from actual peers which have their own papers up in the repository too.

I'm not saying this is the best way to do it, just how it is now.

Also, if you want someone to just read your paper, sure, email is fine. One does not exclude the other. The central system is there to ensure that should any doubt arise over the quality of the work, the feedback can be read and interpreted.

Again, there might be many other more high-tech solutions out there to solve this problem.

Ah, anonymity is the issue here. That explains it a bit. Thanks for replying.

The process, as I've experienced it, is:

1. Authors write paper.

2. Authors send paper to journal or conference address. (...using a web form)

3. The editor gives the paper a once-over and decides to send it out for review.

4. (Editor sends links to reviewers, who log in, read paper, and leave comments.)

5. Lather, rinse, repeat until accept/reject decision is made.

They used to send pdfs, but now use web systems for roughly the same reason HN isn't a mailing list.

Note: the last time anyone let me review a paper was a long time ago, when they sent paper forms to fill out. Parts in (...) are how I assume it works now.

If you are early in your career and want to make your name heard, then you do accede to all these requests (which probably is why they get made with ridiculous requirements in the first place)!

I think people are too polite sometimes. These requests are an abstracted "GFY" so I think the exact proper response is a non-abstracted "GFY" - with a CC BY-ND 4.0. Basically it's a reply that's congruent with the request, but without the bullshit.

I do see why they ask for that (although it sounds like their systems could use some improvement).

Imagine you trying to get someone to review a 1,000 line patch. If you can just get them to log in to GitHub, they can use all of the pull request commenting tools, and it'll be easy. Otherwise, you have to mail them a big .patch file, and then somehow manually manage comments across all of that. The assistive tools are more convenient.

And add that you have dozens of such patches that you need people to review, and their reviews have to be distributed to a committee of senior developers once they're received, and so on and so on...

A journal may have dozens of submissions at various stages of the peer review process. Each requires two or three peer reviewers, who are busy academics who will often fail to meet the deadline. The editor has to track all of these, follow up with lagging reviewers, and then put together all the reviews for a paper to make the final decision.

Doing all that by email would be a mess. Reviews would get lost, the editor would lose track of which reviewers were sent which papers, and so on.

So the online systems make sense. But they all suck. I've reviewed for several journals which use the ScholarOne system, for example, and despite all being hosted centrally, they inexplicably require separate logins. The website is a clunky piece of crap. If they just had an automated system email me a PDF and ask me to email back a review, and had their script grab reviews from the inbox and format them for the editor to review, it'd be a lot easier. Or if they emailed me a personal link that let me view the paper and leave a review, no login required. But alas, they must overcomplicate it...

Linux kernel patch review is over email like this. It seems to work. I subscribe to a few lists and it makes it easy for anyone to chip in.

It's a bit burdensome on the patch submitter, to collect the feedback into one place, but not that much. At least the burden is on people who want to get the patch in.

GitHub accepts Google account sign-ins. I personally no longer register for services that do not accept my Google account as a form of authentication. I wish not to leave even more online accounts and passwords scattered over the web. With Google auth, they do not get a user's passwords. Without Google auth chances are most people will fall for password-reuse.

Last time I saw a Google account log-in, the remote service wanted full access to my contact list. That is, it was demanded that I betray third-party confidences to friends in order to gain an authentication to the service.

Fuck no.

Here: https://ello.co/dredmorbius/post/vv0bq6oia_06z_yjnmjwzw

I wish we still had Persona.

But there aren't twenty GitHubs. There are three or four, and there are hosted versions of those that are slightly different.

If publishers all used the same software package for content management, we might be somewhere. But every company with an IT department seems to build their own Content Management System at some point. I joke with coworkers that we would solve the developer shortage in North America if we figured out how to stop everyone from writing their own CMS.

So then give them a one-time login ticket, and let them upgrade to an account?

Not saying you could do that with GitHub, but there's design space for it.

When asked to peer review something for academic publication, the PDF of the paper is, in my experience, never ever emailed.

Do you know a reason for this? That seems it would be the lowest-effort option for all involved.

Note that the person asking for the review is not the author of the paper, but the editor of the journal or conference. They have several hundred submissions to keep track of at a time. They need to assign two or three reviewers to each paper, and then find alternative reviewers when those decline. They need to collate all the reviews for a paper, use them to decide whether to accept/reject/accept-with-modifications the paper, forward the reviews to the author (except the parts that the reviewer has marked confidential), having stripped the reviewer's identity. If the authors upload revisions, all the reviewers (but not anyone who declined to review in the first round) should receive the revisions, and so on.

I assume they are trying to keep the documents in question confidential. Email is not confidential.

EDIT: Folks, email is not secure. Even if someone doesn't have access to login to your mail account. Emails in transit are insecure.

Using outside systems to send confidential data is common practice and has been for years.

In practice, it's no more confidential to use a system where you have a separate, high-security system, that sends out new passwords via email on demand.

I disagree. A sysadmin is not allowed to take a peek in emails unless there is a reason. Or if I create a folder named "private" on my work computer or work email, they aren't allowed to look in there without a good reason. But I suppose Dutch privacy laws aren't universal, so I don't know how that would be in your (or the author's) country.

And if you want to take matters into your own hands, you use PGP. But outside of the computer security business I guess that's mostly unused.

This is not strictly true with US businesses and academia. My last place of employment was a university, and per our legal, all data going through the University email or computers is University property; while there is a pledge from IT that all email is private and will not be accessed except for specific circumstances, these circumstances could be pretty much anything and had no relationship to any existing case law outside of what legal felt was necessary to use as reason for why we could access it.

But the pledge was just a formality - should there be any interest to check the mail, there was nothing technically stopping anyone with the required access except for someone else with equal access having a problem with it. Likewise, various management offices had no issue with submitting email fetch requests for the simplest of things, with date ranges exceeding two or three years sometimes for what turned out to be incredibly minor reasons.

There really is no expectation of privacy with academia in the US when it comes to University owned property or services.

(The only reason I found out about any of this from legal was because I asked for clarification on our "duty to report", and one of the lawyers was almost excited as he told me about how we own everything legally.)

If what is not allowed is not enforced by effective technological measures, or at least logged and reviewed by other trusted parties, then it may as well be allowed.

At my company we trust our people and have a web of review. However, we try never to have anyone be the final trusted party - even the boss.

Not allowed, or not able to?

Email in transit is not secure.

You're technically correct (which is the best kind, of course), but for peer-review of scientific papers it's not really relevant.

There's nothing _private_ about the paper, since the author intends to publish it, or about the reviews, since they're going to the author anyway. Only the identity of the reviewers is confidential, and for that email is perfectly sufficient. Well, a standard email client would be far too error-prone; you'd want something like a blind mailing list just so the editor doesn't click the wrong button and accidentally unmask the reviewer.

If you're using large email providers, every step of the email transaction--SMTP to the outgoing server, SMTP between MX's, IMAP/POP to the mailbox server--is conducted using SSL (assuming the end user hasn't elected to avoid SSL when configuring email clients, which is actually hard these days). Yes, SMTP between MX's are routinely sent using SSL: Google reports that about 80-90% of such traffic is using SSL.

Almost all online login systems offer password reset by email. The moment another human has free access to my emails he effectively owns nearly all my accounts.

OpenPGP is probably more secure than whatever system they are using.

>It seems odd to want feedback and then ask someone to go and register somewhere, probably requiring to accept a bunch of legalese in the privacy policy and terms of service... Just attach the document you want feedback on, right?

It's odd, but it still happens all the time.

Recently, in my customer support tickets, more and more of my users have given me email addresses "protected" by http://boxbe.com.

When I write my reply to them and submit, I get an ACTION-REQUIRED from boxbe.com telling me to register + captcha so that I can get on the receiver's whitelist.

It's so invasive that I don't bother. They'll have to check their spam folder for my email.

I'd never heard of BoxBe, so I took a look. Turns out they're owned by http://eDataSource.com which provides "real-time monitoring of 1.5 million active consumer inboxes" for email marketers. No thanks.

I had an email with I think bluebottle that did that, but it automatically whitelisted people if you sent them an email. Personally I think that if people aren't willing to complete a captcha to send me an email, that email is probably not so important for them.

It is a moot point now, because Google's spam filters are good enough that I never see spam, but I just wished there would be an easier way to mass unsubscribe marketing email.

The problem is places like support forms. If you go to my site, click on "contact us" and fill in your message and email, you did not directly email me, as per boxbe. So if I honestly try to reply to you, I'll be forced to waste my time? You better believe you'll never get a reply then.

So to reply to your "if people aren't willing to complete a captcha to send me an email, that email is probably not so important for them.". No. Replying to your request isn't that important to me. It probably was to you though....

Ha ha, I'm at the same "get off my lawn!" moment in my internet life too. The barrier "first, create an account and login..." is one that very, very few products can tempt me to do.

I realized recently that I have space in my life for three log-in websites (HN, a gamedev site, one subreddit), three web apps (gmail, github, slack), and three non-built-in phone applications (instapaper, ride sharing app, twitter). If there's something new in town - it needs to be more valuable than these to knock someone else out of rotation!

Could this be alleviated by password managers or is the act of logging in, in and of itself, a burden you would prefer not to do?

Most logins don't solve any of my problems, exceptions include things tied to a credit card. The more typical best case is that a login solves problems around site administration. A lot of login requirements seem to be based on logins being easy to implement in frameworks or being the designer's concept of how web sites work.

The last one is often a bit of an anti-pattern. For most websites a person who actually lands on and engages with the site is pure gold and putting friction on that interaction adds noise...there are people who won't bother to create an account in the absence of more information than can be gleaned from the 'public' resources (often because most functionality gets hidden behind the login).

More and more commonly, logins are a way of growth hacking: Look at all these email addresses that we can pretend are users and sales prospects.

I'm not mrspeaker, but I have a similar stance regarding apps/logins/etc.

For me, it is the burden of having to create accounts for stuff I'll probably only use once, plus the mental burden of knowing that the website has my personal information and might leak it.

That, and the fact that having an account/app these days is synonymous with "oh, sure, send me all the spam you have!", via e-mail or mobile notifications.

If anything, password managers help me see which accounts I should be deleting.

> If anything, password managers help me see which accounts I should be deleting.

I think this is a hint towards what, IMO, password managers should be moving towards. I would like a password manager to really be an account manager that can do things like:

* Alert me if a site I have an account on has a publicly declared breach

* Let me manage personal details (such as associated email address, phone number, etc.) all in one place

* Tell me how often I use each account (and when I login to them from 'unusual' locations/computers)


Oh, I have been fantasizing about a similar thing for about a decade! Currently my "account manager" is either an e-mail folder (I save the welcome e-mails), or my Facebook/Google account (the "authorized apps" page), and this is far from ideal.

I also wish I could sign up for new websites/services using such a manager. If it already had all my personal info, it would take just one click to sign up. And maybe selecting which personal details I would like to disclose with the website.

Mozilla Persona with browser integration[1] was the closest thing to that. Too bad it was abandoned.

[1] https://people-mozilla.org/~faaborg/files/projects/firefoxAc...

With Dashlane and LastPass, there's a "password changer" feature. You click on a button and it changes your password without having to login to the website. There are also alerts if a website had a data leak. 1Password does this also (Watchtower).

The stickiness of email addresses (having to update email/recovery contacts) and proliferation of user ToSes is yet another limiting factor.

Increasingly I just say "no". I've been cutting back on services and apps. It's something of a relief.

This is, in principle, no different than the fact that you have to log in to Github to create issues or add comments.

What makes it different is that as a profession, we have decided that Github is nice, good, and ubiquitous. Unfortunately, the portals that he's describing are crappy, bad, and balkanized.

I don't have to log into Github to read source code or to curl a repository, at least not yet. And I see the author's situation as more akin as having to create logins to "Ultimategitrepository.tv" and "Gitmaster4u.com" etc. in order to access the material.

Half of what you're saying is definitely covered by my comment ("balkanized").

As for the other half, they're asking him to comment, so fully anonymous access simply doesn't work. The fact that Github is publicly viewable would also be part of what's nice about it, though I obviously wasn't explicit about that.

>they're asking him to comment, so fully anonymous access simply doesn't work.

How so? Just give a link with the equivalent of Google Analytics' utm_source query parameter. Or a link that creates/uses an account that they internally tag as "this is Scott Aaronson".

They have his name, his email address, and can convince him to click a link. That should be enough.
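A sketch of the "one-time login ticket" and "personal link" ideas raised in this thread, as an added example that is not part of any comment or of any journal system: the server signs a ticket bound to one reviewer and one paper, puts it in the emailed link, and redeems it once for a review-only session. The key handling, field names, in-memory store and two-week lifetime are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the review server
TICKET_TTL = 14 * 24 * 3600           # assumption: invitation valid for two weeks
redeemed_ids = set()                  # stand-in for a database table of used ticket ids


def b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the ticket fits in a link."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(body: str) -> str:
    return b64e(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())


def issue_ticket(reviewer_email: str, paper_id: str, now=None) -> str:
    """Build the opaque value placed in the emailed link (hypothetical ?ticket=...)."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": reviewer_email,         # who the editor invited
        "paper": paper_id,             # the only document this ticket opens
        "exp": now + TICKET_TTL,       # hard expiry
        "jti": secrets.token_hex(16),  # unique id, enforces single use
    }
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    return body + "." + sign(body)


def redeem_ticket(ticket: str, paper_id: str, now=None):
    """Exchange a ticket for a review-only session, or return None.

    Call this from the POST behind a "Start review" button rather than on
    the GET of the link, so a mail scanner that prefetches URLs does not
    consume the ticket before the reviewer clicks.
    """
    now = int(time.time()) if now is None else now
    try:
        body, tag = ticket.split(".")
        # Verify the MAC before parsing anything the client controls.
        if not hmac.compare_digest(tag.encode(), sign(body).encode()):
            return None
        claims = json.loads(b64d(body))
    except ValueError:
        return None
    if claims["paper"] != paper_id or claims["exp"] < now:
        return None
    if claims["jti"] in redeemed_ids:
        return None  # replayed link, e.g. from a forwarded email
    redeemed_ids.add(claims["jti"])
    # The session can read one paper and submit one review. Creating a
    # password later is the optional "upgrade to an account" step.
    return {"reviewer": claims["sub"], "paper": paper_id, "scope": "review-only"}
```

Anyone who can read the reviewer's mailbox can redeem the link, which is the same exposure as a password-reset email.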

You have to log in to GitHub in order to create issues on GitHub. But that doesn’t mean you must have a GitHub account to report issues to a project hosted on it. Emailing the author with an issue report (and a patch) works as well.

This can get you flamed, and in a way rightfully so, because you just made the author do more work for seemingly no reason. If no one else regularly has a problem integrating, being That One Person https://xkcd.com/1782/ is a great way to declare that you're hard to work with.

Then you find that GitHub forbids multiple identity contexts for free accounts in their terms of service ("One person or legal entity may maintain no more than one free account"), so if multiple people want you to do things on GitHub but you don't want to mix the activities together, your options are to pay for a monthly subscription (possibly forever) or break the rules and hope your ability to continue participating doesn't suddenly get taken away if they catch you.

Centralization of interaction by type creates social paradoxes like this.

You would have to use it if you wanted to keep the reviews/issues anonymous.

Can’t you use somerandomemailaddress@gmail.com?

It would be similar to Github if you out of the blue emailed someone asking them to review your code for free. But to do so they would have to sign up for SimilarToGitHubX. And when they have done so, they just wait a few hours while you add them to your private repo.

He mentions reviewing papers and grant proposals, which are part of your professional obligations if you're a professor. You're not obliged to do so for any particular journal, but you're absolutely expected to do some, and "cold calling" people is normal.

It would be as if part of your job required code reviewing open source projects in your area of expertise, even where you hadn't previously contributed.

That's not really the issue, the issue is on whose terms must this review take place and there's a strong case to be made that it should be the professor's.

I'd argue that's only true if the system can't be better than emailing papers around.

I think Github/Gitlab/Bitbucket have shown us that you can do better than emailing patches. I think the academic world could do better than just emailing crap (the arXiv has already done this, but not for full on peer-review). It's just that the current tools are not good.

I think Aaronson is mostly right to tell off these journals. However, I think the idea of tools that improve peer review is a good one.

On the topic of "the humans failed to engage them through the intermediary of their bureaucratic process", we long ago stopped accepting any purchases for under $20,000 if the customer insists we apply to their organization, sign contracts, and fill in paperwork to obtain a vendor account with their organization.

Yup. In addition to not creating accounts, I've stopped filling in Captchas, especially Google's notoriously horrible re-captcha (I've already clicked all the storefronts about a million times and still it's not good enough), turning on JS for sites that don't present content without it, using sites that don't work with ad blockers, etc. except when I have no choice (banks, work). To me, all these sites are broken. If they want content, they need to fix themselves, and present something useful and secure. Most won't due to their business model.

I applaud this attitude, not least because it reminds me of the UX design story on allowing guest checkouts: https://articles.uie.com/three_hund_million_button/

Add a hurdle, any hurdle, to your potential users' workflow and you are doing yourself a massive disservice.

This describes an increasingly common practice among online businesses -- aggressively monetize visitors, turn them into clients and corporate assets.

When you visit a typical modern website, within 15 seconds an overlay appears encouraging you to sign up, give away your email address, and become part of what's really happening.

In a hypothetical parallel universe where telling the truth is mandatory, you would visit a website and ask, "So, what are you selling, what is your product?" The website will be forced to reply, "You."

All this apart from the present state of the scientific-technical publishing business (also discussed in the linked article), which uses different methods to obtain the same result: monetize people's wish to communicate with each other.

I wish the sites with the annoying "give us your email now!" popups would be honest. Just say, in plain language:

"You can support this site by giving us an email, which we will then add to a list we can sell to various entities. You don't have to give us your main email address. Just please use something other than mailinator (and their ilk) so it's a saleable address. This will help us stay open despite most of our visitors blocking our ads. We will send you a newsletter occasionally so we can pretend this exchange is not purely about money. Thank you."

The worst are the companies who seem to get completely new systems every few years, and if you didn't log in recently you effectively have to create an entire new sign in, and guess what you can't reuse that email and you have some silly new password restriction because SAP or whoever says so. Just awful experiences.

From the article: Oh, Skype no longer lets me log in either.

Funny, I've had the same issue. Between legacy Skype passwords, Microsoft accounts, and what not, for a period of time it became almost impossible to log into Skype. It has improved, but the reset process was designed almost as a maze to help shed all but the most determined. I was not determined enough and eventually gave up and forced Skype contacts to reach out to me via WhatsApp/GChat/Signal/Duo/Allo/FBMessenger. Anything but Skype.

Side note: Same thing happened to Wunderlist after they too got purchased by Microsoft.

I agree with all the advice and sentiments given. Moreover, the proliferation of user accounts, the stickiness that implies for registration email addresses, the general failures of password-based security systems, and the unconscionably high level of tracking implied by individually registered, client-side tattling interfaces, are all rapidly reaching a crisis point.

Some months back, another HN user mentioned as an aside in comments that he had over seven hundred site authentication credentials. This is a slight inflation over ordinary users, but not tremendously -- the typical citizen will have a score or several accounts -- social media, email, various vendors, and quite easily 100 or more.

There's also the problem of multiple worlds colliding. As YouTube's founder famously noted when faced with a "Please create a G+ account" prompt a few years back. After being reasonably assured that G+ and YouTube activity were separate, I've just learnt that they are not, with results that 1) I'd inadvertently changed my G+ identity and 2) I've yet again blown away a YouTube profile I really don't care for.

I'm not sure what we're going to replace this system with, but extending the current path ain't gonna work.

As for the haircuts, a $25 set of electric clippers addresses that need. Or a blade. A 35 year old man is old enough to learn to cut (or shave) his own hair.

I'm no scientist, but I was involved in a couple of projects with a research group to develop web apps that others could use to run biophysics simulations.

When submitting them for peer review, there was an absolute requirement from the journals in question that the sites did not require a login to use, and not even an email address to be entered to alert the user to results/completion. Result pages and download links were to be provided at a hidden URL which was linked to from the submission page after the form was submitted. So while we did this, we also ended up maintaining emails for job alerts, but optionally so. Most users have since used their emails to run jobs as it is more convenient for them.

But for the reviewers, their requirements made sense. We were submitting to journals which had entire dedicated editions for online scientific apps. Hundreds of them, all of which required peer review by scientists who were being very generous with their time. For a free service, such requirements don't seem at all unreasonable.

"Whenever my deepest beliefs and my desire to get out of work both point in the same direction, from here till the grave there’s not a force in the world that can turn me the opposite way."

Words to live by.

The Journal Of Open Source Software does the review process rather nicely: You send them a PR with your software/description, and then a reviewer will publicly go through the review process (described here: http://joss.theoj.org/about#reviewer_guidelines )

Of course that doesn't work with all of science, you don't always want open peer review, usually because several people are working in various stages on similar or related things, or you don't want to publicly criticize the reviewed party, or you don't want to make the reviewer look bad when the reviewer doesn't know what s/he is talking about

Google now hosts web pages on Google Drive you can't even read without a Google account. Please don't use or link to those.

On a related, but more trivial level, I note that a lot of places that used to have a nice little punch card or whatever for a loyalty program now have accounts you can log into. So I can, if I want, choose to have to remember a burrito password. Awesome.

This is a global issue. We all experienced friends or people asking for joining them on their social network, or their IM app, which unfortunately you're not on. Same for vendors and partners and such that ask you to create accounts on their websites for sometimes just a single event or document to sync. XKCD recently published a fun illustration of it (1810).

On the other hand, most of us want to split between work and friends, between private and public. So we have different accounts for this purpose. I don't use Twitter and Linkedin the same way, and I don't have the same circle of relations connected by those means. So it may be "convenient" to have separate accounts, but at the same time this becomes a burden to maintain and check every of these (not counting data breaches and so).

My current practice is the following : - an email address for my close friends & family. - some public accounts for infosec usage (linkedin, twitter...) - some undisclosed accounts for my professional usage. - some undisclosed accounts for my private usage (ecommerce etc.) - all the rest (a vast majority) uses throw-away emails (I own a domain, enabling me to generate unique email addresses per website) and random passwords, so I don't care to monitor them or if they are breached. If I know I won't use the site frequently I don't even remember the password, I just do a "recover password" if I need it in the future.

My rules:

1. never reuse the same email twice for websites. That also helps me monitor breaches and/or spam and/or db resellers.
2. never reuse the same password twice. Obviously.
3. never use 3rd party authent such as "Login with FB, Twitter or Gmail", as it breaches the first rule.

It generates some work to maintain all of this, but I've been doing it for probably over a decade, and it's now a habit I can't quit, considering the benefits.

So, back to the paper, I'd tend not to follow this guideline, even if I'm tempted to do so.

I'm in the process of setting up the same thing for my email. Any interest in sharing what you're using?

I have a godaddy domain with email. I give each company companyname@myfakedomain as the email. They all forward to me at astro@myrealdomain. If/when they aggressively send me aggravating email, I flip it to forward to some big wig at the company and forget about it.

Works well and is pretty cheap.

Thanks, though I am looking for something that I can manage myself. I won't say without a third party - using a VPS - but I am trying to build it such that I can pick up and move to a different VPS provider without a lot of pain.

Sure, I had a post about my setup on my blog around 1y ago : éé.net/ak5

Excellent, thank you.
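The per-site address and random password practice described in the comments above, as an added example that is not part of the original thread. The domain `example.org`, the key, the keyed tag appended to each alias (so an address cannot be guessed from the site name alone), and all sample mail entries are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string

DOMAIN = "example.org"               # assumption: a domain you own, with catch-all delivery
ALIAS_KEY = b"constructed-demo-key"  # assumption: private key, constructed for this demo
# Constructed record of which sender domain each alias was handed to.
ISSUED = {"burrito-shop": "burrito-shop.example",
          "journal-portal": "journal-portal.example"}

def _tag(label):
    """Short keyed tag so aliases cannot be guessed from the site name alone."""
    return hmac.new(ALIAS_KEY, label.encode(), hashlib.sha256).hexdigest()[:8]

def alias_for(site):
    """One address per website: <site>.<tag>@DOMAIN."""
    label = "".join(c for c in site.lower() if c.isalnum() or c == "-")
    return f"{label}.{_tag(label)}@{DOMAIN}"

def attribute(recipient):
    """Return the site an address was issued to, or None if it was never issued."""
    local, _, domain = recipient.lower().partition("@")
    label, _, tag = local.rpartition(".")
    if domain != DOMAIN or not label:
        return None
    ok = hmac.compare_digest(tag.encode(), _tag(label).encode())
    return label if ok else None

def random_password(length=24):
    """Per-site random password drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "-_.!"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def leaked_aliases(mail):
    """Sites whose alias received mail from a sender other than the site itself."""
    leaks = set()
    for recipient, sender_domain in mail:
        site = attribute(recipient)
        if site and ISSUED.get(site) != sender_domain:
            leaks.add(site)
    return sorted(leaks)

# Constructed (recipient, sender domain) pairs standing in for an inbox log.
SAMPLE_MAIL = [
    (alias_for("burrito-shop"), "burrito-shop.example"),
    (alias_for("journal-portal"), "bulk-mailer.example"),
    ("journal-portal.zzzzzzzz@example.org", "bulk-mailer.example"),  # guessed tag
]
```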

The author was me before I started using LastPass password manager and form filler. I can input my name, address, credit card number in seconds, and it will automatically track all my logins. There are many other such apps out there besides LastPass, so this is not a particular endorsement of that product. And, of course, LastPass or another password manager will not fix all the bad websites out there.

And that is why we have implemented this in our platform:



Lol this reminds me of the Demolition Ship Captain incident at AoKH where DSC hacked into Angel THS's account (and then banned half the active users on Age of Kings Heaven) by just creating a website where he could get Angel THS to use the same password he could use everywhere (HUNTER).

Unreadable for the over 40 crowd on mobile.

And as usual, all for nothing. The site makes 43 separate GET requests and transfers 562KiB of data over the span of 8.25 seconds to load ... wait for it ... 3.7KiB of text.

And the site is solid black text on a solid white background. This article would have literally been better as a link to a .txt file on a static file server. The modern web is really such a disaster.

Although I would have then missed out on this gem of a comment ( www.scottaaronson.com/blog/?p=3203#comment-1733204 ) -- and I do mean that sincerely, no sarcasm. Seriously, I can't stand places that make you call in advance either :P

Ah, MathJax

Kind of ironic given the content of the linked post. He wants everyone to do things that are maximally convenient for him, but he doesn't even have a simple responsive layout on his site to make the margins taking up half the screen real estate disappear so that it's convenient for anyone on mobile to read his stuff.

That's even more funny since HTML will automatically fill the width of the page. He goes out of his way to create margins to help people with wide screens but doesn't consider the effect on small screens.

I just remember in the 90's when the web started taking off and all these designers and people used to regular print publications came along and had to control the page layout when the whole point was to let the layout change to fit the user's needs. Margins are not necessary at all - the user can adjust the width of their browser window to alter the width of a line of text, but that's not fashionable these days.

A max-width: 80em; is a nice readability enhancement so that users don't have to resize their browser windows after each tab change. The problem is they don't use max-width, they end up using width instead.

And as you said, the forced margins are also a problem here.

Also, to any designers reading this: please don't use text justification, either. I know it looks prettier as abstract art, but it does nothing but harm readability of your actual content.

So would using max-width along with center be appropriate? That seems like it would be very accommodating.

It certainly should be, yes. Would have rendered almost identically on the desktop, but rendered properly on cell phones.

Everything is unreadable for the over 40 crowd on mobile. That's why I use Firefox reader view on mobile. On desktop it's as simple as ctrl-shift-+

No, this site is especially bad. 50% of the total screen real estate is taken up by useless margins that shouldn't be there on mobile, and the text size is way too small. Most sites do a way better job of rendering on mobile.

Yes, that site was poorly designed. Unfortunately that is true of most sites to varying degrees IMHO. I browse in desktop mode on mobile (because I don't want the sites to treat me differently) and then use reader mode to read (because then I get a consistent experience).

Use Reader mode if you're on iOS.

Funny, I did not even notice that it is unreadable on mobile. I almost subconsciously pinched to get rid of the margins the first thing I did. This problem is extremely prevalent.

Just double tap to zoom?

Just increase the text size. It becomes easily readable. The font size is larger than text here on HN.

Who don't use Firefox and its perfectly usable reader mode.

> Why didn’t I call myself? Mostly, because I hate making unsolicited calls of any kind, a phobia that I admit isn’t entirely rational and that often causes inconvenience.

Interesting. I hadn't thought of a reservation as being unsolicited. What about online reservations that are more pubsub-like?

The unnecessary accounts I hate the most are the ones that are needed to send feedback. An account should not be required for that if you want feedback from outside your happy users bubble.

Narcissistic proclamation in a blog that brings no discussion or interesting thoughts.

A recent link from Scott Aaronson's blog points to his survey paper on P and NP (http://www.scottaaronson.com/papers/pnp.pdf).

If you think that this brings no "interesting thoughts", this probably says more about your intellectual tastes than it does about Aaronson's work.

If you ever wondered what people meant by out of touch "ivory tower" academics, just read this post.

Just imagine telling a client, "sorry I don't open Google Docs on principle. Life is too short and too precious."

This is an academic talking about work he's doing for free to help other academics and students. In order to help these people, he's required to engage in shadow work that benefits neither him nor the people he's trying to help.

I applaud the stand he's taking. Rent-seeking publishers are not only extracting value without providing much to justify their slice of the pie, they're doing it in such a way as to put an additional burden on everyone else.

If I had a client who forced me to spend twenty minutes creating an account and logging into a service that provided a hostile user experience, I'd try to educate them about better alternatives, and if they weren't amenable to that, I'd charge them for the wasted time.

You say that but if one looks at your example at face value then you would be surprised how often things like that do happen. I had one supplier threaten to cancel business relations with us if we didn't send through customer details (related to the product they were supplying) on an excel spreadsheet via email. It took quite some negotiation to agree a secure compromise.

That's just the most recent example but I've had to deal with countless insane demands from suppliers like this over the course of my career. In several cases being borderline to saying "if you don't want our business then there's plenty of other suppliers that do".

However by far the most annoying one I've had, and one that used to be commonplace 5 years ago in the UK, was recruitment agencies refusing to accept CVs in PDF form. They would accept a Microsoft Word document or RTF. Some even accepted plain text files. But a PDF was point blank refused even in tech-agencies. This used to be a real pain for myself, a Linux developer and administrator who didn't run Windows so couldn't guarantee what OpenOffice would spit out when exporting to .DOC. I ended up having to use a spare work machine and thankfully had a very forgiving boss.

It's been nearly 10 years since I've had to deal with recruiters but I remember asking about the DOC requirement and basically it was because they edited my CV before passing it on to the client (particularly to cut out any personal information so that the client could not contact me directly). RTF was easy enough to generate though, so it wasn't a big deal for me.

When they insist on a doc document it is because they want to edit it, which means they are about to screw you over.

I guessed that much myself to be honest :). However it has always been trivially easy to copy and paste content from a PDF so their restriction didn't make much sense to me even with that point in mind. And with the added issue that every tech recruiter I approached enforcing the same policy, it made it impossible to shop around for recruitment agencies that would honour my CV.

Thankfully I've not had the same issues when job hunting again recently. At least not thus far.

On the other hand, I previously had a job where I was almost always the customer. As a B2C website, we ensured that customers wouldn't have to login, they could, but they surely didn't need to if they didn't want to. Anyway, as one of the developers, every third party was pretty much always someone who wanted our money when they wanted to talk to me.

That put me in a position to dictate pretty much everything, be it the company policy on a maximum of one month legal binding on any contract, or how I wanted to be contacted.

After a few years of setting 15 minutes aside as prep for Skype calls and 30 minutes for Hangout call or any "enterprise" group chat thing, I started to dictate that anyone who wanted to talk to me had to call me on my desk phone or write an email. If you didn't like it, too bad, you have competitors that will call a normal phone number.

In my current job we sadly accept that customers want to use Skype, but you have to be a pretty big customer, otherwise it's phone, email or an in-person meeting. We do tell customers that we prefer email, or actually that we NEED them to write us an email to have an audit trail. Putting stuff in a Google Doc isn't helpful either, we still require you to send an email.

I understand that if you're a one person shop, then you can't be picky, but maybe you should. For most of us, requiring a phone call or an email is very much doable.

I'm a journalist, and I'm going to adopt this approach in dealing with PR people. Thankfully they're already used to it.

> If you ever wondered what people meant by out of touch "ivory tower" academics, just read this post.

Did you read this: "I’ll continue to devote a huge fraction of my waking hours to fielding questions from all sorts of people on the Internet, and I’ll do it cheerfully and free of charge."

The guy is doing more than most, is it so much to ask people to be polite and make things easy when asking for help?

These aren't clients.

An analogy: Many in the tech industry are happy to offer advice to random people at the start of their careers. But the onus is on the person looking for advice to make it convenient for other person.

If you received an email that said someone was looking for advice on some tech topic you were familiar with, but in order to see the details of the request and respond you have to create an account and log on to this unfamiliar website, how would you respond? I'd delete it and move on with my life. I'm happy to help, but I'm not a circus animal and I'm not going to jump through hoops for free on behalf of random people that I don't know.

No. Imagine you telling your client 3 times a day to create a different account with different workflow.

Did you even read the article and its main point?

I think many just skipped the article and missed the whole point by miles. Just look at that page's comments, over and over again people suggesting a password manager.

Like, that's not the point! That's barely tangential, and not even mentioned anywhere as 'the issue'! It's about mandatory account creation! How would a password manager even solve that! /rant

It depends on your market position. If you're a successful company, you get to tell clients what way to send stuff in.

BTW. I don't see it as being "out of touch". I see it as a gentle reminder of how we're all wasting each other's time building stuff that requires creation of accounts for no real reasons (except sales tricks).

Actually he said explicitly that he would open Google Docs. And 90% of the world has a Google account already. What he doesn't want to do is waste 20-30 minutes to create an account and log into a new system every time someone wants feedback on something.
