How SSH got port number 22 (ssh.com)
1034 points by kissgyorgy on April 23, 2017 | hide | past | favorite | 207 comments

A more interesting story is why the older services use mainly odd port numbers (i.e. 21 = FTP, 23 = telnet; why was port 22 free at that time?). It turns out it is because the protocol which preceded the invention of TCP, called NCP, used even-odd pairs of port numbers, with even for "outgoing" data and odd for "incoming". So the well-known port numbers for incoming services were all odd.

You can follow the assignments of such "socket numbers" for NCP in RFCs 349, 433, 503, 739, 750, and 755. RFCs 758, 762, 770, 776, and 790 address both socket numbers for NCP and port numbers for TCP/IP simultaneously. RFCs 820, 870, 900, 923, 943, 960, 990, 1010, 1060, 1340, 1700 continue that work for port numbers only and RFC 3232 finally switches it to an online database.

RFC 349:

        Socket          Assignment
           1            [Old] Telnet
           3            [Old] File Transfer
           5            Remote Job Entry
           7            Echo
           9            Discard
RFCs 349, 433, and 503 also provided a list of conflicting socket numbers used on specific hosts.

Back in the "bad old days" of the simplex NCP protocol [1], before the full duplex TCP/IP protocol legalized same-sex network connections, connect and listen sockets had gender defined by their parity, and all connections were required to use sockets with different parity gender (one even and the other odd -- I can't remember which was which, or if it even mattered -- they just had to be different).

The act of trying to connect an even socket to another even socket, or an odd socket to another odd socket, was considered a "peculiar error" called "homosocketuality", which was strictly forbidden by internet protocols, and mandatory "heterosocketuality" was called the "Anita Bryant feature" [2].


When the error code is zero, the next 8 bit byte is the Stanford peculiar error code, followed by 72 bits of the ailing command returned. Here are the Stanford error codes. [...]

IGN 3 Illegal Gender (Anita Bryant feature--sockets must be heterosocketual, ie. odd to even and even to odd) [...]

Illegal gender in RFC, host hhh/iii, link 0

The host is trying to engage us in homosocketuality. Since this is against the laws of God and ARPA, we naturally refuse to consent to it.


    ; Try to initiate connection

            init log,17
            sixbit /IMP/
            jrst noinit
            setzm conecb
            setom conecb+lsloc
            move ac3,hostno
            movem ac3,conecb+hloc
            setom conecb+wfloc
            movei ac3,40
            movem ac3,conecb+bsloc
            move ac3,consck
            trnn ac3,1
                jrst gayskt            ; only heterosocketuals can win!
             movem ac3,conecb+fsloc
             mtape log,[
                    byte (6) 2,24,0,7,7
                         ]          ; Time out CLS, RFNM, RFC, and INPut


    gayskt:    outstr [asciz/Homosocketuality is prohibited (the Anita Bryant feature)


        ife rsexec,<jrst rstart;>exit       1,
(The PDP-10 code above adds the connect and listen socket numbers together, which results in bit 0 being 0 if they are the same gender, then TRNN is "test bits right, no change, skip if non zero", which skips the next instruction (jrst gayskt) if they are of different sex.)

[1] https://en.wikipedia.org/wiki/Network_Control_Program

[2] https://www.youtube.com/watch?v=H-A2Ql81WTY
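The NCP parity rule described in the comments above (even and odd socket numbers, and the PDP-10 test of bit 0 of the summed socket numbers), as an added example that is not code from the thread or from any NCP implementation. The socket table is a copy of the RFC 349 excerpt quoted earlier in the thread; the function and error names are a reconstruction for illustration only.

```python
"""Added example: the NCP socket "gender" (parity) rule.

An NCP connection had to pair an even socket with an odd one.  The PDP-10
excerpt in the thread adds the two socket numbers and tests bit 0 of the
sum; this mirrors that logic and checks the thread's claim that all the
well-known server sockets in RFC 349 are odd.
"""

# Copy of the RFC 349 socket table as quoted in the thread.
RFC349_TABLE = """\
        Socket          Assignment
           1            [Old] Telnet
           3            [Old] File Transfer
           5            Remote Job Entry
           7            Echo
           9            Discard
"""


def same_gender(connect_socket: int, listen_socket: int) -> bool:
    """True when both sockets have the same parity.

    This is the PDP-10 test from the thread: add the two socket numbers and
    look at bit 0.  even+even and odd+odd give an even sum (bit 0 clear);
    even+odd gives an odd sum (bit 0 set).
    """
    return ((connect_socket + listen_socket) & 1) == 0


def check_connection(connect_socket: int, listen_socket: int) -> str:
    """Return 'ok' for a legal mixed-parity pair, or 'Illegal Gender'
    (the name of the Stanford IGN error quoted above) for a same-parity pair."""
    if same_gender(connect_socket, listen_socket):
        return "Illegal Gender"
    return "ok"


def parse_socket_table(text: str) -> dict:
    """Parse the two-column 'Socket  Assignment' table into {number: name}."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            table[int(parts[0])] = parts[1].strip()
    return table


def server_sockets_all_odd(text: str) -> bool:
    """Verify the claim that every well-known NCP server socket is odd."""
    table = parse_socket_table(text)
    return bool(table) and all(number % 2 == 1 for number in table)


if __name__ == "__main__":
    for pair in [(2, 1), (1, 3), (4, 6), (8, 9)]:
        print(pair, check_connection(*pair))
    print("RFC 349 server sockets all odd:", server_sockets_all_odd(RFC349_TABLE))
```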

I think this is both insightful and funny. It's a pretty interesting little thing that I'm sure could easily get blown out of context by the same people who get upset when they learn about master and slave devices.

SimHacker and DonHopkins are the same person. Check out SimHacker's history and Don's site; he is a hacker of The Sims.

I don't know why he uses two accounts!

I don't use them at the same time: I switched over to using my own name instead of an old alias.

Whenever I plagiarize myself, I try to check the links and refine the text to keep it relevant.

Just posting a link to an old article requires less effort for me, but more effort for other people to switch context, navigate and read. And a server's disk space and bandwidth aren't as precious as a reader's time and effort.

It was not my intention to trigger mdekkers into having fits about SJWs, or shocking paxcoder who is not a gay supporter.

Personally I think it's great that you reposted your comment.

I suggest however that when you do, you add a line to the bottom that says something along the line "This comment was based on an earlier comment I made X days ago using another account." when you do just to keep people from accusing you of plagiarizing others.

I'm okay with it. I hadn't seen the last time it was posted and I found it very interesting.

Wow, nice catch, how did you do it?

FTP does this too in active mode, right? Port 21 for commands, port 20 for data

And now it all makes sense. That's amazing.

It's not only older services, also fast services. TCP is not the best and fastest protocol for data at all. It's just Cold War security with its 7 flows of ack to close. "Are you there? Here you are. Got it? Really got it? Ok, you got it" TCP vs "Here you are" UDP.

HTTP Streaming e.g. is only there to artificially keep traffic numbers up by factor 3 but has not much technical justification, other than fix a broken RTSP negotiation.

For example if you telephone with somebody over SIP you will be assigned two UDP numbers (RTP is UDP), you at an even number and the return stream on the next odd number. You don't care if each and every audio frame is ACK'ed. That's why sometimes someone can hear you, but you cannot hear them. No ack for the return stream.

A convention for even/odd ports also appears in RTP/RTCP.

Minor side bit here,

> The number should preferably be in the range 1-255 so that it can be used in the WKS field in name servers.

Well-known service (WKS) records let hosts advertise in DNS which services a given machine made available, by listing which of the assigned port numbers were open for TCP or UDP connections. This never really caught on, as few people used them, even fewer kept them up to date, and checking WKS provided very little real benefit over just attempting a connection.

They had been deprecated already in 1989 through RFC 1123 [1], but it seems that by the mid-1990s at least some people still considered them relevant.

[1] "An application SHOULD NOT rely on the ability to locate a WKS record containing an accurate listing of all services at a particular host address, since the WKS RR type is not often used by Internet sites. To confirm that a service is present, simply attempt to use it." https://www.ietf.org/rfc/rfc1123.txt

How similar/different is WKS to the modern SRV record?

IIUC, WKS was basically just a list of ports you could expect to be open on a host, while SRV allows you to indicate a separate server to handle a given service.

Wikipedia[0] has the example of a SIP telephony server, `example.com` sets a SRV record that redirects interested clients to `sipserver.example.com`.


Yeah, there's no pointing to other hosts in WKS, just information on the host itself. I believe it came out of ideas about service discovery in the early days of the internet, when you might know of 100 other hosts, but not know which ones ran SMTP, FTP, etc. The WKS records would let you get a map of the net's services by doing a bunch of DNS lookups instead of having to portscan everyone.

SRV records are more like an MX record generalized to arbitrary services, allowing a domain to point to the hosts that provide various services for that domain.

Thanks, I was curious what WKS was.

It's not a terribly interesting story IMO.

The author (Tatu Ylonen) sent an email to Joyce K. Reynolds at IANA, on release of v.1.0 of SSH protocol, and IANA agreed to assign port 22.

That's kinda it.

A summary of SSH use follows the story which is a good overview for someone new to it.

I think it's interesting for how simple and informal it was in 1995. I always imagined that port allocation was a much more formal process more akin to an ISO or ECMA standardisation, but nope - Tatu sent an email asking for it and Joyce basically just replied with "sure thing, it's yours". For something as critical as port allocation it's pretty interesting/funny how casual it was.

The process hasn't really changed much (I applied for a port allocation 5 years or so ago). There's a little questionnaire you fill out, and there might be some back-and-forth over email to clarify the answers but basically it's no more complicated than you email someone and if you fit the criteria they reply with your port allocation.

What has changed is that there is essentially no chance of getting a privileged port allocated now.

Yep it's still very easy and informal. I did it a year or two back to get a DNS-SD entry [1] defined. Just fill out the form [2] and do some back and forth - even updating it is easy. Also yes, a dedicated port is very hard to get - you thought IPv4 was running out ;)

One of the side effects of them being such a widespread and networked group is that when I made my application, they suggested I go talk to one of my coworkers (as loosely defined as that is at Microsoft) since he helped standardize the body anyhow. A bit of zen - "the answers you seek were within you[r org chart] the whole time"

1. https://www.iana.org/assignments/service-names-port-numbers/...

2. https://www.iana.org/form/ports-services

Reminds me a bit of how Eli Lilly landed a class A subnet. They applied for a class B sometime around 1990, but Postel found out how large their company was and gave them an A instead.

(Update: s/network/company/

I doubt they had all that many networked computers at the time, but fuzzy memories of a third-hand story.)

Halliburton ( and Ford ( too.

He sort of should have realized there aren't enough class As even for companies of Eli Lilly's size.

IPv4 was an experimental protocol.


Hah. Just like sockets were an "okay we'll just use this hack until we come up with something better." I think sockets (or what became sockets) crystallized (or started that process) around MULTICS?

He apparently later lamented that Lilly wouldn't return it. I believe they've released large chunks of it by now.

When I registered my first .com address in 1995, I emailed "the guy" who handled them after getting the NCSA webserver up so they could prove I had a server.

Things were considerably more casual in the 90s...

I hope you got a good one!

RFCs were informal. Kind of like 'Sup, here is my proposal for...'


"Unlike the modern RFCs, many of the early RFCs were actual requests for comments and were titled as such to avoid sounding too declarative and to encourage discussion"

Meanwhile authors found that very few people were commenting on them, and decided that they might as well declare and standardize from the get go ;)

Critical how?

It's just an informal agreement. It's just a 16-bit number.

Critical in the sense of avoiding collisions between protocols. Imagine if redis and mysql had ended up with the same default port, and how much of a nightmare that would be.

It would only mean you could not run redis and mysql on the same host, and your default assumption about what port to connect to might be wrong 50% of the time. Easily handled, though.

There are certainly cases of different software using the same unprivileged ports by default. It's probably more rare for the privileged ports.

Who runs redis and mysql on public facing ports?

What's the big deal if you run ssh on port 443 as many do, together with nginx on the same port?

Or if you run a web-server on port 22 and irc on 21.

> What's the big deal if you run ssh on port 443 as many do, together with nginx on the same port?

The deal is that if we're talking of TCP apps on a single network interface, you can't.

The deal is also that it's handy to know where you can expect to see a common service running.

> The deal is that if we're talking of TCP apps on a single network interface, you can't.

No, but you can fake it with sslh: http://www.rutschle.net/tech/sslh.shtml
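The trick sslh relies on, as an added example that is not the thread's code and not sslh's own source: a multiplexer on the shared port reads the first bytes a client sends and routes the connection to the right backend. An SSH client opens with an `SSH-` identification string, a TLS client with a handshake record (type 0x16, major version 0x03), an HTTP client with a request line; a client that stays silent until the probe timeout is treated as SSH, because SSH is the protocol in which the server may speak first. The backend addresses, the default for unrecognised traffic and the sample byte strings are constructed for this example.

```python
"""Added example: first-bytes protocol sniffing for an SSH/TLS/HTTP port share.

Not from sslh; a small reconstruction of the idea behind it.  Backends and
samples are constructed placeholders.
"""
from typing import Dict, Optional, Tuple

# Constructed placeholder backends that the multiplexer would front on 443.
BACKENDS: Dict[str, Tuple[str, int]] = {
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 8443),
    "http": ("127.0.0.1", 8080),
}
# Assumption: traffic that matches nothing goes to the service the port advertises.
DEFAULT_PROTOCOL = "tls"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")

# Constructed sample openings, one per protocol.
SAMPLE_SSH = b"SSH-2.0-OpenSSH_9.0\r\n"
SAMPLE_TLS = b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"   # handshake record, ClientHello
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def sniff_protocol(first_bytes: bytes) -> Optional[str]:
    """Classify a connection from the first bytes the client sent.

    SSH:  the client identification string begins with "SSH-" (RFC 4253).
    TLS:  record type 0x16 (handshake), major version 0x03, minor 0..4,
          which covers SSL 3.0 through the TLS 1.3 compatibility versions.
    HTTP: a request line starting with a method token.
    Returns None when nothing matches.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return None


def choose_backend(first_bytes: bytes,
                   client_timed_out: bool = False) -> Tuple[str, Tuple[str, int]]:
    """Pick (protocol, backend address) for a new connection.

    A client that sent nothing before the probe timeout is assumed to be SSH,
    since an SSH client may wait for the server's banner; anything else is
    classified from its first bytes, falling back to DEFAULT_PROTOCOL.
    """
    if client_timed_out and not first_bytes:
        proto = "ssh"
    else:
        proto = sniff_protocol(first_bytes) or DEFAULT_PROTOCOL
    return proto, BACKENDS[proto]


if __name__ == "__main__":
    for sample in (SAMPLE_SSH, SAMPLE_TLS, SAMPLE_HTTP, b""):
        print(sample[:12], "->", choose_backend(sample, client_timed_out=not sample))
```

In a real deployment the probe buffer is read with a short timeout and then replayed to the chosen backend; the classification above is the only part that differs between protocols.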

It might not seem much to you now, but to a student in Finland, receiving an immediate and positive response to a request from a very important person in your field is y(h)uge.

I recall the feeling I got the first time I sent a message to the Nessus mailing list. I couldn't compile the program so I was asking for help.

I thought I was going to wait for a long time, but was surprised when a response came a few minutes after. The response came from the author of the program itself, and he was very nice in how he answered my question. It was obvious that I was a noob and needed hand-holding. It made a lot of difference to me.

You have no idea how that positive response affected Tatu.

Edit: Changed possible to positive in the last paragraph.

@finid's post reminded me of when I asked for help on the CFEngine mailing list and got a prompt and kind response from the author, who even advanced the release schedule to meet my needs. This was while the author (unbeknownst to me) was putting together a company, dealing with VCs, etc.

I blogged about this at http://verticalsysadmin.com/blog/cfengine-is-awesome/

It's interesting to me simply because it's so profoundly critical, moving the platform dramatically ahead (and serving as the basis of so many other systems), and somehow it was never humanized to me -- it just was. Seeing the author discuss their motivations and process is fascinating to me.

It's also interesting because he wrote an email to just one person and it took no other real effort to make such a huge sweeping change to the Internet.

I wonder if the creator of ssh thought that he/she would still be working on it in 2017.

He did attach an RFC that was in draft but ready for publication....so it was at least more than just an email

Yes, agreed, perhaps I should have said "inherently"; it seems all of those things are kinda meta.

>It's not a terribly interesting story IMO.

You'd be surprised how interesting I and others find this story.

Of course if you grew up taking all these for granted, and don't have an interest in how things were back then, it might not be.

But there are tons of interesting stuff in this short post, including the informality of how SSH started.

>if you grew up [taking] all these for granted, and don't have an interest at how things were back then //

Bit pejorative there.

I find it more "huh, nice to know" rather than "wow, I'll tell my friends"; I'll hand in my rainbow books on the way out ...

If I showed you the email asking that the "go" light be green, and the people who control vehicle traffic on the entire earth were like "ok green it is", would that be interesting to you?

I'm not really into artefacts in that way. Somebody decided to use green, there might even have been a letter sent, but it's an expected part of the creation of a traffic light colour; so no, I wouldn't really find that of particular interest. (BTW it seems green was used in analogy to train signals; early traffic signals used semaphores, like train signals, which go back to the use of signal flags.)

I've been using the internet since one could decide how to route the emails one sends, I've used SSH a lot: it's just not interesting as a story, it's barely a factoid.

FWIW I think a better analogy is the adoption of CQD as the distress signal for Morse operators (https://en.m.wikipedia.org/wiki/CQD). It's interesting, but the manner in which it was adopted has no story to it.

That's precisely what makes it interesting. It was a remarkably simple interaction for something many consider to be a critical service.

What if they simply said; no. Try again in a year. I wonder if SSH would be widespread today if that were the case

I had always just assumed 22 was picked because it was next to telnet/23. Seems like an obvious choice anyway... I guess it being just a single query to the IANA and a single response to make it official is surprising.

And the whole thing was resolved within the same day:

  Request: Mon Jul 10 11:45:48 +0300 1995
  Response: Date: Mon, 10 Jul 1995 15:35:33 -0700

It's a great little story, shining a nostalgic light on the simplicity of life, the universe etc. in 1995.

I wonder if there will be a new invention like the Internet during my lifetime, where I can actually participate in shaping and defining it.

While I grew up with computers, when the Internet got to the first homes like mine, I was still too young and had only very limited programming skills to contribute to it.

Love these stories about how simple and straight-forward it was to have a huge impact. I guess there is some nostalgia involved, but these were, in my opinion, better times.

> I wonder if there will be a new invention like the Internet during my lifetime, where I can actually participate in shaping and defining it.

I remember asking myself that same question at age 14, in 1978. It seemed like all the cool stuff had already been done by giants.

There I was using a flaky homebrew S-100 personal computer at home and a single-user networked computer (lisp machine) at MIT (no, I was not a student at 14!) that could connect over the ARPAnet to all sorts of other hosts. Ahead of me was the PC revolution, Internet revolution, mobile revolution and others. I couldn't see any of it.

But over the years I got to work on the plumbing of all sorts of crazy developments, some influential, some not, all of them really fascinating. And some of the stuff I worked on in the mid-late 1980s is just now starting to come to fruition.

I think the two keys are in what Ylonen writes about ssh: 1> he just did it, and was not afraid to do things like ask for a port assignment and 2> he announced his work. Funny, he did it on cypherpunks@toad.net -- run by my business partner John Gilmore; the cypherpunks used to meet in our offices at Cygnus. I remember we switched to ssh basically immediately.

Someone else responded that all the interesting stuff starts out small by definition. That's very true, but doesn't mean there isn't room to grow. Some interesting things come in later. For example YouTube: seems stupid to me, since if you wanted video you could always put it on your site, where it would be connected with other relevant stuff. Obviously I was an idiot: the "medium was the message" -- but it couldn't have gotten going until another revolution (TCP) already existed.

So consider something like Bitcoin: I'm pretty sure BC isn't going to make it (and Youtube wasn't the first either) but some elements, recombined with other ones, will be quite influential.

Oh, and revolutions take a long time to get going. They just look fast in retrospect and at the time because you can't see the rest of the iceberg.

> YouTube: seems stupid to me, since if you wanted video you could always put it on your site

Given that the majority of "YouTubers" today are tweens, I'd say the real decisive factor there was that there are people who want to post videos to the web but don't have a website (or any desire for one.) YouTube, beyond its social-networking aspects, was (and still is) a video pastebin, which is something that (AFAIK) didn't exist until then.

In fact, as far as ideas go, "a pastebin for [file format X with huge file sizes], where other people can view your [X] embedded on the page, and you don't have to pay for the bandwidth charges incurred when they do" is almost always a winner.

I agree! I was making fun of my own naiveté. I think sites like Youtube are great (even though I never post on it and almost never watch anything on it).

Unfortunately "seemed" got autocorrected to "seems", and I didn't catch it, grr!

You made free software affordable! ;)

Thank you for the wisdom. :)

> these were, in my opinion, better times

Oh hell no! ;) I mean that only with love & nostalgia, not to challenge your opinion. But that sounds like grass-is-greener syndrome, because networking and coding used to downright suck compared to today.

It's cool to see that getting a port number was easy in 1995, but keep in mind how silly it is to have to get a port number in the first place. That comes from needing to keep port names very small, in 16 bits. At some point someone is going to invent a scheme that uses names instead of numbers and reshape the internet again...

There are definitely lots of areas ripe with cherries, maybe even more now than there were then, and I suspect there is now less luck and more merit involved too. AI is in its infancy right now, and people are making huge contributions with fairly simple improvements. Even as far as ssh & networking goes, we're having a global crisis of privacy as we speak; there are grand canyons of space waiting for people to fill & make a huge impact.

It will probably take caring about something through the hard times when nobody else seems to care, or solving something specific that ends up getting lucky, or a massive ton of rallying, but there are plenty of ways to participate and shape and define your future that will have a huge impact!

> At some point someone is going to invent a scheme that uses names instead of numbers and reshape the internet again...

That exists already: https://www.iana.org/assignments/service-names-port-numbers/...

Scroll past the port numbers, and you will find plenty of protocols with only a name registered. This name is used by DNS SRV records. If you’re designing a new protocol today, you don’t need a reserved port number. Just do what Minecraft did and require SRV records to point to whatever port number is used. The load balancing and failover features of SRV records are a nice bonus.
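The SRV mechanism discussed in this comment and in the WKS-versus-SRV exchange earlier in the thread, as an added example that is not code from the thread: given the records a resolver returns for a service name, a client orders the targets by priority and, within a priority, by weighted random selection (RFC 2782), which is where the load-balancing and failover the comment mentions come from. The records for `_sip._tcp.example.com` are constructed sample data in the spirit of the Wikipedia SIP example cited above; no DNS query is made.

```python
"""Added example: RFC 2782 SRV target selection over constructed records."""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SRV:
    """One SRV resource record: priority, weight, port, target."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer for _sip._tcp.example.com (not real DNS data).
SAMPLE_RECORDS = [
    SRV(10, 60, 5060, "sipserver.example.com."),
    SRV(10, 20, 5060, "sip2.example.com."),
    SRV(10, 20, 5060, "sip3.example.com."),
    SRV(20, 0, 5061, "backup.example.com."),   # failover: tried after all priority-10 hosts
]


def order_targets(records: List[SRV], seed: Optional[int] = None) -> List[Tuple[str, int]]:
    """Return (target, port) pairs in the order a client should try them.

    RFC 2782: a single record whose target is "." means the service is
    explicitly not offered.  Otherwise lower priority values are tried
    first; within one priority a record is picked by weighted random
    selection, so weight 60 comes first about three times as often as
    weight 20, and a zero-weight record is picked only when the random
    number is 0 or no positive-weight record remains.
    """
    rng = random.Random(seed)
    if len(records) == 1 and records[0].target == ".":
        return []
    by_priority = {}
    for record in records:
        by_priority.setdefault(record.priority, []).append(record)
    ordered = []
    for priority in sorted(by_priority):
        # Zero-weight records go first in the list (RFC 2782 selection step).
        group = sorted(by_priority[priority], key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            n = rng.randint(0, total)
            running = 0
            pick = group[-1]
            for record in group:
                running += record.weight
                if running >= n:
                    pick = record
                    break
            ordered.append((pick.target, pick.port))
            group.remove(pick)
    return ordered


def first_choice_count(records: List[SRV], target: str, trials: int = 2000, seed: int = 7) -> int:
    """How often `target` is the first host tried over `trials` selections."""
    rng = random.Random(seed)
    return sum(1 for _ in range(trials)
               if order_targets(records, seed=rng.randrange(1 << 30))[0][0] == target)


if __name__ == "__main__":
    print(order_targets(SAMPLE_RECORDS, seed=42))
    print("sipserver first:", first_choice_count(SAMPLE_RECORDS, "sipserver.example.com."), "/ 2000")
```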

> I wonder if there will be a new invention like the Internet during my lifetime, where I can actually participate in shaping and defining it.

Almost certainly there will be multiple such inventions. Internet-magnitude inventions happen once every ten years or so. The trick is that such things are generally very hard to recognize while they are still small enough for an individual to make a significant contribution. It's often hard to recognize them even when you are in the middle of them. They are often lost in a sea of very similar looking things that end up going nowhere (e.g. https://en.wikipedia.org/wiki/List_of_home_computers). Being part of Something Big is largely a matter of luck. The best you can do is to stack the odds in your favor by hanging out some place that Cool Things Happen and never stop trying new things. But many people do that for a lifetime without catching a wave.

...you can. Just the other day was an article on HN about SVG, in that world there are only a few people that are making it work and holding the working groups together. I have a feeling that if you were really good at SVG and doing stuff where you had no man pages then you could be welcomed into the SVG inner circle and start putting your ideas and efforts into shaping vector graphics for the web going forward.

You can also do something similar, at your own level and with your own pace - my near octogenarian father has had his commits accepted by the Drupal people, which I was impressed by as he had to learn things like PHP for that. Sounds like you want more than to just work on someone else's app, so upstream 'defining' the web, look at what is happening in worlds like SVG, or if that does not seem like 'as fun as Lego was' to you then find some other area that you can learn/master/push on from.

BitTorrent was invented by Bram Cohen in the early 2000s.


New technology brings about new opportunities. BitTorrent wasn't feasible back in the 90s because there weren't enough users who were always online to seed files. The question is how do we use this new technology in a way to accomplish tasks we might otherwise have thought impossible?

Maybe? The problem is that you can only shape it and define it when it's really small. Maybe one of the cryptocoins is it. Maybe it's Bitcoin, and you've already missed much of the boat. Who can tell?

I think these things are a bit "right place right time". It has to be early enough that you can contribute, but that early and you never know if it's going to go anywhere. Any later, and the opportunity is gone.

Perhaps not on the same scale as the Internet, but there's a lot of potentially revolutionary technologies still in their infancy you can get involved with: cryptocurrencies, 3D printing, VR, AI, quantum computing, etc.

Great list! Also augmented reality (or is that a subset of VR?). Also, a universal sensor/command infrastructure (much more than the current IoT). Also think of the consumer: could you invent or contribute to a drone shield that lets you pay to let certain companies through? (And related but bigger, easy/common micropayments are still in the revolutionary category AFAIK.)

Last additions from me are the perfecting of the voice recognition (I love Alexa but still room for radical improvement) and also subvocal wearables (I'm sure this is within reach of our generation, imagine ease of speaking but retaining public-use)

This sentiment seems a little bit unusual to me, since we recognize the Internet as the great invention only post-hoc. Throughout the years many people invested inordinate amounts of effort in making various things happen - just to have not that much impact at all in the end. Case in point: how many OS projects are deprecated just on github.

There probably are big inventions waiting to be discovered out there that could benefit from your skills - finding them or getting started on them might be difficult though.

Crypto-currencies are in the wild west early days right now.

Get into VR, AI or similar fields.

Mobile? Self driving cars?

> Anyway, I designed SSH to replace both telnet (port 23) and ftp (port 21).

That sounds weird. Did SSH originally have file-copying capabilities? As I recall, the ssh command was written to be command-line compatible with rsh, not telnet, since rsh (and its companion rlogin) was what people were using at the time to log in over the network between local systems. The manual page for SSH still states this explicitly: “It is intended to replace rlogin and rsh […]”, and SSH from the start had (and still has) an rlogin replacement, "slogin". (Telnet was at the time only used for accessing remote, i.e. not-on-site, services, which did not necessarily imply shell access.) Anyway, the rsh and rlogin protocols use ports 513 and 514, but no nearby ports seem to be unallocated. The story seems to be missing some details, or possibly was made up after the fact in lieu of a bad memory.

It seemed reasonable to me at the time to give port 22 to a better replacement for, and a spiritual successor to, Telnet, but the story seems odd for not mentioning rsh or rlogin at all.

> Did SSH originally have file-copying capabilities

ssh basically sets up a secure connection between two hosts, then forwards its standard input to the standard input of a program on the other side.

You can sort of simulate scp by something like:

    cat my_file | ssh me@example.com "cat >my_remote_file"

    tar -cf - ./somedir | ssh remote '(cd /whatever;tar -xvf -)'

I use that enough that I didn't need to look it up. Works the other direction as well. Was common with rsh before ssh existed.

It's not as efficient as rsync, but I can tell where files will end up without re-reading a man page.

    tar -cf - ./somedir | ssh remote tar -xvf - -C /whatever

I still wonder why `cd` doesn't have a form `cd dir command...`, as in `cd dir tar xf -`.

You could quite easily write a script that does this:

    #!/bin/sh
    # cd-exec: change into the directory given as $1, then run the remaining
    # arguments as the command. Without the shift, "$@" would still start with
    # the directory and exec would try to run it as the program.
    cd "$1" || exit 1
    shift
    exec "$@"
It's a shame "in" is a reserved word, because that'd be a good name for it. Maybe "cde" for "cd-exec":

    tar c files | ssh dest cde /some/dir tar x

Mine is called cdx and includes 'env' functionality and a bit more. (https://github.com/apk/c-utils/blob/master/aenv.c)

The form I usually use is (cd TARGET && COMMAND), including the parentheses to make it a subshell. That seems close enough to not be worth adding features to something as simple as cd, given the basic shell philosophy of composability.

I mean, I'd encourage you to use && instead of ;...

Rlogin is mentioned. Read the first email in the article - the one to IANA:

"I have written a program to securely log from one machine into another over an insecure network. It provides major improvements in security and functionality over existing telnet and rlogin protocols and implementations."

It still does have file-copying capabilities. See scp(1).

Scp was, according to its manual page, based on rcp (part of the rsh/rlogin set of programs): “scp is based on the rcp program”.

Well, yes, exactly: rsh, rlogin and rcp were often considered together, as they both used the same access control - /etc/hosts.equiv. So it's not that surprising that ssh, slogin and scp came together as a replacement set.

Sure, but scp uses the same port as ssh so the underlying protocol has to deal with both terminal and file copying commands.

And don't forget sftp!

Sftp was not part of the original SSH program, IIRC.

I agree. I first started using SSH in 1996 or so, building it from source on a Linux Slackware system (which didn't even have ELF binaries!)

sftp didn't appear until a few years later.

I remember porting my system from a.out to elf binaries. Manually. Learned a lot though.

Port numbers as service locators is driving us to ipv4 exhaustion. We have 65535 port numbers available on each ipv4 address we could use to run a web server, but we only use 2 (443,80). That's 48bits of addressing information, which is a metric crap ton.

I have a separate theory as to why ipv6 is being pushed so hard by advertising companies like Facebook, Google, and the US Government (CIA, NSA): it makes it very easy to casually track the number of hosts behind firewalls. While not impossible with ipv4 at the layer4 level using fingerprinting techniques, it's quite difficult to do at scale, is unreliable, and spoofable. Ipv6 makes this trivial for anyone, and will allow ip transit providers to scrape more information about users, even those encrypting layer5+ traffic.

Is there any reason not to do NAT with ipv6 for the casual user?

privacy extensions

I'm familiar with them; while they allow one to hide your MAC address, they still individually identify you. It's sort of like how Verizon was caught injecting an arbitrary, but unique, HTTP header into their users' HTTP traffic. While it didn't provide your actual identity, it allowed advertisers to sort your traffic very easily.

Another important thing - when you want something you should ask for it. So many times I didn't ask because I _thought_ it wouldn't happen...

For the record Gopher used port 150 for some time until we got a warning from Joyce that we had to change it.

Registering MIME types was also easy:


Yes I remember that, and also http was on port 82 before it was assigned 80, if memory serves me right.

I reserved port 63 for whois++, that by the way rests fine where it is, in very few people's memories, during the same era. The motivation went something like 43 for whois protocol, 53 for ns, so 63 looks like evolution, though there were no aspirations to replace the name service protocol.

I take it this prompted the change to port 70. Why 70? What other protocol was using port 150 at the time?

SQL apparently.

https://tools.ietf.org/html/rfc1060 first mention of port 150 being used

Was there, at one point, an "SQL protocol"? Because there isn't any standardized SQL wire-protocol today.

Maybe it's a subtle plug for CryptoAuditor and Universal Key Manager, products the author's company offers?

> CryptoAuditor is a product that can control tunneling at a firewall or at the entry point to a group of cloud servers. It works together with Universal SSH Key Manager to gain access to host keys and is able to use them to decrypt the SSH sessions at a firewall and block unauthorized forwarding.

Different era, when you could accomplish wide-ranging changes just by sending an email. These days a committee would have to be appointed.

It's still the same, send emails to the committee members.

There are just more people in copy :D

Yeah, and good luck if you're not Google or similarly sized.

I got a port assigned for our startup 2 years ago with one email and one follow-up response to a couple questions. It's really not that hard. (https://www.iana.org/assignments/service-names-port-numbers/...)

The issue isn't the committees - as V99 said, IANA will assign you a port without too much hassle if you just ask.

The real issue is stupid middleware boxes and overzealous cargo-cult-security sysadmins who block every port except 22, 80 and 443. Getting new applications with new ports to work on the real Internet is rarely worth the hassle, which is why now we have to tunnel every new protocol over HTTP.

You should not be afraid to change the port number either. As a sysadmin, I have heard all the tales of no security through obscurity, which honestly I don't think is nearly as steadfast a law as people pretend, but that's another discussion. Changing ports isn't about security, it's about log fatigue. Fewer hits on different ports, fewer things to stop and investigate.

Even better, port knocking on non-standard port.

Security through obscurity isn't bad, it's just not enough. I concur with other reports - just running an EC2 host for a couple of days you'll see login attempts all the time on port 22. Just bots looking for low-hanging fruit. Something as simple as using port 2222 or 122 is going to avoid most of those scans and still be easy for authorized operators to remember. A targeted scan is still going to find it, but if there's some zero day and people just start scanning port 22 on all IPs, you're above much of the water. Still patch the zero-day ASAP, but the obscurity has probably bought you some time and decreased your real-world exposure to attempts.

Also it's worth mentioning most hacking is fairly low effort. If you're using port knocking or non-standard ports you're avoiding 99.9999999% of attacks and scans by default.

As part of a comprehensive security plan I have no problem with it. I don't deploy any Linux servers with SSH listening on 22 nor without fail2ban. Unfortunately, because of the vendors we use, things like mandatory VPN or SSH keys only aren't in the cards.

The phrase security through obscurity should be applied to algorithms, but it's been co-opted by everyone who knows a little bit about security as a catch phrase applied to everything.

Obviously things like passwords are security through obscurity, but the algorithm to hash the passwords should be well known.

Why do you log failed connections? Unless you are doing some sort of analysis of where things are coming from, it's a waste of log space. Turn off password auth, use only keys and log only successful connections.

Not exposing SSH means you will forget/not care that you are running an old version, and eventually this will bite you.

What's better - Fail2ban or change port?

Why not both? Really, the first thing is to be on top of your pure iptables config. Even better is to realize iptables is being deprecated and it's time to learn nftables. No, don't use nice little GUIs or menus that abstract the data entry away for you; you need to understand how the firewall actually works.

Then port change, SSH hardening in general (key + pass, google pam auth module, etc), then fail2ban, denyhosts, sshguard, tallow, etc.

And all that doesn't matter if you don't see any alerts. You need a HIDS (I like OSSEC) and a good logging system for syslog etc. alerts.

Number one issue I see with servers (besides badly secured in the first place), is a bunch of logs no one ever actually looked at.

If I understand correctly, fail2ban has no effect if you disable the use of passwords. If you force the use of ssh keys, fail2ban becomes completely superfluous.

That leaves port change, which is better than nothing. But even better than that is proper firewalling with whitelisted IPs.

fail2ban is easily the better of those two options. However the best solution is to use SSH keys (disable password authentication) and have a small few IPs whitelisted.

If password authentication is a must then hopefully you can still go for 2FA (there's a few two factor authentication plugins for PAM). But if you do that then make sure you also stick fail2ban in there as well.

Why not both? Changing the port is so trivially easy and just moves you out of the way of the majority of low-sophistication automated scans.
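The log-fatigue point and the fail2ban-versus-port-change exchange above, as an added example that is not code from the thread or from fail2ban itself: a small fail2ban-style detector run over constructed sshd log lines. It shows why the findtime window matters (a slow prober never trips the default window) and, because it matches only password failures, why such a rule has nothing left to match once password authentication is off. The hostname, addresses, fingerprint and thresholds are all constructed or assumed.

```python
"""Fail2ban-style detection over sshd auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log; addresses are from the RFC 5737 documentation ranges.
# One scanner bursts at 10:00, one legitimate user mistypes once and then logs in
# with a key, and one slow prober spaces its attempts 30 minutes apart.
SAMPLE_LOG = """\
Apr 23 10:00:01 bastion sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Apr 23 10:00:02 bastion sshd[1001]: Connection closed by authenticating user root 203.0.113.5 port 40001 [preauth]
Apr 23 10:00:03 bastion sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Apr 23 10:00:04 bastion sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Apr 23 10:00:06 bastion sshd[1004]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2
Apr 23 10:00:07 bastion sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Apr 23 10:05:00 bastion sshd[1006]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Apr 23 10:06:00 bastion sshd[1007]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2: ED25519 SHA256:CONSTRUCTED-FINGERPRINT
Apr 23 11:00:00 bastion sshd[1008]: Failed password for root from 192.0.2.9 port 60001 ssh2
Apr 23 11:30:00 bastion sshd[1009]: Failed password for root from 192.0.2.9 port 60002 ssh2
Apr 23 12:00:00 bastion sshd[1010]: Failed password for root from 192.0.2.9 port 60003 ssh2
Apr 23 12:30:00 bastion sshd[1011]: Failed password for root from 192.0.2.9 port 60004 ssh2
Apr 23 13:00:00 bastion sshd[1012]: Failed password for root from 192.0.2.9 port 60005 ssh2
"""

# This toy rule matches only password failures. With PasswordAuthentication off,
# sshd never writes these lines, so the rule would fire on nothing. (The real
# fail2ban sshd filter also matches other patterns; this is deliberately narrower.)
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(log_text, year=2017):
    """Return (timestamp, ip, user) for each failed-password line; syslog omits the year."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def find_bans(events, maxretry=5, findtime_s=600):
    """Ban an IP at its maxretry-th failure inside a sliding window of findtime_s seconds.

    Mirrors fail2ban's maxretry/findtime idea; the default values here are assumed.
    """
    findtime = timedelta(seconds=findtime_s)
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    banned = {}                  # ip -> timestamp of the failure that triggered the ban
    for ts, ip, _user in sorted(events):
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t < findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned


def summarize(log_text, **ban_opts):
    """Failure count per source plus the resulting ban list: a quick look at the noise."""
    events = parse_failures(log_text)
    per_ip = defaultdict(int)
    for _ts, ip, _user in events:
        per_ip[ip] += 1
    return {"failures": len(events), "per_ip": dict(per_ip),
            "banned": find_bans(events, **ban_opts)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['failures']} failed password attempts")
    for ip, n in sorted(report["per_ip"].items()):
        flag = "BANNED" if ip in report["banned"] else ""
        print(f"  {ip:>15}  {n} failures  {flag}")
```

With the default ten-minute window only the bursting scanner is banned; widening findtime_s to three hours also catches the slow prober, at the cost of more state per source.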

(I repeat my comment from 3 years ago¹:)

I think nobody argues that it adds security. The problem is that:

1. It adds very little security: 16 bits is not much, and the result is not 256 bits (say) of SSH key plus 16 bits equals 272 bits, but instead effectively still 256 bits, or 256+8×10⁻⁷³ bits.

2. The security it adds is itself bad (sent in cleartext, easily brute-forced)

3. These problems stand against the many drawbacks of this previously discussed (complexity, confusion, etc.).

And the final argument: If increased security is what you want, simply increase your key lengths and/or password lengths, and you will get much more than 8×10⁻⁷³ bits of security, without any of the above problems.
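The figure in point 1, carried through as an added derivation (not part of the comment above). If an attacker finds the port first, by probing the 16-bit port space, and only then attacks the 256-bit key, the two searches add rather than multiply:

$$
\log_2\!\left(2^{256} + 2^{16}\right)
= 256 + \log_2\!\left(1 + 2^{-240}\right)
\approx 256 + \frac{2^{-240}}{\ln 2}
\approx 256 + 8.2 \times 10^{-73}\ \text{bits},
$$

using $\log_2(1+x) \approx x/\ln 2$ for small $x$ and $2^{-240} \approx 5.7 \times 10^{-73}$. The product $2^{16} \cdot 2^{256} = 2^{272}$ would apply only if a wrong port guess could not be recognised on its own; since each port probe is answered separately, the port is an independent, cheap search and contributes essentially nothing to the key's strength.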


Did you reply to the right comment? Feels like you might have been addressing a different issue. There's more to security than information theory. Bits of security aside, if you're not listening on port 22 the majority of wide-scale automated scans miss you entirely. If there were some zero day being actively exploited in the wild, admins occasionally having to remember '2222' instead of '22' is a pretty trivial issue and just sidesteps a lot to buy you some time to patch.

Again I feel the need to repeat myself¹:

I am not in a position where I feel I need to worry about remotely exploitable 0-days in my SSH daemon. If you are, then your situation is, I feel, exceptional.

That said, perhaps those people should sponsor a project to fix this for real. This could be accomplished by having not one program, but two, one after the other, both with realistic key sizes and security. The password/key to log in would then be the combination of two separate keys, one for each program.

But what I have described is more or less the same as having a key/password-protected tunnel on top of SSH, so they could just use that. A 0-day in the tunnel/VPN would not allow access through SSH, and a 0-day in SSH would not matter since SSH can’t be accessed directly in the first place. This way, both the tunnel and SSH would need a 0-day at the same time for the security to fail. Like a RAID-1 array. If even this is not sufficiently secure, just increase the number of layers.


Why is your ssh even open to the Internet?

Why shouldn't it be? Tunnelling connections through an SSH jump-box is no more or less secure than tunnelling through IPSec VPN.

It depends on how that jump box is configured, audited, etc. Do you know that your users aren't leaving their keys on laptops that don't have drive encryption, don't have passwords on the keys, etc.? Are you forcing 2FA? A lot of these other solutions offer many more deeply enforced protections with better auditing than just an SSH jump box.

I'm also not really a fan of leaving things with a shell connection on the net, again part of configuration. If you can root the ssh server, you could likely root a vpn box.

Also, I guess, I'm sorry, you're not allowed to ask questions on HN anymore. Thanks for the drive by down vote.

(TCP and UDP) ports are for layer-4 protocol negotiation.

If you want to distinguish services, you should be giving them separate names/addresses. This is what the second half of an IPv6 address (the "interface" part) is for.

I'm struggling to think of any circumstances where "log fatigue" might be a thing.

File sizes aren't an issue because auth logs take up such a negligible amount of space compared to the storage capacities we have at our disposal these days. But if your box is really that low capacity then stream your logs to a logging server (or push them to remote storage when you do your log rotate). Realistically you should be shipping your log files anyway.

Performance isn't really an issue either as larger auth logs isn't going to make sshd perform any better or worse.

There isn't really even a strong argument for the human readability impact as those logs should generally be parsed by robots instead of humans. Be it alerting systems like Nagios, reporting tools like Splunk, or firewall management services like fail2ban; in all cases you wouldn't typically be reading the auth logs in vi unless something has gone very wrong.

So I say just keep sshd listening on 22 and instead ensure your system is properly hardened (IP whitelists, SSH keys, etc) with automated processes in place that monitor the logs so you don't have to. Or better yet, don't expose SSH at all.

I've been down voted a few times here. Interested to know why. Any care to elaborate on which bit they disagree with please

For the record, I agree with you, but you can probably get to better understand people who don’t by reading this old HN thread and article:


No idea in your case, but this place is merciless when it comes to any misinformation. That means that downvotes come easy, but that's also one of the things I like about HN.

That would be fine if any of the people down voting were exempt from being misinformed themselves and took the time to explain why they disagreed with the comments they were down voting. But in this case I've been hardening Linux and UNIX servers professionally for years and yet still am completely in the dark about what it was that people disagreed with in my advice.

The down vote itself doesn't really bother me so much as the inability for misinformation to be corrected - be that my own error or whoever (which is why I always make a point of replying to people rather than down voting).

In my experience, if you ask nicely and have good intentions you can achieve A LOT of things that you might not expect at all.

So true.

A bigger question would be how did FTP get 21 and Telnet 23 leaving a gap for SSH?

For some reason odd numbers are used more often than even. Ports 24, 26, 28, 30, 32, 34, 36 are all unassigned to this day.

Because of the NCP protocol which preceded TCP. It used even port numbers for outgoing data and odd port numbers for incoming data. TCP used the same port numbers, but fully duplexed the data into a single port. The well-known incoming port numbers are therefore all odd (initially, the limitation no longer applies to TCP of course). https://en.wikipedia.org/wiki/Network_Control_Program

That was to prevent homosocketuality.


IGN 3 Illegal Gender (Anita Bryant feature--sockets must be heterosocketual, ie. odd to even and even to odd)

The host is trying to engage us in homosocketuality. Since this is against the laws of God and ARPA, we naturally refuse to consent to it.


gayskt: outstr [asciz/Homosocketuality is prohibited (the Anita Bryant feature)

Remembering how things worked back then, someone probably invoked Catch-22...

Wow, I had no idea that SSH had become such a huge security company [1], with 6 locations around the world. Another surprising thing is that it was only created in 1995. I was expecting it to be a few decades older.

[1] https://www.ssh.com/

This is like discovering that air.com exists and is a vendor of breathable gases.

(It does exist, but it appears to be a squatter domain for airline tickets.)

In a way it's a pity it was so easy.

/etc/services is now testament to a multitude of broken dreams.

I am aged thirty and every day I use a technology that didn't exist when I was eight, furthermore this technology "feels" ancient to me.

It's a bit cliche but the pace of innovation in our field (at least up to now), and the rate at which we get used to new things, is amazing.

I would have thought the reason it was chosen is that he assumed people had a firewall exception for the range of ports between 21 and 23, and by choosing 22 nothing had to be changed on the firewall.

There weren't nearly as many people running firewalls in 1995. But you may be right.

The firewall extinguisher hadn't even been invented yet.

If a Nobel prize equivalent existed for software developers to recognize their immense contribution to the field, Tatu Ylonen would deserve it for sure. It's great to know stories like this one.

The real reason for SSH being an immense contribution is that the OpenSSH fork happened when Tatu Ylönen made the original SSH program proprietary. Now that I think of it, I wish they had renamed it to something without "SSH" in the name, so he and the SSH Company couldn’t keep reaping name recognition benefits.

I was hoping for some epic Lord of the Rings story, disappointed...but SSH makes up for it :)

You mean like '*' the asterisk standing to mean "anything" being ASCII 42: the answer to Life, the Universe, and Everything?

tl;dr - I asked for it. - They gave it to me.

So there's actually not a story?

I read the email and the dude just gives them that port assignment with no ceremony. I was hoping it would be more climactic.

HN doesn't really seem concerned that all these titles are low-quality bait. Guess they're digging those page req numbers. Unfortunate how effective it is to just deceive your users.

You shouldn't be. We have links for this. This is plagiarism.

We detached this subthread from https://news.ycombinator.com/item?id=14180152 and marked it off-topic.

It's not your job to tell other people what they should and shouldn't be interested in.

Is your own discomfort from being shocked that TCP/IP allows homosocketuality, because you're "not a gay supporter", so seductively connecting innocent sockets of the same parity sickens you?

Certainly your morality influences how you view things.

We have links for this, to plagiarize your own words:


"My question is honest. My provocation is meant for the soul. I am sorry for not being kind."


"Please provoke souls somewhere else." -dang

I didn't say this shouldn't be of interest. I was defending the author of the original comment, which in light of the fact that both accounts belong to you means my intention was ensuring your attribution.

I felt no discomfort here, though granted I haven't read the whole comment. "Same-sex network connections" gave me a chuckle - I assume a reference to the "male" and "female" hardware connectors. I was actually weighing on commending you for the joke before I found out the same words were used elsewhere by another account.

I am surprised by the tone of your reply. I kind of hope most of my downvotes are from you then, as I would hate to see a rise in reposts. I also hope you have an automated way of finding non-positive comments, because knowing you went through them by hand would be somewhat discomforting.

Now, my morality certainly should influence how I view things - that's what it's for. If it is the case that here lies your problem with me, you should be aware that when I say gay I don't have in mind the mere attraction to the same sex, but indulgence, the practice of sexual acts of this nature (which is closer to the original sexualized definition of the term). The distinction may appear subtle, but isn't really. The grave difference is between temptation and sin. In recognizing the difference, one may become accepting of the human without in process compromising that human's soul.

You are incorrect that gay sex is a sin or compromises your soul, and this is not the right place for you to try to spread those outdated prejudices of yours. Your homophobia is just as unacceptable as racism or misogyny, so keep a lid on it.

But it's fine for you to spread your prejudicial views of his religious beliefs? Pot, kettle? And just because someone doesn't agree with your view doesn't instantly make them [x]phobic; it's quite possible to be against something without hating on it. I'm sure most people who hold similar views are not scared of or hold intense hatred for those in same-sex relationships, just like I don't like mushrooms, which doesn't mean I'm fungiphobic.

This is not a forum for accusing people of being sinners. Don't you have something braver to do than standing up for bigotry, even after the bigot has been politely and repeatedly asked by a moderator to stop his religious harangue, but was argumentative in response [1], found it "somewhat discomforting" to have his own words quoted back to him, and has declared he won't stop [2], regardless of how discomforted his own words make other people feel?

[1] https://news.ycombinator.com/item?id=13246410

[2] https://news.ycombinator.com/item?id=14187168

Yet you argue against bigotry with your own bigotry?

bigotry: intolerance towards those who hold different opinions from oneself.

seems you may be a sufferer too.....

You are wrong to tolerate intolerance, and wrong to accuse me of bigotry for standing up against bigotry. It doesn't work that way.

And the fact that you're standing up against my stand against bigotry, without bothering to stand up against the original bigotry itself, means you're tacitly supporting that bigotry yourself, which is unethical.

And you're also violating the rules of this forum by continuing to post off-topic unsubstantive comments and baseless personal attacks. So stop it.


Philosopher Karl Popper defined the paradox in 1945 in The Open Society and Its Enemies Vol. 1.

"Less well known is the paradox of tolerance: Unlimited tolerance must lead to the disappearance of tolerance. If we extend unlimited tolerance even to those who are intolerant, if we are not prepared to defend a tolerant society against the onslaught of the intolerant, then the tolerant will be destroyed, and tolerance with them."

He concluded that we are warranted in refusing to tolerate intolerance: "We should therefore claim, in the name of tolerance, the right not to tolerate the intolerant."

I don't use this forum with the intent to spread such persistent truths as that gay acts are gravely sinful or that human life possesses inherent dignity (something that popped up a few times as well). However, I do and will proclaim and defend truth provided I see a need. I hope to do this to the benefit of any readers, not simply to counter. To this end, and because of the importance, I hope never to let myself be pressured into desisting regardless of how unpopular it may become to resist.

>I don't [do what I am doing in the same sentence]. However, I do [it again]. I hope to do this [for your own good]. To this end, [I won't stop, even after being politely asked to by a moderator (dang), because I am the victim].

You are already on record as using this forum to "provoke souls", and you have already been politely asked to provoke souls somewhere else. Unless you can offer some objective proof that gay sex is a sin, what you're doing is no different than the actions of a schoolyard bully taunting and calling people names. The suicide rate among gays is way too high without your help [1]. Take it elsewhere, or better yet, never do it again, anywhere.

[1] https://en.wikipedia.org/wiki/Suicide_among_LGBT_youth

"The Suicide Prevention Resource Center synthesized these studies and estimated that between 5 and 10% of LGBT youth, depending on age and sex groups, have attempted suicide, a rate 1.5-3 times higher than heterosexual youth."

"Bullying of LGBT youth has been shown to be a contributing factor in many suicides, even if not all of the attacks have been specifically addressing sexuality or gender." Savin-Williams, Ritch C (1994). "Verbal and physical abuse as stressors in the lives of lesbian, gay male, and bisexual youths: Associations with school problems, running away, substance abuse, prostitution, and suicide". Journal of Consulting and Clinical Psychology. 62 (2): 261–269. doi:10.1037/0022-006X.62.2.261.

[2] http://blog.ycombinator.com/meet-the-people-taking-over-hack...

I must say you're conflating my conversations, and misinterpreting my words. I don't think it needs explaining, but if you disagree, I am willing to say (and repeat) exactly where and how.

Instead, here I will just point out that you're now equating talking about sin to bullying. This is harmful because it puts reconciliation with God out of sight and out of mind, but also because it tells bullies they are "no different" than those fighting sin: by blowing things out of proportion like this, you are doing an additional disservice to those sinners you're purporting to support. Note that I was generalizing because your argument allows it - at least to, say, pre-marital sex. And while there is a difference in subject sensitivity, I am not being a bully by simply countering the world when it claims either of these things are acceptable. One's cross is much greater than another's, but so is the reward. No surrender, try again.

We've banned this account for violating the site guidelines and ignoring our requests to stop.

You were already warned several times by a moderator that this is not the place for you to "provoke souls" with your religious harangue and unsubstantive comments, yet you continued to argue with him.

You just directly contradicted yourself in the first sentence of your previous reply, as I already pointed out, by falsely claiming that "I don't use this forum with the intent to spread..." and then continuing on to do just that in the same sentence by mischaracterizing your religious bigotry and unsubstantiated falsehoods as "persistent truths", which they most certainly are not.

Calling people sinners and telling them their souls are compromised is bullying and religious harangue, no matter how hard you try to justify it by proselytizing and appealing to your iron age religious prejudices, and this is absolutely not the place for it here.

You have also made it very clear that you have no intention of following the rules of this site or abiding by any of the repeated polite warnings the administrator gave you to "please provoke souls somewhere else", to "please stop posting unsubstantive comments", and that "continuing will get your account banned, so please stop."

I don't "purport to support" sinners, because "sinner" is just an offensive name with which you choose to taunt and harangue people of whom you don't approve.

I am flagging your post as offensive and as breaking the rules, and if you reply again in the same manner that makes it clear you have no intention of following the rules and every intention of continuing to call people names and harass them with your religious bigotry, then I will flag your reply too. If you apologize for repeatedly breaking the rules and attempting to bully people, and finally end the conversation, I won't flag or reply to that.


We detached this flagged subthread from https://news.ycombinator.com/item?id=14178993 and marked it off-topic.

How is Master/Slave discriminatory language? Who is discriminated against there?

In my eyes it is simply a factual description of an architecture: the master gives commands, the slave obeys. The slave doesn't act without permission from the master and only speaks when spoken to. I wish no such thing for any human, but it describes a great architecture for software and hardware.

I don't want to get into an argument about discrimination and sensitivity and trigger words and all that.

The real point here is that slave has a lot of meanings, currently and throughout history, and thus has a lot of baggage. A slave is not just someone/something that obeys or only speaks when spoken to. A slave is owned by its master. A slave is entirely under the domination of the master. That doesn't really map cleanly on to replication. A master database doesn't really own or control the slave database; it just provides a log of actions performed against it that the slave needs to mimic.

As I understand history, the master/slave metaphor has been used for a long time in technology (e.g., in machinery and photography), well before computers or software, but we have better terminology. Many organizations use primary/replica or even just master/replica.

Using replica instead of slave seems like an obvious win. It's more precise and clear, and it avoids the baggage. It's also more intuitive when you're using the slave DB for reporting, i.e., "read replica" makes more sense to me than "read slave". Maybe that's just me. I don't see a downside to using replica.

While following this thread I found your comment initially jarring, because in my mind I was thinking of the ATA protocol and not databases. And it appears that neither are good examples.

Perhaps not the best reference, but this Wikipedia page provides some examples as well as some info on the appropriateness of use that I found interesting:


FWIW, it makes sense for databases, but not for peripherals in which one is controlling the other. E.g. an SPI memory chip. If that were called a "replica," it would be confusing.

Yeah, I hear that. I think the general point still stands. Master/slave is a metaphor that we have imbued with specific technical meanings in certain contexts. However, it is rarely (probably never) a perfect match with the historical meanings of slavery. We now have equally precise, typically more precise, terms we can use instead of the metaphor and avoid the negative baggage recalling barbaric acts.

EDIT: Not that you're arguing otherwise, I'm just restating my point more succinctly and abstractly.

Primary/secondary, master/replica depending on context.

"Replica" is actually a lot more meaningful than "slave" in terms of databases.

Good explanation. I always thought "worker" made more sense than "slave" in a distributed computing platform such as Hadoop.

I'm sure somebody can come up with a better term than "master/slave", for an equitable relationship between hardware or software that's harmoniously cooperating towards a shared goal by willfully and respectfully delegating authority.

Even the old telnet protocol politely and consensually negotiates with will/won't/do/don't, and it's not protocolly correct for a server to rape a client, who historians then romanticize as a mistress.

Another common metaphor that I find cognitively dissonant is calling the relationships between nodes in a tree "parent" and "child", since all humans have exactly two biological parents, but all tree nodes have only one parent.


& why are Strings made up of chars — surely a string should be made up of Threads?

Commander - Receiver Instructor - Actor

Off top of head

[super]<class> and [sub]<class>s (or simply 'subitems'). Like in superview and subviews, group and subitems, superclass and subclass.

Yes, that's a great example of why it's always good to use names that describe the nature of the relationship, because nodes can exist in multiple hierarchies at once, that have no topological relationship to each other, like a view hierarchy and a class hierarchy.

A Button can be inside a Panel, but not a subclass of Panel.

A Button can be a subclass of Control, but not inside a Control.

Having two types of parents (view and class) is different than having two parents (mommy and daddy).

There are situations with IVF where a child may have more than two parents, e.g. when the genetic mother is different from the gestational mother.

Uh, don't get this debate restarted. https://www.drupal.org/node/2275877 played some(?) role in Larry Garfield's pretty high-profile ousting ... three years later. It's one ugly topic.

It makes Americans uncomfortable, because many of them subconsciously associate the word 'slave' with black people.

Wow - I really hope that was meant to be sarcastic... (if so, sorry I missed it, carry on and ignore this)

I'm a white male and even I can read the tone-deafness in master/slave. Modeling computer architecture names on one of the great crimes against humanity is not a great naming convention, I'm sure you can agree.

Honest question: what is it that happens to you when you read the words master and slave in the context of computer science? Slavery is horrible and so is killing, but I do not shed a tear whenever the words 'kill/terminate process' appear on my screen - I don't get visions of beheadings, I don't associate it with the act of ending a human life. It's a safe bet to say that no one reading about computer architecture today suffered as a slave, so saying this terminology triggers you is akin to me pretending to be bothered by loud noises because my great-grandfather went through war.

When you hear about a master/slave relationship or a male/female connector, you know immediately what is being described, which is pretty good for a method of communication. If you are unable to interpret words based on their context, I'm inclined to believe it's not the language that's the problem. I doubt that's the case though, I think these manufactured outcries are attempts at social engineering and moves in a game of power (controlling language->discourse->thought).

> I do not shed a tear whenever the words 'kill/terminate process' appear on my screen - I don't get visions of beheadings, I don't associate it with the act of ending a human life.

I'm totally with you. Just wanted to contribute to the thread by leaving this classic here for anyone who wants visions of (trigger warning!) ending daemon life:

Doom as a tool for system administration:


I too could not tell if this person was trolling. It's a good example of Poe's Law:


Should we ban these words altogether?

Just learn ThoughtSpeak! It will solve all your problems...

>That's pretty awful.

Agreed that is awful! But none of your examples are!

>* Renaming master/slave to central/peripheral

Yes, please go and explain to people in the BDSM scene why their preferences are considered inappropriate and discriminatory. Or should the whole world shape around the sensibilities of US slavery? That's a bit US-centric, no?

>Avoiding gender in code comments and documentation, e.g. "When user clicks, log him out" to "When user clicks, log them out".

Depends on the context. What if it's a woman's magazine website and the comment reads 'log her out'? It sounds a bit hard for all economic activities to not have target audiences. What are we gonna do with all these marketeers then? How would they even establish a focus group?

Of course, that would suggest they are just ordinary people, and not some evil immoral conspiracy against a specific gender.

>Being able to disable animations globally, for epileptic users.

That's not how epilepsy works at all -- these sort of misconceptions are actually the things they are actively fighting _against_.

For some reason, every _constructive_ attempt at making people treat each other better brings out the worst kind of people, who like vultures jump onto any opportunity to find moral laws they can use to feel superior to other people. A sort of moral übermensch (yeah, gender neutral phrasing!) if you will. In the Bible they are referred to as Pharisees. The monsters that play king of the hill in the moral center. "No true Scotsman" would be another expression that comes to mind.

The clearly homophobic comments are horrible! Yet it's so easy to tell the difference between those comments and your examples. And you would be able to tell the difference as well, if your intentions were even in the slightest way honorable.

Animations causing seizures and discomfort are definitely a thing: http://webaim.org/articles/seizure/

These kinds of knee-jerk reactions from people in the industry are exactly why we have to try consciously to remove these biases. Listen to the people who are saying these things make them uncomfortable, and try to work with them on a solution that's inclusive to all, instead of dismissing it out of hand, like most of the commenters here are doing.

Off topic, but maybe someone has an explanation for one thing that I have wondered about quite a few times on mailing lists and that I got reminded of by the E-mail Tatu Ylonen sent to Joyce K. Reynolds: Why is it that some people start their E-mail with "Dear Sir"? Where does the (to me unreasonable) expectation come from that there is a single male person on the other end (instead of a mixed group)? Are there stereotypes at play or is this a language/translation thing?

It would be often addressed to the head of an organisation even if they never saw it.

These days it would be proper to address it Dear Sir/Madam IF you did not know the gender of the person.

Besides that, in this case it really was pretty much all Jon Postel making the decisions.

Good story - the time that Justin Hall tried to register fuck.com in 1994.


Assuming you are not a native speaker since you mention language/translation, at the time it was a common salutation when one didn't know the name of the person(s) who would be reading your letter. Gender was not implied. Sometimes people would use "Dear Sir or Madam" but that's more clumsy.

I was always taught in school that "he/him/his" was gender neutral if there was no context indicating otherwise. People have started to get more and more annoyed by this, leading to the grammatically incorrect usage of "them/they."

Anyone who went to school or learned English in the 1980s or earlier would have learned "Dear Sir" as the standard generic salutation when writing a professional letter.

I suppose today one would start such a letter with "Dear Person." That sounds somehow disrespectful to me. There's always "To whom it may concern."

them/they as a gender neutral singular pronoun is not grammatically incorrect. Wikipedia has a rather extensive article on its history and usage. Criticism of this usage as incorrect only arose in the late 19th century.


Heh, well go back to 1978-1982 and tell my English teachers that. I got dinged enough times on improper use of "them/they" that I actually learned the lesson and it still catches my eye like a flashing red light whenever I see the singular usage.

Thanks a lot for shedding some light on this mystery! I was unaware of the fact that "Dear Sir" was meant to be gender neutral at some point. While this convention seems strange to me (not a native speaker, you are right) and I assume it feels strange to women to be addressed with "Dear Sir", there seems to be more to it than my assumption of stereotypes on the sender side.

Still is neutral, and will be in the future if Star Trek is anything to go by:

KIM: Thank you, sir.

JANEWAY: Mister Kim, at ease before you sprain something. Ensign, despite Starfleet protocol, I don't like being addressed as sir.

KIM: I'm sorry, ma'am.

JANEWAY: Ma'am is acceptable in a crunch, but I prefer Captain. We're getting ready to leave. Let me show you to the bridge.

Star Trek copied the Navy (US&UK style) of addressing all senior officers as Sir, regardless of gender.

A tangent: I've always wondered why the feminist movement didn't push language more toward this direction, rather than the one we got.

"Man" was originally a gender-neutral Old English word for human beings (the gendered prefix for males being "wer", as appears in e.g. werewolf.) So why not just expand on that: demand that "man", "sir", "he", "him", "Mr"—and common nouns like "mailman", "fireman", "steward", "host", "master"—be used when referring to both men and women, and thus retroactively de-gender all previously written implicit-male-subject texts for future generations? Instead, we got "he/she", "they", "mail carrier" and "fireperson", which seems like a terrible thing to do to a previously-concise language.

Yeah, that Shakespeare guy screwed up everything when he used "they" as a singular pronoun.

The early-Modern "they" means "one or more people"—as in, it can be singular or plural, as you wish.

Shakespeare still would use "he" or "she" as appropriate when trying to make it explicit that there was exactly one person being referred to.

But now, we are told to use "they" or "he/she" even in that situation, because singular-generic "he" is offensive to some people, and because human-referential "it" is offensive to rather more people.

The current witch hunters on words seem to fail to understand that language is designed for communication between humans. It's a communication protocol.

Taking offence to a communication protocol is like saying TCP/IP is offensive because there aren't enough uses of the number 7 in the TCP/IP protocol, and it's discriminating against the equality of all numbers.

No. It's a protocol optimized for communication, not some sort of emotional playground.

To try to alter the communication protocol based on personal emotions degrades its usefulness and diminishes the ability to communicate effectively.

So now the TCP/IP packet header needs to be extended 25%, and the driver needs to ensure equal distribution of all numbers during communication, further increasing overhead by another 75%.

This is where we are headed with our language, when we allow PC politics to dictate how words should be used.

> language is designed for communication between humans.

Unlike machines, humans do not always just want to exchange factual information about the world, and often use communication for additional purposes - jockeying for status, claiming membership in groups, and yes, playing games. This can even be quite enjoyable for the humans in question, for example, mutual flirtation.

In this example, one of the bits of information that can be conveyed by being a bit more thoughtful about the use of pronouns is where the human in question might fall on a scale between "I am aware that there is pervasive and systematic discrimination against one class of human, and do not wish to take even small part in it." and "I believe all relevant systematic discrimination is in the past."

Spanish is similar, so I'd imagine it's common in other languages, at least those related to English and Spanish. If gender is uncertain, for instance in the case of a mixed gender group, you just fall back to masculine adjectives, etc. I'd imagine for such practical purposes most languages would have some "default" and there are surely feminine-defaulting languages out there.

I generally begin a letter or email to an unknown person or organization with "Greetings," - it is a bit informal, but I've never heard of anyone objecting to it. I never use the dreadfully stuffy "To whom it may concern".

Properly stuffy is "To all whom these presents come, greeting", common opening words of English letters patent, one of the oldest forms of "to whom it may concern" still in use.

Can be found on grants of arms and various other formal/monarchical documents up to the present day...

About 20 years ago, I took after my father-in-law in addressing correspondence to unknown persons with (literally) TWIMC:

In English English "Dear Sir" is still AFAIK the formal way to address a letter to someone unknown.

"To whom it may concern" is sometimes used to make it less gendered.

I was taught "Dear Sir/Madam" at school in England around 2000.

What I was told was that "Dear Sir" should be used when writing to a specific person who is unknown to you, whereas "To Whom it May Concern" is more appropriate if the letter could be dealt with by multiple people (e.g. a department) or you expect it to be passed on to someone before being dealt with. I was also told that it's far from a hard and fast rule, and that it doesn't matter all that much.
