Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: JavaScript-free personal bio hosting (plumebio.com)
123 points by mrkn1 10 months ago | hide | past | favorite | 72 comments

I really hate the statement "built-in privacy: this site does not use any javascript", because privacy is not specifically violated by JS, and you can track (or 3rd-party track) without JS just fine. Their site clearly does not need JS, but this misinforms their audience about privacy and safe browsing.

Also, according to their Privacy Policy, they collect your IP (for Geolocation) and browser type... two pieces of data that are, in a great percentage of cases, enough to identify someone.

Having used uMatrix over the past several years, I grow weary seeing almost every site bring in cascading JavaScript dependencies across 3-4 additional domains, sometimes as many as a dozen. I agree that technically, JS doesn't have to violate privacy, but in practice, the internet is packed to the brim with JS-powered 3rd party tracking.

I agree - and I'm sick of it too. I don't think "no JS means no tracking", but it means "more likely less tracking" and "definitely a lot less bullshit 3rd party shenanigans".

I absolutely love JavaScript, have been a fan of it since before it was cool, stayed a fan after it was not cool again, and am still a fan now! But now the benefits it brings me on the web is snowed under by the shit it delivers. It's not worth it.

JavaScript is off by default everywhere for me now, and there has to be a really compelling reason to get me to whitelist a site. Most often (I'd say about 80-90% of unknown/non-regular links I click) I just close the tab and go somewhere else.

Luckily there's a lot of sites out there, and there's starting to be more services like the OP's - which I will be able to visit!

Philosopher kings communicate in ways the average individual has issue grokking, doesn’t invalidate the potential for abuse to complain that it’s free of “tracking”

JavaScript tracking can provide much more personal and behavioral data than server logs can.

While i agree, i do think there is an aspect to it that's true.

Eg, when you visit a site you, imo - agree to some degree of privacy violation with that site. Ie, it's reasonable to expect them to know your IP. It's reasonable to expect them to know your rough location. It's reasonable to expect them to know your username if you log in, and etc.

What's unreasonable is the 50 sites that cascade off of an initial visit. I may have been fine giving my IP to bobsblog.com but not Google/etc.

An interesting extension of this idea would be a hosting service or web framework that didn't just say something like "no javascript", but rather "no external connections with your information". All images, CSS, JS, etc would be loaded locally and nothing would make any remote connections from your IP.

Come to think of it, this would be a neat "contract" that sites could agree to. Like No JS, such that browser clients could enforce it and get the expected UX on those sites. /shrug, just thinking out loud i suppose.

The browser hands that information over, even if you didn't want it to. a lot of info is just included with every HTTP request per the protocol.

You can to some degree massage what your browser sends, to varying degrees of success, but there is not an easy 'send only non-unique things please' button. Obviously the IP has to be sent regardless, the only way to get around that is VPN and similar tech.

Who do you think that statement is targeting in their marketing? Clearly not full techies that would probably pick up that it's BS. Your everyday non-tech person wouldn't care about this service anyway since who cares what a javascript is, linkedin works fine. I guess there's a band of somewhat tech-aware folks who've heard a out wizards of privacy that go a step beyond adblockers to block javascript, and so think that no javascript==good?

Well the fact that you feel more aware of tech, but are talking about wizardry.... says a lot. Dimensionality is obviously complex, but critical consideration is just that.

You didn't read the comment correctly. Wizardry is from the perspective of the tech aware but not tech saavy users.

so there is no potential for unknown dimensional qualities associated with language? i mean if that were the case, i doubt that sex would sell as well as it does....

How do you know that JavaScript doesn’t have an extra-dimensional component the human mind little understands?

I really hate the people talk about 'collecting' IP addresses or getting their "IP address exposed". There is no risk in anyone knowing this, not to privacy, not to security. This is how the internet is meant to work. A bunch of equal nodes.

Just because mega-corps and wireless telcos have gimped the wildly popular mobile computers and taken away their ability to interact (no ipv4, no ports, not much beyond web) doesn't mean interacting directly is bad or unsafe or giving away some 'secret' information.

No, we need more people directly interacting with other people via the internet protocol. We desparately need widespread ipv6 adoption so that everyone can have their own IPs and expose them all to each other in the emergent network we call the 'net.

This 'IP as privacy risk' is scaremongering and very unhealthy.

Absolutely not. You are entirely wrong on this one to a level of causing dangers to others. An IP address, to a court, to officers, is you. That's not an opinion, that's a fact. Proven by the countless number of times people have doxxed YouTubers by simply calling in fake terrorist threats to their police. ISP's know where that IP is routed to, and they will cooperate with authorities. Police can track even cellphones in real-time 10 years back.

Plenty of civil cases use just IP's to prove copyright infringement. That's how BitTorrent cases catch infringers, regardless of who actually did it.

Watch Leonard french on YouTube, copyright attorney, it doesn't matter to judges in Pennsylvania wether an IP is a person or not. They say it is, and thats good enough.

That's why discord was created. So everything is proxied and safe for streamers and anyone online. Maybe you don't involve yourself so you don't know any better, but I've seen it happen, personally, friends get stalkers from the online world simply because the game they played was P2P, or the server admin for vent/teamspeak was a total creep with their friends.

It's not how it should be, but that's how it is.

Discord itself has a fairly concerning policy with regards to cooperating with law enforcement.

> I really hate the people talk about 'collecting' IP addresses or getting their "IP address exposed". There is no risk in anyone knowing this, not to privacy, not to security.

That's like saying there's no privacy or security risk to everyone knowing your home address or your phone number. I can understand if you're not concerned by it, but it's non-zero.

Privacy-wise, knowing your router's IP address is enough to score/segment you and (over time) to build a profile on you.

Security-wise, an IP address enables bad actors to scan and potentially attack your router and possibly your internal network.

Real Security Experts™, am I wrong?

>This is how the internet is meant to work. A bunch of equal nodes.

Things evolve, things change, we learn, we adapt.

Many world governments will happily track down a dissident by their ip, kidnap them in broad daylight and then torture them. Just because you're not one of them doesn't mean those people don't exist and don't have real concerns.

Correct. And people that are living in a war zone should wear bullet proof vests and take all sorts of really burdensom security measures that detract from their quality of life and ability to communicate with their peers.

But I am not going to wear a bullet proof vest while sitting around at home in my safe country. It'd be absurd to suggest so. The same applies to 'hiding' your IP during normal activities on the internet.

Bullets don't follow you around for the rest of your life like data aggregation does. And unlike being in a war zone, your IP can be collected and used against you without you knowing.

If we went full IPv6 and everyone had their own unique IP, then tracking people across sites would not require JavaScript, requests to trackers, or even cookies. There are things that are nice about a world like that, but it's definitely a step back in privacy from today where tracking protection tools work pretty well.

Willful IP blindness is one way to have communication over IP without allowing it to be used for tracking: https://github.com/bslassey/ip-blindness

> This is how the internet is meant to work.

After being slapped in the face by this for a few months now, I can tell you that this means absolutely nothing.

> and very unhealthy

very unhealthy indeed if you're a reporter in some parts of the world not doing what's judged to be right.

I like the idea but I don't see how being Javascript free is a good value proposition here. If I'm looking to hire or find additional information on a person, the way the page is implemented won't be important to me (especially if Im outside of the tech industry).

I am not saying this is bad to have no javascript, but it seems like just marketing targeted at contrarians.

Am I a contrarian for wanting to control what runs on my machine? If so, why?

Personally, I think no JavaScript means no third party tracking. Also requiring a .edu email is a good start.

> Also requiring a .edu email is a good start.

Not really, unless the intent is to discriminate against immigrants to the US / people outside the US / people who went straight into a career from high school.

I did go to college, but that was a decade ago, and I no longer have an edu address.

It looks like the service is targeted at students (US based) and academic researchers. If this is the case, the the email filter makes sense... especially for a launch. It’s not perfect, but a good start.

Why assume nefarious motivations?

Not necessarily nefarious, just myopic.

Why would you want to require a .edu? Seems like it closes it off to a lot of people (especially globally, but also within the US).

Sounds a bit like elitism. It asumes that people with .edu addresses are somehow better as first users.

GP maybe has Facebook in mind that did exactly this.

That was when facebook was meant as an internal platform for colleges though, I don't understand why a platform for hosting bios/resumes publicly would want/need that restriction.

3rd party tracking works fine without JS.

Early in my career I made an access log analyzer, 2005ish. I never browsed the web normally after that. That’d be a good primer exercise for people learning to code, with lessons beyond coding in itself.

Anywhere else and I’d agree but this is hacker news where the hive mind has decided otherwise.

Nice! I'm creating something similar[0] in Clojure, as my first attempt at a Clojure project. It's still super early stage, but the author of plumebio is free to run it and get inspiration from the generated CV html/css page.

If I have more time, what I'd strife for with this project is to become a competitor of LinkedIn (e.g.), but with only private profiles. Companies are then charged when they query for people with skills/certificates that they are interested in. Or they'll pay a subscription for unlimited querying. Users know they are not tracked by the platform itself, and companies that query users agree to a (TBD) license that limits their usage for HR goals.

It'll provide public statistics on what companies query for, so if users with Java experience see that Kotlin is queried more than Java, they'll have an indication of what skill to invest their time in. (Just an example.)

[0] https://github.com/harryvederci/resumator (Any Clojurians that find this subject interesting, feel free to contribute.)

Interesting idea for a business model. How would you get users on board though?

For now I'm creating it as a tool that I'll use to generate my own CV + website, so even without the whole "compete with the likes of LinkedIn" idea, I'll get value out of the time I invested in it.

The next phase will be to share it with colleagues and friends, to get some early feedback going. Then I'll expand it from a self-hosted website (/ tool to generate your CV from your local machine) to a hosted platform where people can sign up.

Then I'll probably first market it to a business sector (/ Reddit groups e.g.) with a higher-than-usual amount of privacy-concerned people. Then branch out if it's successful.

Note that I'm just brainstorming here, it's not like I've done something like this before myself.

What I'd like even more than trying to turn this into a profit-oriented company is to do something more philosophical/political. Hear me out:

1. Create the Resumator tool, and turn it into a platform, as described above.

2. Create a charity organisation that owns the platform, uses the generated income to maintain it, and invests into other like-minded charity organisations.

3. Get governments to support the platform + foundation. They could even self-host Resumator themselves, and make it mandatory for recruitment to be done through the platform. Right now, if a Dutch organisation needs a Java developer, they can create an "easy apply" LinkedIn vacancy. A (probably also Dutch) Java developer now has to spend spare time (or even time in which they are supposed to be working for their current employer) searching LinkedIn for that vacancy. If they click it, the organisation that posted the vacancy pays Microsoft (/LinkedIn) money. So a Dutch employee was less productive because they had to search for a new job instead of just getting an offer, a Dutch company had to pay money to hire that employee, and now the previous employer will pay LinkedIn (/competitors) money. When will the government realise that this money that is going to $usa_based_company can go to its own tax paying citizens?

0. And at the very least, create an API standard for CVs. It's strange to me that it's 2020 and we still have to share PDFs to get a job, where each CV has a different layout, and the person reading it has to look for the relevant section again and again. And often after that, we still have to create a Workday/whatever account and put in the same information again.

Edit: Oh and no more of this "talking to independent recruiters" nonsense. Companies can query for profiles themselves, no need to add more middle-men in between that add no value whatsoever.

Seems like a solid plan. Good luck, I'd love for this to take off.

Edit: Bah, brainfart. Do you have a repo where I can follow this?

Thanks! This is the repo: https://github.com/harryvederci/resumator

Congratulations on the launch!

I would like to inform anyone working on such bio website that there is a need gap for a universal employee verification system which works to independently verify employee experience even if the former company has shut its shop[1]. LinkedIn could have addressed that problem, but it chose to become another cat videos platform(I personally have nothing against cats).

[1]https://needgap.com/problems/54-better-employee-verification... (Disclaimer: My problem validation platform)

I clicked on your link and read the problem. It's the problem of asserting authenticity of a claim all over again, and doing it in way that can be trusted by both parties.

An applicant makes a claim about a former position, but there's no way of verifying the veracity of that claim. There's no notarized and properly archived record which allows verification of the authenticity claim.

So, any 3rd party service that claims to be able to verify authenticity invariably acts as a neutral, impartial, trusted authority. In essence, this what a notary or notary public does in the analogue world.

If such a service would be a private business, it's impartiality can and will automatically be contested - as per your example in the link. You could look towards the public administration and set up a publicly governed system (e.g. tied to public pension rights) which registers employment. But such a system would also come with a few fundamental questions regarding trust and privacy. And finally, you could look into a distributed network of actors verifying each other through block chain technology, but that still doesn't solve the problem of governing those actors and how they behave.

In my corner of the world, employers are legally obliged to hand out a signed form to leaving employees that confirms their erstwhile employment. It's entirely up to employees to produce those copies when asked to verify the claims they make on their resume, and employers are free to take this into account as a formal condition to consider an applicant. It's also up to applicants to seek and reach out to their previous employers and secure a document if they didn't receive one, even when those have dissolved. This system puts the responsibility entirely with the employee, which may, arguably, be the best of all the bad options out there.

Good points, I agree with all of them. A private organisation which hosts a universal employee verification system requires utmost trust and accountability. Making organisations accept its authority on it as a private organisation would itself be a huge problem to solve.

>In my corner of the world, employers are legally obliged to hand out a signed form to leaving employees that confirms their erstwhile employment.

It is common in my region as well. But the issue as the person who posted the problem says, is the 3rd party independent verification companies which verify past experience of a candidate on behalf the future company; they have no idea about how a email system works and require email from a company which has long gone.

How does "built-in privacy" hold up when the bios are basically public?

It looks like the generated links are just based on the person's name as well, so it would be pretty easy to find a lot of people fast. Letting the user generate UUID (or something) based URLs that are valid for a limited time only should be standard.

I am suspicious at the lack of a "pricing" tab. It's free of ads, they won't sell my data, they're "here to help me" - so who's paying to maintain this? Should I use this if I don't know it will still be around in 3 months?

This webapp seems extremely trivial, unless there is some long term play to take on the likes of LinkedIn?

You need js to copy everyone's clipboard ;)

I think this is a neat project - congratulations on getting it out there.

I would love for the page to have more polish - maybe you could do it all using CSS and not JS :) about.me does a good job of this. I say this as a grudging backend developer: the "designy-ness" really does work to help any page seem more credible.

Curious: is it your intention to make money with this project? On the one hand, awesome that you're doing this for free and presumably trying to get users. On the other, I myself would worry that the service "might go away one day", and although charging doesn't prevent that, it may be useful to find some way to better communicate the trustworthiness of your application not just in terms of privacy, but longevity too.

Nice work!

I actually really like this look, see https://git.sr.ht or https://100r.co/site/home.html for similar aesthetics.

> Academic email (.edu), to verify your affiliation.

Uh, why? And since it's just a free text field, what makes it better than me just hosting something on my own?

There appears to be some issues with scrubbing input data (or escaping it when output): https://imgur.com/a/IUBHLsa

Can you support ".ac.ccTLD" as well? Many countries [1] use that for educational institutes.

    [1]: https://en.wikipedia.org/wiki/.ac_(second-level_domain)

If OP really only wants to allow academic email addresses, they could use the domains from JetBrains' swot repository: https://github.com/JetBrains/swot/tree/master/lib/domains

This likely uses swot as the data source, but offers an API as well: https://github.com/Hipo/university-domains-list

I would be surprised if a page like that needed JS at all

No ordinary pages need JS.

Sadly the majority of newer ones never seems to have got that memo.

So true, that could be a simple static html page.

I'd love to see something like this replace LinkedIn. But I guess it needs a few more features before that happens.

Microsoft owns LinkedIn and GitHub. GitHub has “profile readmes” now. I expect us to (unfortunately) trend this direction.

Most people would just use their github profile and readme. It tells a better story.

It would be nice if there was something like this that worked with PGP identities. The public version could just be indexed off the fingerprint. The private version would have to involve signing something, probably just the fingerprint.

Keybase doesn't do this explicitly, but would be in a good position to do so. It's all about identities, including PGP keys. The profile page currently only shows your identities elsewhere, but they do have a "public folder" which could host a bio. They would need to do something similiar to Github profile readmes so that a specific folder or files show up on your profile. They might even have that as a feature and I'm just not aware of it.

- profile page: https://keybase.io/ytjohn/

- public folder: https://keybase.pub/ytjohn/

- github profile readme: https://www.aboutmonica.com/blog/how-to-create-a-github-prof...

UPDATE: They do let you create a homepage with an index.md or index.html. (https://ytjohn.keybase.pub/). However, you would be on your own getting the information from your profile page onto your public webpage. You would just be hosting a static page and not benefiting from the verified identity portion on the profile page.

After zoom acquisition, I ditched keybase and I think a lot of keybase users feel the same way. [0]The original blog post didn't inspire much confidence in the future.

0] https://keybase.io/blog/keybase-joins-zoomffering/

how to find new people . Even after creating new account it is not showing any people or explore page

It is remaining as the same but with log out button that's it nothing is coming up

Put your name on the website and tell the user who you are. The privacy pitch is silly if the user is to share his data with faceless nameless entities.

The “Mark” example links to papers where Mark isn’t an author.

Fake it 'til you make it! I imagine they don't actually have a published author on the site yet?

I know this is pretty harsh, but seeing justified margins immediately makes me hit the back button.

Do you mean container margins? The text is left justified and I don't see any difference between that site and HN.

The text is treated with `text-align: justify`, which can look pretty rough in small screen sizes where you have fewer words per line. In my opinion, it both looks bad and hurts readability.

For me it's left justified on desktop but flush justified on mobile (Android Chrome).

The left justified desktop version looks fine, but the flush justified mobile version is kind of ugly.

Oddly enough, even if I select "desktop site" in the Chrome menu on mobile, it is still flush justified.

Web authors: don't use flush justified text. It never helps you, and usually hurts you.

Gosh, as long as I'm nitpicking, here's another one. If I click New Bio, it lists my location as:


No, no, no! Proper names should never be forced into ALL CAPS. Besides being wrong and ugly, it makes me think you coded the site in COBOL.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact