1. 32
  1.  

  2. 45

    Your original 600MB tracking pixel was a pain in the ass, I’m sure everybody who accessed the website using limited cellular data is very fond of you.

    1. 16

      Especially during a weekend where many (at least Europeans) were traveling.

      Also keep in mind that a lot of people outside the US (i.e. Europe) are on 500MB/1GB plans, so you burn through that with LTE very quickly. And not everyone can afford to buy extra data. This is extremely rude.

      1. 4

        Well even as an American, I accessed this site and that page over my cellular connection. Sigh, even with a 10GiB monthly cap that probably used up a ton of data pointlessly.

      2. 3

        … I was wondering how I ran out of data 4 days early this month.

        1. 3

          I, well, believe it should count as part of the experience.

          1. 2

            You don’t RSS your mobile feeds?

            1. 3

              I haven’t used RSS since like 2009.

              1. 6

                But it was 2002, at least according to the post dates!

                1. 4

                  We have https, too, to make sure those dates weren’t tampered with in transit.

          2. 24

            | Someone is using Sailfish OS / Maemo

            That’s Me!!!

            1. 11

              If I were an admin on a phpBB board, I would suspend or ban people who tracked my users without their consent, especially if it was by way of a 600MB tracking file. @pushcx

              1. 8

                If the forum allows it, anyone who can link an image in their signature is “tracking” users and has access to this information.

                The 600MB file, I’d agree with, though.

                1. 0

                  By the way, it was pushcx himself who replaced the big image with a humorous remark. Might not have been the brightest idea to put it there in the first place.

                2. 4

                  The lack of response or action from @pushcx is sad to say the least.

                  1. 3

                    He was there when it happened. They saw the picture, people joked on it, pushcx removed it, put his own comment on it into my signature, i liked it, other people liked it, i kept it. Some people had a good laugh. At this point, i was still assuming that most lobste.rs users were on desktop.

                    After compiling the statistics, i felt like, “Oh shit”. Mistakes were made. I can’t turn that back now.

                    You should have been there when it happened, then maybe you would have a different perspective on it. I don’t want that pushcx now gets shit from people missing context. Mistakes were made.

                    1. 1

                      Just because @pushcx was “there” when it happened doesn’t mean that it’s OK. You abused the trust we all have in this website and I’m starting to feel like @pushcx is abusing my trust in him as the sysop to act fairly across the board. Not only did you pry into the privacy of users, you wasted their time, money and energy doing so.

                      1. 2

                        users weren’t required to download his tracking pixel. they chose to run software that would download it by default. i consider this a lesson about the state of our software ecosystem.

                        1. 5

                          This is a strawman. Every browser behaves this way. What is the lesson supposed to be? Do not trust lobste.rs and move to a better community?

                          1. 2

                            are you using the term strawman to refer to any argument you disagree with? or did i actually construct some sort of strawman?

                            lynx doesn’t behave this way. firefox doesn’t behave this way, with 3rd party images disabled in matrix. the tor browser would not leak data this way. the lesson is that the web is a hostile environment because we allow it to be. if we all used more secure browsers, sites that are broken by the security features would lose traffic. but we allow it to happen.

                            1. 0

                              No, the lesson should be do not trust the browser.

                              1. 3

                                so you have a whitelist of domains that you trust or how do you use the www?

                                1. 1

                                  I try to use it as little as possible and when I use it, I consider it a hostile attacker that I don’t trust.

                                  If at some point there will be a bitcoin miner on the site, I won’t consider myself betrayed by anyone, as nobody made any promise to me, nor I expected anything from anyone. I will simply move on with my life. If I am concerned about blowing through my data allowance, I won’t visit random websites in the first place.

                                  It seems that currently there aren’t any javascript bitcoin miners here on this site, but I have no expectations that there won’t be any tomorrow or some other day.

                    2. 2

                      Probably worth probation for a week or two.

                      Hey, if we are doing the 2000s BB thing, let’s go all in! ;)

                    3. 11

                      Hi,

                      It’s my personal opinion (I haven’t synced with @pushcx about this) that allowing image embeds was a bad idea - I’d go so far as to say irresponsible, as several of you have. It opened the way to privacy violations of the type @liwakura’s post exemplifies, as well as wasting people’s bandwidth. I’m actually a bit surprised that the bandwidth is the bigger concern for most of you, but that’s my personal bias.

                      With that said, as somebody who reviews a lot of launches, I know that it’s always easy to miss things. It’s always about asking myself “what’s missing from this picture” - what part of the implications isn’t part of the write-up, which is going to be a surprise later. I wasn’t in the loop about the April Fools theme change, but I don’t blame @pushcx for not thinking about the implications of allowing embeds. It was one small detail in a much bigger effort, and it’s a lot more obvious in hindsight than it would have been while writing it.

                      Catching every negative consequence of a new feature is a lot of work, and I imagine it was overshadowed by the work of building something meant to be fun - it must have been a significant amount of engineering work to build. I hope some of you did enjoy it. I personally didn’t like the UX, but I thought it was hilarious, and I probably would have agreed with the general concept if I’d been asked.

                      I ask everyone to try not to argue with each other. Yes, mistakes were made. We’ll have to talk through what action is appropriate as mods, if any. Meanwhile, I ask people to show empathy for each other and not let this devolve into arguments. I promise that your concerns have been heard.

                      Thanks,

                      Irene

                      1. 7

                        This is a solid roundup. I’m sorry I didn’t think to proxy the images, I missed the privacy issue. @liwakura missed the consequences of his prank and has apologized and, no, I’m not going to ban him for it.

                        1. 6

                          In addition to what Irene said, i want to apologize for the harm i caused to several users. Mistakes were made, forgetting about mobile crustaceans was one of them.

                          For the people worrying about the data: My logs are stripped of the last 8 bits of IPv4 and last 64 bits of IPv6 addresses. The data points i have are thus not traceable to your home or phone.

                          I also want to encourage the community to keep calm, i’ll be cooperating with the staff to address open concerns.

                          1. 4

                            Thank you! I am glad to move forward from here.

                          2. 2

                            Thanks for taking time to address this. I’ll leave it to y’all as to how.

                            Far as you wondering about data used vs stolen, many folks (me included) assume about anything online might get hit by hackers at some point. Double true if it’s not designed for security like a forum software. We just hope to be notified so we can change passwords, tell friends why they’re getting odd emails, etc. Whereas, data use on mobile is something that might cost us money directly or even cut off our ability to receive important communications.

                            So, at least for those like me, we’d find a data leak (esp non-malicious) to be eyerolling or irritating with its hypotheticals whereas massive data use might do real damage. This time I was lucky enough to have a good plan. :)

                            1. 2

                              That explanation makes sense. Thank you.

                            2. 2

                              I get your point, but maybe we did not need the “launch” in question at all. I personally find all these April Fools things super annoying. Maybe less is more and next year lobste.rs is not participating. That would be great.

                              1. 3

                                I definitely consider that a valid option. I feel bad telling other people not to have fun, but I’m not really a fan of April Fool’s.

                                I can promise your view is noted and will be weighed for next year.

                            3. 8

                              What was the reason behind the 600MB tracking pixel?

                              1. 5

                                Protest against lobste.rs april fools theme, intentionally abusing the new functionality.

                                Somehow nobody is bothered that i shouldn’t have been able to get the visitor information in the first place.

                                1. 8

                                  I hated the AF joke too, but now I’m more irritated at you for taking it out on us other victims through cell fees instead of directing your lack of gruntle at the admins.

                                  1. 7

                                    Protesting by harming the visitors of the page is very odd. You are not abusing new functionality, you are abusing people’s trust in the website. Also, you haven’t harmed lobste.rs, but its visitors.

                                    Maybe people protest because tracking doesn’t make lobste.rs worse than any other page they visit, but burning mobile bandwidth of that size is rather unusual? That’s a direct economic damage and people on a visit outside of their country might suddenly be caught with no data. Just sayin’.

                                    1. 0

                                      Honestly, i thought mobile users were a small minority. So, the data plan drain wasn’t intended.

                                      1. 6

                                        Intention is a very bad defense. Maybe think stuff through next time.

                                        A “sorry”, for example, would go a long way.

                                    2. 5

                                      Embedding a big hotlinked animated gif in your sig, which you then grep Apache logs for to get traffic info, does feel very 2002.

                                      1. 3

                                        Somehow nobody is bothered that i shouldn’t have been able to get the visitor information in the first place.

                                        I’m very surprised at the lack of reaction about this, too. This was my first thought when I realized you weren’t an admin.

                                        1. 2

                                          I added a clarification note to the top of the post… i think people did miss i’m just a regular user.

                                        2. 2

                                          Gotcha, I thought you were an admin/mod when I read the blog entry.

                                          How did you get the visitor information? Was that from requests to pull your tracking pixel?

                                          1. 2

                                            The AF joke enabled a privacy vulnerability via hotlinked images which allows for third-party tracking.

                                            1. 2

                                              Exactly. All pictures in the signatures caused GET requests to user-chosen urls.

                                            2. 2

                                              Knowing that this was intentional abuse, I feel much more strongly that this needs to result in a ban. @pushcx

                                              1. 1

                                                Context you are missing: It was him who removed it.

                                                1. [Comment removed by author]

                                                  1. 1

                                                    And that changes things? It’s an obvious and reasonable first response, not precluding anything else.

                                                  2. 1

                                                    I’d agree 100% – the fact that it’s an abuse of trust makes me vote for a perma-ban.

                                              2. 13

                                                If you use a 600MB tracking pixel, please stay off the internet. Honestly, this is very rude.

                                                1. 3

                                                  Two instances of Windows XP

                                                  That brings back good and bad memories… That might have been me in one instance.

                                                  1. 2

                                                    | That brings back good and bad memories…

                                                    Yeah, I remember XP…

                                                    | That might have been me in one instance.

                                                    | That brings back good and bad memories…

                                                    Was your weekend okay?

                                                    1. 3

                                                      I was testing out some stuff in a Windows XP SP1 VM. It’s a bit fuzzy since I might not have been fully sober at the time but I dimly recall visiting lobsters.

                                                  2. 3

                                                    Yeah, I didn’t stick around. I found the interface really horrible.

                                                    1. 3

                                                      A single user is using the AdGuard extension, which always sets the referrer to http://adguard.com/referrer.html. This makes this user unique across the dataset

                                                      That must be me, though I didn’t know it did that.

                                                      Edit: it doesn’t seem to do that, hmm…

                                                      1. 2

                                                        Probably me.

                                                        1. 1

                                                          sounds like possibly a weird interaction between two extensions. I have had my referrer blocker cough up some weird stuff when I tried to get too clever with uMatrix.

                                                          1. 2

                                                            I don’t have any other extensions, though.

                                                            Looking at AdGuard’s website they seem to sell some snakeoil that you are supposed to run locally. I don’t use that, just the Safari extension that doesn’t require running any desktop software. Maybe it’s that other AdGuard that does this?

                                                            Related to all of this, can anyone recommend a good ad blocker for Safari that uses the Safari content-block API? I use AdGuard because it works like this, rather than using Javascript injection while still giving me a control panel. I’m happy to switch to something better if I find an alternative.

                                                            1. 1

                                                              AdGuard sells a local HTTP/S proxy that you can route all your traffic through. It’s an approach I prefer to a browser plugin or messing around with a hosts file.

                                                              1. 1

                                                                A Safari content-blocking extension is a little more than a bunch of regular expressions, not really a browser plugin in the Firefox/Chrome sense.

                                                                1. 1

                                                                  Yeah, true, but as I use a SSB for some things, and a separate work and personal browser … I like just funneling all my traffic through one location.

                                                        2. 2

                                                          How many OpenBSD users? Note that the user-agent for chromium on OpenBSD contains (X11; OpenBSD amd64; Linux x86_64) because of sites that serve degraded pages when they don’t recognise the OS.

                                                          1. 2

                                                            TIL! Seems to be 12 unique IP addresses (10 unique user agents) that have both Linux and OpenBSD in their agents, another one with FreeBSD.

                                                          2. 2

                                                            894 distinct user agents were spotted; 4646 distinct IP addresses

                                                            Wow…. that seems…. odd.

                                                            Hmm.

                                                            http://useragentstring.com/pages/useragentstring.php/

                                                            That would suggest most of those distinct IP addresses are bots and crawlers of some ilk.

                                                            Although I probably would show up as a firefox browser and a feedbro feed reader.

                                                            1. 3

                                                              Lobsters gets its fair share of bots and I got the impression they stepped up their crawling with so much “content change”.

                                                              If folks are curious about these sorts of stats, they can write queries I’ll run on prod logs.

                                                              1. 2

                                                                Could also be IPv6 with privacy extensions.

                                                                1. 1

                                                                  I think it’s caused by the fact that many users have identical user agent strings.

                                                                  1. 1

                                                                    Well, no, that’s what is odd.

                                                                    That’s about 5 ip address per user agent.

                                                                    If one made the reasonable assumption everybody is on maybe one of the later firefox, internet exploder or opera browsers. Ok. Let’s be generous and assume each of the major browsers each have maybe 5 versions represented… that’s about 50 different user agents.

                                                                    Usage share of all browsers

                                                                    | Browser | Usage share |
                                                                    |---|---|
                                                                    | Chrome | 57.46% |
                                                                    | Safari | 14.39% |
                                                                    | UC | 7.91% |
                                                                    | Firefox | 5.5% |
                                                                    | Opera | 3.69% |
                                                                    | IE | 3.06% |
                                                                    | Samsung Internet | 2.92% |
                                                                    | Edge | 1.86% |
                                                                    | Android | 1.72% |
                                                                    | Others | 1.47% |

                                                                    Still suggests to me a lot of things other than humans are reading lobste.rs

                                                                    1. 1

                                                                      User agent strings are highly distinctive. They tend to include exact point releases of browsers, OSes, and often multiple shared libraries. These numbers look typical to me.

                                                                2. 2

                                                                  I’d love to know how many Seamonkey users there were, in the shallow hope of beating the Opera users.

                                                                  Is @liwakura == nero?

                                                                  1. 2

                                                                    Seamonkey 4, Opera 7.

                                                                    Yes. I checked the box that im the author of the submitted story, so my nick should be light-blue.

                                                                    1. 1

                                                                      Thanks liwakura. I still see that as a small victory :)

                                                                    2. 2

                                                                      Used to use seamonkey, but latest firefox was just too damn fast so i switched. When seamonkey gets the latest engine, maybe i’ll switch back.

                                                                      1. 2

                                                                        I don’t know if that will ever happen. I’m not sure there is the man-power.

                                                                        Seamonkey has always been “Firefox but more sane”. Whilst it’s slipping, I think there’s still a need for a project that does this (but uses the quantum- code).

                                                                      2. 1

                                                                        I’d really like to use anything that isn’t Firefox, but addons seem to be a problem with Seamonkey - how do people get around that?

                                                                        1. 2

                                                                          There’s an extension that adds an ‘addon history’ thingamabob to the addons site, so you can select older versions of addons:

                                                                          https://github.com/lemon-juice/AMO-Browsing-for-SeaMonkey

                                                                          It’s really imperfect and I have older addons breaking. My heart may soon follow.

                                                                      3. 1

                                                                        There were 5 or so Opera users

                                                                        Hello! (Both on Linux and on Android, probably.)

                                                                        Someone is using Sailfish OS / Maemo

                                                                        Sometimes I do, but it wasn’t me this time.
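
Added example (not part of the thread, and not the tooling any commenter used): the log truncation described above, dropping the last 8 bits of IPv4 and the last 64 bits of IPv6 addresses, applied to constructed access-log lines, together with a check for Referer values that still single out one client after truncation, as with the AdGuard referrer quoted in the thread. The Apache combined log format, the `/sig.gif` path and every address and user agent in the sample are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Apache "combined" format. Addresses come from the
# documentation ranges; nothing here is data from the post being discussed.
SAMPLE_LOG = """\
198.51.100.23 - - [01/Apr/2018:10:00:01 +0000] "GET /sig.gif HTTP/1.1" 200 1024 "https://lobste.rs/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/59.0"
198.51.100.77 - - [01/Apr/2018:10:00:05 +0000] "GET /sig.gif HTTP/1.1" 200 1024 "https://lobste.rs/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/59.0"
203.0.113.5 - - [01/Apr/2018:10:01:00 +0000] "GET /sig.gif HTTP/1.1" 200 1024 "https://lobste.rs/" "Mozilla/5.0 (X11; OpenBSD amd64; Linux x86_64) Chrome/65.0"
2001:db8:1:2:aaaa:bbbb:cccc:dddd - - [01/Apr/2018:10:02:00 +0000] "GET /sig.gif HTTP/1.1" 200 1024 "https://lobste.rs/" "Mozilla/5.0 (Macintosh) Safari/604.1"
2001:db8:1:2:1111:2222:3333:4444 - - [01/Apr/2018:10:03:00 +0000] "GET /sig.gif HTTP/1.1" 200 1024 "https://lobste.rs/" "Mozilla/5.0 (Macintosh) Safari/604.1"
192.0.2.9 - - [01/Apr/2018:10:04:00 +0000] "GET /sig.gif HTTP/1.1" 200 1024 "http://adguard.com/referrer.html" "Mozilla/5.0 (Macintosh) Safari/604.1"
this line is truncated and does not parse
"""

# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"$'
)


def truncate_ip(addr: str) -> str:
    """Zero the last 8 bits of an IPv4 address or the last 64 bits of an IPv6 one."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 64
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def summarize(log_text: str) -> dict:
    """Count distinct clients before and after truncation, and list Referer
    values that were only ever sent from a single truncated prefix."""
    raw_ips, prefixes, agents = set(), set(), set()
    referer_prefixes = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        host, referer, agent = m.groups()
        try:
            prefix = truncate_ip(host)
        except ValueError:  # host field is not an IP address
            skipped += 1
            continue
        raw_ips.add(host)
        prefixes.add(prefix)
        agents.add(agent)
        referer_prefixes[referer].add(prefix)
    singletons = sorted(r for r, p in referer_prefixes.items() if len(p) == 1)
    return {
        "raw_ips": len(raw_ips),
        "truncated_ips": len(prefixes),
        "user_agents": len(agents),
        "singleton_referers": singletons,
        "skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Truncation merges the two IPv4 clients in the same /24 and the two IPv6 addresses in the same /64, but the request carrying the one-off Referer remains distinguishable by that header alone.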