Threads for jefftk

  1. 4

    Turns out it was a mistake:

    YouTube spokesperson confirmed to The Verge that Cyber Weapons Lab’s channel was flagged by mistake and the videos have since been reinstated. “With the massive volume of videos on our site, sometimes we make the wrong call,” the spokesperson said. “We have an appeals process in place for users, and when it’s brought to our attention that a video has been removed mistakenly, we act quickly to reinstate it.”

    https://www.theverge.com/2019/7/3/20681586/youtube-ban-instructional-hacking-phishing-videos-cyber-weapons-lab-strike

    (Disclosure: I work for Google)

    1. 4

      “With the massive volume of videos on our site, sometimes we make the wrong call,” the spokesperson said. “We have an appeals process in place for users, and when it’s brought to our attention that a video has been removed mistakenly, we act quickly to reinstate it.”

      This is in and of itself a good reason to self-host rather than relying on Google. The expectation that content should be available if and only if Google approves, perhaps after a manual approval process, is terrible.

      1. 2

        In this case the video was available immediately, but moderators took it down after misinterpreting site policies. Then when it was appealed moderators realized that policy did allow it, and they reinstated it. That seems pretty reasonable to me? Like, you can’t allow all videos (ones you legally can’t host, incitement to violence, probably porn, probably gore, etc) and wherever you draw your lines you need moderators to make decisions about what side videos are on. Some of those decisions will be wrong, and in that case you have appeals and reconsider the decision. The policies, enforcement, and appeals process could all be better (though of course we only hear about the cases where they decide poorly) but the general outline makes sense to me.

        When I hear people’s ideas for how a decentralized replacement of YouTube would work, it seems to me like while you solve this for hosting (anyone can host anything, subject to legality) you’d need similar processes in whatever system you end up with for content discovery and promotion. How do you imagine this working?

    1. 6

      You can tell Firefox to use a profile (-profile) and delete that profile when you’re done. Or you can use Firefox’s excellent profile management tools. Or any of the many extensions.

      A custom $HOME that you delete after should work but is pretty hacky.

      1. 4

        Yeah, that whole $HOME remapping is actually getting me off, while Firefox only maintains its profile at ~/.mozilla/firefox/*.profile, no other XDG directories are lost.

      1. 10

        This feels like it misses that a lot of this complexity is there because people like it, not just because of “fighting for attention”. Major things gopher lacks:

        • Being able to include images, as illustrations or to discuss them

        • Text that looks good on a wide range of devices. Hard word wraps assume a number of characters per line that doesn’t work for phones.

        • Communications that can’t be observed or modified by anyone who happens to be on the network path between you and the server.

        Only the last one is fundamentally complex, but these all provide real value.

        1. 1

          Images can be transferred by gopher but not displayed inline. I don’t think this is necessarily a bad thing: usually, when I see an image on the web, I have not wanted to see it, & to the extent that I do want to see such images, I would find it completely acceptable to have performed another operation to download and display it.

          Hard word wraps, certainly, are bad style and should not be used (on gopher or elsewhere). Every text display system is capable of character-wrapping on lines (if not word-wrapping). This is not a problem with gopher, but a problem with the people who write documents for gopher.

          Crypto is useful if (1) a MITM has a reason to modify content, or (2) a MITM has a reason to intercept content. In the absence of stuff like authentication & authorization (stuff bolted onto the side of HTTP by Netscape), gopher documents are mostly static & gopher users are practically (if not reliably) anonymous – in other words, no secret information should ever be transmitted over the protocol, nor should information ever be tailored to individual users in any way. (After all, gopher is so stateless that it closes the socket after writing a response.) Despite some folks trying really hard to bolt crypto onto gopher, I hope they do not meet with success, because the inability to target users or perform commerce on gopher is what keeps it usable as a hypertext system.

          The complexity of the web is not because ‘people like it’ but because features were deemed useful for potential profit centers & added without thinking the consequences through. Any system built organically by beginners will eventually end up looking like the web.

          Anyway, I don’t think the primary thrust of this essay is promoting gopher. Instead, gopher is an example of how to get 90% of the desirable functionality with less than 1% of the code (and less than 1% of the undesirable stuff).

          My own (very strong) take: HTML (all of it) is a bug; HTTP (most of it) too; CSS is a collection of bugs intended to work around HTML’s limitations without actually fixing them, and ends up merely adding complexity. There is no utility in preserving a knot of technical debt this way. The features added largely should either not exist or should have been provided by already-existing facilities (that could not be used because of problems introduced by poor design).

          1. 2

            I want to focus on crypto, because that’s both the most complex feature we’re talking about and the one with the strongest case for it. Consider the case where gopher or something else similarly simple succeeds to the point where it’s an important protocol that a lot of information people care about is transmitted across. Sure, responses are not individually tailored, which means the information shouldn’t be secret, but there are at least two ways you still need crypto:

            • Without it other people can tell what you’re reading. You should be able to read things without your ISP/coffee shop/government knowing.

            • Without it other people can modify the content. This includes the range from public WiFi inserting ads into responses (simple text ads would still be commercially viable to inject if gopher/etc took off) to governments modifying news coverage or editorials to support their position.

            1. 1

              That’s true, but consider possible threat models. Why do people care what you’re reading? Why do people want to change the content?

              In the absence of commerce & personalization, vast third party commercial enterprises have no reason to do drag-net surveillance (they don’t care what you’re reading because they don’t know who you are) or to change data (they don’t know who you are or what you’ve been reading, so they have no reason to believe they can improve revenue by changing ads, nor does inserting ads make as much economic sense).

              In other words, your threat model is substantially less vague: you only need to care about secrecy if you personally know of specific organizations with a specific interest in specifically you, & you only need to care about anti-tamper if you specifically know a MITM has reason to change your stream (to feed you modified information for political reasons or something).

              If either of those things are true, it makes sense to use crypto for gopher. The appropriate way is probably to use ssh tunneling or tor, both of which already work & require no changes to the protocol.

              1. 3

                You’re forgetting authoritarian governments who have a vested interest in controlling the information their citizens consume.

                1. 1

                  An authoritarian government is a known specific organization acting as a MITM with reason to change your stream. I intentionally specified the threat model to include that. Even so, authoritarian governments don’t want to intercept or modify all content – only certain types that are generally predictable.

                2. 2

                  That’s true, but consider possible threat models. Why do people care what you’re reading? Why do people want to change the content?

                  To inject advertising and make an extra few cents. There are already instances of ISPs doing this.

                  1. 1

                    People barely pay for targeted advertising (like, a couple cents for a few hundred click-throughs – not even impressions). What makes you think anybody will consider it viable to pay for advertising to be injected on a platform that supports neither tracking nor click-through metrics?

                    1. 3

                      People barely pay for targeted advertising (like, a couple cents for a few hundred click-throughs – not even impressions).

                      This sounds way off. Quickly searching I see AdStage claiming “In Q1 2018, advertisers spent, on average, $2.80 per thousand impressions (CPM), and $0.75 per click (CPC). The average click-through rate (CTR) on the GDN was 0.35%.” Those are in line with what I’d expect to see, and would be $75 for a hundred click-throughs, not $0.02. And this is for a mixture of personalized and unpersonalized ads, since it’s an average across the GDN.

                      There’s also content-based targeting: inserting ads for credit cards into someone’s post on how to choose a credit card would be very profitable.

                      What makes you think anybody will consider it viable to pay for advertising to be injected on a platform that supports neither tracking nor click-through metrics?

                      Advertisers bought ads before the internet, and still buy ads in untracked media: billboards, tv spots, radio, etc. Personalized ads are worth more, sure, but not so much that only personalized ads are worth running.

                      You also can still track clicks through URL decoration. This is like when you see an ad on the subway and it gives a url like www.example.com/subway.

                      1. 1

                        This sounds way off.

                        Numbers are from my experience running ads on blogs & personal websites since 2006. I have made a total of nine dollars and change from those ads, eight dollars of which come from a 2-month period in 2006 during which things were computed differently. I’ve had thousands of impressions and hundreds of click-throughs. Maybe my blogs were exceptionally hard to target or attracted only low-paying advertisers, or maybe AdStage’s metrics are biased by a handful of folks spending thousands on SEO or click farms.

                        Advertisers bought ads before the internet, and still buy ads in untracked media

                        You also can still track clicks through URL decoration.

                        Fair enough. I don’t think it’s a major risk, even in the case that gopher really takes off, on the grounds that the main lesson from adtech (and the falling price of personalized ads) is that even in the best-case scenario (micro-targeted ads with 100% tracking across sites), ads don’t work well enough to spend market rates on. That said, it’s not like people don’t regularly make terrible business decisions.

                        Tracking through URL decorations is definitely a thing, but I only really see it used in an influencer context (where somebody has a strong parasocial relationship with, say, a podcast host & so is disposed to include the tracking info when retyping a URL). With third party ad injection, impressions are unintentional on the part of the user and click-throughs are accidental. It’s very different from someone you trust recommending things to you. Techniques to turn accidental click-throughs into impulse purchases are less effective when you can’t make purchases through the same protocol, as well.

                        1. 1

                          Numbers are from my experience running ads on blogs & personal websites since 2006. I have made a total of nine dollars and change from those ads, eight dollars of which come from a 2-month period in 2006 during which things were computed differently. I’ve had thousands of impressions and hundreds of click-throughs.

                          Hundreds of click-throughs with thousands of impressions seems much higher than I’d expect; normally you see 0.1% to 1% as many clicks as impressions?

                          I’ve also had ads on my personal sites, going back to late 2010, though I had them turned off for a while 2015-2018. Checking AdSense, I see a CPM of $1.79, and a CPC of $0.54. These are also after AdSense’s 32% cut, which means advertisers are paying more like $0.80 CPCs.

                          (Disclosure: I work for Google, though I’m speaking only for myself)

                      2. 1

                        Because it would be so cheap to inject content into text as to make it worth it regardless of targeting or tracking. Look at spam email. Or how Google displayed ads in GMail based on text in the messages. That’s a level of targeting that might give it value.

                        You’d have to be part of the connection chain like an ISP or WiFi provider, unlike email where anyone can send mail to anyone. But “free” WiFi could have the ability to do this and someone might think it worth doing. A lot of stores (or places otherwise selling something) provide WiFi and would have an incentive to advertise in any plain text protocol if the tools were available to them.

                        1. 1

                          If you’re a large ISP & you have enough of a monopoly that you have no risk of losing customers by alienating them with injected ads, you have the potential to inject ads & perhaps the motive. (And, Comcast famously did this with targeted ads, replacing already-existing ads with their own.) But, that’s a lot more effort for less return than simply increasing your prices and lowering your quality of service.

                          If you’re using gopher and your ISP has started doing this, I would recommend using an encrypted tunnel. I do not think gopher ought to have out-of-the-box encryption. Gopher is nice because even a newbie programmer can implement a gopher server or a gopher client in a couple lines of code. Using a tunnel maintains that simplicity, while building encryption into the protocol means only crypto experts can write gopher implementations anymore.

                          1. 2

                            If you’re using gopher and your ISP has started doing this, I would recommend using an encrypted tunnel.

                            I agree. I think something like Tor is probably the best solution as it solves multiple problems such as protecting your IP, protecting your DNS queries, as well as protecting the data in transit. And as long as it’s not a hidden service only, it can be opted out of to maintain backwards compatibility or remain lightweight if someone doesn’t want/need the security.

            1. 6

              Nice article! Sorry to hear you found this to be a struggle. My key takeaways are:

              1. openring’s readme doesn’t actually tell you how to contribute [fixed]
              2. The page you land on when you finish registration should have a more obvious “how to contribute to projects on sourcehut” link. [fixed] Out of curiosity, did you click through the tutorials link? The tutorial that would have saved you isn’t there, but I’d like to know if it would have helped if it were.
              3. There should probably be a troubleshooting page for when you run into issues like these with git-send-email (this isn’t normal)
              1. 6

                The page you land on when you finish registration (…)

                As far as I understand sourcehut one doesn’t need an account to contribute. Maybe it would be beneficial to advertise it? (something like “you don’t need to register, just send e-mail to xyz”).

                1. 4

                  Hm, good point. I’ll work on that.

                2. 2

                  openring’s readme doesn’t actually tell you how to contribute [fixed]

                  Looks good!

                  did you click through the tutorials link?

                  I didn’t see one. I think I clicked on man and didn’t see anything relevant, and then gave up and decided to email a patch.

                  a troubleshooting page for when you run into issues like these with git-send-email

                  Part of why I wrote the blog post was so my error messages would show up to other people searching ;)

                  One thing I didn’t end up putting in the post was that there was actually another round of silliness: after I installed Net::SMTP::SSL and IO::Socket::SSL I didn’t notice that the error message I was getting had changed (I was getting sleepy) and I spent a while trying to figure out why they hadn’t installed properly (I thought maybe I’d selected the wrong value for local-vs-global?) Eventually I realized the error message was different and continued on.

                  1. 2

                    I didn’t see one. I think I clicked on man and didn’t see anything relevant, and then gave up and decided to email a patch.

                    Normally once you complete account registration you land on man’s index page, which has a (hopefully) attractive green button taking you to tutorials. Did something else happen for you?

                    1. 2

                      I don’t remember, sorry!

                      1. 4

                        Okay, no worries. I appreciate your feedback!