Looks like the noise generated by his post resulted in his repos and account page being restored. Even if he did violate their code of conduct, other people rely on his libraries, and it’s not cool to just disappear them like that.
It’s the appropriate action for GH to take in this day and age. There’s no real downside to them in banning people quickly, if there’s enough noise they can just undo it. But if the outrage machine decides “GitHub is hosting nazis” or whatever, then expensive (for the company) outcomes like conferences being abandoned can occur. Expect this to continue from platforms that host user content as special interests get better at leveraging the mob to get what they want.
Perhaps they don’t have such a fragile dependency on pulling third party libraries live at deployment time? I’m still amazed that so many production services do.
I’ve weighed in on this before. In my experience, things on lobste.rs that get both heavy upvotes and heavy downvotes tend to be on topics that both upvoters and downvoters regard as important. For example, they are often on diversity issues. The voting expresses people’s opinions on whether conversations around those issues should be allowed to happen. Applying a hotness modifier would privilege downvotes over upvotes, allowing a minority of people on the site to silence a majority.
I have seen this done, in practice, in other forums. Its effect has been to reduce the quality of discussion by penalizing controversy - however necessary the controversy might be. In fact, I actually campaigned to stop this practice on a communication platform internal to Google, where it was very clear that the formula had been chosen specifically to silence labor organization efforts. The company’s upper management even disseminated talking points about how it would be better this way, because we could all stop caring about ethics and focus on shiny toys. (That’s my summary, not their words…)
That campaign was unsuccessful, but here on lobste.rs we can do better - right?
The putative reason for allowing controversial stuff is to “let the minority speak”…and then there was the time recently where in the wee hours of the morning you deleted a submission about a fork of TempleOS over the author’s Github avatar since it referenced Nazis. Somehow that minority didn’t make the cut–and you were more than happy to let a minority of users who brought in concerns over the tackiness of the avatar overrule the majority of users (seriously, it was like 2-3:1) who just upvoted a neat fork of TempleOS.
In the case of RMS deathball, we had a massive ugly trashfire of stories for a week that just sat on the front page and harmed the community. All that happened was users got drawn into grumpy lines and proceeded to antagonize each other. That’s what controversial gets you–and while that is the bread and butter of various political extremist subgroups, for the rest of us it is a problem.
The failure mode of boosting downvotes is that you let people hasten the slide of controversial stuff.
The failure mode of not so doing so is abiding shitflinging that hurts the community.
Edit: just to be absolutely crystal clear here, we as Lobsters have demonstrated repeatedly that our aptitude for productively discussing technology with civility in no way extends outside of that domain.
We aren’t going to have wizened discussion about controversial things where we all take turns litigating the factual details of the case and being enlightened by different perspectives and worldviews, we are going to devolve into bickering over the evil feminists and Nazis and capitalists and whatever else. The most straightforward way around this is just to remove those controversial things.
The motte-and-bailey people want to pull here is justifying discussion of “controversial” submissions like rants about Go or whatever, but the real effect will be felt with culture war articles submitted under the guise of technology because “technology is inherently political”.
We aren’t going to have wizened discussion about controversial things where we all take turns litigating the factual details of the case and being enlightened by different perspectives and worldviews, we are going to devolve into bickering over the evil feminists and Nazis and capitalists and whatever else.
I’ve seen your comments improve drastically, taking conscious steps to avoid attacking people. Are you saying that others should be denied that same opportunity to discuss and grow and learn from each other?
The only way people learn and grow is through communication with people with whom they disagree. Sometimes they discover they’re right, sometimes they discover they’re wrong, and sometimes they discover that they’re both right and wrong in a fascinating mixture of self-discovery and improvement. I love that stuff. I want it around. I want people to have that opportunity.
The most straightforward way around this is just to remove those controversial things.
Or, you could click “Hide”. That seems way more straightforward to me.
I thank you for your points. I had been hoping I’d find time to write up my thoughts on them and reply, but unfortunately I don’t think that’s realistic. I do think that when there’s overt fighting for the sake of fighting, the moderation team does a decent job of shutting that down; however, as a member of the moderation team, it isn’t really for me to decide whether we’ve done a good job or not.
“Applying a hotness modifier would privilege downvotes over upvotes, allowing a minority of people on the site to silence a majority. I have seen this done, in practice, in other forums.”
…people already do that here to the degree they can. They’ve been clear they’ll take it further to keep the front page free of (thing they don’t like). It will definitely happen as you predicted.
What I don’t know is if it will escalate from there with back and forth among the two main groups penalizing each others’ submissions.
I think this is a fair critique. My suspicion is that most “controversial” pieces aren’t actually high-quality and the ones that are high-quality do much better. But I’d have to think of a database query to check this for certain.
For some reason, people have yet to learn to disagree with each other. They take things personally, get angry and refuse to entertain the idea that they might be wrong.
The solution is to help people to be better. Not to shut down the platform that enables their argument, nor to privilege downvotes over upvotes.
BTW, even if we could not stop people getting mad over people not agreeing with their ideology, the fact of the matter is that the argument itself is useful. Two sides present their best arguments, and for every angry person there are 10 more silently reading both sides and updating their world views.
If people care to spend their time clicking to vote, and to spend their time typing a response, they clearly care about the subject at discussion. And your response to that is to just make it so that the more people care, the less the subject is exposed? Shouldn’t it be the other way around?
And no, I don’t need you to tell me what stories I should or should not be able to see.
We should encourage discussion, and moderation should be used to maintain civility, to maximise the benefit of a conversation and minimise the downside.
There is no world in which two sides presenting their best arguments about the Holocaust is going to generate more good than harm to our community.
There is no world in which two sides in a subthread arguing about how to count trans people for demographic purposes in tech benefits our community.
There is no world in which closely parsing RMS’ remarks about various forms of consent and rape and Epstein and the media lab creates positive feelings about our community.
I used to be right there with you on “oh gee maybe these smart people will be able to have nuanced and productive discussions about topics that have non-technical aspects”…and then I ran repeatedly into lobsters that just couldn’t be reasoned with or who had to be shrill about everything.
From a practical point of view, kicking everybody out of the pub is both a fair and reasonable way to maintain decorum.
There is no world in which two sides presenting their best arguments about the Holocaust is going to generate more good than harm to our community.
About the holocaust? How can one argue about an event?
There is no world in which two sides in a subthread arguing about how to count trans people for demographic purposes in tech benefits our community.
I would say don’t count any people for demographic purposes at all.
There is no world in which closely parsing RMS’ remarks about various forms of consent and rape and Epstein and the media lab creates positive feelings about our community.
Discussions about difficult things have value even if you don’t feel good doing it. Doctors don’t look at a gaping wound because it’s pleasant, but because they need to know what to do to fix it. So even if this statement were true, it wouldn’t negate the need for discussion.
and then I ran repeatedly into lobsters that just couldn’t be reasoned with or who had to be shrill about everything.
If somebody cannot be reasoned with, then nobody should be allowed to voice their reason? Is that right?
From a practical point of view, kicking everybody out of the pub is both a fair and reasonable way to maintain decorum.
Decorum’s purpose is to enable social engagement. So removing social engagement to maintain decorum is cart-b4-horsing.
I would say don’t count any people for demographic purposes at all.
Please don’t chase red herrings.
Discussions about difficult things have value even if you don’t feel good doing it. Doctors don’t look at a gaping wound because it’s pleasant, but because they need to know what to do to fix it. So even if this statement were true, it wouldn’t negate the need for discussion.
Doctors don’t just look at unpleasant things for entertainment. They look at them because they have the power and the knowledge to do something about it.
Doctors don’t just look at unpleasant things for entertainment. They look at them because they have the power and the knowledge to do something about it.
And there is that “hide” button that @hwayne (and anyone else who feels the same) is welcome to use to hide the stories that so offend them. It was designed explicitly for that purpose. Don’t like the comments or story? Click “hide”. It’s not hard. There’s no need to penalize other people for enjoying a lively conversation.
Under this process the story just won’t be on the frontpage as long. You’re not being penalized. You can still comment and get notifications that people are replying to you. It’s more inconvenient for everybody else to be expected to click hide on a story that’s attracting a lot of flamewars.
It’s more inconvenient for everybody else to be expected to click hide
That’s an interesting framing, and one that I reject. You have no idea how many people will find a thread or story bothersome or interesting, nor do you speak for the entire community. The “hide” button was created for exactly this reason, so use it, as I’m doing on this submission. Some other people might find it interesting, and they can choose to upvote instead.
These are good points and I appreciate you bringing them up. I have a “conspiracy” that I can’t personally confirm but might be worth adding to the thought experiment to the people who have access to this information. I suspect this same group of people uses the lack of weighting to upvote brigade and create a scenario where the minority is already silencing the majority; essentially I would bet that the same people are the ones only contributing upvotes to those specific articles or topics and nothing else. It would be interesting to see if the same group upvotes anything else. Additionally, I would be curious to see the % of upvotes that come from an invite branch directly in that equation.
To be honest, I’m not sure if I understand where these assumptions of malice come from. My own much more optimistic interpretation is that Brave is trying to figure out a new/better revenue model for the web, and in doing so it made a (now-corrected!) mistake in how it works.
Whether their new model actually is better is another discussion, but I’ve never really seen anything to justify calling it a “scam” or comparisons to pickpockets.
The guy I caught pulling my wallet out of my pocket returned it when I caught and confronted him.
How on Earth is that an appropriate analogy?
It’s more like, someone created an economy you had no clue about (still have no clue about), and made some changes to make it more fair. You were given money by said economy, and now you’re being given money in a more fair way by that economy. Money you did not do any job for. Money you signed no contract to get. Money that someone else labored for you to have.
Anecdote alert. The only people I know who use Brave are the ones who would use an adblocker regardless. So any funds Brave provides from their visits are funds that the website otherwise would never receive.
Heavily disagree. They are marketing to people that do not currently use an adblocker. They are increasing the ad-blocking population, and giving them ads regardless. And regardless, I do not care if somebody blocks ads on my site with an adblocker, as it’s usually their own choice. I do care if someone changes the ads that are given to others to their own, ripping me off in the process. The difference is similar to that of someone choosing not to buy anything above essentials in a store (which are often sold at a very low profit margin, or even loss) and someone swapping a few shelves in my store with their own with a separate checkout. Would you be fine with the first one? Probably yes, as it’s a reasonable thing for someone to do. Would you be fine with the second one? I don’t think so.
They are increasing the ad-blocking population, and giving them ads regardless. [..] someone changes the ads that are given to others to their own, ripping me off in the process
As a publisher, I have the option to “Allow Brave to serve ads on my website”, which is displayed prominently on the dashboard and off by default. So as I understand it, you’re pretty much in control yourself, and Brave isn’t deciding anything for you regarding the ads on your website. AFAIK it has always worked like this.
You can disagree with someone, but that doesn’t make you right. Here’s a list of false statements you just made:
and giving them ads regardless.
False. Ads in Brave are opt-in.
I do care if someone changes the ads that are given to others to their own, ripping me off in the process
False. You’re being compensated. (Possibly even better than whatever you’re making from selling out your visitors and violating their security and privacy.)
someone swapping a few shelves in my store with their own with a separate checkout.
False. Unless you are the creator of these ads, or are in the business of selling ads, your website’s content is not being changed and this analogy breaks down. Someone else’s content — a malvertiser that you’ve chosen to subject your users to without their consent, whose content you have little to no control over — is being blocked.
And I don’t care if they are opt in. People in a store can choose if they want to buy from their put in shelf.
False. You’re being compensated.
I am not being compensated. I am being offered a compensation, that I may or may not take, or even be aware of. I know about them, but do others? Doubt so.
False. Unless you are the creator of these ads, or are in the business of selling ads, your website’s content is not being changed and this analogy breaks down. Someone else’s content — a malvertiser that you’ve chosen to subject your users to without their consent, whose content you have little to no control over — is being blocked.
Excuse me, but this does not sound coherent to me. Attention to adverts is a way of payment for my content, so to say. And usually it’s the content provider that dictates what choices of payment someone should be able to use. It might be ads, it might be subscription/patreon or whatever. If the client does not agree to those terms they will not get the product (content) from me. Brave wants to force me to accept their way of payment. Now, I don’t know about you, but I doubt that if you, for example, went to your local store, wanted to buy something, and when asked for what method you’ll use to pay for it, answered “Bitcoin”, the store would accept it. They will not care if you say “but the credit cards are used for tracking spendings”. They dictate the rules here, and they don’t want bitcoin. This is what makes Brave’s detection evasion more egregious. People think they are supporting publishers, where really, they just put money in a hidden spot for publishers to take, but only if the publisher knows that it exists from somewhere else can they take it.
(Possibly even better than whatever you’re making from selling out your visitors and violating their security and privacy.)
Oh, you think I cannot choose ad publishers that respect my clients privacy, do you?
The point is you shouldn’t make false statements. Your arguments become stronger without them.
People in a store can choose if they want to buy from their put in shelf.
So you are selling advertisements? Note that I did include the exception for such cases in my comment above.
I know about them, but do others? Doubt so.
I believe Brave sends out emails to domain owners informing them.
Now, I don’t know about you, but I doubt that if you, for example, went to your local store,
My local store does not offer to sell me items by forcing me to watch advertisements and calling that payment. Nor does my local store, as far as I know, inject me with viruses or other forms of disease, in order to pay for the products on their shelves. And if they did, I would be well within my right to sue them for doing so, or repay them with some other form of retaliation. You’re lucky your visitors haven’t sued you yet.
What stores do instead is they ask me to pay for the products with some sort of currency.
Brave is protecting users from website owners who don’t know how to monetize their content properly. You should be thanking Brave for making your work and website appear better than it is. Maybe Brendan Eich even saved you from some lawsuits.
Oh, you think I cannot choose ad publishers that respect my clients privacy, do you?
The point is you shouldn’t make false statements. Your arguments become stronger without them.
The statement was not false, it was not entirely true. They do give them ads after blocking them, just not all the time.
People in a store can choose if they want to buy from their put in shelf.
You once again misunderstood. In that metaphor, I am selling things to look at. Content, that people come for, is sold at a loss, while ads are the things that bring me the profits. And Brave swaps several shelves of my items that bring me money, and swaps it with their own. And it’s not their stuff that brings people to the store, it’s my content.
I believe Brave sends out emails to domain owners informing them.
After them earning $100 in 90 days if I recall correctly. A lot of sites don’t bring that kind of money.
My local store does not offer to sell me items by forcing me to watch advertisements and calling that payment. Nor does my local store, as far as I know, inject me with viruses or other forms of disease, in order to pay for the products on their shelves.
That’s a strawman. I did not say that the local store would force you to watch advertisements. In my argument, they offer payment methods that can be tracked, credit card to be exact. Surprise surprise, some people consider credit cards as invading their privacy, and want to use cryptocurrencies instead. The business that does not want to deal with cryptocurrencies loses out on some potential customers, but the share is small enough that they don’t really care. In my website’s case, those potential customers are Brave users. I don’t want them and their stupid cryptocurrencies. Sadly, they really want to disguise themselves as legitimate credit card users.
And also, “force”? No one is forcing anyone to buy at that store, nor to visit my website. If you don’t want to, you can just not look at the content that I’m presenting, thus not looking at the ads, and not giving me profit. It’s a free choice.
And if they did, I would be well within my right to sue them for doing so, or repay them with some other form of retaliation. You’re lucky your visitors haven’t sued you yet.
You’re out of your mind. I would enjoy seeing you try to come up with actual legal reasons for it. You might as well try, because if you do, you could make one of the biggest class action lawsuits ever.
What stores do instead is they ask me to pay for the products with some sort of currency.
And the currency I ask for is attention to ads.
Brave is protecting users from website owners who don’t know how to monetize their content properly. You should be thanking Brave for making your work and website appear better than it is.
No thanks, how do I disable it. Oh wait, I cannot, since it’s their profit.
Maybe Brendan Eich even saved you from some lawsuits.
Ok, I don’t understand why you are bringing up lawsuits anymore. Please just stop ridiculing yourself.
Oh, you think I cannot choose ad publishers that respect my clients privacy, do you?
I do.
Well, the publishers I choose trust me with their ad delivery. Brave doesn’t.
And Brave swaps several shelves of my items that bring me money, and swaps it with their own.
Yes, Brave does remove ads from your website. But Brave does not swap these ads with anything, “of their own” or otherwise. (Well, unless you count whitespace.)
Huh, must have misread that part somewhere. I still do think the practice is equivalent, as it is presented as a way to support the content creators you watch, which traditional ads already do.
“Brave Ads are presented as native system notifications or background images in a new tab, separate from the web content being viewed.”
https://brave.com/brave-rewards/
So the user must first opt-in, and then only sees Brave’s ads on a separate tab or notification.
it is presented as a way to support the content creators you watch, which traditional ads already do
Yes, ads are a way to support content creators.
But for users who would block ads regardless, any funds Brave provides from their visits are funds that the website otherwise would never receive.
An analogy might be a taxi that gives a cut of the fare to any store the rider visits.
This would indeed make it possible for Brave to block existing ads on a website and effectively swap them out for Brave’s ads – but only with the permission of the site owner.
Verfassungsblog also does that, and found advertisers among its readers (AIUI it’s now one of the most important fora for European constitutional law, and carries job offers etc).
How did you find some advertisers willing to go along with that?
Verfassungsblog is great BTW, it often has the bestest coverage of constitutional principles and background questions. Recommended for those who like long text more than up-to-the-minute headlines.
Except for the ads that make it past the built-in ad block, I was unaware that Brave had ever shown any user an ad regardless of the user’s choices. Do you have a link where I can read up on this?
Are you saying that you claimed and received ad revenue, and Brave then took it out of your account before you could transfer it elsewhere, then returned it? What happened, could you give any details?
I was gaining ad revenue, then Brave came and took some of it away, and I can only get it back if I ask them for it. That is not how it should be. Simply said, I find it unethical from Brave (which really takes pride on being ethical) to swap my way of supporting myself. I chose that I want to support myself with ads, and now they are changing that choice without asking me.
No, I don’t find uBlock Origin unethical, since some people need it (ADHD, etc.) and it is more akin to stealing, when Brave is more similar to paying someone else for my content, which is basically plagiarism. Maybe it might not be plagiarism, it feels a bit like plagiarism to me in its nature.
In plagiarism, the content is the same, just with a few details changed (name, wording, etc.) With Brave, the content is the same, just the ads have been changed.
With Brave, the content is the same, just the ads have been changed.
Brave does not change the ads on your site. Brave simply blocks them, just like uBlock Origin does. Brave changes your site by removing ads (like any adblocker would), but does not change your site by swapping in anything of its own. I’m still not understanding how this part is different than any other adblocker.
Brave is not “taking your ad revenue away and returning it”. Users are protecting themselves from your attempts to subject them to trackers and malvertisers.
The money Brave is giving you has absolutely nothing to do with that. It has to do with the ads that Brave users have agreed to view. Which have nothing to do with your website. You’re being compensated by the fact that users have agreed to use software that allocates advertising revenue proportionally based on the websites they visit.
I would then very much like a way to block users that use Brave. But noooo, I cannot, since they are “protecting their users privacy” by spoofing their user agent with one of a legitimate browser. More like protecting their unethical source of revenue. I don’t want your shitty cryptocurrencies, and I don’t want you fooling my viewers with it.
There’s nothing wrong with a computer user spoofing their user agent in order to prevent a website admin from blocking them based on the user agent string. I don’t use Brave myself so I don’t know how much control the software gives to the end-user about spoofing the user agent string - it may be less control than I’d prefer - but I don’t think that end users have any responsibility to provide accurate information about themselves or their software stacks to the websites they visit, particularly if those websites want to use that information against the user.
Notably even SEO bots have higher morals and use user-agents representing themselves. If the website admin doesn’t want you to see the content on his website, then it is morally correct for you to agree with that.
Brave just imitates the user-agent string of the last Chrome release by default.
Shame on Mozilla Firefox for bringing a fake solution to a very real problem.
Selling this as a privacy solution is basically a lie. I hope they fix this fast. It isn’t their place to decide that all of their US users’ traffic now gets sent to CloudFlare.
Furthermore, the fact that they’re doing this for “US users” means they are tracking their users and determining their location, something they also shouldn’t be doing. What bs.
While I don’t know one way or another how they determine “US” for this, it doesn’t necessarily mean geoip calculation – the initial Firefox download is generally both language- and region-targeted (this is used to set region-specific default search engines, for example), and a given copy of Firefox can know what language/region it’s built for. So one easy way to turn on for “US users” would be to toggle the DoH setting in an update pushed to everyone on an en-US build.
I’m living in a country where English is not the primary language, but a lot of users (especially power users) prefer to use an en-US or en-GB build because they are proficient in English and the translations to the local language are awkward and hard to understand sometimes.
This is rather common for users in Northern and Western Europe.
A reverse image search finds no hint of an ironic reference, it seems like a dumb nazi meme for people trying to be edgy or those who want to drape their bigotry with nonchalance.
I am quite certain that I’d not have been able to tell you what a nazi hat looked like before seeing that drawing in the profile picture today. A full uniform, maybe. Certainly if they were wearing the arm bands they were so commonly photographed in.
I may be especially bad at recognizing articles of clothing, though, so there’s that too. Semi-regularly my children will come down the stairs wearing the same shirt or pants as they wore the previous day, and my wife will really question them about whether it’s actually clean while I don’t even notice it was the same thing they’d worn previously.
I wonder if it’s compliant with ToS. It says that content that “is discriminatory” or “glorifies violence” is prohibited, and so is “inciting violence towards any individual or group”. Display of nazi imagery as such is legal in the US AFAIR, but I hope the GitHub team does have something to say against it.
A couple years ago I took the released source code of John Calhoun’s game Glypha III and ported it forward to PPC / Carbon / OS X / Mach-O / x86: https://github.com/jjuran/glypha3-fork
It’s definitely not a trivial process (and there are various gotchas along the way), but it’s doable with enough effort.
Wow. I had no idea he released his code. You have just made me want to port his glider game to linux. As someone who dabbled in mac game programming in the ’90s, it makes me really happy that he released his source.
I’ve been thinking this so much lately, and not just w.r.t. cryptocurrency (though it definitely comes up a BUNCH there). It seems to me like at least some of the “disruptive” companies of the past decade or so are trying to “disrupt” regulation. Uber/taxis, AirBnB/hotels, anything in the gig economy/labor laws, are just a few examples. Turns out that regulations actually come about because of ordinary people getting screwed by companies, and we have them for good reasons.
There will be scams and cryptocurrencies are also genuinely useful for things like fixing DNS and digital identity, creating decentralized organizations, dead-man switches, etc.
It’s not clear to me this example qualifies as a scam, as it seems to be closer to a bug of some sort. However, you could call it a scam too, and I wouldn’t judge you harshly for doing so. A lot of these things seem scammy to me, and remind me of TheDAO. Broken promises. Foolish investors. etc.
There is an obvious difference, but you seem to have stuff in mind. Are you thinking technically, culturally, economically, politically? I don’t know so I’d rather ask an open ended question. If I ask an open ended question I’ll get your opinion. (Which appears to be that I’m an asshole.)
Edit: apologies for the tone. I’m not in a good mood and it’s not related to you.
Everything you mentioned stems from the technical differences. And this is supposedly a website where we discuss the tech. Since you’re now saying the difference is obvious (as I feel), I will take that as you retracting your question.
Edit: saw your apology. Thanks. Hope you feel better.
That’s true, this is a stretch of the term for dramatic effect, and to highlight the notion that cryptocurrencies seem to slowly reinvent classic financial market scams one by one.
It can have the effect of boosting apparent traded volume (because some of these trades bounce currency out of and back into ETH), but the main purpose seems to usually be something in addition to that.
to slowly reinvent classic financial market scams one by one.
One would hope these systems can reproduce the behaviors of the existing system. The point is to be able to do things that weren’t possible before, like decentralized exchanges, social key recovery, ownership over digital goods, etc.
This list seems to be based on a super Frankenstein’d, incompletely applied threat model.
There is a very real privacy concern to be had giving google access to every detail of your life. Addressing that threat does not necessitate making choices based on whether the global intelligence community can achieve access into your data — and less than skillfully applied that probably makes your overall security posture worse.
I agree that mentioning of the 5/9/14/howevermany eyes is unnecessary, and also not helpful. It’s not like if your data is stored on a server in a non-participating country that it somehow makes you more secure. All of that data still ends up traveling through the same routers on its way to you.
In a long list of ways, Google is the most secure service. For some things (i.e. privacy) they’re not ideal, but moving to other services almost certainly involves security compromises (to gain something you lose something).
Again, it all goes back to what your threat model is.
Google is only the most secure service if you are fully onboard with their business model. Their business model is privacy violating at the most fundamental level, in terms of behavioral surplus futures. Whatever your specific threat model it then becomes subject to the opacity of Google’s auction process.
which happily hands over data to the NSA when asked.
Emphasis mine.
As someone who doesn’t like Google anymore, I still think this is plain wrong, and I’ll give reasons why:
Google is known to have put serious effort into countermeasures against wiretaps.
Google is known to be challenging NSA and others where possible.
and for the best reason that exists in a capitalist society: it is bad for their business if people think they happily hand over data to the NSA.
(and FWIW I guess a number of Googlers took offense to the smiley in the leaked NSA slides)
Also, for most people running their own services isn’t more secure, and can in many cases be even less secure, even against NSA. I’ll explain that as well:
Things you get for free with Google and other big cloud providers:
physical security
patching
monitoring
legal (yep, for the selfish business reasons mentioned above they actually challenge requests for data)
if I protect my house by getting the biggest strongest door out there, but the burglars turn up with a brick they throw though my window, then my “security” was useless as my threat model was way off. The concept of threat modelling is most certainly not a “meme”.
Lots of people get hacked when they self-host, because it requires quite some knowledge not everyone has and even if you do, it’s easy to make mistakes. Just self-hosting does not make anything automatically secure, and it also won’t protect you from “the NSA”: you’ll still be obliged to follow laws etc. Besides, the distributed nature of email/SMTP makes it hard to protect from this anyway: chances are most of your emails will still be routed through a US server.
All services “read my emails” to some degree as that’s pretty much a requirement for processing them. This doesn’t necessarily say anything about security or privacy.
It’s not like your comment was especially detailed or overflowing with nuance. Short abrupt one-line comments with blanket statements tend to elicit the same kind of replies.
yeah, but what does “more secure” mean? When people say threat model, they are just talking about what “more secure” means in a certain context. It’s not exactly infosec dogma….
There is no singular axis of more/less secure
“Secure” is a vague term in this context. Giving google and their partners access to your e-mails is not a security issue, I would expect that all to be written down in their ToS and similar documents. It is bad for your privacy and anonymity, definitely.
But I suspect google would be better prepared for a 3rd party that is attempting to hack their servers and forcefully obtain your e-mails than you or any other single individual are. I think that’s also what @ec and others are referring to. Moving away from Google is definitely a good decision to get back (some of) your privacy. Security wise, it really depends on where you are moving to.
Google hands over its users’ data to the American government and through the Five Eyes agreement and similar agreements to many of the governments of the western world. That is not a ‘privacy’ issue it’s a security issue.
Running my own email is not more secure against data loss (unless you also have multi-point off-site backups, encrypted, with the crypto keys stored securely).
It’s also not more secure against email delivery failures causing you to lose business (a much bigger issue for me than google reading them).
Neither is it more secure against your abusive spouse accessing your emails (or destroying the hardware).
Finally, anytime you communicate with a gmail user, google is reading your emails anyways - so to improve your security you also need your mail client to check whether the recipient’s MX records resolve to a google-controlled IP range.
That’s what “irrelevant without a threat model” means.
I’ve nearly finished de-googling everything in my life. Doing it in a way that preserves the security properties I care about is very hard work.
It’s also not more secure against email delivery failures causing you to lose business
Eh, I’ve run my own email and did gmail side by side for years. I lost more legitimate emails to google’s spam filter false positives than to server down.
Remember that email is designed to be resilient against delivery failures, designed in the days of temporary dial-up connections. If a server is down, it just queues the message and tries again later. If it still doesn’t work, it notifies the sender that the message failed. Not everyone will try to contact you another way when that happens…. but surely more than people whose messages just disappeared into a spam filter.
I’ve been on Fastmail for years now. I regularly check my spam folder; in almost four years I have had one false positive.
When I briefly tried running my own, google randomly stopped accepting my mail after a little while (hence briefly).
I’m glad you have had a good experience with it; I haven’t found it as good a use of my recreational sysadmin time as other things (plex, vscode-over-http, youtube-dl automation, repo hosting etc).
The main problem with 5g is that 4g already provides way more bandwidth than customers can actually use, because of the fucking obscene price-gouging that goes on when you go over your low monthly cap. There’s zero incentive for customers to GaF. 4g is fast enough to stream video to a mobile device, and if you’re tethering you get enough bandwidth in good reception areas to chew up your monthly limit in 10 hours.
Very neat look at the guts of ObjC. I wish there were more articles like this poking around at its innards, it’s an interesting language that doesn’t seem to get enough credit for its power.
Mike Ash has written quite a lot on Objective-C internals in his Friday Q & A blog series. He doesn’t post much anymore unfortunately, but there’s still lots of good reading in the archives.
It really is. I don’t know why people write C++ when they could be writing Objective-C or Rust. I guess they’re moving to Rust now, which is good. Actually, I do know why they write C++, because I used to write it for years myself: ignorance.
The community around C++ seems to be dying to me, and I’m quite grateful for that. No need to stay attached to such a mistake, better to learn from it and move on.
Not sure what you mean by a programming language supporting anger, but if it did I’m pretty sure C++ would steal 1st place.
This article is from 2017, it was the first link I noticed when I searched “rust arm”. If it worked back then, I’m pretty sure it works even better now.
Brave had intended to do a lot of stuff. There are plenty of reddit/hacker news threads with outraged users up in arms related to them. He might be correct that Brave never did some of those things, but only because the internet at large was pretty pissed.
There’s a couple of Brave people in that thread, brandnewlow and I think brendoneich, adamantly defending this and trying to pass it off as a “UI problem”. IMO it seems like they try to tiptoe on the line of how much they can get away with.
At least they’re doing something to improve the situation. AFAICT, they’re the reason why Apple and Firefox started adding ad blockers to their browsers by default.
Brave did do something brave, which was to block ads by default, before any other major browser, and try to come up with an alternative funding model. Perhaps it’s not perfect, but it’s more than most people have done to improve the situation.
Brave did do something brave, which was to block ads by default
The author’s argument seems to be that this is a marketing spin, though, and that a more accurate description is “Brave replaced one set of ads with another set of ads”.
But you have to opt-in to that. And saying they merely replaced one set of ads with another ignores all the work they did on improving privacy for ads. Maybe more accurate to say, “Blocked ads by default, and lets you view slightly better ads while paying you, if you want.”
At least at one point in the past (see my other comments), they absolutely were popping fundraising/donation stuff on sites that had not opted in to it.
I’m assuming the NIST guy and Munroe are assuming the passwords are not stored as SHA256 hashes…
The 4 words from a dictionary provides plenty of entropy (even with your “how long they typed” caveat) to foil any brute force approach with a password hashing algorithm implemented by a responsible engineer (bcrypt, scrypt, pbkdf2, etc).
The thing that gets overlooked a lot, though, is that mass cracks of things like some website’s breached accounts table almost never use brute force, or even brute-force-with-dictionary, as their first tactic. They try big lists of common passwords and password patterns first, and enjoy a high degree of success from doing so.
And if you got people to move en masse to the diceware/XKCD-style password scheme, every cracking tool would update to try stuff like
etc. because that’s what people would actually choose as their passphrases. The only way to avoid this is to force people to use a tool that selects random passwords for them, and even then they’d fight against having to remember one of these for every site or service they use. At which point you need the tool to remember the passwords for them, and then you’ve arrived at “just use a password manager”.
That’s not how these passwords work. There’s way too much entropy to pre-calculate tables (and more entropy from the salting). And it’s too much entropy to crack for a reasonable price if any sensible KDF is used.
4 words randomly selected from a large dictionary, say (200,000 words) yields 70 bits of entropy. That on its own is way too costly to precompute tables for, and salting typically adds at least another 32 bits (often lots more than 32 bits).
See the working in my own password generation script here, which generates passwords with entropy of at least X and has another function for approximating the cost to crack a password:
If you let the user choose their own diceware-style passphrase, you’re going to get things that are cracked within a fraction of a second, because they’ll be choosing things like “my-password-for-2019”, “my-password-for-ebay”, and so on. The alleged entropy of a passphrase of n dictionary words strung together is pointless in that situation, because nobody will be using a brute-force scan of every combination of n dictionary words as a way to crack these.
Consider an analogy: it’s like saying you’ve developed a lock that’s unpickable because it has a million pins in it, and look how long it would take to pick a million pins! But somebody comes along with an under-door tool and yanks the handle from the other side without even trying to pick the lock. So sure, that was a million-pin lock, but it’s irrelevant how many pins it had because the door’s still open in a couple seconds via a simpler attack method.
And since you presumably want to disallow reuse of a password across sites/services, if you’re not letting users choose their own, you haven’t really demonstrated an advantage over a password manager that just generates long random strings, because the only real thing the diceware system has going for it is memorability and users aren’t going to commit that many distinct passwords to memory (or recall them correctly later on even if they do try to memorize).
Neither XKCD nor Diceware recommend creating passphrases like that. Of course if you don’t pick your words randomly then your entropy is lower, that doesn’t make entropy a red herring. Entropy remains the key point.
XKCD passwords are useful for passwords that you need to remember or transmit to other people. Like the passwords for your password managers or wifi networks or whatever.
The whole idea behind these password hashers is that you aim to make the work take a fixed amount of time (say 5ms). That leaves 200 verifications a second on a single core. This is more than enough for a legitimate use case for authentication but is completely a showstopper against brute forcing with a good password.
For scrypt, we only have Litecoin to go by as far as estimates go, and it has a weak choice of parameters. With Litecoin, we have around ~300TH/sec, which means a known 4-word structure password out of XKCD’s 2048 dict is cracked in under 0.05 seconds.
For a dictionary of 235886 words, the four-word “correcthorsebatterystaple” requires (235886^4)/(2^70) ~ 2.6 million US dollars. So what? Just make it six words.
By the way, where does this 1197962070743187 number come from?
Indeed, this also goes to point 1, that the entropy is hard to figure out. The XKCD comic indicated that it was using a 2048 (2^11) word dictionary, which apparently is about the size of the dictionary some cryptocurrency wallets use.
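Putting the arithmetic from this subthread in one place, as an added example that is not from any of the commenters above: the entropy of n words drawn uniformly from a list of N words, the expected exhaustive-search time against a known scheme, how many words a given list needs to reach a target like 70 bits, a CSPRNG-based generator, and a simulated pattern-first cracker of the kind that finds “my-password-for-2019” long before any brute force begins. The 2048-word list, the 235,886-word list, the ~300 TH/s scrypt rate and the 5 ms KDF target are the figures quoted in the thread; the tiny word list, the 10,000-core attacker and the pattern templates are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed stand-in for a real word list (a real diceware list has 7776 words,
# the XKCD comic assumes 2048, a typical /usr/share/dict/words has ~235,886).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "ember",
                "glass", "harbor", "lantern", "meadow", "orbit", "quartz"]


def passphrase_entropy_bits(word_count: int, dict_size: int) -> float:
    """Entropy of word_count words chosen uniformly (with replacement) from dict_size words."""
    return word_count * math.log2(dict_size)


def words_needed(target_bits: float, dict_size: int) -> int:
    """Fewest words from a dict_size list that reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(dict_size))


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search when the attacker knows the scheme
    (dictionary and word count) but nothing else: half the keyspace on average."""
    return 2.0 ** entropy_bits / 2.0 / guesses_per_second


def kdf_guesses_per_second(seconds_per_hash: float, cores: int) -> float:
    """Guess rate against a KDF tuned to seconds_per_hash, on 'cores' cores.
    Assumes the attacker has no better hardware than the defender (optimistic)."""
    return cores / seconds_per_hash


def generate_passphrase(word_list, word_count: int, sep: str = "-") -> str:
    """Random passphrase; secrets.choice is a CSPRNG, unlike random.choice."""
    return sep.join(secrets.choice(word_list) for _ in range(word_count))


def crack_with_patterns(target: str, fillers,
                        templates=("my-password-for-{}", "{}-password", "password-{}")):
    """Simulate a pattern-first cracker: try human templates filled with common
    tokens before any exhaustive search. Returns the guess number that hit, or None."""
    guesses = 0
    for template in templates:
        for filler in fillers:
            guesses += 1
            if template.format(filler) == target:
                return guesses
    return None


if __name__ == "__main__":
    # Assumed attacker for the tuned-KDF column: 10,000 cores at 5 ms per hash.
    tuned_rate = kdf_guesses_per_second(0.005, 10_000)
    for dict_size in (2048, 7776, 235886):
        bits = passphrase_entropy_bits(4, dict_size)
        print(f"{dict_size:>7} words x4: {bits:5.1f} bits; "
              f"{expected_crack_seconds(bits, 3e14):.3g} s at 300 TH/s; "
              f"{expected_crack_seconds(bits, tuned_rate):.3g} s against a 5 ms KDF on 10k cores")
    print("words needed for 70 bits from a 2048-word list:", words_needed(70, 2048))
    print("random passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    fillers = [str(y) for y in range(2000, 2025)] + ["ebay", "amazon", "gmail"]
    print("human-chosen passphrase found on guess",
          crack_with_patterns("my-password-for-2019", fillers))
```

The expected-time figure is half the keyspace, so it comes out at about half the “whole keyspace” number quoted above for the 2048-word list at 300 TH/s; the point of the last function is that a passphrase the user chose is found after a few dozen guesses regardless of how large the random-passphrase keyspace would have been.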
where does this 1197962070743187 number come from?
I wonder what happens when someone disappears a library GitHub pulls from itself during deployment.
How’d that work with the Damore thing?
The putative reason for allowing controversial stuff is to “let the minority speak”…and then there was the time recently where in the wee hours of the morning you deleted a submission about a fork of TempleOS over the author’s Github avatar since it referenced Nazis. Somehow that minority didn’t make the cut–and you were more than happy to let a minority of users who brought in concerns over the tackiness of the avatar overrule the majority of users (seriously, it was like 2-3:1) who just upvoted a neat fork of TempleOS.
In the case of RMS deathball, we had a massive ugly trashfire of stories for a week that just sat on the front page and harmed the community. All that happened was users got drawn into grumpy lines and proceeded to antagonize each other. That’s what controversial gets you–and while that is the bread and butter of various political extremist subgroups, for the rest of us it is a problem.
The failure mode of boosting downvotes is that you let people hasten the slide of controversial stuff.
The failure mode of not so doing so is abiding shitflinging that hurts the community.
Edit: just to be absolutely crystal clear here, we as Lobsters have demonstrated repeatedly that our aptitude for productively discussing technology with civility in no way extends outside of that domain.
We aren’t going to have wizened discussion about controversial things where we all take turns litigating the factual details of the case and being enlightened by different perspectives and worldviews, we are going to devolve into bickering over the evil feminists and Nazis and capitalists and whatever else. The most straightforward way around this is just to remove those controversial things.
The motte-and-bailey people want to pull here is justifying discussion of “controversial” submissions like rants about Go or whatever, but the real effect will be felt with culture war articles submitted under the guise of technology because “technology is inherently political”.
I’ve seen your comments improve drastically, taking conscious steps to avoid attacking people. Are you saying that others should be denied that same opportunity to discuss and grow and learn from each other?
The only way people learn and grow is through communication with people with whom they disagree. Sometimes they discover they’re right, sometimes they discover they’re wrong, and sometimes they discover that they’re both right and wrong in a fascinating mixture of self-discovery and improvement. I love that stuff. I want it around. I want people to have that opportunity.
Or, you could click “Hide”. That seems way more straightforward to me.
I thank you for your points. I had been hoping I’d find time to write up my thoughts on them and reply, but unfortunately I don’t think that’s realistic. I do think that when there’s overt fighting for the sake of fighting, the moderation team does a decent job of shutting that down; however, as a member of the moderation team, it isn’t really for me to decide whether we’ve done a good job or not.
Good points. I’ll add that…
“Applying a hotness modifier would privilege downvotes over upvotes, allowing a minority of people on the site to silence a majority. I have seen this done, in practice, in other forums.”
…people already do that here to the degree they can. They’ve been clear they’ll take it further to keep the front page free of (thing they don’t like). It will definitely happen as you predicted.
What I don’t know is if it will escalate from there with back and forth among the two main groups penalizing each other’s submissions.
I think this is a fair critique. My suspicion is that most “controversial” pieces aren’t actually high-quality and the ones that are high-quality do much better. But I’d have to think of a database query to check this for certain.
This is exactly right.
For some reason, people have yet to learn to disagree with each other. They take things personally, get angry and refuse to entertain the idea that they might be wrong.
The solution is to help people to be better. Not to shut down the platform that enables their argument, nor to privilege downvotes over upvotes.
BTW, even if we could not stop people getting mad over people not agreeing with their ideology, the fact of the matter is that the argument itself is useful. Two sides present their best arguments, and for every angry person there are 10 more silently reading both sides and updating their world views.
If people care to spend their time clicking to vote, and to spend their time typing a response, they clearly care about the subject at discussion. And your response to that is to just make it so that the more people care, the less the subject is exposed? Shouldn’t it be the other way around?
And no, I don’t need you to tell me what stories I should or should not be able to see.
We should encourage discussion, and moderation should be used to maintain civility, to maximise the benefit of a conversation and minimise the downside.
There is no world in which two sides presenting their best arguments about the Holocaust is going to generate more good than harm to our community.
There is no world in which two sides in a subthread arguing about how to count trans people for demographic purposes in tech benefits our community.
There is no world in which closely parsing RMS’ remarks about various forms of consent and rape and Epstein and the media lab creates positive feelings about our community.
I used to be right there with you on “oh gee maybe these smart people will be able to have nuanced and productive discussions about topics that have non-technical aspects”…and then I ran repeatedly into lobsters that just couldn’t be reasoned with or who had to be shrill about everything.
From a practical point of view, kicking everybody out of the pub is both a fair and reasonable way to maintain decorum.
About the holocaust? How can one argue about an event?
I would say don’t count any people for demographic purposes at all.
Discussions about difficult things have value even if you don’t feel good doing it. Doctors don’t look at a gaping wound because it’s pleasant, but because they need to know what to do to fix it. So even if this statement were true, it wouldn’t negate the need for discussion.
If somebody cannot be reasoned with, then nobody should be allowed to voice their reason? Is that right?
Decorum’s purpose is to enable social engagement. So removing social engagement to maintain decorum is cart-b4-horsing.
Please don’t chase red herrings.
Doctors don’t just look at unpleasant things for entertainment. They look at them because they have the power and the knowledge to do something about it.
And we don’t?
And there is that “hide” button that @hwayne (and anyone else who feels the same) is welcome to use to hide the stories that so offend them. It was designed explicitly for that purpose. Don’t like the comments or story? Click “hide”. It’s not hard. There’s no need to penalize other people for enjoying a lively conversation.
Under this process the story just won’t be on the frontpage as long. You’re not being penalized. You can still comment and get notifications that people are replying to you. It’s more inconvenient for everybody else to be expected to click hide on a story that’s attracting a lot of flamewars.
That would be the problem.
That’s an interesting framing, and one that I reject. You have no idea how many people will find a thread or story bothersome or interesting, nor do you speak for the entire community. The “hide” button was created for exactly this reason, so use it, as I’m doing on this submission. Some other people might find it interesting, and they can choose to upvote instead.
Absolutely agree on the danger of a small minority “burying” uncomfortable content in the graveyard of page 2.
These are good points and I appreciate you bringing them up. I have a “conspiracy” that I can’t personally confirm but might be worth adding to the thought experiment for the people who have access to this information. I suspect this same group of people uses the lack of weighting to upvote brigade and create a scenario where the minority is already silencing the majority; essentially I would bet that the same people are the ones only contributing upvotes to those specific articles or topics and nothing else. It would be interesting to see if the same group upvotes anything else. Additionally, I would be curious to see the % of upvotes that come from an invite branch directly in that equation.
Oh, that scam?
They changed the way it works a while ago: unclaimed contributions are refunded, rather than claimed by Brave.
The guy I caught pulling a wallet out of my pocket returned it when I caught and confronted him.
He’s trustworthy again.
To be honest, I’m not sure if I understand where these assumptions of malice come from. My own much more optimistic interpretation is that Brave is trying to figure out a new/better revenue model for the web, and in doing so it made a (now-corrected!) mistake in how it works.
Whether their new model actually is better is another discussion, but I’ve never really seen anything to justify calling it a “scam” or comparisons to pickpockets.
How on Earth is that an appropriate analogy?
It’s more like, someone created an economy you had no clue about (still have no clue about), and made some changes to make it more fair. You were given money by said economy, and now you’re being given money in a more fair way by that economy. Money you did not do any job for. Money you signed no contract to get. Money that someone else labored for you to have.
After taking another economy I was using
Anecdote alert. The only people I know who use Brave are the ones who would use an adblocker regardless. So any funds Brave provides from their visits are funds that the website otherwise would never receive.
Heavily disagree. They are marketing to people that do not currently use an adblocker. They are increasing the ad-blocking population, and giving them ads regardless. And regardless, I do not care if somebody blocks ads on my site with an adblocker, as it’s usually their own choice. I do care if someone changes the ads that are given to others to their own, ripping me off in the process. The difference is similar to that of someone choosing not to buy anything above essentials in a store(which are often sold at a very low profit margin, or even loss) and someone swapping a few shelves in my store with their own with a separate checkout. Would you be fine with the first one? Probably yes, as it’s a reasonable thing for someone to do. Would you be fine with the second one? I don’t think so.
As a publisher, I have the option to “Allow Brave to serve ads on my website”, which is displayed prominently on the dashboard and off by default. So as I understand it, you’re pretty much in control yourself, and Brave isn’t deciding anything for you regarding the ads on your website. AFAIK it has always worked like this.
You can disagree with someone, but that doesn’t make you right. Here’s a list of false statements you just made:
False. Ads in Brave are opt-in.
False. You’re being compensated. (Possibly even better than whatever you’re making from selling out your visitors and violating their security and privacy.)
False. Unless you are the creator of these ads, or are in the business of selling ads, your website’s content is not being changed and this analogy breaks down. Someone else’s content — a malvertiser that you’ve chosen to subject your users to without their consent, whose content you have little to no control over — is being blocked.
And I don’t care if they are opt-in. People in a store can choose if they want to buy from the shelf they put in.
I am not being compensated. I am being offered a compensation, that I may or may not take, or even be aware of. I know about them, but do others? I doubt it.
Excuse me, but this does not sound coherent to me. Attention to adverts is a way of payment for my content, so to say. And usually it’s the content provider that dictates what choices of payment someone should be able to use. It might be ads, it might be subscription/patreon or whatever. If the client does not agree to those terms they will not get the product (content) from me. Brave wants to force me to accept their way of payment. Now, I don’t know about you, but I doubt that if you, for example, went to your local store, wanted to buy something, and when asked what method you’ll use to pay for it, answered “Bitcoin”, the store would accept it. They will not care if you say “but the credit cards are used for tracking spending”. They dictate the rules here, and they don’t want bitcoin. This is what makes Brave’s detection evasion more egregious. People think they are supporting publishers, where really, they just put money in a hidden spot for publishers to take, but only if the publisher knows from somewhere else that it exists can they take it.
Oh, you think I cannot choose ad publishers that respect my clients privacy, do you?
The point is you shouldn’t make false statements. Your arguments become stronger without them.
So you are selling advertisements? Note that I did include the exception for such cases in my comment above.
I believe Brave sends out emails to domain owners informing them.
My local store does not offer to sell me items by forcing me to watch advertisements and calling that payment. Nor does my local store, as far as I know, inject me with viruses or other forms of disease, in order to pay for the products on their shelves. And if they did, I would be well within my right to sue them for doing so, or repay them with some other form of retaliation. You’re lucky your visitors haven’t sued you yet.
What stores do instead is they ask me to pay for the products with some sort of currency.
Brave is protecting users from website owners who don’t know how to monetize their content properly. You should be thanking Brave for making your work and website appear better than it is. Maybe Brendan Eich even saved you from some lawsuits.
I do.
The statement was not false, it was not entirely true. They do give them ads after blocking them, just not all the time.
You once again misunderstood. In that metaphor, I am selling things to look at. Content, that people come for, is sold at a loss, while ads are the things that bring me the profits. And Brave swaps out several shelves of my items that bring me money and replaces them with their own. And it’s not their stuff that brings people to the store, it’s my content.
After them earning $100 in 90 days, if I recall correctly. A lot of sites don’t bring in that kind of money.
That’s a strawman. I did not say that the local store would force you to watch advertisements. In my argument, they offer payment methods that can be tracked, credit cards to be exact. Surprise surprise, some people consider credit cards as invading their privacy, and want to use cryptocurrencies instead. The business that does not want to deal with cryptocurrencies loses out on some potential customers, but the share is small enough that they don’t really care. In my website’s case, those potential customers are Brave users. I don’t want them and their stupid cryptocurrencies. Sadly, they really want to disguise themselves as legitimate credit card users.
And also, “force”? No one is forcing you to buy at that store, nor to visit my website. If you don’t want to, you can just not look at the content that I’m presenting, thus not looking at the ads, and not giving me profit. It’s a free choice.
You’re out of your mind. I would enjoy seeing you try to come up with actual legal reasons for it. You might as well try, because if you do, you could make one of the biggest class action lawsuits ever.
And the currency I ask for is attention to ads.
No thanks, how do I disable it? Oh wait, I cannot, since it’s their profit.
Ok, I don’t understand why are you bringing lawsuits anymore. Please just stop ridiculing yourself.
Well, the publishers I choose trust me with their ad delivery. Brave doesn’t.
Yes, Brave does remove ads from your website. But Brave does not swap these ads with anything, “of their own” or otherwise. (Well, unless you count whitespace.)
Huh, must have misread that part somewhere. I still do think the practice is equivalent, as it is presented as a way to support the content creators you watch, which traditional ads already do.
Brave revamped rewards at least once (see comment about them no longer keeping unclaimed rewards), so maybe they had considered replacing ads at some point. Currently:
“Brave Ads are presented as native system notifications or background images in a new tab, separate from the web content being viewed.” https://brave.com/brave-rewards/
So the user must first opt-in, and then only sees Brave’s ads on a separate tab or notification.
Yes, ads are a way to support content creators. But for users who would block ads regardless, any funds Brave provides from their visits are funds that the website otherwise would never receive.
An analogy might be a taxi that gives a cut of the fare to any store the rider visits.
Correction:
Apparently Brave has recently started testing an “Allow Brave to serve ads on my website” option for creators. (Thanks to arp242 for the heads up!)
This would indeed make it possible for Brave to block existing ads on a website and effectively swap them out for Brave’s ads – but only with the permission of the site owner.
I’d rather not get into all of this, but I’m curious about your last sentence.
How did you/how does one choose ad publishers that respect your clients’ privacy?
Like how Troy Hunt does it. Serve the ads yourself with the publisher trusting your numbers.
Verfassungsblog also does that, and found advertisers among its readers (AIUI it’s now one of the most important fora for European constitutional law, and carries job offers etc).
How did you find some advertisers willing to do along with that?
The linked site cannot be reached. Misspelled domain?
Sorry. Sleepless typist syndrome.
Verfassungsblog is great BTW, it often has the bestest coverage of constitutional principles and background questions. Recommended for those who like long text more than up-to-the-minute headlines.
Except for the ads that make it past the built-in ad block, I was unaware that Brave had ever shown any user an ad regardless of the user’s choices. Do you have a link where I can read up on this?
Sorry I don’t follow. What other economy has Brave taken that you were using?
The ads that were supporting me. To put it in the analogy again:
Brave was caught taking my ad revenue away, and returned it when I caught that and asked for it. Literally.
Are you saying that you claimed and received ad revenue, and Brave then took it out of your account before you could transfer it elsewhere, then returned it? What happened, could you give any details?
I was gaining ad revenue, then Brave came and took some of it away, and I can only get it back if I ask them for it. That is not how it should be. Simply said, I find it unethical of Brave (which really takes pride in being ethical) to swap my way of supporting myself. I chose that I want to support myself with ads, and now they are changing that choice without asking me.
Understandable.
Regarding ads, e.g. uBlock origin removes your option to support yourself with ads. Do you find uBlock origin less/more/equally unethical?
No, I don’t find uBlock origin unethical, since some people need it (ADHD, etc.) and it is more akin to stealing, whereas Brave is more similar to paying someone else for my content, which is basically plagiarism. Maybe it might not be plagiarism, but it feels a bit like plagiarism to me in its nature.
I understand the analogy between uBlock origin and stealing. It also seems to match up with your example of a customer who only buys the essentials and/or loss leaders.
I’m not understanding the analogy between Brave and plagiarism. Can you expound on that a bit more?
In plagiarism, the content is the same, just with a few details changed (name, wording, etc.). With Brave, the content is the same, just the ads have been changed.
Brave does not change the ads on your site. Brave simply blocks them, just like uBlock Origin does. Brave changes your site by removing ads (like any adblocker would), but does not change your site by swapping in anything of its own. I’m still not understanding how this part is different than any other adblocker.
Brave is not “taking your ad revenue away and returning it”. Users are protecting themselves from your attempts to subject them to trackers and malvertisers.
The money Brave is giving you has absolutely nothing to do with that. It has to do with the ads that Brave users have agreed to view. Which have nothing to do with your website. You’re being compensated by the fact that users have agreed to use software that allocates advertising revenue proportionally based on the websites they visit.
I would then very much like a way to block users that use Brave. But noooo, I cannot, since they are “protecting their users’ privacy” by spoofing their user agent with one of a legitimate browser. More like protecting their unethical source of revenue. I don’t want your shitty cryptocurrencies, and I don’t want you fooling my viewers with it.
There’s nothing wrong with a computer user spoofing their user agent in order to prevent a website admin from blocking them based on the user agent string. I don’t use Brave myself so I don’t know how much control the software gives to the end-user about spoofing the user agent string - it may be less control than I’d prefer - but I don’t think that end users have any responsibility to provide accurate information about themselves or their software stacks to the websites they visit, particularly if those websites want to use that information against the user.
Notably even SEO bots have higher morals and use user-agents representing themselves. If the website admin doesn’t want you to see the content on his website, then it is morally correct for you to agree with that.
Brave just imitates the user-agent string of the last Chrome release by default.
It blocks ads that fund many sites, no?
You mean the ads, malware, and privacy-violating trackers that users hate and never consented to receiving? Yes, it blocks those.
AIUI it blocks the trackers that feed the ads, rather.
I was quite amazed at the effect when I configured Ghostery to block all trackers and let the rest through. I didn’t see an ad for weeks.
Shame on Mozilla Firefox for bringing a fake solution to a very real problem.
Selling this as a privacy solution is basically a lie. I hope they fix this fast. It isn’t their place to decide that all of their US users’ traffic now gets sent to CloudFlare.
Furthermore, the fact that they’re doing this for “US users” means they are tracking their users and determining their location, something they also shouldn’t be doing. What bs.
While I don’t know one way or another how they determine “US” for this, it doesn’t necessarily mean geoip calculation – the initial Firefox download is generally both language- and region-targeted (this is used to set region-specific default search engines, for example), and a given copy of Firefox can know what language/region it’s built for. So one easy way to turn on for “US users” would be to toggle the DoH setting in an update pushed to everyone on an en-US build.
I’m living in a country where English is not the primary language, but a lot of users (especially power users) prefer to use an en-US or en-GB build because they are proficient in English and the translations to the local language are awkward and hard to understand sometimes.
This is rather common for users in Northern and Western Europe.
Related submission: Shrine (also a TempleOS fork)
With a mystery dev 🤔
yikes
Certainly an interesting choice for a profile picture.
Wow. I had to zoom quite a bit to see that swastika. (Guess I’m getting old enough that high dpi maybe shouldn’t be on my feature list anymore…)
Is that just a straight up nazi reference or is it also something else I should recognize?
A reverse image search finds no hint of an ironic reference, it seems like a dumb nazi meme for people trying to be edgy or those who want to drape their bigotry with nonchalance.
I mean… the hat and uniform in general would give it away, no?
I am quite certain that I’d not have been able to tell you what a nazi hat looked like before seeing that drawing in the profile picture today. A full uniform, maybe. Certainly if they were wearing the arm bands they were so commonly photographed in.
But all I see in that profile pic is a drawing of someone’s head, wearing a hat. Before I picked up the swastika, my first thought was that it looked generically military or possibly like one of these hats that I typically associate with commercial airline pilots.
I may be especially bad at recognizing articles of clothing, though, so there’s that too. Semi-regularly my children will come down the stairs wearing the same shirt or pants as they wore the previous day, and my wife will really question them about whether it’s actually clean while I don’t even notice it was the same thing they’d worn previously.
Yeah, similar hats are also used by many armies. This shape is really not specific.
The real difference is the hooked cross (which is not a real swastika BTW) and the eagle.
While some people make the distinction between the ancient swastika and the Nazi Hakenkreuz, for the vast majority of people the terms are synonymous.
I wonder if it’s compliant with ToS. It says that content that “is discriminatory” or “glorifies violence” is prohibited, and so is “inciting violence towards any individual or group”. Display of nazi imagery as such is legal in the US AFAIR, but I hope the GitHub team does have something to say against it.
This is kinda crazy impressive. I’m surprised he was able to get it working.
A couple years ago I took the released source code of John Calhoun’s game Glypha III and ported it forward to PPC / Carbon / OS X / Mach-O / x86: https://github.com/jjuran/glypha3-fork
It’s definitely not a trivial process (and there are various gotchas along the way), but it’s doable with enough effort.
Wow. I had no idea he released his code. You have just made me want to port his glider game to linux. As someone who dabbled in mac game programming in the ’90s, it makes me really happy that he released his source.
The old Mac game I want to do more work with is ZeroGravity, which also has source. I played that incessantly on my friend’s dad’s Mac Plus in 1988.
Ah yes, in federal prison on wall street they call these wash trades. A lot of young traders are going to get in a lot of trouble, eventually.
It’s kinda amazing watching the cryptocurrency folks reinvent every scam in finance and then rediscover why regulation exists.
I’ve been thinking this so much lately, and not just w.r.t. cryptocurrency (though it definitely comes up a BUNCH there). It seems to me like at least some of the “disruptive” companies of the past decade or so are trying to “disrupt” regulation. Uber/taxis, AirBnB/hotels, anything in the gig economy/labor laws, are just a few examples. Turns out that regulations actually come about because of ordinary people getting screwed by companies, and we have them for good reasons.
There will be scams and cryptocurrencies are also genuinely useful for things like fixing DNS and digital identity, creating decentralized organizations, dead-man switches, etc.
It’s not clear to me this example qualifies as a scam, as it seems to be closer to a bug of some sort. However, you could call it a scam too, and I wouldn’t judge you harshly for doing so. A lot of these things seem scammy to me, and remind me of TheDAO. Broken promises. Foolish investors. etc.
It sounds a lot like a database transaction.
There’s a rather big difference between a MySQL transaction and a transaction that happens on a public blockchain.
Care to explain?
For a start, MySQL has decent performance, and doesn’t incentivize wasting huge amounts of electricity.
You’re right, it incentivizes data breaches, fake claims of privacy, censorship, on top of the same stuff that cryptocurrencies incentivize.
Are you trolling or do you really not understand the difference?
There is an obvious difference, but you seem to have stuff in mind. Are you thinking technically, culturally, economically, politically? I don’t know so I’d rather ask an open ended question. If I ask an open ended question I’ll get your opinion. (Which appears to be that I’m an asshole.)
Edit apologies for the tone. I’m not in a good mood and it’s not related to you.
Everything you mentioned stems from the technical differences. And this is supposedly a website where we discuss the tech. Since you’re now saying the difference is obvious (as I feel), I will take that as you retracting your question.
Edit: saw your apology. Thanks. Hope you feel better.
Wash trades are something other than what is being described here. Your statement is incorrect.
In particular, a wash sale is when the same person buys and sells something to/from themselves to create fake volume.
Using a short-term loan to take other actions is a different thing entirely. If you aren’t your own counterparty, it isn’t a wash sale.
That’s true, this is a stretch of the term for dramatic effect, and to highlight the notion that cryptocurrencies seem to slowly reinvent classic financial market scams one by one.
It can have the effect of boosting apparent traded volume (because some of these trades bounce currency out of and back into ETH), but the main purpose seems to usually be something in addition to that.
One would hope these systems can reproduce the behaviors of the existing system. The point is to be able to do things that weren’t possible before, like decentralized exchanges, social key recovery, ownership over digital goods, etc.
This list seems to be based on a super Frankenstein’d, incompletely applied threat model.
There is a very real privacy concern to be had giving google access to every detail of your life. Addressing that threat does not necessitate making choices based on whether the global intelligence community can achieve access into your data — and less than skillfully applied that probably makes your overall security posture worse.
I agree that mentioning of the 5/9/14/howevermany eyes is unnecessary, and also not helpful. It’s not like if your data is stored on a server in a non-participating country that it somehow makes you more secure. All of that data still ends up traveling through the same routers on its way to you.
If you’re going to put a whole lot of effort into switching away from Google, you might as well do it properly and move to actually secure services.
In a long list of ways, Google is the most secure service. For some things (i.e. privacy) they’re not ideal, but moving to other services almost certainly involves security compromises (to gain something you lose something).
Again, it all goes back to what your threat model is.
Google is only the most secure service if you are fully onboard with their business model. Their business model is privacy violating at the most fundamental level, in terms of behavioral surplus futures. Whatever your specific threat model it then becomes subject to the opacity of Google’s auction process.
Emphasis mine.
As someone who doesn’t like Google anymore, I still think this is plain wrong, and I’ll give reasons why:
Google is known to have put serious effort into countermeasures against wiretaps.
Google is known to be challenging NSA and others where possible.
and for the best reason that exists in a capitalist society: it is bad for their business if people think they happily hand over data to the NSA.
(and FWIW I guess a number of Googlers took offense to the smiley in the leaked NSA slides)
Also, for most people running their own services isn’t more secure, and can in many cases be even less secure, even against NSA. I’ll explain that as well:
Things you get for free with Google and other big cloud providers:
“Security” is not an absolute value; it is meaningless without a threat model.
You have demonstrated that you are well out of your league here. Quiet down, listen and learn.
Wow, that seems an incredibly uncalled for level of incivility, even for lobsters.
Yeah, that was definitely going off the deep end.
There’s an appropriate level of criticism here, and this ain’t it.
/u/friendly - I apologise unreservedly for that comment.
Thankfully this attitude is not common here.
if I protect my house by getting the biggest strongest door out there, but the burglars turn up with a brick they throw through my window, then my “security” was useless as my threat model was way off. The concept of threat modelling is most certainly not a “meme”.
Lots of people get hacked when they self-host, because it requires quite some knowledge not everyone has and even if you do, it’s easy to make mistakes. Just self-hosting does not make anything automatically secure, and it also won’t protect you from “the NSA”: you’ll still be obliged to follow laws etc. Besides, the distributed nature of email/SMTP makes it hard to protect from this anyway: chances are most of your emails will still be routed through a US server.
All services “read my emails” to some degree as that’s pretty much a requirement for processing them. This doesn’t necessarily say anything about security or privacy.
It’s not like your comment was especially detailed or overflowing with nuance. Short abrupt one-line comments with blanket statements tend to elicit the same kind of replies.
yeah, but what does “more secure” mean? When people say threat model, they are just talking about what “more secure” means in a certain context. It’s not exactly infosec dogma…. There is no singular axis of more/less secure
“Secure” is a vague term in this context. Giving google and their partners access to your e-mails is not a security issue, I would expect that all to be written down in their ToS and similar documents. It is bad for your privacy and anonymity, definitely.
But I suspect google would be better prepared for a 3rd party that is attempting to hack their servers and forcefully obtain your e-mails than you or any other single individual are. I think that’s also what @ec and others are referring to. Moving away from Google is definitely a good decision to get back (some of) your privacy. Security wise, it really depends on where you are moving to.
Google hands over its users’ data to the American government and through the Five Eyes agreement and similar agreements to many of the governments of the western world. That is not a ‘privacy’ issue it’s a security issue.
Running my own email is not more secure against data loss (unless you also have multi-point off-site backups, encrypted, with the crypto keys stored securely).
It’s also not more secure against email delivery failures causing you to lose business (a much bigger issue for me than google reading them).
Neither is it more secure against your abusive spouse accessing your emails (or destroying the hardware).
Finally, anytime you communicate with a gmail user, google is reading your emails anyways - so to improve your security you also need your mail client to check whether the recipient’s MX records resolve to a google-controlled IP range.
That’s what “irrelevant without a threat model” means.
I’ve nearly finished de-googling everything in my life. Doing it in a way that preserves the security properties I care about is very hard work.
Eh, I’ve run my own email and did gmail side by side for years. I lost more legitimate emails to google’s spam filter false positives than to server down.
Remember that email is designed to be resilient against delivery failures, designed in the days of temporary dial-up connections. If a server is down, it just queues the message and tries again later. If it still doesn’t work, it notifies the sender that the message failed. Not everyone will try to contact you another way when that happens…. but surely more than people whose messages just disappeared into a spam filter.
I’ve been on Fastmail for years now. I regularly check my spam folder; in almost four years I have had one false positive.
When I briefly tried running my own, google randomly stopped accepting my mail after a little while (hence briefly).
I’m glad you have had a good experience with it; I haven’t found it as good a use of my recreational sysadmin time as other things (plex, vscode-over-http, youtube-dl automation, repo hosting etc).
I am concerned about how this affects JS crypto libraries… Does anyone have any insight into this? /cc @nickpsecurity
You mean apart from “tests that break for bad reasons tend to be skipped sooner or later”?
If you’re interested in an answer from @dchest, check out this issue: https://github.com/dchest/tweetnacl-js/issues/190
Really enjoyed this article, well done!
There are other problems with 5G, like major health concerns.
The main problem with 5g is that 4g already provides way more bandwidth than customers can actually use, because of the fucking obscene price-gouging that goes on when you go over your low monthly cap. There’s zero incentive for customers to GaF. 4g is fast enough to stream video to a mobile device, and if you’re tethering you get enough bandwidth in good reception areas to chew up your monthly limit in 10 hours.
fixing it for germany:
Seems I’m among the few here who like this idea. Great minds think alike, I guess. :D
Very neat look at the guts of ObjC. I wish there were more articles like this poking around at its innards, it’s an interesting language that doesn’t seem to get enough credit for its power.
Mike Ash has written quite a lot on Objective-C internals in his Friday Q & A blog series. He doesn’t post much anymore unfortunately, but there’s still lots of good reading in the archives.
It really is. I don’t know why people write C++ when they could be writing Objective-C or Rust. I guess they’re moving to Rust now, which is good. Actually, I do know why they write C++, because I used to write it for years myself: ignorance.
Or the fact it’s more portable? Or the large community around it?
C++, portable? Hah!
The community around C++ seems to be dying to me, and I’m quite grateful for that. No need to stay attached to such a mistake, better to learn from it and move on.
This is pretty vitriolic. The C++ community seems to be growing larger.
Call me when Rust supports more than typical amd64 targets in anything more than anger.
Not sure what you mean by a programming language supporting anger, but if it did I’m pretty sure C++ would steal 1st place.
This article is from 2017, it was the first link I noticed when I searched “rust arm”. If it worked back then, I’m pretty sure it works even better now.
Brendan Eich’s response.
I’m really confused, does the author have any merit in any of these arguments?
He added an addendum to the post recognizing the rebuttal but it leaves me even more confused.
Brave had intended to do a lot of stuff. There are plenty of reddit/hacker news threads with outraged users up in arms related to them. He might be correct that Brave never did some of those things, but only because the internet at large was pretty pissed.
Replacing ads
Accepting tips on users’ behalf and scraping profile data to misrepresent site owners as registered users
There’s a couple Brave people in that thread, brandnewlow and I think brendoneich adamantly defending this and trying to pass it off as a “UI problem”. IMO seems like they try to tiptoe on the line of how much they can get away with.
At least they’re doing something to improve the situation. AFAICT, they’re the reason why Apple and Firefox started adding ad blockers to their browsers by default.
Brave did do something brave, which was to block ads by default, before any other major browser, and try to come up with an alternative funding model. Perhaps it’s not perfect, but it’s more than most people have done to improve the situation.
The author’s argument seems to be that this is a marketing spin, though, and that a more accurate description is “Brave replaced one set of ads with another set of ads”.
But you have to opt-in to that. And saying they merely replaced one set of ads with another ignores all the work they did on improving privacy for ads. Maybe more accurate to say, “Blocked ads by default, and lets you view slightly better ads while paying you, if you want.”
At least at one point in the past (see my other comments), they absolutely were popping fundraising/donation stuff on sites that had not opted in to it.
@taoeffect@mstdn.io
I’m assuming the NIST guy and Munroe are assuming the passwords are not stored as SHA256 hashes…
The 4 words from a dictionary provides plenty of entropy (even with your “how long they typed” caveat) to foil any brute force approach with a password hashing algorithm implemented by a responsible engineer (bcrypt, scrypt, pbkdf2, etc).
The thing that gets overlooked a lot, though, is that mass cracks of things like some website’s breached accounts table almost never use brute force, or even brute-force-with-dictionary, as their first tactic. They try big lists of common passwords and password patterns first, and enjoy a high degree of success from doing so.
And if you got people to move en masse to the diceware/XKCD-style password scheme, every cracking tool would update to try stuff like
etc. because that’s what people would actually choose as their passphrases. The only way to avoid this is to force people to use a tool that selects random passwords for them, and even then they’d fight against having to remember one of these for every site or service they use. At which point you need the tool to remember the passwords for them, and then you’ve arrived at “just use a password manager”.
That’s not how these passwords work. There’s way too much entropy to pre-calculate tables (and more entropy from the salting). And it’s too much entropy to crack for a reasonable price if any sensible KDF is used.
4 words randomly selected from a large dictionary (say 200,000 words) yields 70 bits of entropy. That on its own is way too costly to precompute tables for, and salting typically adds at least another 32 bits (often lots more than 32 bits).
See the working in my own password generation script here, which generates passwords with entropy of at least X and has another function for approximating the cost to crack a password:
https://github.com/cmcaine/cli/blob/master/examples/token
My point is that “entropy” is a red herring.
If you let the user choose their own diceware-style passphrase, you’re going to get things that are cracked within a fraction of a second, because they’ll be choosing things like “my-password-for-2019”, “my-password-for-ebay”, and so on. The alleged entropy of a passphrase of n dictionary words strung together is pointless in that situation, because nobody will be using a brute-force scan of every combination of n dictionary words as a way to crack these.
Consider an analogy: it’s like saying you’ve developed a lock that’s unpickable because it has a million pins in it, and look how long it would take to pick a million pins! But somebody comes along with an under-door tool and yanks the handle from the other side without even trying to pick the lock. So sure, that was a million-pin lock, but it’s irrelevant how many pins it had because the door’s still open in a couple seconds via a simpler attack method.
And since you presumably want to disallow reuse of a password across sites/services, if you’re not letting users choose their own, you haven’t really demonstrated an advantage over a password manager that just generates long random strings, because the only real thing the diceware system has going for it is memorability and users aren’t going to commit that many distinct passwords to memory (or recall them correctly later on even if they do try to memorize).
Neither XKCD or Diceware recommend creating passphrases like that. Of course if you don’t pick your words randomly then your entropy is lower, that doesn’t make entropy a red herring. Entropy remains the key point.
XKCD passwords are useful for passwords that you need to remember or transmit to other people. Like the passwords for your password managers or wifi networks or whatever.
The whole idea behind these password hashers is that you aim to make the work take a fixed amount of time (say 5ms). That leaves 200 verifications a second on a single core. This is more than enough for a legitimate use case for authentication but is completely a showstopper against brute forcing with a good password.
For scrypt, we only have Litecoin to go by as far as estimates go, and it has a weak choice of parameters. With Litecoin, we have around ~300TH/sec, which means a known 4-word structure password out of XKCD’s 2048 dict is cracked in under 0.05 seconds.
For a dictionary of 235886 words, the four-word “correcthorsebatterystaple” requires (235886^4)/(2^70) ~ 2.6 million US dollars. So what? Just make it six words.
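The entropy and cracking-cost figures argued over in this thread (the 2048-word XKCD dictionary, the 235886-word dictionary, the ~300 TH/s Litecoin scrypt rate, and a KDF tuned to ~5 ms per verification) worked through in one place, as an added example that is not from any commenter. The word list is a constructed stand-in; the rates and dictionary sizes are the ones quoted above, and the entropy formula assumes words are drawn uniformly at random, which is exactly the condition a user-chosen phrase violates.

```python
"""Passphrase entropy and brute-force cost, using the figures quoted in this thread."""
import math
import secrets

# Constructed stand-in for a word list; a real Diceware list has 7776 entries.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "velvet", "orbit", "cactus",
    "lantern", "meadow", "pixel", "quartz", "ribbon", "saddle", "tundra", "walnut",
]

# Same year convention as the 2^75/(365*24*60*60) line quoted in the thread.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def passphrase_entropy_bits(dictionary_size: int, n_words: int) -> float:
    """Bits of entropy in n_words drawn uniformly and independently from the dictionary.

    This only holds when the words are chosen at random (dice, secrets.choice, ...).
    A user-picked phrase such as "my-password-for-2019" has far less entropy than
    its word count suggests, because crackers try such patterns first.
    """
    if dictionary_size < 2 or n_words < 1:
        raise ValueError("need a dictionary of at least 2 words and at least 1 word drawn")
    return n_words * math.log2(dictionary_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Average-case exhaustive search: the attacker finds the phrase after half the keyspace."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return 2.0 ** (entropy_bits - 1) / guesses_per_second


def words_needed(target_bits: float, dictionary_size: int) -> int:
    """Smallest number of random words from the dictionary that reaches target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def generate_passphrase(wordlist, n_words: int, separator: str = "-") -> str:
    """Pick n_words uniformly at random with a CSPRNG; this is what makes the entropy figure valid."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def thread_scenarios() -> dict:
    """The concrete numbers from the thread, computed in one place.

    Two guess rates are compared:
      - ~300 TH/s, the Litecoin scrypt figure quoted for a weakly parameterised KDF;
      - 200 guesses/s per core, i.e. a KDF tuned to ~5 ms per verification.
    """
    litecoin_rate = 300e12
    tuned_kdf_rate = 200.0
    xkcd_bits = passphrase_entropy_bits(2048, 4)        # 44 bits
    big_dict_4 = passphrase_entropy_bits(235886, 4)     # ~71.4 bits
    big_dict_6 = passphrase_entropy_bits(235886, 6)     # ~107 bits
    return {
        "xkcd_4_words_bits": xkcd_bits,
        "xkcd_vs_litecoin_rate_seconds": expected_crack_seconds(xkcd_bits, litecoin_rate),
        "xkcd_vs_tuned_kdf_years": expected_crack_seconds(xkcd_bits, tuned_kdf_rate) / SECONDS_PER_YEAR,
        "235886_dict_4_words_bits": big_dict_4,
        "235886_dict_6_words_bits": big_dict_6,
        "words_for_70_bits_from_200k": words_needed(70, 200_000),
        "words_for_70_bits_from_2048": words_needed(70, 2048),
    }


if __name__ == "__main__":
    for name, value in thread_scenarios().items():
        shown = f"{value:.4g}" if isinstance(value, float) else str(value)
        print(f"{name}: {shown}")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST, 6))
```

The same 44-bit phrase falls in a few hundredths of a second against the Litecoin-grade rate but takes centuries against the 200-guesses-per-second KDF, which is the point made above about tuning the hash work factor.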
By the way, where does this 1197962070743187 number come from?
Indeed, this also goes to point 1, that the entropy is hard to figure out. The XKCD comic indicated that it was using a 2048 (2^11) word dictionary, which apparently is about the size of the dictionary some cryptocurrency wallets use.
From this article:
2^75/(365*24*60*60)