ShadowPouncer

Every now and then, I try to browser without an ad blocker.

That generally lasts until I encounter something that’s bad enough that I don’t really have a choice, and then I turn it back on.

The page needs to actually function. It needs to be possible to click on something and actually be clicking on the thing that you’re intending to.

And it can not have stuff that blinks in a manner that causes a segment of the population (which includes me at times, but not 100% of the time) significant neurological problems.

That last one has been the driving force behind stuff getting reenabled a fair bit.

Oh, and if it’s ads on video content, they need to be at least vaguely reasonable in regards to interruptions and length. Youtube is way past that at this point.

From the comments, I think that the general answer is: We all recognize it, because a lot of different places used a logo sorta like this in the 90s.

And we can’t pin it down exactly, because a lot of different places used a logo sorta like this in the 90s.

And being the 90s, a lot of that was never on the internet in the first place.

It rings very strong bells for me, and I don’t think the reason is one that (at the time of this comment) has already been posted… But I can’t for the life of me remember what it was for.

Yes and no.

I suspect that Reddit is going to lose a fair number of chargebacks, because the credit card association rules are often a bit more strict.

Because they are unilaterally removing benefits that people have already paid for, and are explicitly stating that they will provide no refunds.

If you paid for a year of premium, a good chunk of the benefit has been the coins to buy awards.

After they get rid of both coins and awards, well, you have still paid for premium in advance, but it is now worth a fair bit less to some people.

Also bad, but more arguably in regards to the law, they are choosing to remove all past awards on posts and comments.

Which means that people who have bought coins (or premium to get coins) are having all of that undone, again, without any possibility of refund.

Arguably, this is much more problematic for people who had purchased coins, but who had not used them all before the announcement. Because that’s taking the money, and then simply choosing not to provide the service that was paid for, while simultaneously stating that there will be no refunds.

You could try to argue that, well, they can use those coins up until they turn buying awards off… Except, well, one of the nice things about awards is that they last as long as the post or comment does.

This is… Problematic.

Extremely problematic.

The big cost to doing it yourself is maintenance.

There is, for a lot of people, a fairly large amount of value in never having to worry about hardware dying. If it does, that’s someone else’s problem, and it will be fixed, as far as you are concerned, rapidly and without any interaction with you.

How much any given person values that is going to vary wildly, but it means that you don’t risk having stuff go down at a moment when you can’t do anything about it. Maybe you’re on vacation, and you don’t have any hands that can do anything. Maybe you’re sick, or just extremely busy that week.

You’re not wrong that this comes at a fairly substantial monetary cost, but it is wrong to say that this isn’t, in many cases, a cost that people are more than willing to pay in exchange for the benefit.

Mastodon absolutely does have a weakness of making it more difficult to find people that you want to follow based on what you have already engaged with.

And from a purely user perspective, that is a weakness.

But it’s also a very distinct choice. Because having enough data to be able to meaningfully make such recommendations means having a central database of every user interaction by every user.

And it also means making choices and value judgements which, almost by definition, can not be value neutral.

If the creators of the algorithm are good, they will actually be aware of the choices and value judgements being made, if not, well… They will still be making them, just not in nearly as educated of a way.

On the whole, I really hope that we eventually come up with answers to these problems that make it possible for a user to make those choices, and to have the amount of recommendations that they want, while somehow not having anyone have the huge database of user interactions. I’m not sure if that’s even possible, most especially if you assume that there will be entities on the fediverse that are fudging their data to get recommended in ways that other users don’t want.

But it sure would be interesting to try.

That’s like saying that only using high security locks with various security pins in them to protect your house is a bad idea, and you should throw in some secured with padlocks too just to change things up.

And if some of them are shitty masterlocks, well, you’re changing things up.

That’s really not how security works.

Yes, pass phrases can have large amounts of entropy attached. But unless you are picking your pass phrases truly randomly, with a large dictionary, and using unique pass phrases per site, and the sites are not silently truncating the password input (such as bcrypt which truncates to 72 bytes), you are not actually getting that large amount of entropy.

Where as a 16 character password that randomly uses the ASCII printable range, excluding spaces, gives you 93^16 possible combinations. That’s 31313180170800116587336013460801 passwords.

Or, very roughly, 104.6 bits of entropy. (104.6265409777285022441578006899739 bits of entropy if you want to be downright absurd about it.)

Knowing that you’re doing that simply doesn’t help the attacker in any meaningful way.

Bumping that to 20 characters gives you over 130 bits of entropy, or 2342388736625917052139104541473924426001 possible combinations.

This is quite simply not a viable attack surface.

Where as saying ‘use pass phrases for some things’ means that it is quite likely that some of your pass phrases are going to be much less secure than this.

But let’s give the same numbers for properly generated random passphrases.

The xkcdpass utility can help us here.

Even picking entirely randomly, out of a large word list of 7227 words, a 6 word pass phrase only gives roughly 76 bits of entropy.

Going up to 8 words gives us roughly 102 bits of entropy, that helps a ton… Except that some of those passphrases are going to be longer than 72 bytes. So you’re almost certainly losing bits of entropy.

That best case still gives you fewer bits of entropy than a 20 character randomly generated password. Unless you’re trying to memorize your password, there are no benefits to alternating between randomly generated passwords with good generation settings and passphrases.

And if you’re trying to memorize your passwords, you are definitely doing it wrong.

The advice to always use a unique password per site is an excellent one.

The why is multifaceted, and some of them are moderately complex.

First off, not every site is going to be storing your password in a good a secure manner.

In an ideal world, every site on the planet would be hashing it with something like bcrypt with a fairly aggressive cost setting, and good salts.

And they would have a way to automatically rehash your password on login in the event that the password hashing settings change. (Almost everyone misses this one.)

In practice… It could be stored in plain text. It could be hashed with classic crypt(), or with md5 or sha1 with no salt. There are so many ways to get it wrong.

On the rehashing one, they could have picked something that was best practices at the time, you setup your account, and then two years later, best practices have changed, it turns out that there was a way to attack the previous way, so they change how they do it… And that’s great for everyone who changes their password or sets up a new account after that change, but everyone who did it before that change? Well, those passwords are just sitting there hashed by the old method indefinitely.

Or someone could compromise the site, and grab every password everyone enters.

Or you could fall prey to a phishing attack, and type your login to what looks exactly like the site in question, but is infact a common typo of the real domain.

Again, there are a lot of ways for the password used on a site to get compromised. Many of those ways are entirely out of your control. It is standard practice for attackers to attempt to use that password and username / email on other services when this happens, just so that they can see what else they can get into.

Don’t let that work.

I use + addresses for stuff.

Well, since I run my own mail server, I tend to use _ instead of + as the separator, simply because more places will consider it a valid address.

But it’s amazing how useful it is to include the name of whoever you’re giving the email address to in the email address. It lets you keep getting email for stuff like password recovery. And when an address is leaked, not only can you block that one, but you also get to know who leaked it.

Which is awesome for knowing which businesses to never use again.

Don’t do this.

Just use a good, random, password generator with decent settings.

Varying away from that just to ‘change the kind of password’ is only going to reduce your security.

You want as many random bits of information as possible in the password. That’s it.

If there are not already people running fediverse nodes that exist specifically to harvest potentially ‘interesting’ data, there will be.

You edited it? That’s maybe interesting. You deleted it? Same deal, maybe interesting.

It looks like an email address? Definitely might be interesting. A phone number? Yep.

An address? Definitely could be interesting.

If you posted it, assume that it will always be available to the exact people that you don’t want to see it.

When I was a teenager, well, there’s a whole lot involved, but I basically didn’t have any dental hygiene to speak of.

Who cared?

Well, I had more than one root canal by the time I was 20.

I’m a bit obsessive about it these days, but I have not needed any more root canals.

Take care of the teeth that you want to keep. Don’t worry, if you don’t, they’ll go away.

The other big problem is that if it’s big enough, it may be uncomfortable or down right painful for any partner.

Again, that’s usually more of a girth than a length problem, though too much length can also result in pain. (Bumping into the cervix is, for most women, a rather painful experience.)