debanqued @ debanqued @beehaw.org

Posts

29

Comments

131

Joined

3 yr. ago

no, the government doesn’t serve the people it serves power.

First of all, you’re wrong, unless you have limited your comment to a particular gov where votes in an election don’t count -- which is not the situation I am in. I’m in a jurisdiction where not only is there a decent voting system, the reps in gov also take public surveys and sentiment into account for operational design. I’m also in a jurisdiction where civil disobedience has effect. E.g. so many cyclists were unlawfully turning right on red that they decided to scrap the prohibition for cyclists.

You also seem to misunderstand the fact that my drop-in-the-ocean action need not change anything, just as my drop-in-the-ocean election vote is never the one vote that makes a difference.

Unless power thinks you as a group are worth the effort, they will ignore your mailed documents, state you failed to file paper work and you now have to deal with (problems incurred due to not having completed the paper work).

This assumes a scenario where I not only have an obligation to submit something but I also have an obligation to supply an email address. Obviously my form of submission accounts for these factors. The inquiry in the OP does not inherently cover such scenarios, and that’s deliberate.

Paper processes are going away.

Only in regions that are largely populated pushovers and digital zombies, without a right to be analog movement (or the rights to have a movement).

But the point was, there are no good XMPP libraries that would enable a willing government to easily onboard that support. If there were, it would be a very different discussion.

Keyword there is /easily/. It was not easy for Munich to replace all their Windows PCs with linux, but difficulty of deployment was not a show-stopper.

The question is essentially: if e-mail is scrapped, what is the next most qualifying replacement for the given requirements? If XMPP is not the answer, what is?

The gov can /want/ all they want. It is the gov who serves the people, not the other way around. And we (the people) are have some control. That is, if you object to the gov’s email policy or hosting company, you can simply withold your email address. You can send them snail mail. Then they have to pay someone to scan it and react. This is in fact what I do.

I include an XMPP address along with OMEMO fingerprints in the letterhead. It’s mostly symbolic. No one actually uses it. Exceptionally, some attempt to use my XMPP address as an email address. So now I write “note: xmpp is not email” next to the xmpp address.

I’ve installed Deltachat but not experimented at all with it. What happens if someone sends an unencrypted msg to an email account that uses Deltachat? I would expect the msg to still be accepted by the mail server and MS to still see the unencrypted traffic.

If the gov can use email to send a msg, then the payload is seen by MS before it reaches the gateway.

I find XMPP to be /more/ reliable than email, which is largely due to anti-spam zealots like #SpamHaus who block or blackhole email on the basis of IP address, along with countless other anti-spam techniques that cause collateral damage to legit email. I actually cannot send email to Google or MS users because of this crazed zealotry that has lost sight of the purpose of security: availability.

XMPP is certainly glitchy and has a variety of issues, but at least it has not yet been sabotaged by anti-spam zealots, and large corps using anti-spam measures as an excuse to break the platform for those not patronising a large corp.

The other alternative is they provide a website

That’s for person→gov msgs. It is not something I can put in my letterhead as a way for them to reach me. Also, the webforms likely just result in an email transmission that traverses MS servers in-the-clear anyway.

Anonaddy.com is (AFAIK) the only forwarding service that will encrypt inbound msgs using your pgp pubkey. And I use it, but it is useless for cutting Microsoft out of the loop. MS has already seen the payload before it even arrives at the forwarding server.

Thanks for pointing out ArcaneChat. I had not heard of it. First glance, it looks like Deltachat. What happens if an MS email user sends a msg in-the-clear to an ArcaneChat recipient?

Every method has a barrier:

• snail mail: requires postage, which is particularly costly if you need proof of delivery. Also generally entails revealing your physical address to the controller.
• email: requires revealing your email address to them. And if the recipient is MS or Google, or a user on those platforms, their mail server is fussy. I cannot email any MS or Google users because their server blocks my mail server.

A webform could potentially have the fewest barriers, but they blew it.

You say for suspicious users, but for the 4-month stretch of beehaw being unreachable there was no opportunity to login. So there was apparently a user agnostic systemwide change.

It’s worse than being reversible. The problem is that it’s unprovable. A switch from “zero logging” to “log everything” is wholly undetectible to users. You have to rely on blind faith that a profit-driven entity will act in your interest and resist their opportunity to profit from data collection. All you have is trust. Tor avoids that whole dicey mess and reliance on trust.

Indeed the ISP can only see where you go when using TLS, and that data can be aggregated to who you are along with everywhere else you go. It’s sensitive enough that in the US lawmakers decided on whether ISPs need consent to collect that info. Obama signed into force a requirement of ISPs to get consent. Then Trump reversed that. Biden did not reverse it back AFAIK.

W.r.t VPNs, you merely shift the surveillance point; you do not avoid the surveillance. The VPN provider can grab all that info just as well.

I am anonymous. Only doxxing experts know who is behind my account. Using clearnet makes it trivially simple for doxxers. Activitypub msgs include the IP address of the sending source which anyone with their own instance can see, IIRC.

But note as well Tor offers more than anonymity. It mitigates tracking by your ISP.

I’m scared.

The irony, hypocrisy, and injustice here is that the UN’s own website itself discriminates against some demographics of people and denies access to the UDHR of 1948:

And this same UN will be creating the Digital Global Compact.

I would love to put my code where my mouth is. It’s on my long list of projects. The defects I describe in this thread probably do not justify a forking effort and I’m not enthusiastic about learning JavaScript, which is not just a shitty language but also it’s the wrong tool for the job. Although Rust is probbly a decent choice for the backend (but Ada would probably be better).

The biggest deficiency is that there is no decent threadiverse desktop client. I am just baffled that a majority of threadiverse users are using phones. There are like a dozen different mobile clients to choose from and not a single decent client for the desktop. So if I build anything it will be a proper client for a sensibly sized screen (non-portable).

As for fixing the defects exposed in this thread, the upstream Lemmy devs are rather stubborn but I think devs of an existing fork (Lenny?) might be more open to improvements.

Who would use a well-designed variant? You can see from the thread that millennials & gen Zers actually expect designs that prioritise the anti-bot agenda above the needs of both the direct user (the admin) and the end user. A majority of the population does not see how Google, Spamhaus, and Microsoft have broken email. This threadiverse crowd entered after email was already ruined. The emotional attachment to gmail (calling it what it is.. there is no generic netneutral email infra anymore) trumps software that avoids the dog food problem. I might be the sole user of such software, especially if I also code it to enforce decentralisation (which would necessarily include anti-centralisation features that would be unpopular).

to have not actually had an account yet makes it pretty obvious when you try to login and fail that the application has not been accepted.

That would be a blunt non-transparent/non-specific message to send. It’s not obvious /why/ the app was denied.

If the instance admins wanted to talk about it, they’d have emailed you; or published some means of contacting them outside lemmy.

Lemmy software is designed to make email address disclosure optional. An admin can make it mandatory, but Lemmy’s design should cater for the email-free option regardless of how an admin toggles that setting.

I wouldn’t expect to receive the reason for refusing the application via any other means than the email I’d provided in that application.

I get that. People are accustomed to relying on email. But this is not an excuse for software deficiencies.

That’s the entire purpose of providing an email; so you could be contacted when/if there are updates to your applications status.

That can be accomplished without email. Email is a convenience at best. Some users have decided email is an inconvenience and do not use it. And Lemmy supports that -- partially.

Let’s be clear about who the software is expected to serve. The comms feature of giving feedback to users without an email account is not to directly serve the end user. Software should serve its user (the Lemmy admin in this case). A Lemmy admin does not want to take the time to express themselves on their decision only to have their msg blackholed. They don’t necessarily know that an email address is disposable. The end user benefits by extension, but it’s about creating software that serves the direct user of the s/w. If you’re an admin who makes email optional, you might still want to be able to get a msg to a user.

The core purpose of the Lemmy platform is communication. So relying on out-of-band tech is kind of embarrassing. An in-band msg has the advantage that the admin has more control (e.g. they can edit a msg later and they can know whether the msg has been fetched).

The only sensible concession I would see to make is that there are a hell of a lot more important things for Lemmy devs to work on because the software has a lot of relatively serious defects. I’m talking about how great software would be coded, but extra diligent handling of denials should have a low triage in the big scheme of the state of where Lemmy is right now.

You don’t think providing an email from a throw away service would strike the software as a malicious user/spam bot???

You don’t think that legitimate streetwise users secure themselves by supplying disposable email addresses???

You keep talking like you know everything

The post intends to solicite intelligent discourse with logical reasoning, not the sort of ego-charged emotional hot-headed pissing contest you’re trying to bring.

I’m not seeing how this is a good justification for login refusals to lack information and transparency. When you are denied a login, a well designed system tells you why you are denied and the rationale the server gives you should either include enough info to imply a remedial course of action (e.g. “re-apply and tell us more detail about why you like our node”), or at least make it clear that the refusal is final for reasons that are non-remedial. Users should not have to guess about why they are denied a login when countless things can go wrong with email at any moment. The denial rationale should be emailed and also copied into the server records to present upon login attempts.

The only exception to this would be if they really believe they are blocking a malicious user. Then there is some merit to being non-transparent to threat agents. But the status quo is to treat apps rejected for any arbitrary reason as they would an attacker.

There is no valid reason for the United Nations blocking Tor.

A mom & pop shop selling cupcakes would have a valid reason (lack of funding, lack of competence, no conflicting principles). Blocking Tor is a cheap and sloppy attempt at separating ham from spam which inherently entails blocking ham, ultimately against the principles the UN theoretically supports. The UN should have the funding and competence to support their own values.

The UN probably should not be drafting rules about digital inclusion when they themselves have an embarrassing display of digital exclusion.

I don’t want to be an enabler of the drivel, so without posting the full URL to that article that’s reachable in the open free world, I will just say that medium.com links should never be publicly shared outside of Cloudflare’s walled garden. I realise aussie.zone is also in Cloudflare’s walled garden, but please be aware that it’s federated and reaches audiences who are excluded by Cloudflare.

The medium.com portion of the URL should be replaced by scribe.rip to make a medium article reachable to everyone. Though I must say this particular article doesn’t need any more reach than it has.

Anyone who just wants the answer: see @souperk@reddthat.com’s comment in this thread.

A website isn’t a common carrier

We were talking about network neutrality, not just common carriers (which are only part of the netneutrality problem).

you cannot argue that a website isn’t allowed to control who they serve their content to.

Permission wasn’t the argument. When a website violates netneutrality principles, it’s not a problem of acting outside of authority. They are of course permitted to push access inequality assuming we are talking about the private sector where the contract permits it.

Cloudflare is a tool websites use to exercise that right,

One man’s freedom is another man’s oppression.

necessitated by the ever rising prevalence of bots and DDoS attacks.

It is /not/ necessary to use a tool as crude and reckless as Cloudflare to defend from attacks with disregard to collateral damage. There are many tools in the toolbox for that and CF is a poor choice favored by lazy admins.

Your proposed definition of net neutrality would destroy anyone’s ability to deal with these threats.

Only if you neglect to see admins who have found better ways to counter threats that do not make the security problem someone elses.

Can you at least provide examples of legitimate users who are hindered by the use of Cloudflare?

That was enumerated in a list in the linked article you replied to.