00:56 <ocdtrekkie> Okay, so, I'm writing a Windows service that calls the Sandstorm API. I wrote the service part first, and now am writing the Sandstorm call. I now realize this was a mistake.

00:56 <ocdtrekkie> ...Because the only way to test a service is to install it on your machine. Pain in the rear to debug.

01:18 <ocdtrekkie> It works though! \o/

01:22 <crab> kentonv: OK, i tried your experiment. uploaded a 4.8MB file to a new davros grain and downloaded it several times. i am typically able to download the whole thing in 80-100s, and even after several attempts it never took 300s+ the way compressed.js from radicale did.

01:25 <crab> and then i went back and tried compressed.js again, and it took ~150s to load.

04:11 <ocdtrekkie> So, okay, I think everything I was writing today actually works now.

04:12 <ocdtrekkie> I am calling it SSCaaS or Sandstorm Cron as a (Windows) Service. Intentionally terrible name, I don't want to use up a good one.

04:16 <ocdtrekkie> It should (in theory) annoy my TTRSS instance more or less similarly to the way I do when I check the app every half hour or so, with some attempt (so far) to emulate good behavior, by making requests somewhere between every 20-30 minutes (the interval should be slightly random), and like I often do with my mobile app, end up checking again a couple times spaced a number of seconds apart, to, in theory, ensure that TTRSS can completely check all of my

04:16 <ocdtrekkie> feeds before Sandstorm shuts down the app again.

04:18 <ocdtrekkie> This was fun for me because I've A. never written a Windows service before and B. never made a request with HTTP Basic Authentication before.

05:02 <ocdtrekkie> It also strikes me that with a little bit of adjustment, this could be a network monitor for Windows PCs.

13:43 <TimMc> Heh, fun.

13:44 <TimMc> Oh, on the Chrome extensions thing -- as long as you can still install an extension from disk, fine. I just don't want everything to have to go through Google's app store.

14:44 <ocdtr_web> TimMc: They removed the ability to do that by default :years: ago.

14:44 <ocdtr_web> The inline install feature they're disabling requires the extensions be listed in the Web Store.

14:45 <ocdtr_web> (Of course, the problem remains that the Chrome Web Store is still a cesspool of malware, and hence requiring extensions to come from there didn't actually reduce malware at all.)

14:54 <TimMc> oh fascinating

14:54 <TimMc> so what you're saying is that requiring them to be "approved" by Google isn't actually much of a barrier at all

14:54 <TimMc> (yet)

15:08 <ocdtr_web> There's no human-involved approval process on the Chrome Web Store.

15:20 <ocdtr_web> I've started to come to the view that the only way to ensure good moderation of online content is to choose a moderation strategy that doesn't scale.

15:21 <ocdtr_web> So if it's something like software distribution, where bad content getting through means malware, you should probably have a human-based approval process.

15:23 <ocdtr_web> Apple and Microsoft's stores have little to no malware at any time, because the cost/effort required to submit malware and get it through approval is nontrivial. One gets through, and delisted, and the attacker is now back at square one. Whereas with Google's auto-approval with some sort of "AI-based" moderation, you can afford to spam out many arbitrary submissions until they get through.

15:23 <ocdtr_web> And once you find a way to circumvent automated detection, it's likely to can reuse it a number of times before it adapts.

15:25 <ocdtr_web> This is presumably why EV certs still work, despite being relatively terrible at actually verifying your identity: When I watched someone whine about the forms of ID that they had to provide that were unverifiable, it became obvious that really all EV cert providers need to do is ensure there's no duplicates.

15:25 <ocdtr_web> If a bad actor gets an EV cert, and it gets revoked, they're back to square one on an annoyingly manual, arduous process.

15:30 <TimMc> True. You can also find EV cert providers who are terrible at their jobs, but it's still a higher barrier to entry.

15:44 <ocdtr_web> Also, Google could significantly improve the Web Store's malware issue without requiring approval on all addons. Since it has a permission system, they could only require manual approval for ones with particularly risky permissions.

15:45 <ocdtr_web> The "can view and modify content on all websites you visit" permission is surprisingly pervasive, and incredibly crazy to let random developers' extensions have.

15:46 <ocdtr_web> Since it effectively grants that extension the ability to leak any and all sensitive data you traverse over the Internet.

16:02 <TimMc> Kind of like how you don't need sudo to ruin someone's day.

16:02 <ocdtr_web> Yup. Cloud-to-butt has all it needs security-wise to capture your banking account data.

16:47 <ocdtr_web> I really wish Sandstorm had a story for ActivityPub federation. There's so much exciting/neat stuff going on there right now.

16:47 <ocdtr_web> Federated Twitter, YouTube, Medium, Meetup, etc. all using the same federation protocol.

16:55 <TimMc> There's no notion of privacy in it though, right?

16:56 <TimMc> All of those things would benefit from a protocol that allows selection of a subset of the world as recipients.

17:11 <ocdtr_web> TimMc: There's some basic concepts in there, yes. For instance, a Mastodon account can choose to whitelist what federated servers can receive it's updates, particularly private ones.

17:12 <TimMc> But that's only at the server level.

17:12 <ocdtr_web> But private messages are particularly a mostly-bad feature of federated networks. There's warnings in the UI, but essentially private messaging on ActivityPub servers relies on the servers not revealing them.

17:12 <TimMc> No, private messages are a bad feature of ActivityPub networks.

17:13 <TimMc> they're a great feature in federated networks, or just about any social system

17:13 <ocdtr_web> Yeah, I was trying to say, basically, don't use ActivityPub for PMs if you don't have to.

17:13 <TimMc> right

17:14 <TimMc> Mastodon tried to hack in a notion of privacy and it caused huge social problems because other pre-existing implementations didn't know what the hell it was talking about.

17:15 <TimMc> So ActivityPub is great if you want to make blogs, or part of Twitter, or most of YouTube, but it's no good for recreating Livejournal, or the ability to actually send PMs in Twitter, or have private videos.

17:15 <simpson> By absolutely no coincidence, the ocap-ld/linked-data folks have been idling and chatting in #erights over the past few months to try to find better ways to ocap-ify stuff.

17:15 <TimMc> I hope they'll standardize a way to actually make a proper privacy system.

17:15 <TimMc> simpson: Oooh, tell me more, starting with what ocap is.

17:16 <simpson> TimMc: Object-capability security is a way to model capabilities as objects/actors, so that a capability is precisely the ability to send a message to an object.

17:16 <simpson> "ocap" for short.

17:17 <TimMc> What's the basic mechanism -- opaque IDs and lookups, encryption, something else?

17:18 <TimMc> (In an OS you could also use handles, but across a network, you lose that option...)

17:18 <simpson> Usually it's either *unforgeability* (the runtime forbids forging caps arbitrarily) or *unguessability* (cryptography or similar hard problems).

17:19 <simpson> For example, Capn caps are unguessable, which is why one should use TLS with Capn over the network.

17:25 <ocdtr_web> TimMc: IMHO, I am totally cool with "ActivityPub for public social activity, use alternate means for private communication".

17:26 <ocdtr_web> I think we already have a great decentralized tool for private communication, it works on all platforms and you can layer other features or technologies on top of it.

17:26 <ocdtr_web> ...It's called email.

17:30 <TimMc> Email is "private" but its unsecured.

17:31 <TimMc> With new systems we have an opportunity to actually ensure confidentiality and sender verification.

17:31 <TimMc> If you want to say that we should have a single platform for private communication, you *might* be able to convince me of that, but not if you say email is that platform. :-)

17:32 <TimMc> (for the record I think email is fantastic -- just not for this)

17:33 <TimMc> I don't think that restricting social activity to public is healthy. People naturally want to talk in small-group settings and it avoids dogpiling, search-based harassment, etc.

17:37 <ocdtr_web> You can layer confidentiality and sender verification on top of email though.

17:38 <TimMc> With PGP?

17:40 <TimMc> I'd even question whether social networks should be public-first.

17:41 <TimMc> Still working up a proper, less-ranty blog post on that, but the tl;dr is that regular human interactions are limited-visibility and not broadcast to the entire world, globally indexed and searchable, or even persistent -- so maybe we should make social media systems that align with the human instincts that are adapted to that.

17:42 <simpson> Sure. Social networks have an inverse Conway's Law kind of thing going on.

17:42 <TimMc> here's the ranty version: https://www.brainonfire.net/blog/2018/04/18/online-like-offline-social-networks/

17:43 <simpson> (Incidentally, this is why any social network that allows anons to register and gain karma for pretending to behave is inherently planning to be terrible in the future~)

17:48 <TimMc> Can you expand on inverse Conway's Law? I'm familiar with the law, not sure about the application here.

17:50 <simpson> Well, the shape of a social network's software should reflect the kind of community that one wants to attract, right?

17:55 <TimMc> hmmm

18:01 <TimMc> I'll think on that.

18:02 <simpson> No rush; I've been thinking on variations of this for years: https://twitter.com/corbinsimpson/status/829775612898275328

18:03 <simpson> All I have figured out is that we're probably doing things wrong.

18:09 <TimMc> :-)

18:10 <TimMc> So, I totally agree that the "shape" of the software affects the community. I'm not sure it's the same "shape" that Conway's Law talks about.

18:10 <TimMc> and I'm not sure if that's what you were going for or not

18:12 <TimMc> Reputation systems are another thing that we're soooo in need of and have basically no progress on.

18:12 <simpson> Well, it's a very abstract concept. I *can* make a formal statement, if you know category theory.

18:12 <TimMc> hehehe

18:13 <TimMc> "assume a spherical, monadic user"

18:13 <simpson> For some model of human society S and computational category C, the set of functors S -> C is Conway's Law, and the set of functors C -> S describes societies which are borne from the inner language of a program.

18:14 <TimMc> I think of Conway's Law as much more specific: Communication barriers affect system design.

18:15 <simpson> This second set shouldn't be "inverse Conway's Law". Bad name. For most programs, they only support the trivial society, with one user. To have something non-trivial, a functor would have to have an *image* of the desired societal structures expressed within C's logic.

18:15 <TimMc> but I definitely agree that the phenomenon you're talking about is a real thing, even if I quibble with the name :-P

18:16 <simpson> Yeah, that's how it started. But it's more general. Examples: White and Asian men write face classifiers; classifiers don't work well on African or female faces.

18:17 <simpson> There's some *really* deep sociological stuff going on under the surface, and we could definitely pay more attention to it.

18:18 <TimMc> sure, yeah

18:19 <TimMc> that more general case of "who writes the software and how" -> "how the software works" -> "the kind of user behavior that is observed"

18:19 <simpson> Yeah. "Who writes the social network" -> "How the social network connects people" -> "How people act under connection"

18:20 <simpson> "How the social network rewards behaviors" -> "How people change behavior"

19:51 <ocdtr_web> I just learned something magical for batch files.