#dev 2021-01-31

2021-01-31 UTC
#
jacky
ha after months, my site's back up
#
jacky
barely
#
jacky
ha I can't log in
#
aaronpk
not sure what you mean
#
aaronpk
https://micropub.rocks <-- there's an email login form there, you put in an email address and it sends an email
#
aaronpk
people are putting in email addresses to test them out
[chrisaldrich] and schmudde joined the channel
#
dansup
Oh I see, nvm
#
aaronpk
i'm gonna do my little javascript trick to see if it stops the bots
#
aaronpk
i would hate to add a real captcha
[KevinMarks] joined the channel
#
aaronpk
alright basic anti-spam is in place
#
aaronpk
now we wait to find out whether this is random bot traffic or more active spam
#
aaronpk
oh dang, another one just went through
jbove joined the channel
#
aaronpk
aaand another
[fluffy] joined the channel
#
aaronpk
okay trying a more aggressive anti-spam. "enter {random number} to log in"
#
jjuran
I just thought of an idea. An image-based challenge, but instead of making the symbols nigh impossible to read, split the image into tiles, possibly using CSS to obfuscate their order.
#
jjuran
Tiling is transparent (i.e. unnoticeable) to the user, but imposes a burden on robots.
lahacker joined the channel
#
aciccarello[m]
jjuran: You'd also need an accessible solution with that too for people who use a screen reader.
#
aciccarello[m]
Unfortunately captchas have a history of being exploited via the accessible version
#
dansup
also tesseract is pretty good at solving them programmatically
#
dansup
the "slider" captcha that a few crypto exchanges use is pretty clever
#
jjuran
Are the accessible challenges auditory? I haven't tried one.
#
dansup
oh I guess the slider ones can be bypassed with puppeteer lol https://filipvitas.medium.com/how-to-bypass-slider-captcha-with-js-and-puppeteer-cd5e28105e3c
#
aaronpk
Stopping targeted attacks on captchas is very hard, but generally you need to make it only hard enough to make it not worth the spammers' time
lahacker, [benatwork] and ShadowKyogre joined the channel; ShadowKyogre left the channel
#
jacky
^ yup
ShadowKyogre and dhanesh joined the channel; ShadowKyogre left the channel
#
dansup
hey jacky!
#
dansup
aaronpk: yeah I agree, there are many clever ways to do that but ultimately with headless browsers and stuff it's a cat and mouse game
#
@ContentedW
I finally migrated my site from wordpress to @eleven_ty, including integrating webmentions. Special thanks to @mxbck for his great starter template and of course many others providing helpful info. https://www.contentedweb.com/posts/2021/eleventy-webmentions/
(twitter.com/_/status/1355786888553111552)
nickodd and ShadowKyogre joined the channel; ShadowKyogre left the channel
#
sebsel
spam—-
#
sebsel
autocorrect--
#
Loqi
autocorrect has -1 karma over the last year
#
sebsel
spam--
#
Loqi
spam has -1 karma over the last year
ShadowKyogre and schmudde joined the channel; ShadowKyogre left the channel
#
@hola_soy_milk
Adding webmentions to my blog posts was an absolute breeze. Thank you so much for this excellently written guide, A… https://twitter.com/i/web/status/1355871765986242561
(twitter.com/_/status/1355871765986242561)
ShadowKyogre left the channel
#
aaronpk
still getting a couple bounces in the logs, but it could be that those were sent out earlier
#
aaronpk
gonna give it a full day and see how it does
#
@danyork
↩️ @ambrwlsn90 - Thanks for writing that post. A question - how does Webmentions deal with spammers trying to add links to your posts? That was historically the big problem we wound up with both pingbacks and before that trackbacks.
(twitter.com/_/status/1355905491197710339)
[KevinMarks] joined the channel
#
@danyork
↩️ Ah, interesting... so you are using http://Webmention.io as the service to handle all of that. Thanks for the info. I'll have to explore more.
(twitter.com/_/status/1355911716543062020)
[tantek], [KevinMarks] and [Raphael_Luckom] joined the channel
#
[Raphael_Luckom]
[tantek] one way I think about those things is to try to drive toward a contradiction. Like "If I imagine that the instance admin is 100% responsible for blocking / unblocking, can I think of an unambiguous-ish situation where that would fail badly?"
#
[Raphael_Luckom]
and in most cases involving "x is enforced 100%" it's pretty easy to find the failure mode
#
[Raphael_Luckom]
the more interesting designs, like what you suggested, use more nuanced rules and then observe the dynamics that emerge. It's harder to predict what will happen in advance
#
Zegnat
Should that in the great federated dream not mean that if your instance blocking thoughts do not align with your own, that you look for a different instance? Full disclaimer though: I am not sure I know what "blocking" means in this context. If my instance blocks yours, does that mean you can't follow me? But surely who gets to follow me (if I have no public feed) should always be decided on a per-account level and not per-instance?
#
Zegnat
Lots of different interactions to think about there, that might all need different levels of moderation, is my uninformed feeling right now.
#
[tantek]
whoa scrollback
#
[tantek]
aaronpk, I suggest a rotating set of trivia questions from another IndieWeb spec 😂
#
[tantek]
What class name is essential for marking up a repost h-entry?
#
[tantek]
(and don't link anything)
#
[tantek]
happy to come up with a suggested set of those 😄
#
[tantek]
now from chat...
#
[tantek]
this whole "who to block" conversation is backwards
#
[tantek]
that apparently is happening in "the fediverse"
#
[tantek]
I mean if you host a party at your house, you don't do that by inviting everyone in the city, and then tediously deciding who to kick out
#
[tantek]
How is that not obvious? Or is this yet another "technologists try a technology-centered solution to a social challenge" problem?
#
[KevinMarks]
this is kind of why we had to give up on barcamp in the bay area, as any venue got overwhelmed rapidly
#
Zegnat
Also possibly important context: I am not on the fediverse, I never left the blogosphere, so I was only reacting to [Raphael_Luckom] and do not know what prior conversations might have been like outside of indieweb IRC channels.
#
[tantek]
not really KevinMarks, that was more of a wrangling organizer time/energy thing that burnt out the small set of us doing that. more on #barcamp in #indieweb-chat
#
[tantek]
Zegnat, all good, that's why I'm reposting what I wrote in #indieweb-chat that was on topic for #indieweb-dev 😄
#
[tantek]
Continued on the obsession with figuring out "blocking": Also I'm starting to think that the "everyone is invited/allowed by default" position/attitude, whether to a personal site or "node" that you're hosting for folks, is a very entitled+privileged design attitude that ignores (or is naive to) the default harms that marginalized folks face
#
[tantek]
[Raphael_Luckom] re: "one way I think about those things is to try to drive toward a contradiction." I'm going to go out on a limb here and say while that's a good problem solving methodology for math, philosophy, and computer science, it's ironically *really* counterproductive (or missing so much of the solution-space!) for anything human-centric: UI/UX design, social interactions, politics, governance etc.
#
[tantek]
and in this case we're definitely talking about a primarily *social* challenge, not math/CS technical
#
[KevinMarks]
Well, it's also only a necessity when you have the kind of broken reply model twitter has now, where any reply is both sent to you and pasted on the bottom of your post unless you take action to prevent that.
#
[KevinMarks]
and of course the dunk and brigade culture that has grown up around that
#
[tantek]
"only a necessity" ... "where any reply is..." <- this is precisely an example of what I'm talking about with "everyone is invited/allowed by default position/attitude"! (of Twitter's design)
#
[tantek]
it's not just Twitter
#
[tantek]
it's literally every social startup built/designed almost always by a cis white (presumably/usually het) male
#
[tantek]
like EVERY SINGLE ONE OF THEM
#
[tantek]
frankly this goes back to SMTP and the "let anyone email anyone" assumption built into that
#
[Raphael_Luckom]
ok, I don't really have anything to add to this conversation.
#
Zegnat
Same assumption is kinda built into webmentions and activitypub. These are all sort of publicly announced public inboxes. This makes federation/decentralisation possible because someone can spin up a new server that you do not know about, and they can then start interacting with you anyway. But public inboxes are hard to manage (see: email). How do I invite someone to my public inbox?
#
[tantek]
agreed Zegnat
#
@GR36
Now I’ve got twitter replies sorted as webmentions for blog posts. How are people displaying twitter likes? Mine show up as a comment but nothing appears underneath.
(twitter.com/_/status/1355950269947908097)
#
[tantek]
what are likes?
#
Loqi
likes are sometimes part of the information about a post displayed on the post itself, often in a post footer, like a total number like responses, icons of recent likers, or even a datetime ordered list of likes https://indieweb.org/likes
#
[tantek]
sidenote to aaronpk: how about IndieAuth sign-in as the "Captcha" before entering an email address?
btrem, hs0ucy_, ShadowKyogre, jamietanna, schmudde, [benatwork] and [tantek] joined the channel; nickodd and ShadowKyogre left the channel
#
lahacker
is this worth noting somewhere? https://www.rfc-editor.org/rfc/rfc8959
#
lahacker
The "secret-token" URI Scheme
#
lahacker
for bearer tokens
#
Loqi
Mark Nottingham
#
lahacker
prefix bearer tokens with "secret-token:" to allow tools to help keep them safe
shoesNsocks joined the channel
#
@ChrisAldrich
↩️ Dan, since you’re in the WordPress space, there are several pieces in place there. Akismet and other anti-spam tools can still be used to filter webmentions just like any other comment/response on your site. If you moderate your responses, the [more...] https://boffosocko.com/2021/01/31/55786127/
(twitter.com/_/status/1356021202276413442)
schmudde, [timothy_chambe], [KevinMarks] and [tw2113_Slack_] joined the channel