#dev 2023-04-10

2023-04-10 UTC
[manton], Soni and rory1 joined the channel
#
aaronpk
bridgy backfeed is completely turned off for twitter right?
#
GWG
It appears so.
#
aaronpk
just want to make sure because i'm still seeing tweets in my reader but i think that might be coming from my own twitter search scripts
#
[snarfed]
Yup, completely off
#
[snarfed]
twitter-atom is still on but will die by 4/29 I expect
#
[snarfed]
Looks like zapier or ifttt may now be usable for that, will see
#
GWG
[snarfed]: So, what's next?
#
[snarfed]
Bridgy Fed
#
aaronpk
End of an era 😢
#
aaronpk
I will admit that lack of backfeed definitely demotivates me from posting on Twitter at all
#
GWG
[snarfed]: So, what is next for Fed?
#
[snarfed]
New protocols! Like Bluesky
#
[snarfed]
aaronpk same!
#
[snarfed]
Then maybe Nostr, Farcaster, others
#
prologic
Twtxt ftw :)
#
prologic
seriously
#
prologic
https://yarn.social just works
#
prologic
forget all these complicated push-based protocols
#
[snarfed]
Sure! Although you already did the bridging there, right?
#
prologic
Yeah I have to a limited scope
#
prologic
I mean it works, I'm not 100% happy with it, but it's better than when I started
#
[snarfed]
GWG redesigning BF to support multiple protocols (and arbitrary bidirectional pairs) has been a ton of work, still ongoing
#
[snarfed]
prologic++ really great to have more people bridging
#
Loqi
prologic has 2 karma over the last year
#
prologic
yeah I'm finding the same myself
#
prologic
it's almost too much work really
#
prologic
for little gain :)
#
prologic
whoot I have two karma points :)
#
[snarfed]
The gain grows slowly but steadily over time
#
[snarfed]
Next bridge it to webmention!
#
prologic
we already support webmentions :)
#
prologic
natively
#
prologic
and indieauth (provider only atm)
#
prologic
and websub (pods peer with one subscribe to each other for near real-time pulls)
#
[snarfed]
Ah awesome!
#
prologic
I mean I really don't know what more you need
#
prologic
just start running yarn pods everywhere ;)
#
prologic
ditch this Twitter™, Bluesky and Mastodon stuff ;)
#
prologic
sorta half kidding, but not really :D
#
[snarfed]
Network effects
#
@siygle
Changed again: Deno, Fresh and Webmention https://sylee.dev/blog/2023-04-10-change-again-deno-fresh-webmention This site keeps growing by constantly swapping out its tech stack #kidding
(twitter.com/_/status/1645311489933447168)
angelo joined the channel
#
bkil
How ironic. The site that preaches to developers of independent retro-websites uses Cloudflare, the hive mastermind, but still went down with HTTP 500 due to it being served by a complicated dynamic backend prone to failure. Compare this to much higher availability and cheaper solutions that can be served from a static host in exchange for a bit of JavaScript sprinkled over it. https://nojs.club/
holiday_1 joined the channel
#
@geekplux_cn
↩️ What? http://brid.gy no longer supports Twitter? WTF
(twitter.com/_/status/1645426408187887617)
gxt__ joined the channel
#
[snarfed]
"I can only blame Boss Ma, the waywardness of rich people 😢"
^ilhalmer, laker, [marksuth] and [dave] joined the channel
#
bkil
[snarfed]: Let's bring the conversation here. What is it doing exactly that is against the ToS?
#
[snarfed]
bkil I don't know. feel free to research!
#
[snarfed]
and again aaronpk and I aren't 100% sure it's due to the instagram-atom/Bridgy browser extensions. just 99%
#
aaronpk
I assume it falls under "collecting information in an automated way without our express permission"
#
aaronpk
also possibly "reverse engineer"
#
bkil
Reverse engineering for interoperability purposes is explicitly permitted in the EU.
#
bkil
Regardless of what a given ToS says.
#
[snarfed]
I wish you luck making Instagram obey that
#
bkil
On the screenshot, I see an *.appspot.com URL. That seems to imply that this browser was doing some sketchy backend-side crawling/scraping/probing that is way sketchier than a client-side solution.
#
[snarfed]
But this is more the former, automated connection
#
[snarfed]
bkil no, the fetching is entirely client side
#
bkil
But then it must upload the result to some server to republish it again. That is a no-no in terms of a ToS.
#
bkil
It's also bad in the context of the GDPR.
#
[snarfed]
sure, re ToS, I believe you
#
[snarfed]
GDPR is more complicated, but not necessarily true. https://brid.gy/about#gdpr
#
[snarfed]
(more importantly, few if any of the actors here are in the EU, including the extensions' author)
#
bkil
Again, I neither use Instagram, nor this addon, nor have read this ToS. But I have read a bunch of similar services and it usually goes this way.
#
bkil
So if you have installed an extension that collaborates in such an illegal data exfiltration operation, it falls under different provisions. If, however, your browser would only display and process it in scope of a Reader app, but not transmit it anywhere, it would fall under a different classification.
#
bkil
It doesn't matter where the author of the extension is.
#
bkil
But I feel as most people in the indieweb are from the US, they seem to be against any and all mentions about it.
#
bkil
Let's just talk about the ToS, privacy and common sense aspects that nobody debates here ther.
#
[snarfed]
I'm happy to discuss GDPR in general, I just don't think it will be an effective way to get Instagram to allow us to scrape them
#
bkil
This is not scraping
#
[snarfed]
semantics 🤷 it's definitely automated collection
#
bkil
It depends. Is it under the command of a human operator (i.e., in reaction to a user clicking on a profile)? If it is, it cannot be classified as scraping.
#
[snarfed]
it's not. it polls periodically in the background, on a fixed schedule
#
bkil
I would think that the ToS will include a "miscellaneous" clause that allows them to suspend accounts for any other reason than one that is listed explicitly and it usually also grants them the right to not disclose the reason of suspension.
#
[snarfed]
probably
#
bkil
If I integrated such bridging into _my_ Reader, it would only fetch a feed when a user clicks "fetch", posts a new reply or the first time they open a post that includes a post by a new user, etc. So in all cases, _I_ would be safe from being classified as scraping.
#
[snarfed]
if so, that's basically the point I made in #indieweb: the important part is what they want and don't want. ToSes are a mutable tool for them to enforce that
#
[snarfed]
maybe. but they might still shut you down. and arguing ToS legalese would not convince them to reverse that
#
bkil
All similar extensions I've seen over the years did something terribly wrong. If it's how you describe it above, this might be the case here as well. It's still not the case that you can do "nothing" to solve the issue. You just have to be considerate in your implementation.
#
bkil
They would not shut me down, as the method I described above would generate a traffic pattern consistent with any other existing client of theirs.
#
bkil
I.e., it is trivial to see a cron polling pattern in a web server log, so it is a no-brainer to write an automated ban tool on their side.
#
[snarfed]
I appreciate your interest here! I'd definitely like to avoid this problem. but I've spent over a decade building and running tools that access many different social networks' data, via both APIs and scraping, and I've seen them shut many of my tools down, ask me about others, etc, along with other people's
#
[snarfed]
I have solid experience with what they allow and don't allow, what they care about, etc
#
[snarfed]
(if it wasn't clear, I also wrote both of these browser extensions we're talking about)
#
bkil
I know that Friendica succeeded in bridging for quite a few years, but they didn't have sufficient volunteer manpower to keep updating the API code.
#
bkil
Keeping changing the API to annoy third party developers is not the same as locking you out.
#
[snarfed]
I'm very familiar
#
bkil
By the way, note that you as the developer of the extension and any collaborator can be locked out personally by them. I've seen many examples of this over the years.
#
bkil
Especially if you didn't develop and deploy it anonymously.
#
bkil
Note that many existing provisions within the ToS allow them to do that as you are considered a malicious actor by the above reasoning.
#
[snarfed]
sure. we suspect this isn't that though, since at least two other people who used these extensions were suspended (we think because of them) months and years before I was suspended yesterday
#
bkil
Do you have a way through which users can report this back to you for you to aggregate? This sounds odd that only 4 people are impacted and within such a large time window.
#
[snarfed]
just reviews on AMO. the user bases aren't big enough to warrant anything more formal or structured
#
bkil
Note that as long as you use a walled garden, any day can be considered a gift - they can and will lock you out without any reason. I know a bunch of people who got locked out of such products over the years.
#
[snarfed]
yup, we're agreeing here
#
bkil
Even ones who weren't using such addons, but just didn't click on enough likes or ads or whatever (we never figured it out).
#
bkil
So whatever the reason, I would rephrase the hunch that the reason (motivation) of blocking was not because of using a third party client - it was a considerable and noticeable increase in server load from certain well defined endpoints and well defined user accounts due to scheduled polling that can be interpreted to fall within DDoS-mitigation best practices.
#
[snarfed]
sure! we all agree, that was my (and I expect aaronpk's) original interpretation here. there was never any third party client involved at all, at least no user-facing one
#
aaronpk
important note the requests come from the user's browser that runs the extension, not appspot. but it would still trigger bot detection because of the repeated nature of the requests
[jacky] joined the channel
#
[jacky]
might be useful for those doing progressive enhancement with their sites using blurring https://www.npmjs.com/package/blurhash-to-css
#
bkil
aaronpk: Yes, we discussed that above.
#
aaronpk
i'm not sure what the point of the whole conversation above was 🤷‍♂️
#
aaronpk
doesn't seem like there's much point in arguing about what instagram should or should not do
#
bkil
I shared my viewpoint that a bridge implementation would be possible that the would not block.
#
bkil
they
#
aaronpk
without any experience actually building and operating that, i don't think you can make that claim
#
bkil
Full disclosure: have worked on the other side for detecting robots accessing our services, but please don't tell anyone.
#
[jacky]
this is a publicly logged channel 😬
#
bkil
🙀
#
[tantek]
it's in the channel topic/description across all the channels
#
bkil
Yes, I know. I just asked for it to be included there. 😉
#
[tantek]
I was about to say 🙂
#
[tantek]
per aaronpk's point, I'm curious if any of the above conversation is about developing a new IndieWeb bridge, a specific project?
#
bkil
I see a fetch is supposed to run once every 30 minutes as long as the browser is open https://github.com/snarfed/instagram-atom/blob/main/browser-extension/background.js#L17
#
bkil
Do you happen to have detailed logs about the scraping browser and the service just before they locked you out? snarfed ?
#
bkil
Do you happen to leave your browser open for long stretches of time, such as 24/7?
#
[snarfed]
bkil probably not. I think they suspended my account 21 days ago, but honestly not sure, since I hadn't opened Instagram in at least that long
#
[snarfed]
no, it's a laptop
#
bkil
That's a pity. The periodicity itself can be detected easily, there are multiple factors at play.
#
aaronpk
What happened to me was I started getting more re authentication prompts more often, and they got progressively more aggressive
#
bkil
It's odd that they haven't even sent a mail about it.
#
aaronpk
like just asking for a password, then doing sms 2fa,
#
aaronpk
then there was some sort of automated way to reactivate my account
#
[snarfed]
yeah I got a bit of that over the last 6-12 mos or so
#
aaronpk
And then finally just boom
#
bkil
Yes aaronpk, that's one of the main defenses other than the usual heuristics. Getting you prompts and if the bot code does not handle them the same as a human with a browser would be handling it then it could be caught easily.
#
[snarfed]
same, they had me take a selfie with a confirmation code, I sent that today. 🤷
#
aaronpk
you don't need to explain that to me ☺️
#
aaronpk
[snarfed]: I also got that request and sent in the selfie and never heard back 😞
#
bkil
Hence why in my scrapers... er, the scrapers of people I don't know... they are doing double confirmation and consistency checking of previous before proceeding to fetch based on the schedule, otherwise it could result in ever worse lock-out (usually resulting in ones that can't be just waved away with 2FA).
#
[snarfed]
key point for me here is that trying to evade bot detection built by big tech co's with thousands of engineers is a never-ending arms race I'm not very interested in participating in
#
[snarfed]
(even though, or probably because, I've already participated in it so deeply for so long 😁)
#
bkil
They seriously require you to submit a photo of yourself? What if you don't want them to handle that information?
#
aaronpk
too bad?
#
[snarfed]
it's Instagram, most photos people post are selfies anyway 🤷
#
bkil
🤦
#
bkil
You people are weird...
#
bkil
But 🆗
#
[snarfed]
and yes maybe I could evade the bot detection by building an end user app/UI to only fetch on demand, but I'm not interested in building that kind of app, esp since there are already plenty of good social readers. not too interested in reinventing that wheel just to see IG selfies outside of the app
#
Loqi
weird has 1 karma over the last year
#
aaronpk
If you think you can operate a bridgy like scraper without getting shut down, or successfully negotiate with instagram to allow it, by all means do so
#
bkil
Anyway, yeah, Facebook had been doing even more creepy things to combat paid like-bots. They are running bot detection and biometric collection of how you type on the keyboard and how you move the mouse. If the patterns do not match your human self, it gets flagged as well. Guilty of developing such things as well. Come to think of it, I've been into quite creepy tech over the years, contributing on the wrong side.
#
bkil
Hope it's not too late to contribute on the right side if I started today 👼
#
[snarfed]
huh. in my experience IG's bot detection has been way more aggressive and effective than FB's. I'm still mostly successfully scraping mbasic.facebook.com from the server side
#
bkil
Try posting likes to random posts by random accounts. But they are also more observant of those who act from a single IP/ASN, such as "like for hire" enterprises who are doing this all day long with hundreds of accounts in parallel. Today, they only succeed because it is still allowed to do it manually by hiring hard laborers...
#
[snarfed]
oh yeah automating writes (posting, likes, etc) is very different from automating/scraping reads. I mostly haven't tried to automate writes
#
bkil
Haven't looked into the efficiency of the stuff they have over Instagram, but I would assume they would port at least some of their systems over there as well eventually.
#
[snarfed]
you'd think. and yet, at least for scraping reads, my experience has been they're very different, and haven't unified much
#
bkil
Yeah, that was just wishful thinking. Have also seen mergers from inside and I know for a fact that even in mid-sized players, the tech stacks won't ever be converged. As certain components get phased out once every few years, such parts get rewritten to be used by multiple subsystems naturally instead.
#
[snarfed]
IG was acquired 11 yrs ago 😆
#
bkil
Well, you have to cut corners to justify acquisitions and rewriting proven stuff that is working pretty well is a hard sell to investors. Who said Facebook was not a cheapskate?
#
bkil
But also, isn't the end goal of such integration & bridging to combat the network effect so that over time, more regular people could migrate from silos to independently hosted solutions using open protocols?
#
bkil
And how did it work out so far for you? I know that practically nobody uses RSS readers among regular people I know.
#
aaronpk
i don't know if you mean it this way but that's a pretty confrontational tone
#
bkil
Sorry, I just wanted to share my disappointing personal experience with you.
#
bkil
I'd been trying to spread the word for decades now with little success, maybe only my methods were in error.
#
[snarfed]
bkil if it helps, our general approach here is to build things we want, and gradually encourage broad adoption growth, but adoption numbers aren't necessarily our primary goal
#
bkil
So I would be open for any good idea that you got working in your circles.
#
[snarfed]
many of us use social readers, I definitely do, including for reading twitter FB etc. many of us use those features built into their sites, eg micro.blog, etc
[campegg] and [KevinMarks] joined the channel
#
[tantek]
What is a social reader
#
Loqi
A social reader is a modern interactive reader that allows you to directly respond to posts (with a like, comment, etc) right there inline with posts as you read them (as people do in social media), in contrast to legacy feed readers which were one-way read-only experiences and provided no mechanisms to interact with or respond to posts https://indieweb.org/social_reader
#
[tantek]
bkil, start with reading up on that, especially aaronpk's blog post linked at the top
#
bkil
Thanks. I've already read that some time ago.
#
[tantek]
You said you were open to any good idea. See if you can set up something similar and then, rather than ruminating on how/why things don't work (a lot of the above chat is that unfortunately)
#
bkil
I don't watch videos to acquire information, though if you were referring to the keynote, so such links are usually automatically a pass from me.
#
[tantek]
Reread what I wrote. Blog post
#
[tantek]
See if you can set up something similar and blog about your experience doing so!
#
bkil
Okay, I've also read that blog post.
#
bkil
And I agree that building a good Reader would be one part of a good ecosystem (hence why I'm building one currently).
bret joined the channel
#
capjamesg
> It does amaze me that we’ve developed all these amazing protocols, but reach software sitting atop the application layer of the OSI model, and all bets are off. Why is that layer special? Why does it get to break the rules?
#
aaronpk
cause the OSI model is fake
#
sknebel
not fake, just from the wrong timeline
#
[snarfed]
all CS networking 101 classes start with, here's the seven layer OSI model, it's idealized, here's the four layer internet model, it's what actually exists
#
sknebel
basically. I think OSI is given too much room in many cases
#
[tantek]
Idealized based on opinions from people who never built apps. OSI is classic plumbing-first architecture astronomy
holiday_medley joined the channel
#
capjamesg
I think the point has been missed.
#
[tantek]
capjamesg, which specific point were you hoping to discuss from the quote?
#
capjamesg
[tantek] "Why is that layer special? Why does it get to break the rules?"
#
capjamesg
I read this as: why did we not end up with more interoperable open protocols?
#
[tantek]
capjamesg, the short answer is that market forces incentivize incompatibility by default. It takes a clever (and often long) game of marketplace/competitor "chess" to reach a dynamic equilibrium where an interoperable open protocol is strong & stable enough (network effects) to defend against huge capital investments to capture open markets for rent-seeking.
#
[snarfed]
also the key point there is, why does that happen _only at the application layer_, and not below
#
[snarfed]
the answer is that the purpose of the lower layers is networking, ie interconnecting. common carriage is the point there, but not (necessarily) at the app layer
#
IWDiscordRelay
<c​apjamesg#4492> Did I link this already?
#
IWDiscordRelay
<c​apjamesg#4492> https://news.ycombinator.com/item?id=33436051
#
Loqi
[preview] [christkv] How do you even know the person you found is the person you wanted? Also if people flock to specific instances it will just keel over and die.
#
[snarfed]
we discussed this in depth at fediforum. rel-me is great but not sufficient on its own. in many (most?) cases, a mainstream audience won't necessarily know the correct DNS domain for the person they're trying to follow. eg for the example here, I have no idea if Taylor Swift's web site is taylorswift.com or taylor-swift.com or something else
#
[snarfed]
so eg Twitter's old verification was still useful in spirit, even if its implementation had flaws
#
[tantek]
^ presumably wisdom of crowds + follower count solves the celebrity rel-me verified domain problem
#
aaronpk
third party verification (vouching) always has benefits over just bidirectional links
#
IWDiscordRelay
<c​apjamesg#4492> That is an interesting point.
#
aaronpk
they are different problems though
#
[tantek]
now for anyone "less popular" than Taylor Swift, that's a different problem yes
#
IWDiscordRelay
<c​apjamesg#4492> I posited that if Taylor Swift ran a Mastodon instance we’d have a million more users on the platform 😅
#
IWDiscordRelay
<c​apjamesg#4492> swift.town or something to that effect.
#
[tantek]
third party verification risks abuse of power by said third party (e.g. that's literally what silo "verification" does) and is a disadvantage over distributed methods like rel-me
#
IWDiscordRelay
<c​apjamesg#4492> Does mastodon need a couch system?
#
[snarfed]
yup, each approach has strengths and weaknesses
#
[tantek]
capjamesg, nah, more like swifti .es (which is an actual existing site)
#
IWDiscordRelay
<c​apjamesg#4492> I say I am jamesg.blog, do rel me. I say I vouch for @taylor@seifti.es.
#
IWDiscordRelay
<c​apjamesg#4492> I meant vouch system. Autocorrect.
#
aaronpk
again i don't think bidirectional links and third party vouching are competing on the same use cases
#
[tantek]
^ so bots can do that too, an abstract "vouch" doesn't mean much
#
aaronpk
they can even work together quite well
#
[tantek]
vouching is not transitive either
#
IWDiscordRelay
<c​apjamesg#4492> Self vouch?
#
[tantek]
there's plenty of people I'd vouch for who I would not vouch for their vouches
#
aaronpk
bidirectional rel=me establishes a collection of URLs that all claim to be about the same thing. that has nothing to do with identity verification
#
IWDiscordRelay
<c​apjamesg#4492> Swift gives a press conference announcing her new mastodon username?
#
aaronpk
if tay has a bunch of sites with rel=me to each other, then she would only need to announce one URL in a press conference and now you know they are all official
#
[tantek]
capjamesg, before brainstorming, you can look at (and document) existing methods used by celebrities
#
aaronpk
(and yes this is the linktree model)
#
[snarfed]
aaronpk right. bidir links and third party vouch relate once you can reliably announce one of your links out of band, or it's well known, eg whitehouse.gov
#
[snarfed]
but otherwise yes they're mostly separate
#
[tantek]
e.g. some creators on IG do a "verification" pinned post / story where they record a video of themselves stating their canonical username
#
IWDiscordRelay
<c​apjamesg#4492> Link?
#
aaronpk
heh too bad AI cloning is going to make that less reliable now
#
IWDiscordRelay
<c​apjamesg#4492> Hm.
#
[tantek]
yeah, I'm not even sure how I'd know if I'd seen a deepfake of self-verification video or not. so far it hasn't been worth the effort by fake account creators to do so (it seems)
#
[snarfed]
the last ~100 yrs were a brief glorious blip in history when we could use recorded media as actual evidence of anything
#
[snarfed]
nice while it lasted
#
aaronpk
heh that's one way to look at it
#
IWDiscordRelay
<c​apjamesg#4492> What’s next?
#
[snarfed]
compared to the history of civilization, barely a blink of an eye
#
IWDiscordRelay
<c​apjamesg#4492> I have a QR code to my AI bot on my business card.
#
IWDiscordRelay
<c​apjamesg#4492> (Personal business card)
#
IWDiscordRelay
<c​apjamesg#4492> If I hand you the card, you know jamesg.blog is me.
#
IWDiscordRelay
<c​apjamesg#4492> How does one scale that?
#
[tantek]
capjamesg, I believe I answered the "what's next?" question for identity vouching (as opposed to content / comment vouching which is what /Vouch was designed for)
#
[tantek]
in short: rel=me
gRegor joined the channel
#
[tantek]
aside the trust/optimism in "third party vouching" is IMO misplaced, and in direct contradiction to most (nearly all?) evidence to date indicating that such third parties, if successful, will inevitably grow to the point where their power can be abused, and then is abused.
#
[tantek]
so I would say based on experience to date, don't bother working on or advocating for such 3rd party "trust" systems because either they fail before they become relevant, or they live long enough to become the villain
#
aaronpk
there's a huge range of "third party vouching". those comments apply to large centralized providers
#
[snarfed]
trust/abuse isn't binary. gov'ts are the ultimate third party ID vouching system, and obviously they're hugely varied and complex and imperfect, but definitely overall still net positive
#
[tantek]
we're done with BDFLs right? "benevolent" powerful third parties are a bit of a myth as well
#
aaronpk
but smaller communities vouching for small groups of people, while third party, is totally different
#
[tantek]
will take the govts ... question to #indieweb-chat 🙂
#
[snarfed]
probably verging toward #indieweb-chat 🤷
#
[KevinMarks]
You can do third party vouching with rel=me. The authority creates a profile page for each person it is vouching for, and does the bidirectional rel=me
#
[KevinMarks]
That works for employers, academic institutions, professional bodies that issue credentials etc.
#
[KevinMarks]
This is already happening with mastodon
#
[tantek]
[KevinMarks] that's not quite 3rd party, that's more 2nd party, eg an employer for their employees (press etc)
#
[tantek]
Though it is an interesting separate phenomenon that's worth documenting
#
[KevinMarks]
There are third parties too eg https://www.presscheck.org/
#
[KevinMarks]
The ACM or IEEE could validate members similarly
bret joined the channel
#
[tantek]
welp I just got email from Twitter support stating "This is a notice that your app - RelMeAuth prototype - has been suspended from accessing the Twitter API."
#
aaronpk
oh nooo
#
[tantek]
aside: Gmail is now marking Twitter support emails as spam, so you may want to check your spam folder(s) for email from Twitter
#
aaronpk
oh dear
#
[tantek]
"The sender hasn't authenticated this message so Gmail can't verify that it actually came from them. Avoid clicking links, downloading attachments, or replying with personal information."
#
[KevinMarks]
Twitter broke their dkim?
#
[KevinMarks]
My "it me" app got suspended