this-is-fine.eml

This is a legitimate email from a Legitimate Financial Institution that I was expecting, but I don’t know what I could change to make it look more like a phishing scam.

We’ve spent the last 20 years teaching people not to open email attachments but I guess Raytheon’s Cybersecurity company didn’t hear about that?

I did open the attachment in an isolated browser after reading the source. Inside was a button that takes you to their secure messaging site’s onboarding flow. There’s 90K of data POSTed in hidden fields, so I suspect the constraints that led to this were:

  • Our security platform generates 90K of data to authenticate that the source of this request is legitimate.
  • That’s too much to add as query string parameters on a GET request, but it works for a POST.
  • Support for forms in email clients is poor, so we need to put the form into an HTML attachment.

Each step solves the previous problem, but at no point did anyone with the power to fix things step in and stop it. They didn’t say “90K is too much, find another way to authenticate the source of the request, preferably less than 2K.” If I had to guess, the people who had the information about how bad the implementation is were completely removed from the people setting the requirements.

All of that exists, too! If you follow the mobile instructions and forward the email to that unknown email address, it generates a very reasonably sized link that takes you to an HTML page hosted by them, where you can POST 90K of hidden data and read your secure message.
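Reading the attachment's source before opening it is the right instinct, and it can be scripted. The following is an added example, not code from the original post and not anything from the messaging vendor: a Python script that parses an .eml, pulls out every HTML part shipped as a named attachment, and reports each form it carries (action, method, number of hidden inputs and the byte size of their values) without ever rendering the HTML. The sample message is constructed inline so it runs offline; the addresses, the action URL, the 3000-byte stand-in token and the 2 KiB ceiling in flag_suspicious are assumptions for illustration, not the real message or any policy.

```python
"""Triage an HTML e-mail attachment without rendering it (added example; the
sample message, addresses, URL and 2 KiB ceiling below are assumptions)."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormInspector(HTMLParser):
    """Collect every <form> and the hidden/submit inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.has_script = False
        self._form = None  # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a bare attribute (no '=') has value None
        if tag == "script":
            self.has_script = True
        elif tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "hidden_fields": 0, "hidden_bytes": 0,
                          "submit_labels": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            kind = (a.get("type") or "text").lower()
            value = a.get("value") or ""
            if kind == "hidden":
                self._form["hidden_fields"] += 1
                self._form["hidden_bytes"] += len(value.encode("utf-8"))
            elif kind == "submit":
                self._form["submit_labels"].append(value)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def inspect_eml(raw: bytes) -> list:
    """One report per HTML part shipped as a named attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reports = []
    for part in msg.walk():
        if part.get_content_type() != "text/html" or not part.get_filename():
            continue
        inspector = FormInspector()
        inspector.feed(part.get_content())  # decoded text, never rendered
        inspector.close()
        reports.append({"filename": part.get_filename(),
                        "forms": inspector.forms,
                        "has_script": inspector.has_script})
    return reports


def flag_suspicious(report: dict, max_hidden_bytes: int = 2048) -> list:
    """Reasons to stop before anyone clicks the button. The 2 KiB ceiling is
    an assumed local policy, not a standard."""
    reasons = []
    if report["has_script"]:
        reasons.append("attachment contains <script>")
    for form in report["forms"]:
        host = urlsplit(form["action"]).hostname
        if form["method"] == "post" and host:
            reasons.append(f"form POSTs to external host {host}")
        if form["hidden_bytes"] > max_hidden_bytes:
            reasons.append(f"{form['hidden_bytes']} bytes in hidden fields "
                           f"(limit {max_hidden_bytes})")
    return reasons


def build_sample_eml() -> bytes:
    """Constructed .eml with the shape described in the post: plain-text body
    plus an HTML attachment wrapping one POST form with a large hidden blob."""
    msg = EmailMessage()
    msg["From"] = "noreply@lender.example"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "You have a new secure message"
    msg.set_content("Open the attached file to read your secure message.")
    token = "A" * 3000  # stand-in for the opaque authentication payload
    html = ("<html><body>"
            '<form method="post" action="https://secure-messaging.example/onboard">'
            f'<input type="hidden" name="token" value="{token}">'
            '<input type="hidden" name="recipient" value="customer@example.net">'
            '<input type="submit" value="Read your secure message">'
            "</form></body></html>")
    msg.add_attachment(html, subtype="html", filename="SecureMessage.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for report in inspect_eml(build_sample_eml()):
        print(report["filename"], report["forms"], flag_suspicious(report))
```

Run it against a real saved message with `inspect_eml(open("this-is-fine.eml", "rb").read())`. The parser only looks at decoded text, so a base64 or quoted-printable attachment is handled by the email module and nothing in the attachment is executed or fetched; the report tells you where the button will send the browser and how much data rides along before you decide whether to open it anywhere at all.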

Despite how awful this system is, I’m still glad that Legitimate Financial Institution is using some secure messaging service to collect my loan documents (I’m getting a loan to buy solar panels) and not asking for them to be faxed or emailed plain text.

Brent Simmons on why he’s not adding algorithmic timelines to NetNewsWire, his RSS reader:

These kinds of algorithms optimize for engagement, and the quickest path to engagement is via the drugs outrage and anger — which require, and generate, bigger and bigger hits.

This is what Twitter and Facebook are about — but it’s not right for NetNewsWire. The app puts you in control. You choose the sites and blogs you want to read, and the app reliably shows you their articles sorted by time. That’s it.

Update: Brent also wrote a follow-up highlighting these tweets:


1. and 2. mean it’s not the algorithm’s fault. There’s no way to write an engagement algorithm that doesn’t select for outrage and anger. But 3. means anything that incorporates such an algorithm actually makes us worse people.

I keep thinking about these tweets from Derek Powazek:

I’m not really watching Twitter these days, but haven’t gone so far as to delete my tweets. Since I mostly read (past tense) on Tweetbot and that’s going away, I have a bit more space between me and Twitter. Just in time too, because today is the day to stop reading twttr.

Mastodon is interesting. I am on a server at @georgeh@mastodon.social (3 toots this year!) but there are other Mastodon instances that kind of mean something. You can be on photog.social for a photo-specific feed, or mhz.social for ham radio. There are more.

I have different Slacks for different contexts. Slack for work, sure. My coworking Slack doubles as a local online community. That’s where I would ask for a plumber or electrician. I have a few Slacks with friends and a few more. I’d probably be on some Discords too if I could ever figure out how their UI distinguishes between text and voice.

I’m reading more blogs too. My RSS reader isn’t a Skinner box, trying to mete out dopamine hits. It’s just a list of posts, in reverse chronological order. Like with Twitter, I’m focusing on people I know or would like to know, and who don’t post a million times a day.

A million years ago, I ran an Ann Arbor blog aggregator called ArborBlogs. It was basically a Planet site, showing all the posts from a curated list of blogs. Curation seems to be the key, and curation doesn’t scale. Is that a bug or a feature?

Maybe the way forward, away from toxic interactions and anonymous trolls, isn’t the public timeline but the small groups. Facebook’s need to connect everyone to everyone continues to be its cruel mission, but its groups are the thing that keeps people from leaving.

I’ve never been someone who looks at hashtags or trending topics on Twitter. Someone looks at that stuff, right? That’s the kind of thing that needs a giant public timeline, algorithmically pruned, collapsing all contexts. I’m looking for good stuff from people I know or would like to know. Introverts of the world: unite!


LiveJournal, Russia, and Reddit

Friends and Blasphemers is a pretty great episode from the podcast Reply All. They dive into what happened to LiveJournal when it got popular in Russia.

https://embed.radiopublic.com/e?if=reply-all-OWdvQ8&ge=s1!e601a84ab2126a49a088148a33a52436f5a8b910

One of the interesting parts was a breakdown of how much Russian trolls got paid to disrupt LJ:

PJ: Emails actually leaked out later that had the rates that these guys were getting paid to troll Alexey and his friends. It would be 85 rubles for a comment, and then a bonus: 200 rubles if you could trick somebody into arguing with you.

That part reminded me of some stats on /r/The_Donald:

It turns out that the biggest growth in subscribers happened roughly 3 days after Donald Jr.’s Russian meeting.

Anyway, the point is that I’m going to see if I can import all my old LiveJournal posts here to make it even cringier.

 

Enter title here

I am going to try this new ‘blog thing. Again. With 1 percentage point more Crud.

Why? Partly because I was going through the archives of that other blog thinking “this isn’t as cringy as I expected.” Partly because email newsletters have peaked and I’m trying to get ahead of the next curve. But mostly because somewhere around 2004 Scott Wainstock said that blogging would die out by now and this is going to be a spite blog to prove him wrong.

No introductions should really be necessary at this point. This is the second post on the blog; if you’re reading it, either you know me and what to expect from me, or you’re cyber-stalking me from the future and know what to expect from me.