It's probably very obvious by now, but there's something to be said about companies with the "SF Quirky" vibes:
- The OS Redesign
- "Sexy Legal Documents"
- Emails with "<relevant hedgehog meme goes here>" as the subject line
- Having a merch shop with action figures of your CEO
It works both ways. When you're looking for adoption and making very pro-user moves, I guess it can be a benefit. However, when you're now looking to grow revenue and making very anti-user moves, it's insult to injury.
I'm the last person to say that tech "shouldn't be fun" or something overly-broad like that, but if your messaging doesn't match the decisions of leadership, you're gonna have a bad time.
It started well, though. It was an analytics tool with a developer-oriented mind; it was refreshing compared to the competition. But all good things do seem to come to an end, especially when it is a company. They went full weirdos in the last 2 years. AI just made everything worse.
Agreed. While I don't entirely care enough to rip it out of any existing products, I certainly won't be adding it to any new ones.
I remember people cheering about their "OS" web redesign, which was the most confusing and unnecessary UX complication when I needed to go track down a session replay to debug something. (They've since added navigation to the top right.)
What's most surprising to me is that this is coming from a company that directly markets towards hackers and makers.
Like when you think of the App/Play store lockdowns, the new ReCaptcha attestation stuff, and other things that have a more authoritarian angle to it as of late, you can at least see how it happens: most of their consumers aren't technical and don't even know how to argue against it or why they should care.
With Bambu on the other hand, I'd think a good portion of its customers do actively care about this kind of thing. 3D printing just doesn't have the same market reach as computers and smartphones.
Also, it seems to me like there's eventually going to be a turning of the tide on all of these pushes (app stores included) and companies that are making these kinds of moves aren't seeing that writing on the wall.
With all of the discourse around hardware attestation, digital ID, and age verification in recent weeks/months, is there actually any good solution to the problems these existing tools (Privacy Pass, WEI, Fraud Defense, uploading IDs) claim to solve? Are there open and privacy-preserving standards that can solve the problem of bots and minors? If not, what would be required to establish one, and is it realistic?
Businesses will do what businesses will do, but it seems to me having something to point to and saying "do this instead" is more effective than "this sucks and isn't even about security, don't do this at all" even though it's true.
What even is the problem? I keep my kids' computers in the living room where it's easy to see what they are doing. Their LAN shuts down at night when I'm asleep. They don't get full control of their own cell phone until they are around 16 years old. Bots on social media discourage me from using it which is a Good Thing if you ask me.
The problem is that companies have a legitimate reason to want to block AI agents and verify the users are actually real. And it's incredibly difficult to do that when the old methods of clicking on squares or reading blurry words don't work anymore.
Solving proof of humanity is very difficult without tying to some kind of difficult to replicate or automate ID.
> The problem is that companies have a legitimate reason to want to block AI agents and verify the users are actually real.
Sucks that they have a hard problem like that. Taking away everyone's freedom to exercise ownership of their general purpose computing devices and destroying online anonymity shouldn't be the answer (or, at least, we shouldn't stand for it). Maybe they can spend some of their billions in revenue on it.
Thank you for offering this take -- it is the only forward looking one.
The anonymous internet is going away -- it is too supportive of crime and various kinds of gray area misconduct, and governments and large corporations were eventually going to do something about that.
Such a degree of anonymity is desirable, but it is not a requirement for a free society. What were things like before the internet? You couldn't anonymously browse billions of pages of information in 1960.
There is a good solution to these problems. Exhaustive punishments and forcefully ceasing operations for repeat offenses.
China has all the tech giants jumping through whatever hoops they want by banning them by default and only allowing whichever ones they want to operate after they meet their strict policies and ad hoc decisions.
Now that the US has decided the EU is a rival, the EU should do the same.
> Are there open and privacy-preserving standards that can solve the problem of bots and minors? If not, what would be required to establish one, and is it realistic?
Ideally there shouldn't be standards for this. What we have already is enough.
Companies claiming they are closing down their services/devices to protect the users is total BS. Facebook has admitted they get 10% of their ad revenue from scams, and that's the reason they won't go after scammers on their platforms.
Same can be said for Google. They could come up with numerous ways to block bots or make captchas harder for actual bots (while also not flagging every non-Chrome user as a potential bot, like they do nowadays), but they pretend this is an unsolvable problem that requires a nuclear solution; it used to be Web DRM but now it's called Fraud Defense.
I disagree. Bots have always been an issue, but now every form of CAPTCHA that can be solved by a human can also be solved by a multi-modal language model. Bots are slowly taking over in forums where they previously would have been immediately spotted and banned.
If the only argument you can make every time someone proposes an onerous, privacy-destroying solution to this problem is to deny the problem exists, you're going to lose.
GP is correct, we need an alternative we can point to.
> Bots are slowly taking over in forums where they previously would have been immediately spotted and banned.
Failed to mention this but part of the reason for this is that even after getting past CAPTCHA and creating an account, spam bots in online communities have always had to pass a sort of informal ongoing Turing test to not get outed as a bot by human users and banned. In the past, that would happen almost instantly as soon as the bot posted anything. Now they can often go undetected by even human mods for a long time, maybe even indefinitely.
The people pushing for age verification have already said that they want to know who's behind every account on every website on the entire Internet. They won't accept any open or privacy-preserving standard.
I'm extremely glad to see something like this. I've tried to use Zed so many times, and this might sound neurotic -- but there are just so many little theming things that make a difference to me.
For example, https://imgur.com/a/ia2GCgg -- top is VSCode, bottom is Zed. Both using Svelte, and using a similar theme.
- Angle brackets are a different color
- Capitalized built-in components are a different color
- Boolean props are a different color
- Brackets are colored differently than text.
The inspector is a game changer, clicking into these specific things in the preview they provide is super helpful.
I don't use zed or svelte, but this looks like the zed picture is missing a treesitter parser for svelte. Many editors have basic regex-based highlighting for many languages, and optional, more advanced, highlighting available through extensions. You may also get some semantic highlights provided by a language server if your editor uses the Language Server Protocol as well.
It's been a while, but from what I remember you need that extension for any highlighting at all, and that screenshot is with it installed. Also, if I recall, it's something about that extension using an outdated treesitter parser or something along those lines.
I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least:
- pretended that it wasn't all about invading people's privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
It doesn't fundamentally solve anything. You want to be able to identify a specific person or at least a relatively expensive device so that if you ban them they stay banned.
This is the exact method used to secure iMessage against spam: secure attestation and ‘console’ bans of devices (reversible by iirc phoning support, indicating who you purchased the used device from, and providing an ID). But Google is trying to pull a Windows 11 “TPM or die” conversion on the public Internet via Recaptcha. Welcome to the attestation wars, unwitting websites :)
I remember when I was in high school (2016? 2017?), I found a super simple XSS in the assignment submission form and told the programming teacher. Canvas then proceeded to lock my account and got me my first (only?) detention. Good times.
Somewhat similar vein, the school's blocking software would block YouTube and embeds unless they came from Canvas. They were smart enough to disable the HTML editor for posting discussion comments, but forgot that since it was a rich text editor, you could just copy-paste in an embed by putting the code in data:text/html, then copying the element as formatted HTML.
I also ran the entire DOMPurify sample XSS and managed to find one way to download custom content onto someone's computer.
God I hope that's included. As silly as it sounds, having NFC inside passes require a custom entitlement/approval from Apple was my breaking point for ditching iOS development altogether. The form for requesting said entitlement was broken (at the time, at least), and I didn't understand why .pkpass files had to be signed at all - I still don't.