ShadowPouncer

Mastodon absolutely does have a weakness of making it more difficult to find people that you want to follow based on what you have already engaged with.

And from a purely user perspective, that is a weakness.

But it's also a very distinct choice. Because having enough data to be able to meaningfully make such recommendations means having a central database of every user interaction by every user.

And it also means making choices and value judgements which, almost by definition, can not be value neutral.

If the creators of the algorithm are good, they will actually be aware of the choices and value judgements being made, if not, well... They will still be making them, just not in nearly as educated of a way.

On the whole, I really hope that we eventually come up with answers to these problems that make it possible for a user to make those choices, and to have the amount of recommendations that they want, while somehow not having anyone have the huge database of user interactions. I'm not sure if that's even possible, most especially if you assume that there will be entities on the fediverse that are fudging their data to get recommended in ways that other users don't want.

But it sure would be interesting to try.

That's like saying that only using high security locks with various security pins in them to protect your house is a bad idea, and you should throw in some secured with padlocks too just to change things up.

And if some of them are shitty masterlocks, well, you're changing things up.

That's really not how security works.

Yes, pass phrases can have large amounts of entropy attached. But unless you are picking your pass phrases truly randomly, with a large dictionary, and using unique pass phrases per site, and the sites are not silently truncating the password input (such as bcrypt which truncates to 72 bytes), you are not actually getting that large amount of entropy.

Where as a 16 character password that randomly uses the ASCII printable range, excluding spaces, gives you 93^16 possible combinations. That's 31313180170800116587336013460801 passwords.

Or, very roughly, 104.6 bits of entropy. (104.6265409777285022441578006899739 bits of entropy if you want to be downright absurd about it.)

Knowing that you're doing that simply doesn't help the attacker in any meaningful way.

Bumping that to 20 characters gives you over 130 bits of entropy, or 2342388736625917052139104541473924426001 possible combinations.

This is quite simply not a viable attack surface.

Where as saying 'use pass phrases for some things' means that it is quite likely that some of your pass phrases are going to be much less secure than this.

But let's give the same numbers for properly generated random passphrases.

The xkcdpass utility can help us here.

Even picking entirely randomly, out of a large word list of 7227 words, a 6 word pass phrase only gives roughly 76 bits of entropy.

Going up to 8 words gives us roughly 102 bits of entropy, that helps a ton... Except that some of those passphrases are going to be longer than 72 bytes. So you're almost certainly losing bits of entropy.

That best case still gives you fewer bits of entropy than a 20 character randomly generated password. Unless you're trying to memorize your password, there are no benefits to alternating between randomly generated passwords with good generation settings and passphrases.

And if you're trying to memorize your passwords, you are definitely doing it wrong.

You're both right, but I'm pretty sure that you're having two separate but related discussions.

Certification by itself does absolutely nothing. It's a piece of paper.

However, it's a piece of paper that you can not get unless you've done a bunch of other stuff.

Regulations would have prevented this, because they would have required the certifications, which would have required the other stuff.

In this case, they didn't do the other stuff.

They didn't test the hull to see if it could take the pressure.

They explicitly decided not to bother testing the hull to see if it could actually take the pressure.

They certainly didn't do any fatigue testing to see how repeated pressure cycles impacted the material. The material that is extremely complex, and which nobody has done this with.

Because they didn't do that testing, they had no way to reliably know if other steps were required, like only using it X number of times, or establishing processes to do specific inspections to look for whatever kinds of damage might happen as a result of repeated stress.

So yes, if they had actually followed the process, this wouldn't have happened. They explicitly arranged to use the vessel in locations where they could not be held to the process.

But they didn't want to follow the process. Which means more than 'they didn't do the certification', it means that they also didn't do many of the other things that would have been required to get that certification.

And the lack of regulation meant that nobody could shut them down for those decisions.

The really really sad thing is, Reddit could have done a half decent job and made a fair bit of money, but they decided on stupidity instead.

Sure, it would have upset some people a bit, but... Not by anywhere close to the same degree.

Alright, we're sorry, but use of the API is going to have to start costing money for some kinds of uses.

First off, people that just want to scrape everything get the following access, and a much higher rate limit, but it's going to cost $x.

Moderator tools will always be free, but the API will require that the tool be associated with a moderator, and it will only permit access to subs that the user is a moderator for.

Community bots will generally be free, subject to the following restrictions.

And 3rd party clients will be charged a minimal amount, calculated to be roughly equal to what we are making from similar users on the official clients, to make up for lost ad revenue. Alternate options involving profit sharing may be viable, contact X for details.

By accepting the API agreement, you agree that use of the wrong class of API usage (for example, using the community bot or 3rd party client classes for data scraping) will be billed, retroactively, at $X * 10.

There. That's really not that hard. And people would have been much less upset at that, at least as long as the fees were actually as described, and not based on, say, how much they would like to make per user.

You'd probably want a free tier for 3rd party clients for users of specific account types. If the user is paying for Reddit Premium, maybe 3rd party clients don't get charged for API usage for that user account. Or if the user is a moderator for a given subreddit, API usage for that user on that subreddit is also free. With an API that the client can use to check the status of such things. If they were smart, they would also have a process for users with disabilities to have their accounts exempted from fees. That last one is hard, because you need a verification process, but it would get them a lot of good will.

Again... This shouldn't be hard. And it would have turned into a viable revenue stream!

Hell, flatly disclose that the 3rd party cost is 30% more than the average cost of using the standard client, to support the effort required to maintain the API. (Largely bullshit, but it makes those users more valuable than those that use the official client, while not being expensive enough to make it impossible for anyone to offer a 3rd party client at an even remotely sane cost.)

Yes, this would have very sadly been the end of free 3rd party clients... But I for one would have been... Okay with paying a small amount per month/year through the app store for a client that didn't suck.

Instead, Reddit decided that committing suicide was the better path forward.

I use + addresses for stuff.

Well, since I run my own mail server, I tend to use _ instead of + as the separator, simply because more places will consider it a valid address.

But it's amazing how useful it is to include the name of whoever you're giving the email address to in the email address. It lets you keep getting email for stuff like password recovery. And when an address is leaked, not only can you block that one, but you also get to know who leaked it.

Which is awesome for knowing which businesses to never use again.

Don't do this.

Just use a good, random, password generator with decent settings.

Varying away from that just to 'change the kind of password' is only going to reduce your security.

You want as many random bits of information as possible in the password. That's it.