DNA Lounge: Wherein 'This shouldn't be our job'

Emma Silvers in The Chronicle:

As the omicron variant began to surge last month, some in the Bay Area arts community saw the waves of cancellations as reminiscent of the pandemic's early days, when shelter-in-place orders brought live events to a screeching, definitive halt. But there's a glaring difference this time around: Event organizers and performers are the ones doing the canceling. That's because local officials' current approach to restrictions is a stark contrast to the position they took in March and April 2020. Namely, there aren't many. [...]

"We could have gone through with the show and no one would have stopped us, which is a little insane," Goff told The Chronicle a few weeks later. "The reality is, we as musicians are not qualified to be making these decisions." [...]

"You're backing people into a corner," said Patrick Brown, founder of San Francisco music label Text Me Records. "When it comes down to it, most people will risk their health rather than go bankrupt if you're not giving them any other options." [...]

Indeed, in the absence of new citywide mandates, an increasing number of Bay Area venues have voluntarily adopted new policies aimed at keeping staff and attendees safe. [...]

"We are getting no guidance or support from the city," DNA Lounge owner Jamie Zawinski told The Chronicle. Zawinski referred to Breed's recent statements as "the Trump approach: telling people to 'personal choice' their way out of a structural, societal problem."

"If the mayor cared about protecting people rather than protecting capital, all restaurants and bars would be closed right now ... (but) for us to just unilaterally close down, while every other nightclub is going full speed ahead, isn't really an option. For that to happen, we would need support from our government, both legal and financial, and that support doesn't exist anymore." [...]

Low ticket sales due to COVID fears aren't helped by the reality that people don't want to buy tickets if they're not sure a show will actually happen. Then there's the fact that most hourly venue staff have no safety net when they're called off work because a performance was canceled -- as opposed to when clubs were shuttered and they could file for unemployment.


The reason the Tuesday Noon sirens haven't returned:

A new system was installed in 2005, which was then hacked in 2018, and fixing that exploit apparently requires replacing the entire communications infrastructure. SFDEM has been downplaying this and referring to this security firedrill as simply "upgrades".

tl;dr version --

I keep seeing articles asking what happened to the sirens, and then answering themselves that they "are antiquated" and "need repairs", which sounds like they're rusty or something. But what really happened was, in 2018 the siren network was hacked because it had no encryption.

The vendor claimed to have immediately rolled out a fix, and then in 2019, San Francisco shut the entire system down for what they believed at the time would be two years. For "upgrades". So, upgrading this system, which had been going off weekly since 1945, necessitated shutting the whole thing down immediately. Not, like, acquiring the budget and the equipment; testing it; staging it; and then shutting down the old system, no. Something was so badly wrong with it that they decided to completely scrap this piece of security infrastructure. Keeping it running at all was judged to be more dangerous than not having it at all.

That sounds like an active exploit in the wild, to me. That sounds like "the only way to prevent this attack is to replace the entire system". My guess is that the fix they came up with is to go with a new vendor entirely. Why is it so expensive? One guess would be that the new vendor uses a different communication system that requires replacing the radios and antennae on all of the horns.

But since SFDEM has been completely silent about what's involved in this "upgrade" (E.g., what is being replaced? Why? Who are the new vendors?) we have no way of knowing.

Here's a timeline that I was able to scrape together:

1942: Sirens installed.

This page went online in 2015 and hasn't been updated since, but describes the 2005 system:

Each device is capable of playing up to seven different tones. The most common one is a "wail".

Voice messaging can either be: 1) pre-recorded on a chip installed in each device; 2) broadcast from the Department of Emergency Management through a recorded message or a live message; or 3) broadcast through the use of a mobile transmitter. [...]

Public safety mobile and portable radios can be remotely programmed to patch into the siren devices to allow the operator to make emergency announcements. [...]

Siren devices can be pre-programmed into a variety of groups for specific announcements. One such group is the Tsunami Warning group for sirens located in the inundation areas of the City.

I haven't found any technical details on how that original system worked, or what kinds of upgrades (if any) were made to the signalling network between 1942 and 2005. That probably means that the answer is "none". It's unlikely that the WWII-vintage system was hard-wired, so it's fair to assume that the old analog system was also trivially exploited by anyone who knew the frequencies and signaling protocol.

Oct 1995: Emergency Sirens Fail to Wail:

Nine of San Francisco's 49 emergency sirens, including one at the Ferry Building, failed to go off as scheduled during Tuesday morning's test, officials disclosed yesterday.

"These sirens were built in 1942, and many of them need repairs," said Frank Schober, coordinator of the Mayor's Office of Emergency Planning.

Schober hopes to replace all 49 of the 500-pound electromechanical devices with lighter electronic sirens. The cost would be about $125,000 a year with the job spread over five years.

Nov 2004: It's kaput for those old air-raid sirens:

The old air-raid sirens that have been sounding in San Francisco every Tuesday at noon since World War II are being replaced with a state-of-the-art emergency warning system that can be used to alert the public in the case of earthquakes, tsunamis, bioterror attacks or other disasters, Mayor Gavin Newsom said Tuesday. [...]

San Francisco's old system has fallen into disrepair over the years, with only about a dozen of the original 50 sirens in working order. Officials are replacing the old mechanical devices with a digital system that will be both siren and public address system. They will be located in 65 locations in the city.

The federal government provided a $2.1 million Homeland Security grant to pay for the upgraded system. The new devices are expected to be fully up and running in January.

By 2005, the siren system was being described as "new", so 2004 or 2005 is when the WWII-vintage analog system was replaced with a digital radio network. Sorry, I meant to say a "state of the art" digital radio network. So how did that work out? Let's check in...

Nov 2005: Hearings urged on faulty siren system:

Mayor Gavin Newsom and Board of Supervisors President Aaron Peskin called separately Tuesday for public hearings to educate residents about flaws found with the city's new emergency siren system.

City officials say the sirens, an early warning system for disasters, aren't loud enough and can be heard in only 50 to 60 percent of the city rather than the 90 percent called for in the contract with Acoustic Technology Inc. The city attorney sent a letter to the contractor Friday claiming breach of contract and demanding that the problems be resolved by the end of the year.

After that, I don't see any press about the sirens for a few years, until a couple incidents where they mysteriously went off at unplanned times. And then... womp womp...

Aug 2012: Emergency siren accidentally activated:

San Francisco emergency officials activated a warning siren Sunday afternoon, triggering some confusion among residents. The siren, which sounded around 3:45 p.m., was activated accidentally, and there was no emergency, according to the San Francisco Department of Emergency Management.

Nov 2014: Officials investigate after outdoor sirens triggered at odd hours:

Outdoor emergency sirens in San Francisco were accidentally triggered late Saturday and early Sunday morning, according to the San Francisco Department of Emergency Management. The sirens were temporarily out of service on Sunday afternoon as city crews conducted testing to determine the cause.

Alarms went off around 11 p.m. Saturday in the Bernal Heights, Noe Valley and Hunters Point neighborhoods, the Bayview District, City Hall, and other areas, but there is currently no known emergency that would have triggered the alarms, department spokesman Francis Zamora said.

Alarms around the city went off again around 5 a.m., he said.

Apr 2018: SF's emergency sirens had a security bug -- it's fixed now:

San Francisco officials have been quietly scrambling since early February to patch a security vulnerability in the city's outdoor alert system that, if left unaddressed, could have allowed hackers to seize control of the city's network of 114 emergency sirens.

On Thursday, the Department of Technology announced that the problem had been fixed. [...] The technology department declined to share the specifics of the vulnerability, other than to say that it had to do with how electronic signals were being encrypted as they were being relayed across the alert system.

"It's fixed now", huh?

Apr 2018: This Radio Hacker Could Hijack Citywide Emergency Sirens to Play Any Sound:

Now, after two-and-a-half years of patiently recording and reverse-engineering those weekly radio communications, Seeber has indeed found that he or anyone with a laptop and a $35 radio could not only trigger those sirens, as unknown hackers did in Dallas last year. They could also make them play any audio they choose: false warnings of incoming tsunamis or missile strikes, dangerous or mass-panic-inducing instructions, 3 am serenades of death metal or Tony Bennett. And he has found the same hackable siren systems not only in San Francisco but in two other cities. [...]

When WIRED reached out to ATI Systems, the company responded that "the vulnerability is largely theoretical and has not yet been seen in the field." It also argued that Bastille had broken the law with its research by violating FCC regulations against intercepting and even merely divulging the existence of government radio signals without authorization. But in a statement it sent to Bastille after the researchers warned ATI about its security flaws, ATI wrote that Bastille's findings are "likely true" and that it's testing a software update it plans to roll out soon.

Apr 2018: SirenJack White Paper (PDF), and CVE-2018-8862:

No no no -- thank you!

The SirenJack vulnerability is distinct from the replay attack that struck the Federal Signal-manufactured Dallas tornado warning system on April 7th, 2017. The older Dallas system used Dual Tone Multi Frequency (DTMF) tones to activate the system over an analog radio link. It is trivial to record the audio of those tones (e.g. on a laptop or tape recorder), and then replay them on the same frequency while transmitting. The activation 'code' usually is fixed, and therefore can be accepted multiple times. [...]

The proprietary digital radio protocol used by ATI to control the San Francisco OPWS was found to have no encryption. As messages were sent in the clear, the patterns of changing elements became easy to interpret. These patterns could be extrapolated to craft malicious messages that conform to the protocol's format and therefore look legitimate, such as activation commands to trigger false alarms. In a deployment where regular testing takes place, knowledge gained by passive observation of test activation commands can be used to trigger the siren system in that deployment at will. [...]

The protocol does not draw on any truly secure practices to prevent analysis of the relevant fields, and thwart potential interference with the system. It is therefore vulnerable due to its reliance on security through obscurity. [...]

A Proof-of-Concept was demonstrated on an ATI siren node with a single horn at a low volume at an isolated location. A modulator and transmitter were created using GNU Radio and a USRP B200mini SDR. Knowledge of the protocol gained by passive observation of two active deployments (San Francisco, CA and Sedgwick County, KS) provided sufficient information to enable the crafting of legitimate activation commands for this node, the configuration for which was unknown. [...]

ATI has stated they have worked on increasing the level of security of their radio protocol, and this fix has now been reported to be rolled out across San Francisco's OPWS. During the weeks leading up to the public disclosure, the OPWS frequency in San Francisco was active with an increasing number of packets that displayed higher entropy (appeared random), and activation commands in San Francisco have no longer been seen in the clear since public disclosure. No cryptanalysis has been performed to determine the efficacy of the fix. Details of remediation steps have not been made available publicly.
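The two weaknesses in the white paper excerpt above (a fixed activation code that is accepted every time it is replayed, and cleartext commands with nothing to prove who sent them) set beside a receiver that requires a valid HMAC tag and a strictly increasing counter. This is an added example, not code from the white paper, ATI, or this post; the frame layout, key, command value and class names are constructed for illustration, and nothing here reflects the real OPWS protocol or its undisclosed fix.

```python
import hashlib
import hmac
import struct

# Hypothetical frame (constructed for this example, not a real siren protocol):
#   group (1 byte) | command (1 byte) | counter (8 bytes, big-endian) | HMAC-SHA256 tag
HEADER = struct.Struct(">BBQ")
TAG_LEN = hashlib.sha256().digest_size
FRAME_LEN = HEADER.size + TAG_LEN
CMD_TEST = 0x01  # constructed command code for the weekly test


def build_frame(key: bytes, group: int, command: int, counter: int) -> bytes:
    """Controller side: serialize the header and append a tag over it."""
    header = HEADER.pack(group, command, counter)
    return header + hmac.new(key, header, hashlib.sha256).digest()


class FixedCodeReceiver:
    """Models the fixed-code design: one static code, no freshness check."""

    def __init__(self, activation_code: bytes):
        self._code = activation_code
        self.activations = 0

    def accept(self, frame: bytes) -> str:
        if frame != self._code:
            return "rejected: unknown code"
        self.activations += 1  # the same bytes work every time they are heard
        return "activated"


class AuthenticatedReceiver:
    """Accepts a frame only if the tag verifies and the counter is new."""

    def __init__(self, key: bytes, group: int):
        self._key = key
        self._group = group
        # In a real device this value must survive a reboot, or old
        # frames become valid again after a power cycle.
        self._last_counter = -1
        self.activations = 0

    def accept(self, frame: bytes) -> str:
        if len(frame) != FRAME_LEN:
            return "rejected: malformed"
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self._key, header, hashlib.sha256).digest()
        # Verify the tag before trusting any header field; constant-time compare.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        group, _command, counter = HEADER.unpack(header)
        if group != self._group:
            return "rejected: other group"
        if counter <= self._last_counter:
            return "rejected: replay"
        self._last_counter = counter
        self.activations += 1
        return "activated"


def demo() -> dict:
    key = bytes(range(32))          # constructed demo key, never use a real one like this
    group = 3                       # constructed siren group number
    results = {}

    # Fixed-code receiver: a recorded transmission is as good as the original.
    fixed = FixedCodeReceiver(b"\x0a\x0b\x0c\x0d")   # constructed static code
    recorded = b"\x0a\x0b\x0c\x0d"
    results["fixed_replay"] = [fixed.accept(recorded), fixed.accept(recorded)]

    # Authenticated receiver: the first copy of the weekly test is accepted...
    auth = AuthenticatedReceiver(key, group)
    captured = build_frame(key, group, CMD_TEST, counter=7)
    results["auth_first"] = auth.accept(captured)
    # ...a byte-for-byte replay of it is not,
    results["auth_replay"] = auth.accept(captured)
    # ...and bumping the counter without the key invalidates the tag.
    forged = HEADER.pack(group, CMD_TEST, 8) + captured[HEADER.size:]
    results["auth_forged"] = auth.accept(forged)
    # The legitimate controller's next frame still works.
    results["auth_next"] = auth.accept(build_frame(key, group, CMD_TEST, 8))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Encryption by itself would not change the fixed-code result, since an encrypted frame can be replayed unchanged; the tag and the counter are what reject the replayed and altered frames.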

Oh, so the fix has been rolled out in San Francisco, huh? Let's see how that's going....

Dec 2019: Upgrades will silence sirens for two years:

The last scheduled siren test is planned for Dec. 10 before a hardware and software overhaul expected to cost up to $2.5 million takes them offline.

The upgrades -- the first since 2005 -- are intended to make the sirens more reliable and secure from outside tampering, the city's Department of Emergency Management said in a statement.

The two-year outage is necessary so that the city can test new specialized equipment before upgrading all 119 sirens.

Securing the sirens has been an issue for the city recently. Last year, the Department of Technology, which maintains the sirens, disclosed that it spent months trying to patch a security vulnerability that, if left unaddressed, could have allowed hackers to seize control of the sirens.

Dec 2021: Siren system stays silent after original upgrade deadline:

The Outdoor Public Warning System, which dates back to World War II, was silenced in December 2019 due to security concerns.

Upgrades were originally expected to take two years, but the city isn't any closer to finishing the project now. Zamora said it's because the COVID-19 pandemic response altered spending priorities.

Jan 2022: Tsunami advisory wouldn't have triggered SF's emergency sirens, but why do they remain silent?

"Right now the sirens are offline and they are offline due to the fact that there were some significant security issues related to the technology," said Mary Ellen Carroll, Director of San Francisco's Department of Emergency Management. "So, we had to take them offline about two years ago."

The city's Department of Emergency Management says this tsunami advisory would not have triggered an outdoor alert even if it were up and working because of the low risk to the area. Director Carroll says the department relied on first responders securing the beach and existing wireless technology to push alerts to the mobile devices of those who have opted into AlertSF and if necessary even to those who have not. "We would not have sounded the sirens for this alert, and we did use AlertSF, out texting alerts to let people know what was going on," said Carroll.

During the 2018-2022 period, we also got a lot of journalistic malpractice like this article on Curbed, which is what happens when so-called journalists just publish press releases without asking any real questions:

Why is it being repaired? It's antiquated. San Francisco will invest between $2,000,000 to $2,500,000 in upgrades to bring the OPWS up to snuff. Upgrades will include new hardware that will improve the reliability system.

But we can always rely on the @SFSiren twitter account to tell the truth:

Nov 9, 2021: It's my #Twitterversary! I have been on Twitter for 12 years, since 10 Nov 2009

Nov 9, 2020: It's my #Twitterversary! I have been on Twitter for 11 years, since 10 Nov 2009

Mar 16, 2020: @SFSiren Retweeted @mjg59: San Francisco, noon tomorrow: the entire population leaning out of their windows and making the emergency siren noise

Dec 10, 2019: WAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
This is a test. This is a test of the outdoor warning system. This is only a test.

Dec 3, 2019: WAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
This is a test. This is a test of the outdoor warning system. This is only a test.

Nov 26, 2019: WAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
This is a test. This is a test of the outdoor warning system. This is only a test.

Nov 19, 2019: WAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
This is a test. This is a test of the outdoor warning system. This is only a test.


Here are some questions that I still have. If you are a journalist with enough clout that SFDEM will take your calls, how about you try and get these answers?

  1. What actually happened in 2012 and 2014 when the sirens were going off unscheduled? You're probably going to need to FOIA the incident reports to get a straight answer about this.

  2. What happened in 2018 when "officials" were "scrambling" to fix the security problem? What was their understanding of the exploit? What specific actions were taken?

  3. Was the exploit considered to have been mitigated? If not, why was the system left operational between Apr 2018 and Dec 2019?

  4. Why was the system completely shut down in Dec 2019? Was it because of the exploit discovered in 2018? Please note, "we needed to test new specialized equipment" does not answer the question of why the existing system was taken completely offline.

  5. What are the details of the plan for bringing the system back online? What hardware will be replaced? What vendors and what products are involved? What security analysis has been performed on the new products?

But those are just the questions that I would be asking, if I was a journalist. What do I know.



DNA Lounge: Wherein we're saying goodbye to Bootie

I am sorry to say that Saturday, Feb 12 will be the final Bootie at DNA Lounge. There's one more remaining before that, this Saturday, Jan 29.

Bootie began as a monthly party at Cherry Bar (formerly Covered Wagon, later Codeword) in August 2003. They first joined us here at DNA Lounge in February 2005, when they began hosting the Lounge during our monthly Pop Roxx parties. Then, having outgrown Cherry Bar, Bootie moved to DNA Lounge as a monthly party starting in March 2006. It was an immediate hit, doing impressively higher numbers than the tiny CW room had allowed. By February 2008 we expanded it to twice a month, then to weekly in October 2009, and eventually to four rooms in October 2012.

Bootie was more than just another DJ dance party; every event included a hugely varied cast of underground and alternative performers -- drag, burlesque, aerialists, circus arts. At the height of its power, Bootie was not only giving those performers access to a huge audience that would otherwise be inaccessible to them, but it was also exposing that audience to a wide variety of performance art that many of them had never seen before. And that's a public service. At every event, you could look down at the crowd at the edge of the stage and see a bunch of faces looking up in amazement, with "what the fuck am I even seeing right now?" written all over them.

And when Bootie first started at DNA, it was also one of the horniest crowds I had ever seen. You don't even know.

For many years, it was far and away our most successful event. Bootie was what paid the bills and kept the lights on. When other events were slow, or there was a bad month, at least there was Bootie. In fact, Bootie's great attendance in the 2010-2012 era was a contributing factor to our decision to expand into next door and open DNA Pizza and Above DNA: we needed the space!

But, what goes up must come down...

We started getting concerned about Bootie's attendance around 2017, and we tried a bunch of different things to reverse the trend. We switched it to 18+, and then we began spending a huge amount of money on promotion, not just online advertising but also getting posters and flyers wayyyy out into the suburbs. Our thinking was, "It's a pop party on a Saturday. If people aren't showing up, it's because we aren't reaching them."

Though, to me -- and not all of our team agree with me on this -- one of the biggest red flags was when we reached the point where half of the people coming in immediately asked our staff, "Where's the hiphop room?" They came to Bootie, but they weren't here for Bootie. What they wanted to hear was exactly the same music you can hear for no cover at every corner bar in town, or any town. And they sure had no interest in seeing a drag show. What made Bootie unique wasn't what drew them to us: they were here just because it was a Saturday. The "community" aspect of the party had faded.

Anyway, that aside, our big promotional push actually seemed to be working! In mid- to late-2019, our Bootie attendance numbers began trending upward again...

And then, oops, pandemic. And it never really recovered.

Now obviously everything has sucked in 2021 and 2022, across the board, but even in comparison to our other events, Bootie was in the ICU. So, it was time for it to stop being weekly. We hoped that it could recover as a monthly, and we were planning on giving that a shot beginning next month. But, Adriana decided that instead of continuing at DNA as a monthly, she'd rather find a smaller room and take Bootie to another venue. We wish her the best of luck.

It's a bummer, and we will miss Bootie, but 16 years (or 19, depending on how you count) is an incredibly long lifetime for a party. It is nearly unprecedented.

We hope to see you at those final two parties! Masked and boosted.

Dooooooooon't stop........ belieeeeeeeeeeevin'........


Hacker Takes Over Numbers Station For Rickrolls And Memes

Buzzer is a Russian military station currently haunted by radio pirates:

Mysterious Russian shortwave radio station UVB-76, known as The Buzzer, normally broadcasts nothing but indecipherable beeps and numbers. But recently it has started to take music requests and post memes, after hackers seemingly took control of the channel for their own purposes. "Aboba" a voice repeatedly said over the station earlier today, before proceeding to blast Russian rave music.

The Buzzer, a Russian numbers station in use since the Cold War, became a sensation on the internet in the late 2000s thanks to 4Chan, and ever since people have wondered about the channel's origins and purpose. It's been especially good fodder for online creepypasta and paranormal enthusiasts because of the mysterious voices that occasionally read out nonsensical chains of numbers and words.

This week, however, it was home to Guy Fawkes masks, Discord pings, and Rick Astley's "Never Gonna Give You Up," as listeners gathered around YouTube streams for The Buzzer to witness the ghostly mashup.


Users mourn the loss of top stolen credit card site

Can you imagine a breathlessly credulous article like this being written about someone who found their path to financial independence through smashing car windows and selling fentanyl-tainted cocaine?

Among those lamenting the loss is Player 456, a 27-year-old based in Ghana. "UniCC was credible and affordable. That's why I'm really heartbroken."

When COVID-19 struck Ghana in 2020, the government introduced lockdowns that impacted Player 456's livelihood. "I work in the events industry," he says. "You can guess how business went." Looking to make cash, he spoke to a friend who suggested he get into online fraud. [...]

For Player 456, it was an eye-opener. Alongside the ability to buy access to compromised credit cards, which could be used for illicit online shopping sprees, the site also held a database of stolen U.S. Social Security numbers. Those numbers allowed people to file fraudulently for unemployment benefits, depositing the cash in U.S.-based dupe accounts they gained access to via UniCC. [...]

"UniCC gave me a way out to turn my finances around -- even though I realize it was at the peril of someone else on the other side of the world," he says. "I see people suffer because they have no money. Graduates, people whose jobs they've lost because of COVID. I hoped they'll all get a chance like I did. But now it's gone."


Every un-shredded car is a policy failure


IRS login makes you take a selfie for this security company you've never heard of

I see no way this could possibly go wrong.

You'll soon have to prove your identity to a Virginia-based security company called ID.me in order to file a return, check tax records, or make payments on the Internal Revenue Service (IRS) website. Your old username and password credentials -- if they still work -- will stop working in the summer of 2022. [...]

ID.me compares your selfie with your driver's license or passport image to verify you are who you say you are. It might also ask for other documentation, such as a copy of a recent bill. If the system still isn't satisfied, it may even ask you to jump on a video call with a human representative. [...] The company says it's also devised ways for overseas, under-documented, or homeless people to verify their identities.

Uh huh.

ID.me says a total of ten federal agencies use its system, including the Department of Veterans Affairs and the Social Security Administration.

The IRS, of course, is a big agency that deals directly with many millions of individuals and businesses. ID.me will become responsible for a huge amount of personally identifiable information -- at a time when cyberattacks on government networks have become common. Recall the 2015 cyberattack on the United States Office of Personnel Management (OPM), in which cybercriminals gained access to 22.1 million government personnel records, including those of government employees and their families, and people who had undergone background checks. [...]

And ID.me can store tax filers' personal data for up to seven and a half years, the representative tells me in an email. [...]

In the event of a data leak, however, your options for redress are somewhat limited. At the very top of the ID.me terms of service, you'll find an all-caps statement saying that by using ID.me you agree to binding arbitration in the event of a dispute, and waive your right to join a class action against the company.

I first encountered this bullshit a few months ago.

My business, DNA Lounge, tried to apply for the "California Venues Grant Program funded by the State of California and administered by CalOSBA", and we couldn't even begin the application process without me personally submitting to this techbro biometric-harvesting bullshit by ID.me. And I wouldn't do that, so we couldn't apply.

There are many ways to prove who I am to the State of California, and giving my biometric information to some third-party for-profit data-harvester with a Montenegro domain is not an acceptable one.


Monkey Dump

Truck with 100 monkeys crashes in PA, some of them missing:

DANVILLE, Pa. (AP) -- A truck carrying about 100 monkeys was involved in a crash Friday in Pennsylvania, state police said as authorities searched for at least three of the monkeys that appeared to have escaped the vehicle.

The truck carrying the animals crashed with a dump truck in the afternoon in Montour County. The truck had been on its way to a lab.

I have heard this story before, and the first time it was called Mrs. Frisby and the Rats of NIMH.

But more importantly: are they fungible? ARE THEY FUNGIBLE??

CDC: All my apes are gone:

The shipment of monkeys was en route to a CDC-approved quarantine facility after arriving Friday morning at New York's Kennedy Airport from Mauritius, the agency said.

The location of the lab and the type of research for which the monkeys were destined weren't clear, but cynomolgus monkeys are often used in medical studies. A 2015 paper posted on the website of the National Center for Biotechnology Information referred to them as the most widely used primate in preclinical toxicology studies.


Instagram: How not to do messaging

Though Facebook is really good at a few things -- being a rage amplifier; providing a clean, well-lit space for fascists; and allowing unmedicated schizophrenics to find each other and thereby elevate their delusions into national movements -- it's important to remember that they are actually stultifyingly incompetent at just about everything that comprises what most people think their business is.

Sadly, my businesses still have a presence on Facebook and Instagram because choosing not to use those services essentially means choosing not to advertise, and that's not really a stand we can afford to take during this pandemic apocalypse.

And since I still have to manage this shitshow, here's me pissing in the wind again about how terrible it is to try and actually use it.

I've written before about the mind-boggling unusability of Instagram's inbox-management for business accounts: that the messages are partitioned into four different places with four different interfaces with no rhyme or reason. It's just unfathomable how anyone is able to communicate with their customers through this disaster. [Narrator: "They cannot. They mostly don't try."]

Well, a couple years ago, Facebook integrated Instagram into this "Facebook Inbox For Business Suits" thing or whatever they're calling it today. In theory, now you can use a Facebook web page instead of the postage-stamp-sized Instagram app to manage your messages while typing with your thumbs like an animal.

Take a look at the image to the right. Zoom in. Let the hate wash over you. I'll wait.

  • First indignity: you have to make the window be basically full screen width or none of those icons on the right show up, because it's got 3 different sidebars (not shown). And even then, sometimes the message author's profile picture appears on top of the buttons, making them unclickable.

  • The "All Messages" tab is not all messages. So the very first words on the page are already a lie. You still have to click through to the four other tabs to see everything.

  • When it shows you an Instagram "story", you almost never get to actually see it. Stories usually expire after 24 hours, but I look at this page once a day and I can't remember the last time a story actually showed up as something other than a broken-image box.

  • When it does actually show you the contents of an Instagram story or post, it is 240 pixels wide. You can't resize it. You can't click on it to open it in a new window. You can't copy its URL. Hope your eyesight is good!

  • When it shows you Facebook messages or replies, it doesn't show you the actual message. It shows you the post on which the messages were made. And it is always set to "Most relevant comments", meaning it's showing you the top-rated 5-of-30 or whatever, in bogosort-order. Because that's what you want to see in your "Facebook Connect Businessy Direct Comments Suite". Not the most recent message, but one that was popular two weeks ago.

  • There is no "mark all read" button. You have a thousand messages in the list, but a couple of them, 700+ messages ago, are marked as unread, making the unread count up top useless? Congratulations, you get to click a thousand times to clear that. Also, the position of the "delete" button changes every time. Sometimes those 5 buttons are horizontal, but sometimes they wrap to 2 or more lines, depending on... I don't even know what. (See "Facebook Cow Clicker".)

  • Once you have deleted a message, it is gone forever. There is no Trash folder. The message itself exists, and everyone can still see it, you just have no way to navigate back to it from "Facebook Presents Inbox by Marc Jacobs" or whatever this is.

  • That "Exclamation point" button means "Mark as spam". As far as I can tell, it's the same as Trash. It does not even move it to a spam folder, because as I said, folders aren't a thing. There is no Spam folder, nor a Trash folder, nor an Archive folder. And it absolutely for sure does not report the message as spam. It's just a handy busy-box for you to click that does nothing, like calling 311 about a blocked bike lane.

  • Is there a way to report abusive Instagram messages? Sure there is, there's a "Report" item hidden on a dot-dot-dot popup menu in the "User" sidebar! That takes you to a FAQ telling you to run the Instagram app on your phone, find the message again (good luck with that), and report it from there.

  • If it's a Facebook comment, there are context menus for blocking and reporting, that work completely differently. What you want is a button that means "report this abusive asshole and make them go away forever". What you get is three different paths to report comments, delete comments, and block users, which take like 14 clicks, and if you miss one step, some or all of those things don't happen. Also it's entirely possible that "block" means "don't show this person's abuse to me personally, but do continue showing them to everyone else who looks at my business page." After all these years, I still have no idea.

    "This web page is using significant energy. Closing it may improve the responsiveness of your Mac."

  • My business account manages multiple Facebook and Instagram pages. Do messages to all of them show up in the same place? Hahahahahahahaha no. Each one gets its own separate "Instagram By Facebook Inbox Business Message Console Business" page.

  • Oh yeah, those red message count badges at the top? They never change as messages are read or tabs are changed. I mean, that sounds too hard, right?

One might hope that this incompetence indicates that they simply don't have employees who know what they're doing, and one might dream that maybe that's because Facebook is just too embarrassing a place for the competent to work. Maybe the people capable of getting jobs elsewhere took my advice and quit. But that's wishful thinking. Ethics are not correlated with programming skill. It's just that they don't give a shit. Tools to allow businesses to use Facebook to intermediate communication with those businesses' customers are not a priority. As a rational, sane person, the things that you expect are part of Facebook's business are not. If you think you are their customer, or even that your customers are their customers, you are wrong.


Oddly specific botnet

Whoever once had the address "mim@mcom.com" has a vast and extremely enthusiastic botnet trying to crack their password on mcom.com's (nonexistent) IMAP server, from 20,000+ unique IPs in the last 30 days.

Never give up hope, it might work some day!

Though I am impressed by the IP space they control, I guess.
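A way to spot this pattern in one's own mail logs, as an added example that is not from the original post: the log format, thresholds and function names are assumptions, and the sample lines are constructed. It counts distinct source addresses per targeted account, because a botnet this wide keeps every single address under any per-IP failure limit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real server's output):
#   2022-01-10T03:14:07 auth-failed user=<mim@mcom.com> rip=192.0.2.17
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth-failed user=<(?P<user>[^>]*)> rip=(?P<ip>\S+)$")

def distributed_guessing(lines, now, window_days=30, min_ips=5, per_ip_limit=3):
    """Return {user: (distinct_ips, failures, ips_over_per_ip_limit)} for
    accounts whose failures in the window come from >= min_ips addresses."""
    cutoff = now - timedelta(days=window_days)
    per_user = defaultdict(lambda: defaultdict(int))  # user -> ip -> failures
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a failed-login line
        ts = datetime.fromisoformat(m["ts"])
        if ts < cutoff or ts > now:
            continue  # outside the reporting window
        per_user[m["user"].lower()][m["ip"]] += 1
    report = {}
    for user, ips in per_user.items():
        if len(ips) >= min_ips:
            # How many sources a per-IP limit (fail2ban-style) would catch.
            noisy = sum(1 for n in ips.values() if n > per_ip_limit)
            report[user] = (len(ips), sum(ips.values()), noisy)
    return report

def sample_log():
    """Constructed sample: 8 sources x 2 failures on one account, plus noise."""
    lines = [f"2022-01-{10 + i % 2:02d}T03:00:{i:02d} auth-failed "
             f"user=<mim@mcom.com> rip=192.0.2.{i // 2 + 1}" for i in range(16)]
    # One address hammering a different account: loud per IP, not distributed.
    lines += [f"2022-01-12T04:00:{i:02d} auth-failed user=<bob@example.org> "
              "rip=198.51.100.7" for i in range(10)]
    lines.append("2021-11-01T00:00:00 auth-failed user=<mim@mcom.com> rip=203.0.113.9")
    lines.append("2022-01-12T05:00:00 login-ok user=<bob@example.org> rip=198.51.100.7")
    return lines

if __name__ == "__main__":
    print(distributed_guessing(sample_log(), datetime(2022, 1, 15)))
```

On the sample, the one account attacked from eight addresses is flagged even though none of those addresses exceeds the per-IP limit.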
