Hive Social got popped already

Warning: do not use Hive Social:

We found a number of critical vulnerabilities, which we confidentially reported to the company. After multiple attempts to contact the company we finally reached them by phone and they acknowledged the report. After multiple days and multiple reminders by us, they claimed to have fixed all issues. However multiple vulnerabilities we reported still exist at the time of writing.

The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages. This also includes private email addresses and phone numbers entered during login.

Attackers can also overwrite data such as posts owned by other users.


The Hive team has become aware of security issues that affect the stability of our application and the safety of our users. Fixing these issues will require temporarily turning off our servers for a couple of days while we fix this for a better and safer experience.

To their credit, it sounds like pulling the plug entirely was the right move, and most companies would not have done that. Even if they did it not when they found out, but only after someone created a PR disaster to force their hand. One takes what one can get.

However, that does not change the fact that (as I said earlier this week) they are yet another data silo whose lock-in design is antithetical to the principles of openness and interoperability that are the good things that the Internet and the World Wide Web brought to the world.


SF Board of Supervisors approves police murder drones.

Supes approve killer robots, 8-3:

Only Sups. Hillary Ronen, Dean Preston, and Shamann Walton voted against the plan. So much for a progressive majority. Even Sup. Gordon Mar, who already lost his re-election and has nothing more to lose, voted with the police.

[...] It's a huge precedent that has received national attention. San Francisco, the progressive city, has approved a policy that gives the cops another potentially very dangerous tool to use in what are, frankly, vague situations.

Yes, the rules say that only very senior officers can authorize the killer robots -- but given the way senior cops have authorized and defended a lot of completely unacceptable killings in this town, that doesn't blunt the impact of the decision.

It does suggest that the media-hyped Fear of Crime that led to some of the worst criminal-justice policies in modern history in the 1980s is back, in this city, right now.

These supervisors voted in favor of allowing SFPD to execute people by remote control:

Connie Chan, Catherine Stefani, Ahsha Safai, Aaron Peskin, Myrna Melgar, Gordon Mar, Rafael Mandelman, and, to the surprise of nobody, Matt Dorsey.

Dean Preston's dissenting statement:

Today's vote approving the San Francisco Police Department's dystopian military equipment policy -- which will allow SFPD to use robots to kill people -- is deeply disturbing. It is frankly embarrassing that the Board approved this policy based on nothing more than nonsensical hypotheticals [...]

This is a sad moment for our City, and one which shows how far the City has strayed from the reckoning on police violence in 2020. Allowing police to arm remote-controlled robots on the streets of San Francisco is dangerous, and like any other weapons used by police, will place Black and brown people in disproportionate danger of harm or death.

In contrast to the SFPD's fear-mongering hypotheticals, we don't have to look far to see why this decision could put San Franciscans in danger. We have plenty of examples of police using questionable or unjustified deadly force here at home. We also have examples of misuse of bombs and other explosives all over the country. Those include...

SFPD clarified that it would not arm robots with guns. Instead, they would be equipped with explosives.

Update: After a week of press, letters, and an in-person protest, the supervisors voted to send it back to committee for rewrites. Mandelman, Stefani, and Dorsey voted against that, holding firm on their position that it's cool for SFPD to murder suspects by drone.


GrubHub gonna Grub

If your business uses GrubHub, you must contact them or they are about to double your service fees:

Dear Restaurant Partner,

In April 2020, San Francisco enacted emergency COVID legislation capping commission rates for third-party delivery services at 15%. The San Francisco Board of Supervisors recently adopted a new ordinance updating this legislation, which will become effective in February 2023.

This means that on February 1, 2023, Grubhub will place all restaurants at their previously contracted rates. If you'd like to make any changes to your contract, please contact your Account Advisor. You continue to have the option to select our "Basic" 15% package inclusive of delivery and marketing.

In June, the Board of Supervisors made the pandemic 15% cap on delivery fees "permanent", but then DoorDash and GrubHub sued the City, with the usual line of implausible bullshit that without higher fees they "might have to completely eliminate their operations in San Francisco." Suuuuuuure. But the Board of Supervisors blinked anyway, and said, "Wellllllll I guess it's ok if you continue to dark-pattern-hoodwink everyone into your extortionate 30%-and-higher rates, so long as there's still technically a way to get 15%."

Hey, I've got a question! Given that it takes exactly the same amount of time, effort and gasoline to deliver my $10 meal as my $100 meal, why does GrubHub get to charge 10× as much for the second one?

Followup question, does the delivery driver also make 10× as much on the second one? This question is rhetorical.

Anyway, please buy our pizza, it's really good! We make more money if you call us and order for pick-up, but deliveries are good, too.



I've been using Fluid for a few months, and I really like it!

It lets you generate a standalone macOS application that is just a window hardcoded to a particular web page. This means it gets its own dock icon instead of just being one of your web browser's windows or tabs, but more importantly, it does not share cookie data with other browsers.

So, for example, I have a Fluid app that loads the Tweetdeck web site, and it stays logged in to Twitter, but my regular browser is logged out, avoiding all kinds of tracking fuckery.

I'm also using it for Mastodon, because all of the macOS Mastodon apps are way less usable than the web site, but now I have the web site behaving like an app, and handing off clicked links to the "real" browser.

But even more useful is that you can have multiple apps with different logins, so if you have more than one account on a site, you don't have to keep logging out and back in to context-switch. You just generate a different app for each of them.


"Claim your account"

"Post dot news", the Andreessen-funded probable cryptocurrency grift masquerading as a social network that I busted on yesterday (and that considers dunking on billionaires to be hate speech) is creating fake "placeholder" accounts to try and get their users to bully news organizations into signing up.

This is the kind of shit that Yelp regularly does.

Hey, remember in 2020 when Yelp decided to non-consensually funnel more business to their partner Gofundme by creating a "fundraiser" for your business whether you wanted one or not?

SF Bar Owner to Yelp: "Fuck All of These People Entirely".

Hey, remember my 2012 long-form art project entitled, "I would like my business to not be listed on Yelp"? Part 1, Part 2.

Good times, good times.


Big Chonky Glitter Grinning Ornament


PSA: Do Not Use Services That Hate The Internet

Don't make me tap the sign: app-only interfaces are not a part of the World Wide Web. As you look around for a new social media platform, I implore you, only use one that is a part of the World Wide Web.

tl;dr avoid Hive and Post.

If posts in a social media app do not have URLs that can be linked to and viewed in an unauthenticated browser, or if there is no way to make a new post from a browser, then that program is not a part of the World Wide Web in any meaningful way.

Consign that app to oblivion.

Most social media services want to lock you in. They love their walled gardens and they think that so long as they tightly control their users and make it hard for them to escape, they will rule the world forever.

This was the business model of Compuserve. And AOL. And then a little thing called The Internet got popular for a minute in the mid 1990s, and that plan suddenly didn't work out so well for those captains of industry.

The thing that makes the Internet useful is interoperability. These companies hate that. The thing that makes the Internet become more useful is the open source notion that there will always be more smart people who don't work for your company than that do, and some of those people will find ways to expand on your work in ways you never anticipated. These companies hate that, too. They'd rather you have nothing than that you have something they don't own.

Instagram started this trend: they didn't even have a web site until 2012. It was phone-app-only. They were dragged kicking and screaming onto the World Wide Web by, ironically, Facebook, who bought them to eliminate them as competition.

Hive Social is exactly this app-only experience. Do not use Hive. Anyone letting that app -- or anything like it -- get its hooks into them is making a familiar and terrible mistake. We've been here before. Don't let it happen again.

John Ripley:

So many people, who should know better, blogging about their switch to Hive on the basis of user experience or some other vacuous crap, and not fundamentals like, "Is this monetized, and if not yet, when how and who?" or "who runs this?" or "is it sane to choose another set of castle walls to live as a peasant within?"

Post Dot News also seems absolutely vile.

First of all, Marc Andreessen is an investor, and there is no redder red flag than that. "How much more red? None. None more red", as Spinal Tap would say. He's a right wing reactionary whose idea of "free speech" is in line with Musk, Trump, Thiel and the rest of the Klept.

Second, it appears to be focused on "micropayments", which these days means "cryptocurrency Ponzi schemes", another of marca's favorite grifts.

They call themselves "a platform for real people, civil conversations". So, Real Names Policy and tone policing by rich white dudes is how I translate that. But hey, at least their TOS says they won't discriminate against billionaires:

life, liberty, and the pursuit of happiness, regardless of their gender, religion, ethnicity, race, sexual orientation, net worth, or beliefs.

Mastodon is kind of a mess right now, and maybe it will not turn out to be what you or I are looking for. But to its credit, interoperability is at its core, rather than being something that the VCs will just take away when it no longer serves their growth or onboarding projections.

There is a long history of these data silos (and very specifically Facebook, Google and Twitter) being interoperable, federating, providing APIs and allowing others to build alternate interfaces -- until they don't. They keep up that charade while they are small and growing, and drop it as soon as they think they can get away with it, locking you inside.

Incidentally, and tangentially relatedly, Signal is not a messaging program but rather is a sketchy-as-fuck growth-at-any-cost social network. Fuck Signal too.

Update: Aaaaaaaannnnnnd.... Hive Social got popped already.

Current Music: Whale -- Eye 842 ♬

"But Doctor..."



Mastodon stampede

"Federation" now apparently means "DDoS yourself."

Every time I do a new blog post, within a second I have over a thousand simultaneous hits of that URL on my web server from unique IPs. Load goes over 100, and mariadb stops responding.

The server is basically unusable for 30 to 60 seconds until the stampede of Mastodons slows down.

Presumably each of those IPs is an instance, none of which share any caching infrastructure with each other, and this problem is going to scale with my number of followers (followers' instances).

This system is not a good system.

Update: Blocking the Mastodon user agent is a workaround for the DDoS. "(Mastodon|http\.rb)/". The side effect is that people on Mastodon who see links to my posts no longer get link previews, just the URL.
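
The User-Agent rule from the update above, run over access-log lines, as an added example that is not from the original post: it counts unique fetcher IPs per URL per second (the stampede) and how many requests the block would reject. The Combined Log Format, the sample lines, the path, the addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Pattern quoted in the post; it matches the User-Agent of Mastodon's link fetcher.
FEDI_UA = re.compile(r"(Mastodon|http\.rb)/")
# Combined Log Format (assumed): ip - - [time] "METHOD path proto" status bytes "ref" "ua"
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic: addresses, hosts, path and timestamps are made up.
UA_M = "http.rb/5.1.0 (Mastodon/4.0.2; +https://{}.example/)"
UA_B = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0"
T1, T2 = "01/Dec/2022:10:00:01 -0800", "01/Dec/2022:10:05:00 -0800"
def _line(ip, ts, path, ua):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'
SAMPLE_LOG = [
    _line("198.51.100.1", T1, "/blog/example-post/", UA_M.format("one")),
    _line("198.51.100.2", T1, "/blog/example-post/", UA_M.format("two")),
    _line("198.51.100.3", T1, "/blog/example-post/", UA_M.format("three")),
    _line("198.51.100.3", T1, "/blog/example-post/", UA_M.format("three")),  # repeat IP
    _line("203.0.113.7", T1, "/blog/example-post/", UA_B),                   # a browser
    _line("192.0.2.9", T2, "/about/", UA_M.format("four")),                  # lone fetch
]

def parse(lines):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_LINE.match, lines) if m]

def is_fediverse_fetcher(ua):
    return FEDI_UA.search(ua) is not None

def stampedes(entries, threshold):
    """Map (path, second) -> unique fetcher IPs, for bursts at or above threshold."""
    ips = defaultdict(set)
    for e in entries:
        if is_fediverse_fetcher(e["ua"]):
            ips[(e["path"], e["ts"])].add(e["ip"])
    return {k: len(v) for k, v in ips.items() if len(v) >= threshold}

def split_by_rule(entries):
    """Return (blocked, allowed) request counts under the User-Agent block."""
    blocked = sum(is_fediverse_fetcher(e["ua"]) for e in entries)
    return blocked, len(entries) - blocked

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    print(stampedes(entries, threshold=3), split_by_rule(entries))
```

Because the rule keys only on the User-Agent string, the browser request in the sample is still served while every fetcher request is rejected, which is also why link previews disappear.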


Ghislaine Maxwell asked Elon Musk to destroy the internet

As it turns out, their meeting was slightly more than a photo bomb.

According to a Vanity Fair staff member at the time who stood next to Ms. Maxwell and Mr. Musk and shared contemporaneous notes with The Times, the pair chatted. Ms. Maxwell asked Mr. Musk if there were a way to remove oneself from the internet and encouraged Mr. Musk to destroy the internet; Mr. Musk demurred.

Ms. Maxwell then asked Mr. Musk why aliens hadn't yet made contact with humanity, to which Mr. Musk replied that all civilizations eventually end -- including Maxwell's hypothetical alien one -- and raised the possibility that humans are living in a simulation.
