This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
I hate the antichrist!
Modern technology is in dire need of modern solutions
Our story starts a few days ago when I changed the IP address of the VPN I use to connect to my BurdensomeCount accounts and identity. This is a fairly regular thing I do for Opsec reasons. I also scramble the MAC address of my devices every once in a while, same reason. Normally this is all fine and dandy except that last time I decided to do both of these things together. Looking back this was a very bad idea indeed. While minor minutae of misfortunes I've had to face in my daily life aren't worth making a mottepost on my struggles over those pained few hours, if only for didactic reasons about the current state of modern large technology companies and the decay of the anonymous free internet, are well worth writing about.
On Saturday I tried to log into my discord account for a voice game of Blood on the Clocktower (on a server that originally sprung up from The Motte so populated by smart people, it's quite a fun way to spend an afternoon if you have nothing better to do). After inputting my email address and password and solving the captcha- these days they're using one with a picture containing multiple objects, all but one of which are in pairs, so like 2 trucks in the image, 2 lions in the image, one rabbit and you have to click on the unpaired object to pass- Discord did the whole "new login location detected, please check your email address" thing, all well and expected because of my VPN reset.
At this point I went to Gmail to log in. Email address, check; Password, check; no issues here. Since I was using a new IP and MAC Gmail asked for an extra security check before they let me in: they wanted a mobile phone number to send me a 6 digit code. This was the first sign that something was wrong: I didn't even have a mobile phone associated to this account so why was Gmail asking for a phone number? Like seriously, why do you need me to associate a phone number before you let me into my own account? I tried to see if there was a way around this but apparently not, Google wanted a phone number or it was no dice for me.
Obviously I didn't want to provide my registered phone number linked to me in real life but fortunately I have a burner phone. I gave Gmail one of my burner numbers and got the code from Google. Note that since I didn't have any associated phone numbers with the account anyone could have used literally any phone they had lying around for this so it's not like this was providing any real security benefit to my account against intruders, it was all a charade for Google to get its hand on a phone number. I was medium annoyed at this but I had a voice game to play so let it slide. I got my six digit code and put it in, only to be told:
No shit you couldn't verify this account belongs to me when I don't even have a phone number associated with the account? What possible reason related to identity verification could you have to ask me for a phone number in the first place?
It was off to Account Recovery for me. Google again wanted my email address and password, which I provided. I also had some security questions registered to my account that I knew the answers to but Google didn't even bother asking me about them, instead taking me straight to:
and leaving me at a complete blank wall. My only reaction at this point was WTF?? Locking people out of their accounts when they've forgotten their ID details is one thing, but doing it to someone who remembers literally every single piece of identity information associated with their account is a whole new level of bastardry. Do no evil indeed.
All this meant I needed a new Discord account, which meant a new disposable email account as well, and I needed it fast, the games were starting in less than half an hour. I wasn't gonna create another Gmail account after their recent treatment so I went to what I thought was the provider most open to anonymous accounts and least likely to pull another Google on me: Protonmail.
Fortunately making a new account with Protonmail was fast and without issue. I took this new email and tried to use it to create a Discord account. Discord though was much less nice. Firstly it wanted all the standard details: username, email, date of birth (1st Jan 1984 in case anyone is curious) and password. Before making the account it wanted me to verify I was human: it was time for another captcha but that wasn't enough to sate Eris, she also wanted me to verify my phone number to create an account, which as usual I didn't want to provide for Opsec reasons.
At this point I was already feeling some burnout so tabbed over to other stuff for a few minuets. When I came back it was to the landing page Discord has for all new accounts where they tell you about how they are a worse IRC clone and try to upsell you into buying Nitro (but hey, at least it's still better than Slack). Thinking I had lucked through somehow and wouldn't need to go through the whole phone number charade and was home safe I closed these popups but instead of the expected stuff I was presented with the login screen again. It looked like I had timed out instead on the previous screen and would need to login again into the new account.
No matter, at least I was getting somewhere. I put in my new email and password and hit "Log in", only to be rewarded with "Wait! Are you human?". It was captcha time again. I got my burner phone ready and clicked on the rabbit, just about having had it with Discord. Time was ticking, the game was about to start soon and I didn't want to miss out on the first round.
Fuck me with a pointed stick. Why has this account been disabled when it's never been properly logged into ever in the first place? What possible reason could you have for disabling the account? No phone number? In that case why not just ask for one instead of nixing the account straight up? I hadn't got the time to seethe here so I went straight back to the account creation screen. Since the previous attempt had failed to create a working account I tried to create another one only to be told "Email is already registered", but not before going through another round of captchas.
Great, because I had the temerity to switch over to another tab for a few minutes you've now basically made it impossible to use my email address with discord forever. Normally at this point I'd have gone outside and touched grass to cool off a bit but there wasn't any time for that right now. I immediately went back to Protonmail and created a new account then returned to Discord signing up for another shiny new account with my shiny new email. One more captcha later I was back to the "verify your phone number page". This time I had my burner in hand and gave Eris my number post haste prior to her fickle nature banishing me again only to be met with another "Wait! Are you human?" before she'd send me the six digit code needed to gain access to her inner valuables.
I got the code and typed the digits in one by one, then hit enter. My reward for this was, yep, you guessed it, another captcha. These newfangled automatic registration bots must be getting really good now at inserting themselves directly into the middle of the process given that you need to verify your humanity basically every other click.
Even this was not enough to satisfy her, she wanted me to verify my email as well before letting me in. I clicked on the button to send a verification email only to be presented with yet another captcha. This was too much, I was one sliver away from going full REEEEEE now: Verification can was supposed to be a meme you guys, not an accurate description of reality! Nevertheless I kept my composure, clicked on the rabbit and waited for the fated email to arrive.
Instead of the signup email from Discord I was expecting I got one from Protonmail instead:
WTF???????? The fact that you knew this was a registration email from Discord implies that you have scanned my email. I thought one of the unique selling points of Protonmail was that you were so privacy focused to the point that everything was encrypted and if governments served you a warrant you wouldn't ever have any info about your customer's emails beyond their encrypted inbox you couldn't do anything about. Scanning their emails is about the biggest breach of trust possible here. And it turns out you aren't just doing it when your hand is forced by the government (understandable) but willingly to make some extra pieces of lucre.
What's even the point of Protonmail then if you're going to be just as bad as the big providers when it comes to privacy but also provide a paltry amount of free storage compared to what they give, and we haven't even started talking about how you gimp new accounts or your sketchy and misleading advertising (they say new free accounts get 1GB storage but it's actually only 500MB by default with the rest requiring you to set up autoforwarding from your gmail account to use their UI and also download their app; oh and to create a sense of FOMO you only have 15 days to do this or you're forever stuck at 500MB).
I remember the days when you used to have two passwords for protonmail, one to download your encrypted mailbox from the site and then the other to decrypt the mailbox locally on your own machine. Oh how you people have fallen. I used to be highly supportive of them in the past but after seeing this I would't piss on them if their servers were on fire.
And of course by now Discord had timed out again and my fledgling account had been disabled. I would have to start the process from the beginning and go through the captcha gauntlet one more time. I was legit malding now, why did they have to make it so fucking hard to create a usable discord account? I was close to giving up by now, no clocktower game was worth this much strife.
Eventually I had to go to Microsoft and create an Outlook email to be able to create a functioning Discord account. I had just about given up and didn't expect much from them but surprisingly the process with them was completely smooth. All those capchas by the end though had me channelling my inner Elmer Fudd and I was just about ready to kill that damn rabbit. I noticed quite wryly that in the year 2024 AD Microsoft, that old bogeyman of the 90s, was somehow more OK with completely anonymous accounts than services which a few short years ago were loudly trumpeting how pro-anonymity they were.
But even now I was not home safe. I may finally have had a working Discord account but still needed an invite to the BOTC server because surprise surprise my last link had expired. Even though we're an open fun server that's happy to welcome pretty much anyone from rdrama/themotte in 2022 Discord got rid of permanent non-expiring invitation links unless the owner designates it as a "community server" which means giving Discord full rights to scan all content as well as getting it listed on a public directory on the discord website (not a good thing for us, the server's culture risks getting run over). This means we are forced to rely on invite links that expire every seven days...
This change by Discord making user experience worse sounds completely nonsensical until you realize that Discord wants to compete with other established social media sites like Twitter. That means they're trying to incentivise people to spend as much time as possible on their site and pushing community servers that people can self discover is one way of doing it (same reason they switched to fixed usernames). These incentives also have a side effect of Discord cannibalizing other smaller discussion sites like drama where Aevann who runs rdrama.net now hardblocks links to them because they very noticeably siphon off conversations and people; I can't say this policy is wrong either, something like it is probably necessary for the long term health of the site.
In the end I ended up messaging multiple different people I knew to be on the server and very obliquely asking them for an invite link (because I didn't want my messages to get filtered), hoping one of them would respond so I could join my game. Fortunately @everyone saw my message and I was able to join the game, but not before he got his drama account temp shadowbanned for falling afoul of the Discord filter. After wandering the modern technological desert I had eventually made it to the promised land, but not without half a headache and an intense burning hatred inside of me for the way these big companies operate...
Yes, it is providing an excellent security benefit -- that from here on out the account will be protected by association to an additional factor.
Obviously it's not retroactively possible to add that as a factor for this specific login. But that doesn't mean it's of no benefit.
You have as much information as a well-motivated attacker might have. In fact, you went to great efforts to make yourself so uncorrelated with the original login, that you are indistinguishable from an attacker.
On some level, sure, this is a failure of the technology to have more factors that the real count has that an attacker wouldn't (although see above -- you got mad when they tried to add more factors)
Please, I don't want to look like abuse but I'm going to do everything I can to look like abuse!
Obviously. You made the account just to get past various other registrations. Of course that's gonna flag you.
Think of the alternative: if ProtonMail (or whoever) allowed this shit, then Discord (et al) wouldn't accept a ProtonMail account as a verification.
No, they don't scan. Discord and others explicitly insert metadata into the email header saying "this is a service registration request, please ensure that only established accounts can read it". No scanning necessary, because Discord actively tags it. You can read it yourself in the SMTP headers.
This is maybe understandable, but at the same time this is niche-of-a-niche kind of user behavior.
The social question of whether the systems that we put in place need to accommodate the needs of tiny minorities of people rather than being aligned to the larger majorities is well trod.
Privacy is incompatible with Gattaca's "Valid world" or Shadowrun's SIN. If we still believe it's a right - as it has been for most of history and is official policy in most Western countries - SINs as a prerequisite of existing in society can't be allowed. If we don't, we should go the whole hog, abandoning all restrictions on government surveillance (there is a lot more social good in police surveillance than corporate surveillance!), ripping out the "three felonies a day" from the criminal code*, and possibly going the full Geodesica-Bedlam route of "privacy is against the law; everyone gets to access the telescreen cameras and run spy drones".
*Laws that everyone breaks + no privacy = police state, since everyone is always provably guilty and thus prosecutorial discretion is ultimate power. And, indeed, we're sliding in that direction at the moment.
What about zero knowledge proofs?
What is to be zero-knowledge proven?
The current ideas around the application of the technology are precisely that you could use it to build a digital identity system that still retains privacy.
The usual example involves medical records: instead of having some centralized authority store all of your information and reveal select parts of it to people of interest, which has the properties you decry, you could hold this information encrypted (and even public to some degree) and require the signature of the individual to verify any property of this shared encrypted data without ever even exposing the data itself.
You could have your pharmacy check that a doctor prescribed a particular drug to you without knowing what your illness is, who the doctor is or any other information about you and none of that information be handled in the clear by any state authority.
Whether it's realistic that such a system would be made is another question, but the raw technical impossibility you speak of is, at least, being questioned right now.
OP's usecase doesn't seem amenable to zero-knowledge-proof, though; you could certainly prove that you have access to a SIN, but everyone has such access (including spammers) so there's not much point.
Maybe i'm being too literal, but SR SINs are specifically about what social categories you're part of in the RPG, not mere individual identification.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link