Post AVKCKD9zJAeK4fISjg by webhat@infosec.exchange
 (DIR) Post #AVKC319mgP5VvL0FQ8 by mattblaze@federate.social
       2023-05-04T21:49:32Z
       
       1 likes, 1 repeats
       
       @jbaggs @RandomDamage What I want is for people to know that DMs don't reach me. I don't want people sending me an important (to them) message that I never see, and especially because of poorly understood semantics of an obscure feature.
       
 (DIR) Post #AVKC31ouDVytysF5W4 by lauren@mastodon.laurenweinstein.org
       2023-05-04T22:06:05Z
       
       0 likes, 0 repeats
       
       @mattblaze @jbaggs @RandomDamage It's like sending an SMS to a landline. Poof, gone, nothing. No clue.
       
 (DIR) Post #AVKCKD9zJAeK4fISjg by webhat@infosec.exchange
       2023-05-04T22:09:39Z
       
       0 likes, 0 repeats
       
       @lauren @mattblaze @jbaggs @RandomDamage For a while in the Netherlands you would get a call on your landline and the text message would be read to you as Dutch. I don't know if that's still the case #InterestingFact
       
 (DIR) Post #AVKEmopx1ImCwYh49w by mattblaze@federate.social
       2023-05-04T22:10:20Z
       
       0 likes, 0 repeats
       
       @lauren @jbaggs @RandomDamage We're fixing that by eliminating landlines.
       
 (DIR) Post #AVKFUvcNAa0KiSNLCy by mattblaze@federate.social
       2023-05-04T20:55:58Z
       
       1 likes, 0 repeats
       
       Spam (like the torrent of cryptoscamspam lots of people got this morning) has been very rare for me here (and dealt with quickly), but I've noticed that almost all of the spam I've gotten has been via Mastodon's DM feature. I really wish there was a way to turn DMs off or at least restrict them to people I follow. Control over incoming DMs was a thing Twitter did better than here.
       
 (DIR) Post #AVKFUxdVfK6OyYvHG4 by mattblaze@federate.social
       2023-05-04T21:03:04Z
       
       0 likes, 0 repeats
       
       Please stop telling me about the "block DMs from people you don't follow" checkbox. I know about that. It doesn't work properly. It results in people THINKING they've sent you a message that you never actually see.
       
 (DIR) Post #AVKFUzJ1SSu29bLwbQ by mattblaze@federate.social
       2023-05-04T21:20:09Z
       
       0 likes, 0 repeats
       
       Because this is Mastodon, I'm now getting people lecturing me on why this obviously broken behavior is "correct".
       
 (DIR) Post #AVKFV0x7KsZLGF7Tjk by mattblaze@federate.social
       2023-05-04T21:35:35Z
       
       1 likes, 2 repeats
       
       Another way DMs are hopelessly broken: if your handle is mentioned anywhere in a DM, you get a copy. Yes, I understand why (technically) it might work that way. That doesn't mean it's not broken. DMs here are a dumpster fire of buggy behavior and non-intuitive semantics.
       
 (DIR) Post #AVKFV2ZRJsokHO3b6m by mattblaze@federate.social
       2023-05-04T21:39:39Z
       
       0 likes, 0 repeats
       
       Yeah, I should "just go back to Twitter if I hate it so much here". Eyeroll.
       
 (DIR) Post #AVKFV4M2gfHzoPnvVI by mattblaze@federate.social
       2023-05-04T22:20:29Z
       
       0 likes, 0 repeats
       
       Just to be clear, in case it isn't obvious: If I say "I don't want this feature to work this way", I don't mean YOU shouldn't want it. But please don't tell me that because you like it, I should too.
       
 (DIR) Post #AVKGrbibQCRhc5fRnk by oneiros@ruhr.social
       2023-05-04T23:00:39Z
       
       0 likes, 0 repeats
       
       @lauren @mattblaze @jbaggs @RandomDamage SMS to landline still works in some networks (obviously by converting it to voice). SMS from landline also works in some networks.
       
 (DIR) Post #AVKJdGuIIigMsNzZ8y by lauren@mastodon.laurenweinstein.org
       2023-05-04T23:31:40Z
       
       0 likes, 0 repeats
       
       @oneiros @mattblaze @jbaggs @RandomDamage Never heard of this from any of the major carriers in the U.S. as any kind of routine service. If someone has to subscribe to it specifically it's basically worthless for this problem.
       
 (DIR) Post #AVKRbaaowBbuz8alnc by SwiftOnSecurity@infosec.exchange
       2023-05-04T22:35:00Z
       
       1 likes, 0 repeats
       
       @mattblaze I've had this happen! Someone was talking about me in a Mastodon DM and it sent me a copy!
       
 (DIR) Post #AVKRbbGIRymt3lztRo by mattblaze@federate.social
       2023-05-04T22:35:58Z
       
       0 likes, 0 repeats
       
       @SwiftOnSecurity Clearly, they should have read the Mastodon source code first.
       
 (DIR) Post #AVKRbbw7wSFR9VZIeG by downey@floss.social
       2023-05-04T23:08:54Z
       
       0 likes, 0 repeats
       
       @mattblaze @SwiftOnSecurity Or, the UI which says "Visible to mentioned users only"?
       
 (DIR) Post #AVKRbcXhgkJ1239JDc by mattblaze@federate.social
       2023-05-04T23:11:03Z
       
       1 likes, 0 repeats
       
       @downey @SwiftOnSecurity If you honestly believe that's an acceptable answer to this problem, please don't design anything for people to use.
       
 (DIR) Post #AVKRdrcSbXhaN3RZQm by downey@floss.social
       2023-05-05T00:03:53Z
       
       1 likes, 1 repeats
       
       @mattblaze@federate.social At least it's not disingenuous. Those of us who actually did our PhD in HCI aren't typically big fans of the philosophy that users are dumb and helpless. We're also fans of being honest about when a UI has taken steps to teach users how to use it.
       
 (DIR) Post #AVKRhqYQVSEqE4SKw4 by tn5421@fedi.absturztau.be
       2023-05-05T01:02:35.051534Z
       
       0 likes, 0 repeats
       
       @downey @mattblaze First box should honestly read "Auto-mute direct messages from people you don't follow" as that's more honest about what happens.
       
 (DIR) Post #AVKZ018uZojdxP8Jto by mattblaze@federate.social
       2023-05-04T22:56:12Z
       
       0 likes, 0 repeats
       
       DM behavior is a big deal, because people, for better or worse, often use DMs for both private things (that should stay confidential) and important things (that they expect to be seen by the recipient). The way Mastodon mishandles and obfuscates the semantics of both is a big source of potential harm to users.
       
 (DIR) Post #AVKZ01o26vd20wN9zk by mattblaze@federate.social
       2023-05-05T01:26:12Z
       
       2 likes, 1 repeats
       
       Broadly, one of the reasons Mastodon DMs are such a mess, I think, is that mixing a private messaging function with a broadcast medium tends to end badly. My students and I explored this mismatch a bit a while back. https://www.mattblaze.org/papers/spw2011-mab.pdf
       
 (DIR) Post #AVKZ0ADqop2A7KVtLc by mattblaze@federate.social
       2023-05-05T01:36:28Z
       
       0 likes, 0 repeats
       
       Mastodon, like email and encrypted two-way radio, is based (approximately) on a "throw the message out there and hope for the best" delivery model. But the reliable protocols we use for secure and one-on-one communication are based on multi-round-trip handshakes and negotiation before and during message exchanges. Shoehorning DMs into the same mechanism to broadcast out toots is an inherent impedance mismatch.
       
 (DIR) Post #AVKZ0FbQoZronuaIIS by mattblaze@federate.social
       2023-05-05T01:49:50Z
       
       0 likes, 0 repeats
       
       Anyway, security is hard. Reliable messaging is hard. Usability is hard. All three at once is really, really, really extra hard.
       
 (DIR) Post #AVKZ57yab5pmbBk3Jw by jeff@federated.fun
       2023-05-05T02:25:09.142627Z
       
       0 likes, 0 repeats
       
       @mattblaze yea it's a bad ux to mix those and everyone got mad when it was pointed out back then.
       
 (DIR) Post #AVQ4LfhZ2ke6COwlRA by alienghic@octodon.social
       2023-05-04T23:01:33Z
       
       1 likes, 0 repeats
       
       @mattblaze I'm down with this complaint being a 100% serious issue, and have periodically warned people of it because I think it's really easy for humans to accidentally walk into deeply embarrassing situations because of it.
       
 (DIR) Post #AVQKBwneDUovbBB3b6 by Adam@social.lein.us
       2023-05-07T21:06:39Z
       
       0 likes, 0 repeats
       
       @mattblaze I agree they should be disabled completely. Offloading them to email would give users more choice/control AND reduce the Fedi admin's legal responsibility of content moderation. Did you see the GitHub thread? https://github.com/mastodon/mastodon/issues/6945
       
 (DIR) Post #AVQgpGma3LPRrLpkOW by GossiTheDog@cyberplace.social
       2023-05-04T23:11:42Z
       
       0 likes, 0 repeats
       
       @SwiftOnSecurity @mattblaze it’s not a copy, if somebody mentions you, it is visible to you. Like an email Cc.
       
 (DIR) Post #AVQgpHXNFMq8CTj7Ka by mattblaze@federate.social
       2023-05-04T23:14:15Z
       
       0 likes, 0 repeats
       
       @GossiTheDog @SwiftOnSecurity Huh? Putting someone's email address in the body of an email message does not send them a copy on any system I've ever used. If you understand (in some depth) Mastodon's architecture, it's clear WHY it behaves this way, but that doesn't make it intuitive, correct, or non-dangerous.
       
 (DIR) Post #AVQgpIC8nnRwEunfsG by marypcbuk@hachyderm.io
       2023-05-05T00:27:36Z
       
       0 likes, 0 repeats
       
       @mattblaze @GossiTheDog @SwiftOnSecurity that's called @ mentions and it's in Outlook as part of Microsoft 365, although only for people in your own tenant
       
 (DIR) Post #AVQgpIwE2SJSXqMTho by yojimbo@hackers.town
       2023-05-05T02:23:09Z
       
       0 likes, 0 repeats
       
       @marypcbuk @mattblaze @GossiTheDog @SwiftOnSecurity Sure, but in Outlook's case using an @ mention is an exception, a non-default action - usually you mention a person by simply typing their name; in the context of Mastodon's input box using the @ to get auto-complete to give you the correct name and instance address for a reference is more like the default; so the default in Mastodon is that mentioning someone makes it significantly more likely that you end up sending the message to them as well; whereas in email mentioning someone does not summon them into the conversation. I pretty much agree with Matt's comments; the Mastodon software isn't providing sufficient tooling to help users use this platform to do all the things they want to achieve. But some of those lacks are specific choices by the developer, and perhaps we should start looking at other alternatives. But I don't think we'll find any single system providing "messaging for all purposes".
       
 (DIR) Post #AVQgpJWjqhWIN5RdcO by marypcbuk@hachyderm.io
       2023-05-07T23:59:35Z
       
       0 likes, 0 repeats
       
       @yojimbo @mattblaze @GossiTheDog @SwiftOnSecurity I don't think 'exception' or 'non default' is accurate: you can @ mention people in Outlook, in Teams, in comments in Word/Excel/PowerPoint; it's a common function that's becoming more common. I don't know whether that transfers to expectations of Mastodon or not; but Mastodon isn't a unique unicorn here
       
 (DIR) Post #AVQgpKF3BwxuaWB1ge by yojimbo@hackers.town
       2023-05-08T01:16:06Z
       
       0 likes, 0 repeats
       
       @marypcbuk @mattblaze @GossiTheDog @SwiftOnSecurity I don't think I managed to explain what I was thinking about properly then ... In an email, I'd expect to talk about someone in third person by simply mentioning their name (not their email addr) in the text. This is possibly because most emails are between people who share a lot of context already, and are in "small" domains. In fediverse, I'd expect to use someone's full username when talking about them, to disambiguate them from anyone else in the large domain of "the entire fediverse". And the easiest way to do this is to start with the @ sign and let it autocomplete. Being able to @ mention someone in email is fine, I'd just expect to see it being used when someone wants to involve the person being mentioned, like we do in ticket updates & chat channels. If I sent an email from me to you, and @ mentioned mattblaze ... would I expect him to get a notification or a copy? I'm not sure ... but in the context of what people think is a "Direct Message" it does indeed feel weird for them to get a copy of the message. (It also makes it difficult to complain about a third-party to your local instance admins, for example!) Anyway, that's what I meant, hope that clarifies my ideas.
       
 (DIR) Post #AVQgpLE1XFjpdchij2 by feld@bikeshed.party
       2023-05-08T01:19:44.654480Z
       
       0 likes, 0 repeats
       
       @yojimbo @marypcbuk @mattblaze @GossiTheDog @SwiftOnSecurity Reminder that making the @mentions in a post be parsed to figure out the recipients is a Mastodon design choice. You can do explicit addressing with ActivityPub.