Me, driving a smallish gas-fueled car in the 2000s: Wow, gas has gotten expensive these days, but at least I’m not spending too much per tank.

Me, driving a hybrid car in the 2010s: Yeah, gas is still expensive, but I’m still not spending too much per tank, and I think I’m filling it less often than I used to.

Me, driving a plug-in hybrid to the grocery store and back during the first year of the pandemic: I have no idea how much gas costs. I haven’t filled the tank since the before times. I hope the gas engine still works.

Me, driving the same plug-in hybrid normally during the 2020s: Oh yeah, gas is kinda expensive. At least I don’t have to fill up the tank very often, and it’s not too much when I do.

Me, driving a rented gas-fueled SUV to the next county and back once: WTF I’M SPENDING HOW MUCH TO FILL UP THIS TANK!?!?!?

Interesting spam/phish technique: Look for subdomains with CNAMEs or SPF records that point to abandoned domains that you can then register…and effectively take control of the subdomain or SPF.

They haven’t seen any cases where it’s been used to host a phishing site at, say, an msn.com subdomain, but they’ve seen thousands of cases where it’s been used to pass email verification checks.

The article describing “SubdoMailing” gives a detailed example of a spam that made use of an msn.com subdomain that was used for a sweepstakes way back in 2001, with a CNAME pointing to the long-abandoned domain name for the contest, but the subdomain was never actually deleted.

Lesson: check your DNS for any dangling references to outside domains that might not exist anymore!
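One way to run that check over an exported record list, as an added example that is not from the SubdoMailing article: it pulls the outside domains named by CNAME targets and SPF terms, and flags the ones whose parent domain is no longer registered. The zone name, the sample records and the registered-domain set are constructed; in a real audit the `is_registered` callable would be a WHOIS or NS lookup.

```python
import re

OWN_ZONE = "example.com"  # constructed zone name

# Constructed sample records: (owner name, record type, value)
RECORDS = [
    ("www.example.com", "CNAME", "cdn.hosting-provider.example."),
    ("promo2001.example.com", "CNAME", "old-sweepstakes.example."),
    ("example.com", "TXT", "v=spf1 include:_spf.mailer.example include:retired-esp.example ~all"),
    ("news.example.com", "TXT", "v=spf1 redirect=_spf.example.com"),
    ("example.com", "TXT", "site-verification=constructed-token"),
]

# Constructed stand-in for a registration lookup (WHOIS / NS query in practice)
STILL_REGISTERED = {"hosting-provider.example", "mailer.example"}

# SPF terms that hand trust to another domain name
SPF_REF = re.compile(r"^[+\-~?]?(?:include:|redirect=|a:|mx:|exists:)([^\s/]+)", re.I)

def external_refs(rtype, value):
    """Return the domain names this record delegates trust to."""
    if rtype == "CNAME":
        return [value.rstrip(".").lower()]
    if rtype == "TXT" and value.lower().startswith("v=spf1"):
        refs = []
        for term in value.split()[1:]:
            m = SPF_REF.match(term)
            if m and "%" not in m.group(1):  # SPF macros cannot be checked statically
                refs.append(m.group(1).rstrip(".").lower())
        return refs
    return []

def registrable(domain):
    # Simplification: last two labels. A real audit should use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def find_dangling(records, zone, is_registered):
    """List (owner, type, target) where the target's parent domain is unregistered."""
    findings = []
    for owner, rtype, value in records:
        for ref in external_refs(rtype, value):
            external = not (ref == zone or ref.endswith("." + zone))
            if external and not is_registered(registrable(ref)):
                findings.append((owner, rtype, ref))
    return findings

if __name__ == "__main__":
    for finding in find_dangling(RECORDS, OWN_ZONE, STILL_REGISTERED.__contains__):
        print("DANGLING: %s %s -> %s" % finding)
```

Anything it reports is a record to delete or repoint, since whoever registers the lapsed domain inherits the subdomain or the SPF authorization.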

Last Friday, I dropped off my ballot for today’s primary election. I’ve got to say, I really appreciate the new approach in LA County of mailing everyone eligible a ballot, maintaining permanent drop boxes at relevant locations (libraries, etc.), and opening some polling places early to accept completed ballots.

MUCH more convenient than needing the time on one specific day and, in elections with a lot of turnout, waiting 45 minutes, an hour, or longer.

The longest I’ve waited was when I was living in Orange County, either 2003 or 2004, and they actually had to apply the “if you’re in line at closing time, you get to vote” rule. Someone brought a box of to-go coffee from the Starbucks down the street (I think Starbucks might have donated it, too?) and was offering it either to the poll workers or to those of us still in line.

The first election in which the county implemented early voting and flexible polling places (instead of requiring you to get to the specific place on your sample ballot) was also the week before COVID-19 hit the area. Now that I think of it, they still didn’t send out an actual ballot by mail unless you requested one. That changed when it became clear COVID wasn’t going to just blow over before November. Since then some of the smaller, local elections have been mail-only.

Four years….WTF

I’ve been meaning to disconnect from Jetpack for a while now. This seems like a good time to do it, and to finally clear out the older Tumblr and WordPress.com blogs I don’t use anymore.

Tumblr and WordPress to Sell Users’ Data to Train AI Tools (404 Media)

It’s the kind of thing that you expect from Google or Facebook, or from any number of start-ups, but there’s been this sense that Automattic should know better — and with Tumblr being login-walled and ad-saturated, and the push to upsell in their WordPress plugins, and now this…it’s looking like they don’t.

I don’t think they’ve hit the “trust thermocline” yet, but selling user data is a pretty clear line.

As for AI access to the Firehose: My previous understanding of the firehose is that it’s basically an aggregation of what you’d see in a bunch of blogs’ public RSS feeds. Which, OK, fine. Analyze your heart out. Display my posts in your RSS reader. Just make sure private posts and comments don’t leak.

But LLM training isn’t the same as analytics, or showing a properly attributed post in a reader. And quietly changing the terms to allow more kinds of re-use on something most people using the service don’t know about? Not cool.

And not making it clear what is and isn’t included for which purposes? That breaks down trust.

Before this, I wasn’t worried about the Firehose. But now I’m not sure I can trust Akismet, never mind Jetpack, and I’m looking for a new spam filter.

Originally posted across several threads through my GoToSocial test site.

Update: Automattic did clarify that self-hosted blogs with Jetpack are not included in the training data. Only company-hosted blogs on Tumblr and WordPress.com. But I still uninstalled Jetpack from this site, just to be sure. Like I said, I’d been meaning to for a while.

The year is 2006. I’m complaining on my blog about businesses training their customers to fall for phishing attacks.

The year is 2011. I’m complaining on my blog about businesses training their customers to fall for phishing attacks.

The year is 2022. I’m complaining on my blog about businesses training their customers to fall for phishing attacks.

Corporations haven’t learned. Unfortunately, their customers have learned from all this training. And so has the fraud industry. Even if you’re usually savvy about this sort of thing, you can get caught up if the circumstances put you just off-balance enough to line up the holes in each overlapping layer of security.

“I trusted this fraudster specifically because I knew that the outsource, out-of-hours contractors my bank uses have crummy headsets, don’t know how to pronounce my bank’s name, and have long-ass, tedious, and pointless standardized questionnaires they run through when taking fraud reports. All of this created cover for the fraudster, whose plausibility was enhanced by the rough edges in his pitch – they didn’t raise red flags.”

Cory Doctorow on “Swiss-cheese security.”

And here I am, in 2024, complaining on my blog about…well…you know.