It seems nice but every single time I see a service allowing anonymous uploads like such I’m thinking immediately: criminal use.
How hard would it be to write a protocol that uses relatively safe urls to encode messages, e.g. by ensuring that the ratio of emojis isn’t a serialized URL, credentials to some stash or an encoded picture no one wants to keep?
> It seems nice but every single time I see a service allowing anonymous uploads like such I’m thinking immediately: criminal use.
This seems like the Hollywood movie plot criminal use.
Actual criminals just put a normal server/proxy in a non-extradition country or compromise any of the zillion unpatched WordPress instances on the internet or something equally boring.
Might I say that this whole safetyist moral panic is very convenient for large corporations? If you can't host your own service due to these concerns, you'll use the cloud :)
It's even more boring: When I share criminal data (usually old movies that are still in copyright), I just put them in an encrypted 7zip archive and upload to google drive, then delete after my friend downloads it.
I mean, in this case we're talking about emoji, so I'm having a hard time picturing the criminal use, but in general anonymous file uploads or text uploads absolutely get used by criminals as soon as they're discovered. Anyone who's run a service for long enough will have stories of the fight against spam and CSAM (I do!).
What do you have in mind? It seems to only allow sending a single character at a time from a limited set. What criminal use does that allow?
The ultimate exploit is to create fake "likes". Once any system of likes becomes successful, it gets used for (a) filtering news feeds, and (b) establishing consensus & social truth. This is the biggest exploit there is.
A cheap system for "likes", such as this, is only safe when few people use it. Once it becomes popular, and worth something, it gets exploited, and then utterly fails.
"A Open Heart message should contain of a single emoji sequence. However, the emoji sequence may be followed by arbitrary data which the server is expected to ignore."
Italics mine.
That arbitrary data could be a multi-gigabyte zip file of some expensive program, classified data, copyrighted video/music, or anything for all this spec cares.
With ZWJ (Zero Width Joiner) sequences you could in theory encode an unlimited amount of data in a single emoji.
Particularly interesting are the "family" emojis, made by joining any number of person-type emoji with ZWJ characters. So in theory, a family made of thousands of men, women, girls, boys, etc... would be a valid emoji.
>A Open Heart message should contain of a single emoji sequence
You are aware that computers also just use zeros and ones to enable everything that is around us?
It seems to only allow sending a single character at a time from a limited set. What criminal use does that allow?
In the age of beepers, criminals found plenty of creative ways to send messages in just a few characters. And this permits emojis, which -- binarily speaking, contain far more bits than a beeper message.
You don’t need to upload a lot of data in order to have an illegal data stash and there are creative criminals out there.
E.g. for GPS coordinates you need only 16 digits. Emojis are 8 bytes so by selecting specific ones and adding a control character (or two) and ensuring others stay in sequence you can encode this data in.
And then I can only respond with „Did you read the article on ACME Times about a car riding a bike?” which is a simple pointer for a URL which you might check for the drop coordinates.
This way it’s also possible to provide encryption keys, url serialization, cryptocurrency wallet pointers etc. And sure, this seems complicated and dystopian but when the government asks you to provide data of your users who committed hard crimes it’s not really fun to be in the position where you say „I don’t know who my users are”.
From my experience any service that allows anonymous write and anonymous read over long periods will sooner or later be used for illicit activity. It doesn’t matter if that’s 1mb or 10 bytes.
<http://habitatchronicles.com/2007/03/the-untold-history-of-t...>
that's really only a risk when you allow direct retrieval of the uploaded data.
if you're only returning counts and you're not even offering a guarantee that every submission will be counted, then the potential for abuse isn't really any higher than any other website out there.
Byte value is a count of flipped bits. Those bits aren’t even guaranteed to be correct (see cosmic bit flipping) and yet our computers work this out.
IMO this is risky because it’s easy to distribute uploads, e.g. I could have an infected, semi-popular website that would submit distributed requests on visit (think about it like 1000 credits daily to use to encode a message). Visitors of this website wouldn’t see a thing and yet the encoded message would be consistent.
As for other websites - especially free image hosts - they often keep a metric ton of data, some won’t work if you don’t have an identifiable partner cookie on the submission request, and there is post-upload analysis etc.
In theory, Bluesky, Mastodon, Pixelfed etc could offer a service where you drag and drop the button onto the Bluesky/Mastodon/Pixelfed website where you are logged in and sign the reaction in your name. And send the post with a signed message like "Peter Prima endorsed this page with a thumbs up emoji /signed: Peter Prima"
This way, the web would get a decentralized like system.
This reminds me of one of my favorite web things: https://incr.easrng.net/
It's a little button counter in an iframe that you can embed on your website. It also looks great next to 88x31s.. I have one in my footer https://varun.ch/
I think I just love the idea of making static pages a little more interactive by adding in these little widgets. I have an HTML form embedded on my contact page that's hooked up to `ntfy` and acts like a 21st century pager. So much fun.
Arbitrary length strings (unsure exactly how arbitrary, I’ve tried up to 4) can be stored using zero width joiners.
https://emojipedia.org/zero-width-joiner
TIL Intl.Segmenter[0]. The ECMAScript standard library never ceases to amaze me.
[0]: https://github.com/dddddddddzzzz/api-oh/blob/312d490641c7ec7...
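A server-side check for the concerns raised in the ZWJ and "arbitrary data" sub-threads above, as an added example (not part of any comment and not the api-oh project's code): it keeps only the first grapheme cluster found with `Intl.Segmenter`, requires it to start with an emoji, caps its length so an endless ZWJ "family" is refused, and never stores trailing bytes. The names `parseReaction` and `react` and all three caps are assumptions.

```javascript
// Added example; every name and limit below is hypothetical.
const MAX_SCAN_UNITS = 64;   // assumed: only this much of the body is ever inspected
const MAX_CODE_POINTS = 8;   // assumed cap per reaction; a 4-person family is 7
const MAX_COUNT = 1000000;   // assumed ceiling so a counter cannot be pumped forever

const segmenter = new Intl.Segmenter("en", { granularity: "grapheme" });
// Extended_Pictographic excludes digits, '#' and '*', which \p{Emoji} would accept.
const EMOJI_START = /^(?:\p{Extended_Pictographic}|\p{Regional_Indicator})/u;

// Returns the single emoji to count, or null if the body must be rejected.
function parseReaction(body, allowed = null) {
  if (typeof body !== "string" || body.length === 0) return null;
  // Trailing data is ignored by never looking past a short prefix.
  const head = body.slice(0, MAX_SCAN_UNITS);
  const first = segmenter.segment(head)[Symbol.iterator]().next().value;
  if (!first) return null;
  const cluster = first.segment;
  if (!EMOJI_START.test(cluster)) return null;
  // A ZWJ chain of any length is one grapheme cluster, so cap its code points.
  if ([...cluster].length > MAX_CODE_POINTS) return null;
  // An allowlist (a Set of exact strings) is the strictest option.
  if (allowed && !allowed.has(cluster)) return null;
  return cluster;
}

// Increments the counter for a valid reaction; only the emoji itself is stored.
function react(counts, body, allowed = null) {
  const emoji = parseReaction(body, allowed);
  if (emoji === null) return false;
  counts.set(emoji, Math.min((counts.get(emoji) ?? 0) + 1, MAX_COUNT));
  return true;
}

// Constructed sample inputs.
const HEART = "\u2764\uFE0F";
const THUMB = "\u{1F44D}";
const FAMILY = ["\u{1F468}", "\u{1F469}", "\u{1F467}", "\u{1F466}"].join("\u200D");
const CHAIN = Array(50).fill("\u{1F468}").join("\u200D"); // 50-person "family"

const demo = new Map();
for (const body of [HEART, THUMB + " extra data", "hello", FAMILY, CHAIN]) {
  console.log(JSON.stringify(body.slice(0, 12)), "->", react(demo, body));
}
```

Passing a `Set` of permitted emoji as `allowed` turns this into the locked-down variant several commenters ask for.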
> If reaction counts are write-only, the server should respond with a 403 or a 404.
Wouldn't HTTP 204 be more appropriate here? A 4xx would make it seem like the request failed, when in fact it succeeded.
403/404 seems to be the response to GET, not POST. In which case 405 Method Not Allowed would be better.
And 405 response must include `Allow: POST` header.
Oh, I misread. Indeed, 4xx makes sense for a GET.
So one person can send 10 hearts + some rate limit? Feels like if this took off it would be like a cookie clicker.
Is this a decentralized like button? It's an interesting alternative to webmention (as is mentioned).
This seems centralized, though you can self-host it.
Yeah or more like a decentralized reaction button with any emoji.
I like the way this is being proposed in a decentralised manner. Kudos to the author for the effort and thought put in.
However, I am curious what the incentive for publishers is to adopt this standard if those emojis are only relevant for the website's own silo? Use cases like these call for customized deep integrated implementations.
My question is a curious one. I might be missing the big picture and would like to get educated.
”The response should be a JSON object mapping Emoji (as Strings) to their count (as Numbers)”
This means ordering semantics are lost.
Why would you expect/want ordering semantics here?
For many services which allow arbitrary emoji reactions (most notably discord) they remain ordered by "first reacted" order, which can allow emergent behavior like spelling out words with the letter emojis
But JSON mappings are ordered. The thing producing/consuming them might choose to map them to an unordered mapping but inherent to them being serialized is you get an order for free.
The JSON specification describes objects as unordered. Which means any standards compliant JSON encoders or decoders can and will produce maps in different orders even when the same object is passed through twice.
It’s also worth noting that quite a few languages don’t guarantee ordered maps either.
If you want an ordered map then you really need a key/value map inside an array:
Though in this specific instance, you’d be better off with more specific key names like “emoji” and “count” (respectively).
Edit: HN stripped the emojis from my comment so I added ASCII placeholder strings into the example to illustrate the same point.
Not by the spec. Some implementations may preserve the order, but the JSON spec doesn’t guarantee that, so you cannot rely on it.
This reminds me of the browser plugin that adds commenting for any website you visit. Whatever happened to that?
There is Zeeker <https://addons.mozilla.org/en-US/firefox/addon/zeeker/>, but there seems to be no new versions recently, and I cannot find a link to the browser add-on on their web site, so they might have abandoned it.
There was also “Dissenter”, still available at <https://github.com/gab-ai-inc/gab-dissenter-extension/releas...>, but the website seems to have pivoted to something else, and the add-on seems to have been removed from the official add-on repositories (possibly due to negative press coverage: <https://archive.fo/sWxAS>). Further discussion: <https://discourse.mozilla.org/t/the-removal-of-the-dissenter...> and <https://www.reddit.com/r/browsers/comments/ptaau2/what_happe...>
I purposely installed a browser plugin that removes comment sections from web sites. I really don’t know why anyone would want to add one.
The problem with comment sections on web sites is that the web sites are incentivized to have shitty comments for engagement and ease of moderation. If it's a browser plugin, it's out of the website's hands and as the user I could probably configure it so I only see comments from people I think are good at commenting, like my friends or people I follow on social media.
I think it was to be able to discuss things on websites that removed comment sections or that had a lot of heavy moderation that prevented meaningful discussions.
I feel like this existed in the 90's; Basically a web browser where every page was a chat room. Maybe I'm confusing it with ThePalace or WorldsChat.
Can someone explain what the motivation for this protocol is, and why it merits the name "protocol"? It looks like regular old HTTP to me.
(I earnestly hope I'm wrong, because I'll learn something new and cool.)
Seems like a decentralized like button. But without any quality control on the data, so the number of likes is meaningless.
If it's a decentralized like button, why is a new protocol needed? `PUT /count/increment` is a pretty straightforward RESTful solution over the existing HTTP protocol.
> [...], so the number of likes is meaningless.
uh...
I'm not sure you and I use the same definition for meaningful.
I like this idea but think there is a missing link, literally. It needs a built in way to notify URL A of a reaction to URL B, so that reactions can be recorded independently of the target URL. Like putting URL B in a query parameter. This would support repositories of reactions that are independent of the reactee, and not subject to their feelings on the matter.
How about an "open comment protocol" so we could finally get rid of the siloed internet we have today?
Who is going to deal with spam?
Use ATproto, but with a different data model so that each "post" is associated with a URL being commented on. Then bring the moderation system from Bluesky.
(As much as I don't like ATproto's centralization, ActivityPub doesn't work the right way)
SMTP?
USENET?
i don't see how that's going to make the internet any less siloed?
unless you're trying to say it'll make us less reliant on services like Disqus.
Trackbacks! (No, don't do trackbacks again.)
But we need silos to protect your data from greedy AIs...So we can better package it and sell it to wealthy AIs.
Accepting arbitrary input is a complexity that will be abused. Why not lock it down to a limited set of inputs… or just a heart? `POST /openheart/heart{?url}`
I love the idea of a completely open protocol that thwarts spam by being unable to post any text at all, only tiny predefined pictures, aka emoji.
The obvious abuse will be, of course, pumping some counters to ridiculous values, making them useless as a measure of readers' reaction. Though it can be lighthearted fun in the spirit of the Web from 1994, I suspect that implementing caps could be useful.
Less fun could be posting tons of negative emoji (anger, crap, etc). Some site owners will limit the set of allowed emoji to only positive reactions, as seen in some large Telegram channels currently.
This reminds me a bit of 'visitor logs' from the 1990s.
... tried to use the curl commands as-is from the documentation and immediately get slapped by bot protection. :')
This is dumb; I love it.
Here's me thinking it would be some open source artificial heart designs.
I thought it was about digital communication over 4-20mA devices.
SAaaS: Staying Alive as a Service
The ticker inside every H. sapiens is the only design you need. Thanks to evolution, it's been perfected over ~4B years.
The most pervasive misunderstanding about evolution is that it leads to "perfection". Sure it is a kind of optimization procedure, but a) it's optimizing on a loss function that is measured on the population scale, not the scale of a particular organ, so don't expect your pet figure of merit to be optimized even in an average sense, and certainly not in an individual; and b) there is not a unique optimum, the optima are not stationary, and local optima generally are not all that sharp, so do not expect the population to be all that close to the optimum either.
Yeah, no. Look up "sick sinus syndrome" and "premature ventricular complex". (The latter occurs in up to 75 percent of people at times.)
4B years, yes, but evolution is a pile of kludges on top of kludges.
Yeah I thought this was some Pacemaker design stuff.
Is it Heartbleed again?
Yeah this wouldn't be massively exploited. /s
Too bad the modern internet is a monetized cesspool. This is a cool idea.
so one needs to pay for a cloudflare account for this to work?