The Fedilab developer just admitted to acting in bad faith by removing the user agent identification from their client.

I can understand a browser changing the user agent to something else for compatibility reasons, but for a client to deliberately remove identification to evade the wishes of the servers they connect to?

That’s not something well-behaved clients usually do...

@szbalint
>The Fedilab developer just admitted to acting in bad faith by removing the user agent identification from their client.

"Just admitted", you're strong for manipulating 🙄

framapiaf.org/@fedilab/1024750

@fedilab how would you characterize removing the user agent explicitly for the reason so that your client can evade a ban?

If you would be consistent in your principles of allowing your app being used to access all content including hate speech, then why would you have an issue with servers exercising their free will and choosing to revoke access for your client?

@fedilab

^^ this is what I mean when I say that people argue in bad faith when it comes to white supremacists. If you argue for certain principles then it has to be applied consistently.

@szbalint

Principle: Applications have no business trying to control their users
Principle: Services have a legitimate interest in what users connect to them, but not in what applications they use. The API is an API.

It's why I shower Moxie Marlinspike with contempt for his threatening LibreSignal into oblivion and his claim that their client has no right to connect to HIS server. It's as ridiculous as if Google were to attempt to block people from doing searches with Firefox.

@fedilab

@azure

Applications have no business controlling the content of their users except when it comes to abuse such as spam, harassment, hate speech etc.

(Moxie btw was right)

@szbalint As a disabled person who has a good deal of difficulty using Moxie's phone client, I don't really have your sympathy for his "My client or no client" attitude or the accompanying idea that I should either converse with people using the client he wants me to with difficulty and discomfort or not converse with them at all.

If Moxie wants to set rate-limits that apply to everyone whatever client they use, discovers his API is actually broken from a security standpoint and needs to change it, or any number of those other things, I can get behind that.

@trwnh @szbalint @azure I think Moxie has done a poor job of explaining exactly *why* he runs a closed network. Here's my understanding:
meta.ath0.com/2018/08/on-trust

@mathew @szbalint @azure

1) if you can't talk to someone at all then security doesn't matter
2) moxie has reasons, but that doesn't make anything he does "right"

@mathew @szbalint @azure anyway moxie is a control freak and should not be used as a model for behavior. even then the application has no responsibility. the responsibility is on the app provider to not do business with known harmful parties. the app has freedom to do what it pleases, but no responsibility whatsoever (because it is not a person).

@trwnh @szbalint @azure Moxie's decisions are appropriate given his goals. If you have different goals then you should use a different product which supports your goals.

@mathew @szbalint @azure exactly. it's moxie's goals i take issue with. they are not "right".

@szbalint @fedilab Being an intolerant, judgmental bully is really helping your case there, buddy

@fedilab @szbalint same to you, I don't want to use a client with an unresponsive, flippant dev and will be recommending that nobody else who's looking for a client does either

@fedilab Freedom of speech doesn't mean you get to force others to listen to your bigoted self-pitying white male insecurities, or the hatred that said insecurities fosters within you.

Just sayin.

@szbalint

@ansugeisler @fedilab @szbalint no but freedom of speech allows me to not listen to you.

@fedilab @szbalint Hello fedilab account. Please go fuck yourself in hell, you self-satisfied shithead coward.

@fedilab @szbalint lol as soon as you get called out for enabling abusive behaviour you drop blocks and scramble. Fuck outta here froggy.

@szbalint @fedilab well, thanks for confirming that my decision to stop using fedilab was the correct one I guess?

@szbalint @fedilab i thought people like you would allow the devs to do what they wish? like rickrolling gab? or its only ok when the devs of a project to do things to people you don't like?

@szbalint That makes it a bit more difficult but you can still block it from your instance. It registers an API token with "Fedilab" as application name. You can check for that directly in the Mastodon software. It's currently not possible to ban whole apps using the admin menu but maybe you can add a check yourself somehow.

@nipos @szbalint this SHOULD work, but i'm not 100% so maybe test it on a dev instance beforehand

@zoe @nipos @szbalint I feel like I need to mention that the one receiving the 403 error will not be the Fedilab developer but the end-user. And they won't have a clue why.

@Gargron @nipos @szbalint Obviously, yes, but I wasn't sure what the proper protocol for making the text say "Please use a different client" was and I had the feeling anything else would send up a 500, which would be even more confusing

@Gargron @szbalint @zoe Yes, that's really not a perfect solution but it's a small workaround that does its job more or less. Would be cool if there was a possibility for instance admins to block clients and also tell the users why it's blocked. Sure, some shit like FreeFedilab will pop up then but I don't see any better solutions.

@nipos @Gargron @szbalint Honestly just a quick .env option would probably work far better than the mess I'm doing

@nipos @Gargron @szbalint (besides, we do fine enough blocking instances as they pop up anyway, and editing an app takes development knowledge, god forbid)

@Gargron
You know it's not possible to block a client.
At least, people will see a random string as a client. Also the app doesn't use a custom user agent for weeks.

You could stop all this shitstorm with few words, like it was created weeks ago by asking dev to take their responsibilities.

As far as I know, Mastodon doesn't block instances by default and no one harasses you for not doing it. Just don't let some people enrol some users by abusing of their lack of knowledge.

@szbalint privacy respecting clients should use generic user strings, but that's more like a defense against tracking. fedi isn't as much of a privacy risk just yet. as long as ap servers act as proxies anyway.. otherwise a lot of servers could observe you easily. I mean, its fundamentally the same design as email, so there are a lot of opportunities for leakage..

then again, probably not respectful to hide from your instance admin unless they're cool with it.

@szbalint For your information, SubwayTooter has an option to customize the user-agent and I found this feature very funny.
I suggest #fedilab to implement user-agent switcher which is kind of easy to do but needs token regeneration.

Fork it.

@szbalint Go to app settings :
Customize your fields then update your app token and check my app name in this toot ?

@szbalint I think that all the apps are allowing this, take Pinafore, Brutaldon and all the other proxy-posting clients allow to change the user-agent and the name of the app and behave like a simple browser.

@szbalint You'd better work for a government that is looking to develop ways to filter bits and look inside the frames.

@szbalint Well behaved servers don't discriminate by user agent. Every major browser supports changing the user agent string. Changing user agents is fine. Discriminating by user agent is acting in bad faith. It's security by obscurity at best.

@petit @szbalint Admins can exercise their free speech by blocking any client they want. You are literally censoring them.

@felix @szbalint Changing user agents does not conflict with the free speech of the admin.

@felix @szbalint Would you be kind enough to point out who is speaking and what they are being prevented from saying?

@felix @szbalint Sometimes I worry I'm taking certain truths for granted, so I try to prepare myself for being wrong. On occasion, my mind has changed and I've felt ashamed or embarrassed. Free speech has been an island of safety and security. The people who don't think open discussions are worth anything are so inept at convincing people I never have to worry I'm wrong about free speech. Life is good!

@szbalint :( I bought fedilab without knowing about this stuff because it was what some old guide recommended. Does anyone have a more up to date overview of options?

Disagreement, gab 

@szbalint Removing user agent ID is even a standard setting on the mastodon web UI and most of the client apps as well.

@zoe
Preferences->Other, look for "Disclose application used to send toots"
@szbalint

@gaab @szbalint That's not what's happening here. It's more like if GoogleBot or some such suddenly started sending the useragent for Firefox instead -- with that preference, the server itself still knows who you are, it just doesn't tell other people on the instance

@szbalint By that reasoning, Tor Browser, and even Firefox with anti-fingerprinting mode enabled, are also "acting in bad faith".

@tga anti-fingerprinting is about protecting the user’s privacy by not leaking personally identifiable data. A user agent string is not personally identifiable but rather specific to an application with all its users.

There is a big difference also between a user deciding to change the user agent for their installation (which I have no problem with) vs the developer for every user by default.

@szbalint
Tor Browser and Firefox with anti-fingerprinting enabled spoof their user agent to reduce the ability of the server to run fingerprinting code on said useragent (e.g., they identify the OS as Windows, and decrease the version to the last ESR). The user doesn't opt in, and many servers try to identify the user agent anyway using other avenues (e.g., TCP stack config). Some sites, like the NYT, will disable the site if they detect this behavior, because ads.
