I've been paying for Premium for a while, but I was behind a VPN when I signed up and apparently they charge you the rate for the country that your IP address resolves to instead of the country your account is actually associated with for some reason. I got an email just a couple days ago though saying that they're canceling my account since my payment method isn't also issued from that country (why they couldn't detect that when I first signed up is anyone's guess). I probably won't bother re-subscribing though. I've started self-hosting an Invidious instance instead, which not only strips Google's ads, but also has the Playlet app on my Rokus, which supports SponsorBlock to auto-skip sponsored ad reads in the videos themselves.
For a few years I've been running a couple self-hosted instances of Uptime Kuma from two different locations (a Raspberry Pi at my house and on my VPS) which monitor a few things I care about plus each other, and haven't had any problems.
Due to their app store monopoly, Apple is probably one of the few companies whose version of enshittification often involves enshittifying the products and services of other companies.
It's too bad the author didn't think to restore the factory RAM before shipping it. My unrelenting cynicism always makes me very careful to hide any evidence of tinkering on the rare occasions when I need to send a tech product off for warranty repairs.
I think the answer to your first point is easily explained by the fact that the major news orgs typically have paywalls that check the user's IP, cookies, and so forth to decide whether they're allowed to see the full article for free or if they have to pony up first. There's no way to really incorporate that functionality into RSS feeds so they're just pushing out the bare minimum as a Hail Mary to drive their dwindling RSS user base back to the website. Smaller personal blogs that don't rely on advertising or paid membership revenue to stay afloat are far more likely to provide full article content on their RSS feeds (since there's no reason not to).
Some feed readers have "scraping" support where they request each article's URL internally and figure out how (or can be configured with CSS selectors) to extract the article's text content and display it in the reader, though it can be pretty hit or miss whether that can work for a given site.
As for formatting, there are a couple possible explanations--the reader could be ignoring or mangling HTML tags in the content when it's displaying it, or the site itself may be generating its RSS feeds with mangled or missing formatting elements. In my experience both possibilities are equally likely.
> If an email has a rich, HTML view; it should be required to come with a text-only, non-HTML copy of the body as well; for accessibility, compatibility, and privacy reasons.
I can't imagine this working. The plain text section would probably be something like "Upgrade your email client to view this message" 90% of the time and be completely pointless.
Maybe it's an unpopular opinion but if I were rebooting email I'd forego HTML entirely and either say it's strictly plain-text, or use some Markdown-like formatting spec that looks fine even when viewed as plain text (email clients could provide WYSIWYG editors for less technically-inclined email authors). The evils of HTML in email (phishing, impersonating companies, and other scams) far outweigh the benefits (none, as far as I'm concerned).
And exactly zero of the people who send marketing emails are going to adopt your plain text email replacement. In the year 2024 we ought to be able to format text and add images to our communications.
For the folks who really want to RETVRN to the days of plain text, command line mail clients are still a thing.
My old marketing department would beg to differ. Plain text is easy, graphics and layout is hard. Further, all our emails were written in plain text first, then styled once we were 100% on the copy (so they could be sent off for translations in 20-odd languages).
> I'd forego HTML entirely and either say it's strictly plain-text
Inferior to typical print media text richness would rightly get rejected by most users.
> or use some Markdown-like formatting spec that looks fine even when viewed as plain text
No rich format can "look fine" when reduced to plain text. Reason being that the reduction loses information that the sender relies upon the receiver seeing.
> The evils of HTML in email (phishing, impersonating companies,
I've started reviewing some mail as plain text first. I've noticed some are exactly this kind of junk. The hard part of making a "new email" is that it needs to be substantially better than current options.
Outlook still supports RTF. (I have no idea what clients support that)
Any new format could also be included as a new content type.
For all the evils, I can't see any replacement markup being a significant improvement: What is the sender trying to communicate? Why is it beyond plain text? How do attachments not fill that gap?
I think the answer is: any client could choose to behave differently on the existing ecosystem. They currently choose not to. While an individual may think it's complex, the solutions aren't truly reducing complexity.
The thing I'm most confused about is I thought xkcd was one guy named Randall's webcomic, but this post makes it sound like there are several people involved in creating the comics. Is that the case? Does Randall still draw them or is it like a company with a whole creative team now?
Most comics are just Randall, but there are a handful of people who contribute to the occasional more unique / interactive comics, such as the April Fools ones.
I believe his April 1st "comics" have always been coded by someone else; there's been development notes by the developer(s) like this posted after each one.
I am actually a little relieved because every time one of these interactive XKCD comics is published I wonder how Randall finds enough time to work on them, plus What If, etc.
Of course there are some people that simply are hyper productive, but the level of detail and complexity of these comics always made me feel a bit "inadequate" :)
tbf, I don't think he has another job, so if he's only creating 3 comics a week and writing his books, there is def enough time as a side project to put out a fun annual comic that requires a bit of work, obviously it would need to be planned well in advance, which it appears this was not.
I've always assumed he has a large backlog of comics, and a script that pushes them out on schedule.
He can always push new comics into the queue based on current events or fresh ideas, but at other times he can probably go for weeks without needing to draw new comics.
Right. Maybe the workload is manageable, especially for someone with the amount of experience he has, nevertheless the breadth of the stuff he does is what amazes me the most.
Just programming one of those interactive comics must be quite a challenge, to then add the story, the wittiness, depth, etc is what blows me away.
Individuals choosing to live an energy-conscious life is commendable, and if enough people did it it might even ripple some small effects upwards, but ultimately I don't think that would ever be enough to actually solve anything. It has to be a top-down solution where lawmakers force the big corporations to be energy/environment conscious, but of course with the politicians (in the U.S. at least) being in the pocket of those very companies that's a tall order.
Another killer feature for me is its built-in support for Wallabag. I host my own server and routinely save longer articles to it so that I can download and read them on my Kobo later.
A while ago my wife applied for a home equity loan. At some point I got a call from someone claiming to be from the bank she had applied through (I forget which one), calling to make sure I approved the loan since the home is in both our names. He asked for my name, which I gave him, and then the last four digits of my social security number, which I also gave him. He then proceeded to ask for my full social security number, at which point alarms started going off in my head and I started sweating about even giving the last four digits to a stranger who had called me out of the blue. I told him I wouldn't do that, and was there a number on the bank's website I could call in order to get back to him, in order to verify that he actually worked for the bank. The guy started acting really annoyed, and said he didn't think there was any number on the bank's website that could reach him, and that if I didn't give him my full social security number he would be forced to reject the loan application. I told him I didn't feel comfortable giving that information to someone who had phoned me, and if there was no way for me to call him back through an official bank phone number then the call was over. He hung up angrily.
Turns out he actually was from the bank and he did cancel the loan application.
A bank called me to ask me security questions. I said that I would call back using the number on the bank's website. They said (and the bank confirmed when I did call the number) that there is no way to be transferred to the security question people when I call the bank - the only way is for them to call me. I explained that that was poor security practice. They said that I should just look at the caller ID to see that it was the bank calling. It was useless trying to tell them about caller ID spoofing.
It’s a real mystery why, as soon as I heard about a bank founded by people who sounded like they had heard about the internet (Monzo, in the UK), I switched away from my venerable bank (NatWest) that, at the time still had security practices unsuited for the 18th century.
Appropriately enough, the last thing they did was to insist —demand, really— that, in 2018, I fax them my demand. It just so happens that this could have been relatively safe because, after asking everyone I knew for a week (including some venerable hackers), the only way that I found to send a fax was to ask the local branch of the same bank.
Asking them to authorize the transfer wasn’t possible (by showing them all relevant documentation). Asking them to let me send a fax, using their machine, to a sister branch to tell them to authorize a transfer without anyone verifying my ID, was fine.
One of my favourite things about Monzo is they have a little thing in the app that tells you if they are currently on the phone with you to verify against anyone claiming to be them.
And then if your identifiers somehow get in the hands of bad actors and the bank gets fooled by them to open a bank account in your name, you are the one on the hook. It's utter insanity!
PSA: If you are of a certain age, the last four digits might be roughly all of the useful entropy in your SSN. Be careful with them. Before 2011, the first three digits indicated the office that issued the number and the middle two (the "group number") were used in a publicly-known sequence. The Social Security Administration helpfully published periodic lists of the highest group number reached by each office. This makes it extremely easy to predict the first five numbers for people who were registered at birth, which became quite common in 1986 when tax laws changed to require children's SSNs to claim the associated tax credit.
Tangentially related - wouldn't that mean that if you are an immigrant, then you are at least theoretically somewhat safe from that enumeration type of an attack?
Because if I got my SSN in my late teens, then my date of birth shouldn't mean much at all to anyone trying to use that method you describe, right?
Your date and place of birth would not be helpful, but an analogous attack may be possible. The key factors are when and where you applied and that the SSN was issued before June 25, 2011.
This is just an extremely incompetent and rude loan officer. Generally the loan officers are motivated to close the deal and write you a check because they get commission from that. They are nice to their customers because pissing off customers won't get them that sweet commission. The loan officer I last talked to managed to close more than $1B of mortgages in a year and he's the nicest guy on the phone. In your case, they could for example let you email them using their official bank email address, or use the bank's own web app or messaging system.
I think it highlights why this jerk was rude and short about it. They want to avoid high maintenance customers because it impacts their short term metrics of how many they can churn out and directly affects their compensation. There are presumably zero repercussions for them personally - the worst case maybe is some long term reputational damage for the bank.
Similar story, I transferred a decent amount of money from one bank account to another (different bank). I thought nothing of it, but I got a call randomly from what appeared to be the receiving bank's 'fraud' phone number (based on Google). I picked up, and the person on the end had an extremely thick accent similar to scam callers. He started asking me if I had made a transaction recently (I said yes), then asked me to confirm this transaction if I would provide additional information about myself, including home address and social... I refused, and was told if I didn't my bank account would get locked!
Sure enough... I had to go down to the local branch to get my account unlocked, as well as prove the amount of money I was transferring was... available in the other account? Absolutely ridiculous. I don't even know what sort of fraud they were trying to prevent, as this wasn't a new bank account and I'd made transfers between them before.
I feel for legit employees with strong accents. In an era of getting 5-10 calls a day from OS scammers, I had a call from a woman with an accent about an invoice. I was curt and ended the call quickly. Turned out that her wording was just ambiguous and she was trying to pay my invoice to her employer's company.
Language barrier or whatnot is one thing, but I was having issues with the methodology of it. I’d have had similar levels of concern (perhaps less suspicion) if it was someone who spoke English fluently with no accent. There’s absolutely no reason they needed to confirm information from me to make a transaction between two bank accounts I own!
Terms of service from my bank say you're not allowed to give your PIN or secrets like one-time passwords (called "TAN" here) to third parties, not even the bank employees themselves.
But when I contacted them about a phishing practice, it was A-OK because it was a "legitimate" website that phished your credentials to view the last 180 days of transaction histories, compute a credit score, and then withdraw the money. They would "look into the situation and see if a better solution could be found" with this German company...
I don't understand how anyone is okay with this but klara or klarna or something is a pretty popular payment provider in Germany as far as I know, but so my experience is now that banks like to change their security-relevant terms one-sided. But it's your fault if you give out secrets to the wrong person of course, not like the bank was going to care if your social security number had gone to a scammer for example.
I've implemented the bank account checking flow for a German client in a purely B2B setting, and this is essentially based on the PSD2 directive, which requires all/some/most (not entirely sure) banks to provide exactly this functionality (google keywords "PSD2" and "XS2A"). The bank's T&C should reflect this ... somewhere.
The main protection to you not getting scammed out of money this way is in the kind of TAN used for this process. It should/must only allow read access to your account, and at least one of my banks very clearly shows this in the 2fa approval app. Technically, checking your account history and then deducting money will (hopefully) have been two different processes.
The moral/ethical implications of requesting (up to) 365 days of full bank transaction details and being allowed to store this information is a whole different animal, though, and I'm glad I haven't had to do this myself yet.
> It should/must only allow read access to your account
Besides that it also needs to perform the payment, why do they need to pull 180 days of transaction history just so that I can give the merchant their money? (I'd be happy to just be given an IBAN number and transaction description to use and do it myself.)
At least that's what the consent screen said it was going to do: assess my creditworthiness before withdrawing the money. There was no way to pay without sharing who my employer is and how much I earn, which shops I visit in which cities, where I've been on holiday, what online purchases I do and on which platform and how frequently and for how much, etc. Obviously I declined this but since it's one of the logos you see every time, I guess a lot of people "consent" to this (knowingly or otherwise)
Any bank where this is the standard operating procedure for interacting with loan applications is not a bank that I'd want to do business with. Perhaps this was just one loan officer's way of doing things, and not the way of the business, but that's just not okay to me.
Any time anyone asks me for any part of my social over the phone, I ask for some other method of verification. Most folks have other ways of doing stuff. It's ridiculous that what should purely be an ID number is so powerful, but I can't change that fact, just how I interact with folks with regards to it.
This method of data exfiltration is in Kevin Mitnick's book! He needed a daily PIN that banks used to validate intra-bank communications. He called a bank, said that he needed to fax over loan forms from another branch for signing later that day (or something like that). He then asked the bank that he called for the daily PIN. They refused because he called them. He pointed out that he was sending sensitive data to them so they needed to provide the PIN... and they did.
One of my startup jobs paid us through ADP. While our ADP account was being set up, my boss told us to be on the lookout for an email from them. So one day, I'm in the middle of programming something, and I check my email. Lo and behold, there is an email from ADP... or is it? It is about fifty words long and contains five grammatical errors. It's asking me to fill out the attached PDF and email it back. The PDF is asking for my full name, address, phone number, SSN, and so on. I figure this may be some kind of phishing attempt, so I ignore it and get back to my work. If it's real, I'll hear about it again, right? Well, two weeks later, my boss tells me amazedly, "Hey, Bill from ADP is still waiting for your information! Why didn't you reply to him?!?!" I laughed and told him why.
As a bonus, when I was finally put into the system, they managed to get my zip code, phone number, and SSN wrong. At ADP, quality is job zero.
> He asked for my name, which I gave him, and then the last four digits of my social security number, which I also gave him. He then proceeded to ask for my full social security number, at which point alarms started going off in my head and I started sweating about even giving the last four digits to a stranger who had called me out of the blue.
I'm super paranoid about even the last four. The first five digits of an SSN were algorithmic for most of US history, and still mostly are but a tiny bit more random entropy, and can be narrowed down with mostly only the city in which you were born and what year. You can often use basic k-means clustering to find it even without that information. More often than not entire families share the first five (or close to it) and you only need to phish one family member to k-means cluster the five digits for the rest.
The last four are more often than not the most significant digits in terms of identification and entropy. Masking the rest is almost silly for most Americans. Our masking schemes have actually made phishing easier because people feel safer sharing just the last four, when for most those are the only four that matter.
SSN was never intended to be a secret so its design is horrifyingly bad for something that has come to be a huge secret in banking and healthcare and so many other industries. Recent SSN changes have made it a little better for anyone born after roughly 2010, increasing somewhat the entropy in the first five, but the rest of us have problems that we can't solve easily and banks should be ashamed they helped lead us to these problems.
I'd have read him the riot act on the phone. My bank has big warning banners on virtually every page of the site warning me to be careful of scammers. Someone calling me on the phone and asking for my TIN? Yeah, I don't think so.
Had a very similar experience with a bank a few years ago. I filed an official complaint because it was not possible to verify the caller was authentic.
Can you guess what happened next? Yep... The complaints team cold called me and requested PII to confirm they were talking to the right person. I refused and the call ended.
Later got a letter saying it wasn't possible to follow up on my issue and they didn't see any issues with what I had raised. I tried... :/
Reminds me of the repeated calls my parents received to refinance their mortgage under some government program. It took them months to realize it was legit.
Shout out to my car insurance, Amica. They called me because they needed some account information updated/clarified. Before we started doing anything I told them "Hey, not to be rude but could I call you with the number on your website? I'm paranoid about scamming and that's safer" They said "Absolutely, that actually makes a lot of sense". So, I called back and we got everything done.
The issue, I think, is the larger the company is the more incentivized it is to hide away access to its internal employees. If you can call a department directly you can start phishing between multiple employees pretty quickly. Locking that down and putting a horrible automated system in place makes that harder to do.