Funny enough, my favorite version has been the SNES version. Despite all the limitations, it's got built-in controller support and also has a map! Maybe I'll try to grab the mac-for-pc version.
- I don't want my interfaces to have multiple IP addresses
- I don't want my devices to have public, discoverable IPs
- I like NAT and it works fine
- I don't want to use dynamic DNS just so I have set up a single home server without my ISP rotating my /64 for no reason (and no, SLAAC is not an answer because I don't want multiple addresses per interface)
- I don't need an entire /48 for my home network
IPv6 won't help the internet "be addressable." Almost everyone is moving towards centralized services, and almost no one is running home servers. IPv4 is not what is holding this back.
Why don't you want every device to have a public IP? There seems to be a perception that this is somehow insecure, but the default configuration of any router is to firewall everything. And one small bonus of the huge size of a /64 is that port scanning is not feasible, unlike in the old days when you could trivially scan a whole IPv4 /24 of a company that forgot to configure their firewall.
NAT may work fine for your setup, but it can be a huge headache for some users, especially users on CGNAT. How many years of human effort have gone towards unnecessary NAT workarounds? With IPv6, if you want a peer-to-peer connection between firewalled peers, you do a quick UDP hole punch and you're done - since everything has a unique IP, you don't even need to worry about remapping port numbers.
Your ISP shouldn't be rotating your /64, although unfortunately many do since they are still IPv4-brained when it comes to prefix assignment. Best practice is to assign a static /56 per customer, although admittedly this isn't always followed.
And if you don't need a /48... don't use it? 99.99% of home customers will just automatically use the first /64 in the block, and that's totally fine. There's a ton of address space available, there's no drawback to giving every customer a /56 or even a /48.
Great question and my gut is that it makes it that much easier for large, perhaps corporate interests to gain surveillance and control. I'm aware it's possible now, but it really feels like there's some safety in the friction of the possibility that my home devices just switch up IP addresses once in a while.
Like, wouldn't e.g. IPv6 theoretically make "ISP's charging per device in your home" easier, if only a little bit? I know they COULD just do MAC addresses, but still.
You can't correlate the number of addresses with the number of devices because IPv6 temporary addresses exist. If you enable temporary addresses, your computer will periodically randomly generate a new address and switch to it.
I feel like this is a silly narrowing of the problem for normal, retail users. My priority isn't masking "the number of addresses" or devices. My desire is to not have a persistent identifier to correlate all my traffic. The whole idea of temporary addresses fails at this because the network prefix becomes the correlation ID.
I'm not an IPv4 apologist though. Clearly the NAT/DHCP assignments from the ISP are essentially the same risk, with just one shallow layer of pseudo-obscurity. I'd rather have IPv6 and remind myself that my traffic is tagged with my customer ID, one way or another.
Unfortunately, I see no real hope that this will ever be mitigated. Incentives are not aligned for any ISP to actually help mask customer traffic. It seems that onion routing (i.e. Tor) is the best anyone has come up with, and I suspect that in today's world, this has become a net liability for a mundane, privacy-conscious user.
> My desire is to not have a persistent identifier to correlate all my traffic.
Reboot your router. Asus (with the vendor firmware) allows you to do this in a scheduled manner. You'll get a new IPv4 WAN IP (for your NAT stuff) and (with most ISPs) a new IPv6 prefix.
As it stands, if you think NAT hides an individual device, you may have a false sense of security (PDF):
But most ISPs aren’t giving out static IPv6 prefixes either. Instead they are collecting logs of what addresses they’ve handed out to which customer and holding on to them for years and years in case a court requests them. Tracking visitors doesn’t need to use ip addresses simply because it’s trivial to do so with cookies or browser fingerprinting. There’s exactly zero privacy either way.
> Most home users do not have a static public IPv4 address - they have a single address that changes over time.
I'd be curious to know the statistics on this: I would hazard to guess that for most ISPs, if your router/modem does not reboot, your IPv4 address (and IPv6 prefix) will not change.
"If you enable" is doing ALL THE HEAVY LIFTING THERE.
Again, my point isn't about what is possible, but what is likely. -- which is MUCH MORE IMPORTANT for the real world.
If we'd started out in an IPv6 world, the defaults would have been "easy to discover unique addresses" and it's reasonable to think that would have made "pay per device" or other negatives that much easier.
Temporary addresses are enabled by default in OSX, Windows, Android, and iOS. That's what, like 95% of the consumer non-server market? As for Linux, that's going to be up to each distro to decide what their defaults are. It looks like they are _not_ the default on FreeBSD, which makes sense because that OS is primarily targeting servers (even though I use it on my laptop).
I haven't done the exhaustive research but props in advance for being the only person shouting in caps on HN. Definitely one way to proclaim one's not AI-ness without forced spelling errors.
I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.
I don’t want a static address either (although static addresses should be freely available to those who want them). Having a rotating IP provides a small privacy benefit. People who have upset other people during an online gaming session will understand; revenge DDoS is not unheard of in the gaming world.
> I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.
Do you ever connect your laptop to any network other than your home network? For example, public wifi hotspots, hotel wifi, tech conferences, etc? If so, you need to be running a firewall _on your laptop_ anyway because your router is no longer there to save you from the other people on that network.
It's also a good idea even inside your home network, because one compromised device on your network could then lead to all your other firewall-less devices being exploited.
Not every device can run its own firewall. IoT devices, NVR systems, etc should be cordoned off from the internet but typically cannot run their own firewall.
You must have not read my original post. I said that the NAT provides an additional fallback layer of safety in case you accidentally misconfigure your firewall. (This has happened to me once before while working late and I’ve also seen it in the field.)
You can have IPv6 firewalls emulate the behavior of NAT so it blocks unsolicited inbound traffic while allowing outbound traffic. If you get a /48 from your ISP you could rotate to a new IP address every second for the rest of your life.
Right, but if you’re messing around as a naive learner it’s easy to accidentally disable that or completely open up an IP or range due to a bad rule. It’s a lot harder to accidentally enable port forwarding on a NAT.
> I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.
This feels like a strawman. If you are making the sort of change that accidentally disables your IPv6 firewall completely, you could accidentally make a change that exposed IPv4 devices as well (accidentally enabling DMZ, or setting up port forwarding incorrectly for example).
As someone who has done this while tired, it’s a lot easier to accidentally open extra ports to a publicly routable IP (or overbroad range of IPs) than it is to accidentally enable port forwarding or DMZ.
You could accidentally swap IPs to one that had a port forward, some applications can ask routers to forward, etc etc. I don't know how exactly we'd measure the various potential issues but they seem incredibly minor compared to the sheer amount of breakage created by widespread NAT.
> Anyhow. I'm not confused about NAT vs. firewalling. No one who dislikes IPv6 is confused by this.
"No one"; LOL. I've participated in entire sub-threads on HN with people insisting that NAT = security. I've cited well-regarded network educators/commentators and vendors:
That article is making a narrower claim than you're implying. It argues that NAT is not a security mechanism by design and that some forms of NAT provide no protection, which is true.
It also explicitly acknowledges that NAT has side effects that resemble security mechanisms.
In typical deployments, those side effects mean internal hosts are not directly addressable from the public internet unless a mapping already exists. That reduces externally reachable attack surface.
So, the disagreement here is mostly semantic. NAT is not a security control in the design sense, but it does have security-relevant effects in practice.
I personally do consider NAT as part of a security strategy. It's sometimes nice to have.
Both of those articles are actually wrong. They say "if an unknown packet arrives from the outside interface, it’s dropped" and "While it is true that stateful ingress IPv4 NAT will reject externally initiated TCP traffic" respectively, but this is in fact not true for NAT, which you can see for yourself just by testing it. (It's true for a firewall, but not for NAT.)
The biggest security-relevant effects of NAT are negative. It makes people think they're protected when they aren't, and when used with port forwarding rules it reduces the search space needed to find accessible servers.
I agree it can be a useful tool in your toolbox sometimes, but a security tool it is not.
> Why don't you want every device to have a public IP?
Suddenly, your smart lightbulb is accessible by everyone. Not a great idea.
> With IPv6, if you want a peer-to-peer connection between firewalled peers, you do a quick UDP hole punch and you're done - since everything has a unique IP, you don't even need to worry about remapping port numbers.
There is no guarantee with IPv6 that hole punching works. It _usually_ does like with IPv4.
> Suddenly, your smart lightbulb is accessible by everyone. Not a great idea.
The answer here is kinda that Wi-Fi isn't an appropriate networking protocol for lightbulbs (or most other devices that aren't high-bandwidth) in the first place.
Smart devices that aren't high bandwidth (i.e. basically anything other than cameras) and that don't need to be internet accessible outside of a smart home controller should be using one of Z-Wave/Zigbee/Thread/LoRaWAN depending on requirements, but basically never Wi-Fi.
>> Why don't you want every device to have a public IP?
> Suddenly, your smart lightbulb is accessible by everyone. Not a great idea.
Why would it be "accessible by everyone"? My last ISP had IPv6 and my Asus (with the vendor firmware) didn't allow it. My printer automatically picked up an IPv6 address via SLAAC and it was not "accessible by everyone" (I tried connecting to it externally).
It's because router defaults have been bad for a long time and NAT accidentally made them better.
I finally have IPv6 at home but I am being very cautious about enabling it because I don't really know what the implications are, and I do not trust the defaults.
>> Why don't you want every device to have a public IP?
> What would be the advantage in it?
Not having to deal with ICE/TURN/STUN. Being able to develop P2P applications without having to build out that infrastructure (anyone remember Skype's "supernodes"?).
> Why don't you want every device to have a public IP?
Big companies would abuse that beyond belief. Back around the late 90s ISPs wanted to have everyone pay per device on their local networks. NAT was part of what saved us from that.
IMO, IPv6 should have given more consideration to the notation. Sure, hex is "better in every way" except when people need to use it. If we could just send the IPv6 designers back in time, they could have made everyone use integer addresses.
# IPv4 - you can ping this
ping 16843009
# IPv6 - if they hadn't broke it :-(
ping 50129923160737025685877875977879068433
# IPv7 - what could have been :-(
ping 19310386531895462985913581418294584302690104794478241438464910045744047689
> Back around the late 90s ISPs wanted to have everyone pay per device on their local networks. NAT was part of what saved us from that.
But with IPv6 a single device may have multiple addresses, some of which it just changes randomly. So this idea that they'll then know how many devices you have and be able to pay per device isn't really feasible in IPv6.
A single /64 being assigned to your home gives you over 18 quintillion addresses to choose from.
If the ISP really wanted to limit devices they'd rely on only allowing their routers and looking at MAC addresses, but even then one can just put whatever to route through that and boom it's a single device on the ISP's lan.
NAT is arguably a very broken solution. IPv4 isn't meant to be doing address translation, period. NAT creates all sorts of issues because in the end you're still pretending all communications are end to end, just with a proxy. We had to invent STUN and all sorts of hole punching techniques just to make things work decently, but they are lacking and have lots of issues we can't fix without changing IPv4. I do see why some people may like it, but it isn't a security measure and there are like a billion different ways to have better, more reliable security with IPv6. The "I don't want my devices to have public, discoverable IPs" is moot when you have literally billions of addresses assigned to you. With the /48 your ISP is supposed to assign you, you may have 4 billion devices connected, each one with a set of 281 trillion unique addresses. You could randomly pick an IP per TCP/UDP connection and not exhaust them in _centuries_. The whole argument is kind of moot IMHO, we have ways to do privacy on top of IPv6 that don't require fucking up your network stack and having rendezvous servers setting that up.
We may also argue that NAT basically forces you to rely on cloud services - even doing a basic peer to peer VoIP call is a poor experience as soon as you have 2 layers of NAT. We had to move to centralised services because IPv4 made hosting your own content extremely hard, causing little interest in symmetrical DSL/fiber, leading to less interest into ensuring peer to peer connections between consumers are fast enough, which led to the rise of cloud and so on. I truly believe that the Internet would be way different today if people could just access their computers from anywhere back in the '00s without having to know networking.
And the worst part about CGNAT is that you have two bad solutions:
Either EIM/EIF (preferably with hairpinning) where you can practically do direct connections but you have to limit users to a really low number of "connections" breaking power users.
Or EDM/EDF where users have a higher number of "connections" but it's completely impossible to do direct connections (at least not in any video/voice calling system).
I recently changed ISPs and have IPv6 for the first time. I mostly felt the same way, but have learned to get over it. Some things took some getting used to.
An "ip address show" is messy with so many addresses.
Those public IPs are randomized on most devices, so one is created and more static but goes mostly unused. The randomly generated IPs aren't useful inbound for long. I don't think you could brute force scan that kind of address space, and the address used to connect to the Internet will be different in a few hours.
Having a public address doesn't worry me. At home I have a firewall at the edge. It is set to block everything incoming. Hosts have firewalls too. They also block everything. Back in the day, my PC got a real public IP too.
NAT really is nice for keeping internal/external separate mentally.
I'm lucky enough my current ISP does not rotate my IPv6 range. This, ironically, means I no longer need dynamic DNS. My IPv4 address changes daily.
A residential account usually gets a /56, what are you talking about? Nowhere near a /48! (I'm just being funny here...)
There are reasons to need direct connectivity that aren't hosting a server. Voice and video calls no longer need TURN/STUN. A bunch of workarounds required for online gaming become unnecessary. Be creative.
I'm not confused about the NAT / firewall distinction, but it might be nice if my ISP didn't have a constant, precise idea of exactly how many connected devices I owned. Can that be _inferred_ with IPv4? Yes, but it's fuzzier.
Okay but why does this matter? They're your ISP they also have your address, credit card number and a technician has been in your home and also supplied the router in the common case.
The theoretical vague problem here is being used to defend a status quo which has led to complete centralization of Internet traffic because of the difficulty of P2P connectivity due to NAT.
The ISP still doesn't know how many devices are connected, because a lot of those devices are using randomized and rotating IPs for their outbound connections.
On Linux, I think the defaults are left up to the distros so there is a chance of a privacy footgun there. Hopefully most distros follow the example set by Apple and Microsoft (a sentence I never thought I would write...)
All desktop/mobile OSes today use "Stable privacy addresses" for inbound traffic (only if you are hosting something long-term) and "Temporary addresses" for outbound traffic and P2P (video/voice calls, multiplayer games...) that change quickly (old ones are still assigned to not break long-lived connections but are not used for new ones).
NAT only matters in so far as you don't technically need a firewall to block incoming traffic since if it fails a NAT lookup you know to drop the traffic.
But from a security standpoint you can just do the same tracking for the same result. That is just technically a firewall at that point.
I mean, so many reasons. Not the least of which is carrier grade NAT is out. And that alone implies so much cost savings, performance increase, and home user flexibility.
I'm struggling to assume good faith on your question, since it's so strange. I feel like I need to start from scratch explaining the internet, since asking this question reveals a lack of knowledge about everything networking.
I don't have CG Nat, I choose a proper ISP. Opening a hole in my ipv6 firewall or forwarding a port in my ipv4 firewall is effectively the same thing, I define the policy (allow traffic arriving on $address on tcp/1234 to this server on vlan 12) and it goes live.
Away from home, like I am at the moment, I vpn all my traffic back home, to work, or to a mullvad endpoint. Neither the hotel wifi nor tethering off my phone gives me a working ipv6 address (anything other than an fe80::) anyway.
All my workflows work on ipv4 only. Some workflows (especially around the corporate laptop) don't work on ipv6 only - maybe that's a zscaler thing, maybe it's a windows thing.
As such the only choice is ipv4 with ipv6 as a nice to have, or ipv4 only.
Personally I prefer the smaller attack surface of a single network protocol.
Sounds like ipv6 is a good solution for people who choose ISPs with CGNat. It doesn't matter to me if I vpn home via my ipv6 endpoint or my ipv4 endpoint, I expose a very minimal set of services.
I guess if I wanted to host more than 4 servers on the same port at home it would be handy, as my ISP will only allow me to have 4 public IPs without paying for more. I don't host anything other than my wireguard endpoint and some UDP forwards which I specifically redirect to where I want to go (desktop, laptop, server) - another great feature of nat, but yes nat66 can do that too.
But where's the killer feature of ipv6? Is it just CGNat on poor ISPs?
I'm not sure what that long story is supposed to convey. Cool story, bro.
> Sounds like ipv6 is a good solution for people who choose ISPs with CGNat.
I mean… this is just "not even wrong".
> Is it just CGNat on poor ISPs?
I already said no to this.
Look, like I said, you appear to be unaware of so much about everything about the Internet, running an ISP, running a service provider, corporate networks, ISP-customer relationships, small businesses, BGP viable policies, cloud economics, etc… that it's hard to know where to even start. And while HN is great for some things, HN comments are just not suitable for something that is shaped more like a course or internship. This can't even be described as "gaps" in your knowledge.
I'm put off by your confidence without the knowledge, and of course also by your implication that if you have CGNat then you should have just worked a little harder to not be so poor, to pay a better ISP, or you should move to a more expensive place where other ISP options exist. Of course ignoring that this doesn't scale to the population at all, and extra address bits are very relevant to scaling.
Only because most people don't know how NAT is hurting them, and because corporations have spent incredible resources on hacking around the problem for when peer to peer is required (essentially only for VoIP latency optimization and gaming).
NAT hurts peer to peer applications much more than cloud services, which are client-server by nature and as such indeed don't care that only outgoing connections are possible.
Even in a NAT-less world, the common advice is to use a firewall rule that disallows incoming connections by default. (And I'd certainly be worried if typical home routers were configured otherwise.) So either way, you'd need the average person to mess with their router configuration, if they want to allow incoming P2P connections without hole-punching tricks. At best, the lack of NAT might save you an address-discovery step.
> the common advice is to use a firewall rule that disallows incoming connections by default.
That's good advice! But firewall hole punching is also significantly easier (and guaranteed to work) compared to NAT hole punching. Address discovery is part of it, but there are various ways to implement a NAT (some inherently un-hole-punch-able) and only really one sane way to do a firewall.
> you'd need the average person to mess with their router configuration,
At least with IPv6, that firewall is likely to exist in the CPE, which sophisticated users can then ideally open ports in (or which can implement UPnP/NAT-PMP or whatever the current name for the "open this port now!!" protocol of the decade is); for CG-NAT, it's often outright impossible.
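Added example, not part of any comment in this thread: a toy Python model of the stateful, default-deny firewall discussed above (outbound traffic creates flow state, inbound is accepted only as the reverse of a live flow, no address translation) and of a UDP hole punch between two peers behind such firewalls. The addresses (from the 2001:db8::/32 documentation prefix), ports and the 30-second idle timeout are constructed for illustration.

```python
"""Toy model: stateful default-deny IPv6 firewall and a UDP hole punch."""
from dataclasses import dataclass, field

UDP_TIMEOUT = 30  # idle seconds before a flow entry expires (assumed value)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    """Allows all outbound traffic, tracks it, and drops unsolicited inbound."""
    flows: dict = field(default_factory=dict)  # flow 4-tuple -> time last seen

    def outbound(self, pkt: Packet, now: int) -> bool:
        # Outbound always passes and creates or refreshes the flow entry.
        self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        return True

    def inbound(self, pkt: Packet, now: int) -> bool:
        # Inbound passes only if it is the exact reverse of a live flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        seen = self.flows.get(key)
        if seen is None or now - seen > UDP_TIMEOUT:
            self.flows.pop(key, None)  # expired or never existed
            return False
        self.flows[key] = now
        return True


def deliver(pkt, sender_fw, receiver_fw, now):
    """True if the packet leaves the sender's edge and passes the receiver's."""
    return sender_fw.outbound(pkt, now) and receiver_fw.inbound(pkt, now)


# Constructed endpoints: (address, UDP port). No port remapping is needed
# because each peer's address and port are the same inside and outside.
A = ("2001:db8:a::10", 40000)
B = ("2001:db8:b::20", 50000)
THIRD_PARTY = ("2001:db8:ffff::1", 12345)


def pkt(src, dst):
    return Packet(src[0], src[1], dst[0], dst[1])


def hole_punch():
    """Both peers send outbound; the second packet onward gets through."""
    fw_a, fw_b = StatefulFirewall(), StatefulFirewall()
    return [
        deliver(pkt(A, B), fw_a, fw_b, now=0),  # dropped at B: no state yet
        deliver(pkt(B, A), fw_b, fw_a, now=1),  # passes: A already sent to B
        deliver(pkt(A, B), fw_a, fw_b, now=2),  # passes: B has now sent to A
    ]


def unsolicited_after_punch():
    """The punched hole is specific to B's address and port, not open to all."""
    fw_a, fw_b = StatefulFirewall(), StatefulFirewall()
    deliver(pkt(A, B), fw_a, fw_b, now=0)
    deliver(pkt(B, A), fw_b, fw_a, now=1)
    return fw_a.inbound(pkt(THIRD_PARTY, A), now=2)


def reply_after_idle(idle_seconds):
    """Flow state expires, which is why P2P applications send keepalives."""
    fw_a = StatefulFirewall()
    fw_a.outbound(pkt(A, B), now=0)
    return fw_a.inbound(pkt(B, A), now=idle_seconds)


if __name__ == "__main__":
    print("hole punch deliveries:", hole_punch())
    print("third party reaches A:", unsolicited_after_punch())
    print("reply after 30s idle:", reply_after_idle(30))
    print("reply after 31s idle:", reply_after_idle(31))
```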
UPnP has covered a huge percentage of use cases that actual users care about, and those who it doesn't cover are often able to do their own customization.
NAT is a horrible, HORRIBLE hack that makes everything in networking much more complicated. IP networking is very elegant when everyone is using globally unique addresses and an ugly mess when Carrier NAT is used.
NAT demonstrably does not work fine. We have piles of ugly hacks (STUN, etc) that exist only because NAT does. If you really want to keep NAT then nothing stops you from running it on IPv6, but the rest of us shouldn't suffer because of your network design goals.
Maybe not necessarily, but it'll be difficult to avoid. We're in a period where people are constantly creating and constantly changing software. Such rapid change really precludes the possibility of excellence. Very few people want to say "let's not add features, it would conflict with our ability to maintain quality." It's not that no one does this, but it is something that's in the minority.
All the change and shuffle feels like an inevitable consequence of so much communication and competition between companies, and cultures and such. Gone are the days where a software product can remain stagnant. Someone else will build something that does a bit more, or if nothing else, does something new, and it will take people's attention away.
Everyone is stuck trying to keep up with trends, even if those trends don't make any sense.
At this point, nearly every online service should be considered hostile. If they can make a small amount of money by compromising your privacy or your identity, they will. If they can make a small amount of money by stealing your attention and addicting you, they will.
Are there exceptions? I'm sure. Will I be erring sometimes by being cautious? Definitely. But, there is really not much of an alternative these days.
This sort of stuff continues to ramp up as everyone rushes to train LLMs while governments are pushing for ID verification that would make it impossible to use the web (or even one's own computer) anonymously. It's a very dark time for anyone who cares whatsoever about privacy or digital sovereignty.
My advice has long been to delete every single account you've ever created on every platform.
The chance of the data leaking nears 100% with time.
The corporate cloud is a seriously unsafe place to be. It's a dangerous place to store your intimate secrets and a shaky foundation on which to build a culture.
If I understand GDPR and “the Right to be forgotten” properly, then yes - they would have to actually delete the information.
Edit: at least when it comes to PII, which I presume should include photos of you, or any personal detail of you. The content you may have posted there up until then - that might be a different story
I have long wondered about the market size for privacy-focused apps. Sure, plenty of people don't know or don't care to value that, but if there are enough, maybe you could have a whole set of apps that emphasize they are not seeking world domination or selling out to the highest bidder, and a major selling point for using them would be that they are not < your expected chat/dating/photo/social site >.
Am I too idealistic? If such apps are not aggressively seeking hyper growth, it seems like these more trustworthy services could be deployed to cheap servers and let people use them for cheap without having to resort to selling user data.
Even if they were initially trustworthy, it's surely only a matter of time before they start wanting/needing to make (more) money and start abandoning their principles in pursuit of profit.
> The real problem is how to trust that a "privacy-focused" app is actually privacy-focused
I think the real problem is actually that legislative bodies will make privacy focused apps illegal. California AB 1043 is an example of what can happen.
If a company wanted to, they absolutely could include something along the lines of "If we violate the terms of this privacy policy, we owe all affected users $1000" in their Terms of Service. Pointing a gun at their own head to prove that they're serious. Companies don't do this, because they are cowards.
How is that a low trust signal? It's grounds to sue. Crank the number up to the limit of small claims in whatever jurisdiction you're based in.
If it was legal to say "If I break this oath, you can fucking shoot me" in a contract, I'd suggest that. The entire point of the exercise is "we promise to do the right thing, and to keep us honest we have set up a system by which you can destroy us if we violate that promise".
Corporations can't swear on their life, as they have no life to offer. They can swear on their cash, and by such their ongoing existence.
On one spectrum, you have privacy -- at one extreme, the most private of people don't even use social apps, they are traditionally private people. At the other extreme, you have the highest consumers of apps -- the people who demand sharing the most.
On the other spectrum, you have technical acuity -- at one extreme you have people who can audit software they use and verify that it actually does what it says -- at the other extreme, you have people who have no clue and will believe whatever is convincing.
Given this, the market for "app that enables sharing, but has privacy controls, and is verifiably so" is a tiny circle somewhere in the middle of this grid.
Users who want to be private and are willing to pay extra for it are necessarily highly valuable for data brokers and advertisers. So incentives always push towards betraying them eventually I think.
Is that true? Not arguing, just curious. I would imagine that the highly valuable users are those most likely to buy things, and people that are into privacy would be fundamentally more likely to also go to extremes to block that advertising, but this is very much not my area.
Not privacy-focused, but OKCupid itself fit many of your requirements when it first came out. It wasn't aggressively seeking hyper growth and barely marketed outside of existing SparkNotes and SparkMatch users. It was just a few math nerds at Harvard that wanted to model human romantic compatibility by categorizing you into a shareable cutely named personality type, and they bolted on crowd-sourced questions to see if whatever they hadn't thought of themselves might be relevant.
Ten years later, the social media revolution is in full swing, the relatively small service they built that had catered mostly to nerds was suddenly lucrative, and they sell to Match Group and this happens.
To be entirely fair to these guys, I don't think they came into it intending to sell out as their long-term goal. But four guys who got into data analytics in college also didn't find themselves as their mid-30s approached particularly wanting to run a dating service for the rest of their lives, either.
Whatever happened to FetLife? If any dating service had to be privacy-focused, that was it.
The problem is that large-scale use of the Internet for social networks and for organizing meetings in real life is fundamentally incompatible with privacy. It works for small, tight-knit insular groups, but as soon as you expand the scope of the network to include acquaintances and friends of friends you'll eventually find a connection to someone who cares less about privacy than about making a buck.
If we had a sort of "federated" system we'd still have this problem because you might always find yourself federated with someone who just wants to sell the information.
It's a cultural problem within this hyper-aggressive version of Capitalism that we've adopted, that even data about people has value. Until we decide as a culture that this kind of data sale or data use is shameful and unacceptable we'll be in this situation no matter what technical solution we adopt.
Open source developers are wildly idealistic. In the rest of the world, I have finally internalized...
1. Most people say they care about privacy... but won't spend even $1 for it. They care about their privacy about as much as an open source developer cares about user experience. Just extract the tarball, it's not that hard.
2. Most people don't care about technology and want it out of their lives. They don't want to know what sideloading is. They don't want to know how to discern safe from dangerous. And they aren't wrong. How many open source developers know how to drive manual? Car enthusiasts have just as much of a righteous claim to attention, after all. The model railroad enthusiasts are also upset by our community's lack of attention. Every enthusiast, in every field, hundreds of them, are upset by lack of mainstream attention, and this will never change.
3. Linux and open source software in general are not even close to being popular on the desktop. Gaming and web browsing is a tiny subset of what people buy PCs to do, and Linux isn't even close on the rest. Even the gaming success is so niche it's irrelevant in the grand scheme of things (Switch 2 outsold 3 years of Steam Deck sales in the first 24 hours).
4. Some of this optimism was deluded from the start. Like when Stallman said we can defeat proprietary software with open source, then openly admitted he had no idea how any open source developers could afford rent. "If everyone works for free, while the big companies stop working, we could get ahead" is gobsmackingly naive and it's honestly astounding anyone fell for it.
> Most people say they care about privacy... but won't spend even $1 for it.
Maybe they are smarter than you and noticed that trust is being violated constantly so paying for it in no way means you will obtain it and is just a waste of money?
I want to say "we structured the system like that, right?", i.e. maximize profit at all costs.
But it seems to be the natural outcome of the incentives, of an organization made of organisms in an entropy-based simulation.
i.e. the problem might be slightly deeper than an economic or political model. That being said, we might see something approximating post-scarcity economics in our lifetimes, which will be very interesting.
In the meantime... we might fiddle with the incentives a bit ;)
The upper arm of the K shaped economy uses their capital to invent and control the replicator and the lower arm dies off? Seems like the most realistic path to "post-scarcity" from where we're standing now.
This deserves a few qualifiers. I think this should be applied to any service that is
- "free" or "freemium"
- wrapped as a black box which gives no way out for customers.
There are plenty of companies out there who provide services based on FOSS, but we collectively shy away from paying them because it seems "silly" to pay for software that people can run for free.
"23andme", you mean? They were not free, but they were not building their product on open standards, were they? So they don't pass my filter as well.
I guess I have no sympathy for the addicts, let the social media hyper capitalists consume your FOMO lives, I'll find value elsewhere.
It is sad to see how pathetic we are and yet have so much potential.
I think eventually we will revert back to a Dark Forest model for online services, where people stay hidden and anonymous to carefully avoid being preyed on by looming corporations.
Another point to add, is that old saying: if the service is free, you are the product. I have long considered that dating apps are taking all of our data, and selling it. What's more personal than social media? What do you think about dating. Who you swipe on, the information you put in there, all deeply personal. Sometimes more so than what you put on places like Facebook
Lawyers are playing Calvinball again. I have no idea why the law finds this kind of argumentation compelling. "I clearly intentionally deceived, but I stashed some bullshit legalese into a document no one will read so my deception is completely OK."
Some 20 years ago there was a story about a guy who was opening a bank account. The bank sent the contract, the guy amended it with things like "you will give me unlimited credit that I do not need to repay" (if my memory serves me right).
He signed, sent both copies, got his bank signed copy back.
Went to the bank, the bank sued him, he won (the judge told the bank that when you play dirty games you sometimes lose) and they ultimately settled.
That wouldn't work in the U.S. Changes to material terms in a contract generally require informed consent (meaning, that the modifications are actually disclosed to the counterparty before they sign) or specific consent (such as initialing the sections of the contract where the modifications occur). This is a basic part of the UCC, which all states have adopted in some form.
There are a lot of people on the internet claiming that you can get away with surreptitious material changes to a contract before it is signed. None of them are lawyers.
It's depressing to see how the system works. Sure, now there are different kinds of terms in a contract, some are material terms and some are... immaterial? And conveniently, you can change some but not others in such a way that the banks and powerful corporations always come out on top.
I never heard of a corporation being forced to point out explicitly which lines in their long terms and conditions document have changed. But it's a well known obligation for regular citizens, because material terms.
> that the modifications are actually disclosed to the counterparty before they sign
Does Microsoft explicitly draw your attention to the fact that Copilot is for entertainment purposes? No, it buries that in a long document hoping you won't see it, and advertises it as the complete opposite, but it's ok when they do it, because those are not material terms, whatever that means. It means it's ok when the big guys do it, in the end.
Material terms are things like price, term, or anything that would change the nature of the overall agreement.
When corporations do it (i.e. change TOS) they need to send you notice of the new terms because it's no longer a change, it's a new contract that replaces the old one...if you agree to it by continuing to use their service after notice.
The guy sent the bank a contract. It was the first contract between them, it wasn't a "new contract" (as opposed to the old one? no such thing), it wasn't a "change" to an existing contract.
Why did he need to highlight some terms? How do you mean "change the nature of the agreement", change from what? They didn't have an agreement before this.
> because it's no longer a change, it's a new contract that replaces the old one
What sophistry is this? Of course it's a change. Most of the contract is the same, it's not like Paypal changes its business to selling shoes. They do the same things, and the terms are mostly the same, only they make some changes. There's nothing supporting your claim that it's a new contract.
> things like price, term, or anything that would change the nature of the overall agreement
That's everything in the contract. Which parts of the contract don't affect the nature of the contract? Why are they there? What the hell is "the overall nature"? If a fee for something changes from $1 to $2, as I understand the English language, "the overall nature" of the contract doesn't change. Just a fee. It's a detail. But this is exactly what you list as "material terms".
On the other hand: imagine someone putting "by agreeing to this, you owe us $1,000,000,000 - unless you opt out in writing within 90 days" halfway down the 100-page EULA of some cookie-cutter smartphone app.
It is not at all uncommon for such absurd contract terms to be unenforceable - especially in B2C contracts, although it might even be tricky for B2B clickthrough ones.
The idea being that most contracts are fairly standard, so a lot of people will just skim through them. Putting a landmine in them is obviously in bad faith, so making it enforceable would basically make it impossible to do any kind of business at all.
FullStory just tried to pull this with their renewal. We had a multi-year contract that started with a two-page order form, on which the words "renewal" or "cancellation" never once appear. During negotiations, it was never discussed that the plan would renew, or that there was a cancellation window. Instead, buried at the very bottom of the form (which they send via CongaSign, and wasn't clickable or obvious), was a line about their subscription agreement being linked to their terms and conditions page. On THAT page, they mention the plan will auto renew and must be cancelled with 60 days notice.
We cancelled at T-45 or so days before renewal, having determined it wasn't a fit for our client anymore, and they insisted "well, actually, you've renewed anyway!" which, no, we haven't. Absolutely absurd to try to "clickwrap" buried renewal terms in a 20+ page T&C/privacy document rather than as a material point of fact on the actual order form being executed.
Feels like the height of absurdity to try to bully your client into forcing them to use your services against their will when they still gave ample notice that they were cancelling and when there was no material loss to the business, but it's always felt like their revenue team has been unhinged in general: exploding offers, insane terms, super high-pressure sales... part of the reason we left them in the first place.
On the other other hand, they can put whatever they want in there, and because they've forced everything into arbitration with "third party" mediation and carved out their own little niche of the justice system, they'll never actually go to court, they'll just settle and evolve their ToS and contracts and word games accordingly.
Nominally, Common Law, the system of law that to a first approximation is used in countries descended from the UK, has a lot of protections of that sort. You can't put "unconscionable" terms in a contract, e.g., it is simply illegal to sell yourself into total slavery in common-law derived systems. All signatories to a contract must consent, must not be under duress, the contract can not be one-sided (this doesn't mean "the contract is 'fair' from a 3rd-party point of view" but "the contract can't result in only one side giving things but the other doesn't"), and a variety of other common sense rules.
In practice, availing yourself of any of these protections is a massively uphill battle. Judges tend to presume that these common law matters are already embedded into the de facto legal system because the people writing the laws already operated under those assumptions while framing the law. Personally, I disagree and think a lot of these protections have eroded away into either nothing, or so little that it might as well be nothing, but you have a 0% chance of drawing me as a judge in your case so that won't help you much if you try.
I wish we lived in more of a "spirit of the law" world than a "letter of the law" world, where everything needs to be spelled out, but we don't. A small minority of people enjoy Rules Lawyering their way through life, insisting on trying to "gotcha" counterparties who are acting in good faith, so as a consequence, we all have to be Rules Lawyers and everything needs to be spelled out.
I think a “spirit of the law” world would result in judges that already abuse their absurd powers way too much having free rein over any abuse they want to do, and there would be no system for ensuring everyone is treated equally or fairly.
Theoretically, courts and judges exist precisely to balance the word and the spirit, and find and judge the actual intent. In practice, I'm in awe that good judgments still happen, despite everything.
When the contract is purposefully obtuse and hard to understand, that should be a valid legal defense.
When it's huge, falls upon people that can't justify a lawyer, and keeps changing all the time, one shouldn't even need to claim it. It should be automatically invalid.
Contract language is obtuse and hard to understand precisely because of previous challenges over meaning. There are stock phrasings and clauses in contracts that have established (by precedent) legal meanings. That's why contracts seem to be walls of boilerplate.
If you just wrote them in "plain language" there would be far too much ambiguity and arguing over what was really meant or implied or agreed to.
> Copilot is for entertainment purposes only. It can make mistakes, and it may not work as intended. Don’t rely on Copilot for important advice. Use Copilot at your own risk.
Seems pretty clear to me, do you really think people need a lawyer to understand that?
Support page with ~25 tutorials provided by Microsoft about how to "Create a document with Copilot" or "Create a branded presentation from a file" or "Start a Loop workspace from a Teams meeting".
Do you actually believe that creating branded presentations (from Microsoft's own examples) is something people do for "entertainment purposes"?
If Copilot is for entertainment purposes only then why is https://office.com all about how you can use Copilot, and closes with the small print "Copilot Chat in the Microsoft 365 Copilot app is available for Microsoft 365 Enterprise, Academic, SMB, Personal and Family subscribers with a work, education, or personal account."
Why would they include a product for entertainment purposes only in the product they sell to large companies for doing work?
I have frequently proposed an objective legal standard for false advertising that handles that: "Technically, your honor". If somebody says that in court, they lose.
The words they used, as commonly understood by the target audience, were intentionally crafted to be interpreted differently than what they were going to say they meant in court. They spent time, effort, and money, ran focus groups, and carefully selected and curated their words to be incorrectly interpreted by the target audience to reach knowingly false conclusions.
The correct standard should be that they spent time, effort, and money, ran focus groups, and carefully selected and curated their words to be correctly interpreted by the target audience to reach true conclusions. Their statements should only be accidentally incorrect in proportion to the time and effort spent crafting and distributing them.
"Technically, your honor", should be treated as the ethical abomination it is.
I know there's some tort caselaw in Australia towards both parties' actual understanding of the contract vs written word. We went over a few of these cases in high school commerce. It's been further enshrined by the ACCC, which tends to take the view that the verbal understanding provided at the point of sale can often supersede terms and conditions.
"Our software developers clearly were negligent, but we stashed some bullshit legalese saying 'No warranty express or implied' into a document no one will read so our bug-infested software is completely OK."
It's a quite baffling argument on Bondi's part regardless. As if I wouldn't care about prosecuting sex offenders merely because my 401k was doing well.
Even if someone is much richer, 401k owners are still operating out of self-interest. There is still a valid point about income inequality, however I'm not sure that renders 401k into some sort of evil diversion.
You can see this happen in real time if you closely follow some youtube channels. You take someone who is genuinely talented and has some interesting, novel insights. And, maybe a couple of their videos make it big. And they rightly think they should keep making videos because they have other insights. And they're not wrong.
But over time, something happens. No one has a novel, brilliant insight 1-2 times a week. So once they really turn in and decide to make a serious effort with their channel, the quality of their content suffers. Maybe it's not quite click-bait, but it's less genuine and more formulaic than their original work. A bit more sensational. Videos are reaching for reasons to exist, since the author needs to keep pumping them out.
I wouldn't quite call it corruption, but it's a clear degradation. In principle it's not a novel problem, since people have been writing weekly editorials for a long time. But, there seems to be something about the Youtube format that makes it such that the big channels must always play the game and pump out sub-par content.
> Maybe it's not quite click-bait, but it's less genuine and more formulaic than their original work. A bit more sensational. Videos are reaching for reasons to exist, since the author needs to keep pumping them out.
I've come to accept that this is what many viewers want. They're more interested in seeing their familiar personalities talk on camera than in the details of what they're doing.
At the risk of downvotes given the audience, this is how I feel whenever I've tried to watch Linus Tech Tips videos. I have some friends who watch every LTT video when it comes out and love the brand, but I can't make it through a single LTT video because there's so little subject matter. The few videos I watched also had some glaring oversights and borderline misinfo. I think the audience for those videos is people who like seeing the LTT crew have fun, do some activities, and talk. The subject matter of the video is secondary for them.
I see a lot of YouTube channels going the same direction: They realize the content they're discussing is secondary to the fact that they're in front of the camera doing something. The cooking channels know that most viewers aren't going to be cooking the dish. The DIY channels know that most viewers don't care about the code or engineering as much as seeing personalities goof around on screen.
I don't think there is anything wrong with this type of content, though. One of my friends says he handles his work better with a constant stream of YouTube videos in the background, so he semi-watches more YouTube than anyone I know. I do appreciate the channels that focus on the content and subject matter instead of becoming content factories, though.
If you want to be profitable, or widely watched, you have to play to the algorithm.
YouTube seems to strongly boost channels that post regular videos in the 10-20 minute range, and actively incentivizes clickbait through AB Testing tools for titles and thumbnails.
There are channels that post irregularly, with long form videos, but they get buried.
Another issue I've seen from some of the more prolific YouTube channels is they slowly become another mouthpiece for "news coverage". The algorithm very much expects you to continue uploading, because everyone is always looking for the newest content; at least before YouTube removed the Trending section. I admit that I only really check my Subscription page at this point, and after going through a subscription purge I only see maybe a half a dozen to a dozen new videos. It's actually been very useful since it encourages me to not get sucked in to watching hours of videos.
However, given my experience during Digg's v4 attempt this past year, I will say being willing to put yourself out there has served as a pseudo-networking activity and I've gotten the chance to speak with several people and now I'm giving talks "out there".
What's curious to me is, why does this not happen to all youtubers? For example, vlogbrothers, 3b1b, numberphile, etc, all seem to continue putting out great educational content and care about producing good wholesome content despite the strong incentives to do otherwise - how does that happen?
I think different topics lend themselves to this better than others. If you're merely teaching about things, then there are endless interesting topics -- and _you're_ not the one coming up with the brilliant insights; you're just doing an excellent job conveying an already-known subject to others. Commenting on the news can work quite well, too. So long as your research and analysis maintains quality, there will be no shortage of noteworthy events to discuss.
I’m old, but this pattern is old too. You’d see it in car magazines where the regular columnists would rehash their tired old opinions but you’d read it anyway because they had a particular sense of humour or an otherwise engaging style.
It’s hard to create novel content regularly once a month, let alone weekly or daily like some of these YouTube guys are doing.
- Trust is at an all-time low, so I think that even if this move made a lot of sense most people would not extend much goodwill to the government.
- There aren't stats available to the public -- just how many exploits are due to for-real backdoors vs. bad code. Of the "bad code" exploits, how many can really be attributed to the lax standards of a 3rd party country?
- Also, basically no one makes router hardware in the US and I'm not sure who plans on starting.
- The article states "including IoT devices like webcams and routers." -- how much of this problem is an IOT problem and not a router problem?
I'm not holding these up as facts. ie, I'm not implying-by-raising-the-question that IOT is a bigger part of the problem and routers are a distraction. I'm saying I wish we had hard numbers. If IOT is 1% of the problem that's a different calculation than if IOT is 90% of the problem.
I tried figuring out the reference with Gemini, and it said this:
The immediate reply to that comment is: "On the internet, no one knows you're an editor." This is a direct play on the famous 1993 New Yorker cartoon: "On the Internet, nobody knows you're a dog." By setting the anecdote in 1987 (a few years before the World Wide Web was publicly available), the commenter is implying that back in the analog days, if a dog wanted to be a writer or an editor, they couldn't hide behind a screen—they had to sit in a smoky London pub and do business face-to-face.
Which makes a lot of sense actually. I would imagine that's what the replier to you thought you meant.
Or read magazines and newspapers from reputable publications. My grammar and writing have improved tremendously from reading quality magazine articles, e.g. stuff from The Atlantic or The NY Book Review or whatever.
Both magazines and books are valid forms of information consumption and books are not the only way to improve your writing, reading, and understanding of the world.
I wouldn't count on current stuff in those publications being free from AI. We're seeing it in peer-reviewed paper submissions so why not in literary forums?
If you limit yourself to stuff from maybe five years ago or older, yeah it's going to be human-written and human-edited (ghostwriting still possible).
AI is much better at generating text that resembles scientific papers than it is at literary writing. Even if they're not all flagged as AI, the incidence will be much lower because they're simply bad writing. They won't make it out of the slush pile at places like GP listed.
Nothing has made me want to read classic literature more than AI. For the first time in probably over a decade I even went to my local used bookstore with a list of books to buy, but sadly none of them were in stock. I have had a bit of luck at little free libraries though.