bootloader unlocking

I used to buy Xiaomi products because of the bootloader unlocking, but in practice it is a dystopian nightmare - they have built it so to unlock the bootloader you need a cryptographic signature from them, and they don’t give that out all that easily.

You have to sign up for an account with them, use a Windows-only tool to request unlocking, and they have a long wait period (deliberately imposed) to unlock, which sometimes randomly restarts. The wait period is different for different models, and can be weeks.

Their support are unwilling to help unlock immediately even for replacement devices where you want to get up and going quickly - if your device breaks (they are not the most durable phones IMO, as you note) and you get a replacement, you’ll have to wait the time again before you can restore a backup of a phone using a custom ROM.

It’s possible they have improved, but because of their attitude around what I can do with my own hardware, I’ve stopped buying Xiaomi gear.

As if telling Reddit, Facebook, or Google what to put on their roadmap as an ordinary consumer would actually work.

At least with FLOSS if you want something, and if it is a good thing the developers like, you can likely get it merged. If not, you can fork and still have the feature locally. Good luck getting that freedom with a closed-source product.

For software I develop, I do find it is helpful if people making feature suggestions tell developers what is useful for them and why, but that doesn’t entitle them any of my time to demand what features I prioritise. The alternative is “I gave you something you like for free, so now I owe you to make it even better for you”, which is obviously nonsense.

If you have control of the domain, you can also get an X.509 certificate from any CA (e.g. for free from LetsEncrypt). Then you can put up a new server on that domain with a valid cert. If that server supports ActivityPub, it can provide new public keys for private keys you control for all users on the server, and can use the corresponding private keys to sign messages from any user on that server to any community those users are still subscribed to. In addition, any users on other servers still posting to / interacting with communities on that server would cause their server to send that to the inbox on the new server.

This means any usernames or communities on queer.af should no longer be trusted.

Yeah everyone using Cloudflare is definitely centralisation, but maybe a kind of centralisation that allows for easier switching to something else if Cloudflare gets too crazy.

DDoS is a war of attrition - and the best way to win a war of attrition is to make it cost much more than $1 to make you spend $1, and to be able to outspend the attackers (e.g. the whole community bands together to support the victims against the attacker). I think the best response depends on who is attacking.

Network level DDoS is likely using stolen bandwidth - but the person directing the attack is probably paying someone for the use of it (i.e. they didn’t compromise the equipment themselves, someone else builds botnets and rents them out). If you can identify what traffic is part of a DDoS, you can track down where it is coming from, and alert the owner of the network where it is coming from, which hurts the person providing the services to the attacker quite a lot. If I have a reputation of: if you attack me for someone else, I’ll cost you a significant part of your business that will take you months to build back up, then you are not going to offer that service cheaply, or even at all.

Application level DDoS usually relies on amplification of cost - I do something relatively inexpensive (like send a packet opening a connection), and it makes you do something really expensive involving databases, disk IO etc…; a good mitigation is to redesign the API to flip that on its head, so you do something expensive, and I do something relatively cheaper for you. There is an open issue about using Hashcash to do just that at: https://github.com/LemmyNet/lemmy/issues/3204 - the downside is that it forces users (even on mobile devices) to use more compute / power for every request to Lemmy, but I think there is a balance that can be struck there where it isn’t too bad for users, but makes that type of attack infeasible.

As a former founder and moderator of a community that chose to host on Reddit, this is an even bigger red flag than the APIs.

Someone deciding where to put the effort in to build a community would now be crazy to do it on Reddit. This unambiguously takes it from being the founder’s community that happens to be on Reddit, where they are investing their time to build their own community, to Reddit’s community where the founding moderator works at Reddit’s pleasure to serve Reddit for free. Reddit has already made other steps on that journey - but this would be the most overt wake up call that moderators are not free to shape their own community to a vision for how it will operate if they chose to host it on Reddit if it doesn’t please the masses.

This is short-sighted, because people are going to found communities off Reddit instead. Tooling like Lemmy is only getting better, so Reddit is increasingly an unattractive choice.

It is also unnecessary - if people don’t like the premise of a community, they can vote with their feet, and go to another one, and put in the effort to build the new community themselves. And applying the same principles to Reddit itself, if a majority of Reddit users say they don’t want Spez to be CEO any more, or don’t like the Board, should they be allowed to fire him, even if the shareholders don’t want to do that? Or should they just vote with their feet and go to Lemmy? If he is anything but a hypocrite, he should let the users decide if he will continue as CEO.

Also a good opportunity to back it up everyone with just not visiting their site. I’ve added 127.0.0.1 reddit.com old.reddit.com www.reddit.com mod.reddit.com i.reddit.com to my hosts file so I don’t accidentally follow a link to Reddit (I think they have a lot more subdomains, so the hosts file based approach isn’t perfect, but hopefully good enough for a quick solution).