
Ctrl+f'd "terms"...unpleasantly surprised that no one else in the thread seems to have got this result :)


There's a hilarious map projection on the lobby TV in the 8th image. Massive unified red Korean peninsula (practically the size of Australia on the map), tiny sliver for the Japanese islands, and places Korea at the absolute center with all the other continents warped around it. Brilliant.


It’s common for countries to put themselves in the centre. The U.K. does it for English maps, America does it, so do Russia and Australia. And it makes sense too, because it allows you to give context to the other land masses (though it’s usually done for vanity reasons).


America follows the European convention of putting America on the far left of the world map.


In that case, you should read about this hilarious map called the Mercator projection...


Japan and Korea are more or less on the same latitude and near each other and Japan has slightly more area than Korea. I doubt this is an issue about projection distortion.


That wasn't really my point, but go off I guess


The mercator projection is a projection...a mathematically consistent way of displaying the surface of a sphere as a two dimensional image.

This map is something else entirely. Not even sure what to call it, but it isn't a projection. The Korean peninsula is bigger than India. It's a fantasy at best.


I don't see any problem with that map, the ratios are mostly correct.


>I don't see any problem with that map, the ratios are mostly correct.

Whaaaaat?

You see the island off the southern coast of the Korean Peninsula, colored red? That's Jeju.

The Japanese island chain is almost unrecognizable; but the largest southern island ought to be Kyushu. In the real world, Kyushu extends significantly south of Jeju and is about twenty times the land area.

The small green island near to and west-south-west of Jeju is Taiwan. In the real world, that distance is more like 700 miles and more like south-south-west. Taiwan is also much larger than Jeju.

At the northern end of Japan, the NK map has Hokkaido as a tiny cross-shaped island on about the same latitude as Pyongyang. In fact, it's 75% the size of North Korea and extends significantly past the northernmost extent of the country.

In the real world, Sakhalin - the long, thin island north of Japan - doesn't overlap at all with North Korea's latitudes.


On that map the Korean peninsula (~220.000 km2) is bigger than Spain (~500.000 km2).


Why shouldn't it? Or should it put the United States at the center of the map, as usual?


I don't think I've ever seen a map that places United States in the center. Is that really a thing?


If you were schooled in the US, you would absolutely have seen such a map nearly every day.

Edit: Sorry I offended someone! If you were educated in the US and had another experience, I'm not invalidating that. I was in HS a few decades back, and I think they've probably reformed those maps these days


The map of America, sure. World maps have the Atlantic in the center. How would you even make a world map with the US in the center, split up Asia?


The upstream reply asked "I don't think I've ever seen a map that places United States in the center. Is that really a thing?"

So, your question is different.

But yes, to answer your question, in school we also had global maps that centered the Americas and split Asia so that China was on the left and Europe and Africa was to the right

I think it was split somewhere to the west of India, as I recall. The projection may have been over the US, but I'm not positive. It was a while ago.

Edit: here you go: https://crosscultcomm.files.wordpress.com/2014/07/compart_wo...


As far as I recall, that map was never used in my American education. I'm guessing it's decided by state education boards, so either you always had it or never had it.


Yes, that is how it 'works', splitting up Russia/Asia.

I was downvoted simply for suggesting that another poster who hadn't seen it before, and asked whether it was really a thing, do a search so they could see different examples of it.

Other people here are downvoted simply for giving their (American) experience, that maps showed the US at the centre.

Is it supposed to be a secret or something?


I had an American experience in several different schools, and our maps had the Atlantic in the middle. I think that's more common, so people are down voting the posts stating the bizarre America in the center map is a staple of US schools.

It's probably something decided by state education boards, so whichever map your state decided was all you saw for twelve years. Leading you to think the entire US had the same.


Yes, you could be right with that. I guess not enough kids are playing Risk.

Although it can seem pettily nationalistic (and probably is to some extent), for quickly illustrating "You Are Here", and the relative positions of other countries to your own, centring maybe makes more sense than having some far away country at the centre.

It seems pretty common/natural in different countries too. I wondered if a 'most accurate map' exists, and found Authagraph:

https://ourplnt.com/wp-content/uploads/2017/06/AuthaGraph-wo...

https://ourplnt.com/authagraph-probably-the-most-accurate-wo...

It's not difficult to find the origin country of the map, Japan.


I went to public school in San Francisco; Fairfax County, VA; and Springfield, MA. These US-centric maps were all that I saw.

As an aside, I also had 6 years of American Revolution, all told. Every time we moved, the new district would be starting that unit. So annoying


I’m an American who was in high school in the late ‘90s, and I can’t recall ever having seen such a map before this discussion (though obviously they exist). Perhaps it was changed somewhere in that time span? Or a regional difference?

Edit: perhaps more relevant that I went to private schools, so we wouldn’t necessarily have had the same materials as were chosen by the state.


(I wonder if in Australian schools the maps are upside-down. That would be sublime)


New Zealand often complains it is left off maps of the world (it happens more than you think). I do wonder if NZ maps leave off other countries (say the UK) in response.


Drawings of the globe used to, quite frequently, show the Americas.


I've noticed a lot of maps printed with the UK/Europe at the centre; I guess it depends on what sphere of influence you live in.

Now there's a map printing shop idea, centering the map on any country you choose.


Centring on GMT is conventional and probably makes more sense than anywhere else. Australians may beg to differ though:

http://img.memecdn.com/australian-world-map_o_1081710.jpg

(I quite like that map, actually.)


I love it as well; so interesting to see the world 'upside down', it makes everything so unrecognisable.

But GMT is still Eurocentric and unimportant from the perspective of an individual looking at a map, I do wonder if that will ever change?


It still dilates the northern hemisphere and squashes the southern hemisphere though.


Every country puts themselves in the center. If you live in America, then the maps you see have America in the center of the globe.


My point (and probably my parent's too) is that America has dominated the shared culture for the past 100+ years (in good part thanks to Hollywood). Most people experience world maps and globes in two places: in schools, where they will be local-oriented, and in movies, which will be predominantly American.

(And if you're into science fiction, you've likely internalized the American view of Earth from space without even realizing it.)

I'm not passing judgement here - just saying that cultural influence isn't equal.


Eh, I'm not sure how much influence movies have over maps. I live in the UK which has a very significant cultural influence from the US, but the vast majority of maps I see are centered on the UK.


The movies won't affect your printed maps, or maps you see in serious contexts (like in classroom, or in a BBC article). But I'm willing to bet that in your day-to-day experience, you see a roughly equivalent number of maps in movies and videogames. Which, unless you have non-average watching habits, will most likely be US-made.


I probably do see a fair number of those maps, but the context matters. Such maps are usually in the background and not what I'm paying attention to. If I'm actively using a map then it's a UK centered one 99% of the time.


True. And I inferred the context is about seeing maps in general - which includes movies, games, advertisements, company logos, computer icons, etc. I.e. the situations in which you see depictions of the world (and mentally recognize them as such), not necessarily use them to find your way.


Search map with United States in the center.


> practically the size of Australia on the map

Not really

> tiny sliver for the Japanese islands

As in any map

> places Korea at the absolute center

TBH, that sounds more practical.


Maybe not the size of Australia, but compare it to this map I generated (Winkel-Tripel projection) [1] where Korea is correctly sized, and you can see it's easily 2-3 times as big as it should be (in terms of scale).

[1] http://worldmapgenerator.com/maps/20200926110400_map_5f6f040...


Like Russia on any US made map.


https://hackernews.hn/item?id=24470530

Looks like it was a real Facebook login webview.


...which is different from a browser window, running inside the actual system browser.

The difference may of course be subtle, but even obviously fake logins can work on the untrained eye.


As someone who's fairly involved with the e-commerce/digital marketing space, let me just say I'm amazed by how brazenly nasty this scam is.

The TikTok promotional program is actually a real thing that does give around that amount of ad credit, and they have been promoting it very aggressively on Facebook for a long while now, so it makes sense that OP wouldn't have had any mental red flags triggered by the designs and creatives used by the scammers. The real killer is that PayPal is actually well within their rights to process this transaction (as part of the billing agreement generated when you link PayPal to Facebook Ads Manager: there actually was real ad spend in a real Facebook ad auction), so it's down to Facebook itself to refund the ad spend. (As an aside, I'm actually impressed that OP managed to reach Facebook support at all, and that they acknowledged or even understood what the problem was. I have had worse experiences in the past with FB...). What's really amazing to me is that the scammers managed to get on Google Play with thousands of obviously fake reviews, and get through Facebook ad review at all.

The scammer silently removing OP as an admin from their own ad account, preventing them from noticing or stopping the fraudulent ad campaign is just icing.

I suppose the real lesson to be learned is to simply avoid installing native applications when you can help it. OP didn't screenshot the login screen in app, so I can only assume it was a real Facebook oauth flow, but honestly at that point it's already too late. If anything OP should be grateful that the native app running on what was presumably his personal device didn't do anything worse.


> I suppose the real lesson to be learned is to

...never, ever buy or even take anything from anyone who approaches you without you being the original initiator of the communication. Simple rule that applies to both online and real world and makes your life simpler and safer.


This is an old tip my father gave me 40+ years ago that applies to banking, mortgages, insurance, investing, credit cards, and all personal finance.


Also a very good rule of thumb for recreational drugs and other illicit activities.


This is my strategy as well. If I want something I initiate a search. Incoming sales attempts do not exist in my universe.



If you want to see where Google search results really point to, you can right click it and then hover over it to get the real destination... it's been like this for 15+ years (google changes the destination on-click).


Thanks, I'll be sure to explain this to all my friends and family, right after I teach them what onclick, "real destination", "hover", etc. mean.


I think that it is pretty screwed up that browsers allow this "feature"...


Just checked; and while they did indeed use to change the URL (on mousedown (!) - which was infuriating, because right-clicking to copy URLs produced a mess I'd then have to pass to data:text/plain,... in a new tab to extract the URL-encoded... agh), they currently really do just leave the link alone now.

They just fire off a request to google.com/url?... to track the click before letting you on your merry way.

Sigh


That used to be my strategy until a salesman knocked on my door offering heavily discounted ceiling insulation, which is something I had half-heartedly always wanted but never got round to buying. He said my address was one chosen by the government to give a subsidy to but funds were limited so it was first come first served or risk missing out. Sounded suspicious so I checked with the government who confirmed everything the salesman said was true. I got a 2nd quote from another installer but the door-knocker was cheaper so I bought his. I wouldn't have known the subsidy was available without him and would have missed out on a genuine rare high-value giveaway.


Same with phone calls or mail. Look them up on the web and go through their web site for numbers/email addresses


Great point. When the IRS phone call scam first came around it scared the crap out of me for a second but a quick search revealed the truth.


Also works nicely against advertising too, a good principle ;)


The sad thing is, this is simultaneously the only way to stay safe AND also the underpinning of almost the entire ad industry - and in turn about half of the money that funds what we think of as "the internet" today.

It really sucks that it seems like we've built the most important infrastructure of our generation effectively on quicksand.


There's a current scam going on right now where people are getting calls to get in on the ground floor of the "Stripe IPO"...


Really nice guideline for work. Should spread it around.


[flagged]


Yeah, but they SENT the link. That was the initiation.


I see your position, but I don't view placing an ad as an initiation. He still initiated the conversation by clicking on the ad like he would've if he had called a phone number or anything else and therefore could still have been scammed.


When I'm curious about something that I might have to click through, I DDG it and find source material. It's not overly paranoid, it's been good advice for decades.

Telephone charity calls are exactly the same way in my world, and started me down that handling path. If I look your org up and you look legit, and I'm interested, we'll see. You having called me isn't always strike one, but it often is.


Legitimate organizations are not always a safe bet either. For instance, today I received a phone call supposedly from the Breast Cancer Research Foundation soliciting donations. The organization itself is legit, and the number they appear to be calling from could also be legit, but the number they're calling from could be spoofed.

Personally, I prefer to follow the OP's advice, and only provide information if I initiate the call. Or, more specifically, I'm willing to provide only the information you could find in a phone book, such as name, phone number, and address, and if they truly want my donation, they can mail me something for the request. Still, it could result in mail fraud, but the likelihood is pretty low at that point.


meh, he calls out the exact mistake he made. If I see an ad and like the product, I go to the domain. If the domain is legit (e.g. not developgameonline@gmail.com), you can start to feel pretty good about it. We run ads. If you google my company's name ("seekwell"), the entire first page is properties that we've owned for years. This includes podcasts and youtube videos.

It's ok for the initial pull to be an ad, but only buy from the source.


Not at all fool-proof.

What if they can register a very similar / regional domain that you didn’t set up already?

Normal rules don’t apply when you’re a criminal so spoofing SSL cert names is something you might as well do too. It’s just not practical to examine and confirm the cert manually of every company you interact with online.

These internets are dangerous, even if you know what you’re doing.


The people here posting about how clever/careful they are, which is why they haven't been scammed, are the ones I see as most likely to get scammed (if they haven't been already without realizing). You're best protection against being tricked is realizing that you can be tricked.


*your. This was the last straw. I've finally had enough of my OnePlus autoincorrecting me all the time.


> Normal rules don’t apply when you’re a criminal so spoofing SSL cert names is something you might as well do too

SAN dnsNames in certificates in the Web PKI are verified by the issuer - these days using one of the Ten Blessed Methods. It would certainly be possible to obtain certificates for a name you don't actually own, but it's a bit beyond the usual casual crooks that run scams like this. We see what appear to be nation state adversaries doing it, as part of wider targeted hijack schemes (e.g. to intercept IMAP credentials for a foreign government agency) but it's definitely not something you see an ad scammer doing.

Any vaguely competent modern browser checks the certificate is trusted in the Web PKI and that it matches the SAN dnsNames to the FQDN in the URL exactly so there's no room for any funny business there.

And human readable names in end entity certificates are largely irrelevant. Nobody looks at them, who cares?


You are replying to a point that the GP didn't make. This was the precursor for the might-as-well-go-for-letsencrypt statement:

"What if they can register a very similar / regional domain that you didn’t set up already?"

In other words, they register fakebook.com and then just go get a TLS cert for it. If you're not looking carefully, you might not notice the difference.

Whether the CA system, with fungible, interchangeable certificates that can be issued by dozens of CA's (pinning excepted), is worth sinking lots of trust into is an entirely different matter ;)


The Web PKI does a pretty good job of making the web browser do what lay people assume it did anyway. Surely this is https://hackernews.hn/ or else why does it say so in the URL bar? Without the Web PKI there was no assurance of that whatsoever, which is not intuitively obvious.

But a very similar domain is the wrong domain. This is not a great novelty, people are aware that a ROJEX watch isn't the real deal, no surprise Fakebook isn't the social media site you actually wanted either.

In terms of authentication, this is where WebAuthn shines because it's tied to that actual domain name. Even if you're 100% dead certain this is really Facebook, your WebAuthn authenticator can't help you. There is no "Look, I know the URL says Fakebook, but ignore that, I am 100% sure this is really Facebook, just shut up and take my money" button.


So my point was that having news.ycombimator.com in the title and address bar is not going to flag anything if they both match and have a SSL cert that's been signed by an authority.

Probably more relevant is that if I have registered luxowatch.com to sell my lovely watches, but am a small store, I certainly won't have registered (as yet) a bunch of global domains. There's nothing stopping you registering luxowatch.co.uk or luxowatch.net with a valid SSL cert to scam my potential customers. Cloning my site to one of those domains (with cert) can be done almost instantly for close to zero cost.
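As an added illustration of the two points above (the comment on SAN dnsName matching, and the reply about a lookalike domain with its own valid certificate), here is the hostname check a browser performs against a certificate's SubjectAltName entries, written as stand-alone example code rather than anything taken from a browser or from the commenters. The certificate names and hostnames in `lookalike_demo` are constructed for the example; `news.ycombimator.com` and `luxowatch.com` are the hypothetical domains from the thread, not real certificates.

```python
def _wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125 / CA-Browser-Forum style wildcard matching.

    Only a whole leftmost label may be '*', it matches exactly one label,
    and it never matches the bare domain. Requiring at least two labels to
    the right of the '*' is a crude stand-in for the public-suffix check
    that keeps '*.com' from ever matching (a real client consults the
    public suffix list).
    """
    if not pattern.startswith("*."):
        return False
    pat_labels = pattern.split(".")
    host_labels = host.split(".")
    if "*" in pat_labels[1:] or len(pat_labels) < 3:
        return False
    if len(host_labels) != len(pat_labels) or not host_labels[0]:
        return False
    return pat_labels[1:] == host_labels[1:]


def hostname_matches_san(san_dns_names, hostname) -> bool:
    """True iff `hostname` is covered by one of the certificate's dNSName SANs.

    The subject CN is deliberately not consulted: browsers ignore it, so a
    human-readable CN of 'Facebook, Inc.' proves nothing. Matching is exact
    after case-folding and stripping a trailing dot; no similarity check is
    attempted, which is precisely why a lookalike domain with its own
    correctly issued certificate sails through.
    """
    host = hostname.rstrip(".").lower()
    if not host or "*" in host:
        return False
    for name in san_dns_names:
        name = name.rstrip(".").lower()
        if name == host or _wildcard_matches(name, host):
            return True
    return False


def lookalike_demo():
    """Constructed certificates and hostnames; returns each check's verdict."""
    real_cert = ["news.ycombinator.com", "ycombinator.com"]
    lookalike_cert = ["news.ycombimator.com"]   # attacker-registered, validly issued
    wildcard_cert = ["*.luxowatch.com"]
    return {
        # The real cert covers the real host and nothing that merely looks like it.
        "real_on_real": hostname_matches_san(real_cert, "news.ycombinator.com"),
        "real_cert_on_lookalike_host": hostname_matches_san(real_cert, "news.ycombimator.com"),
        # The lookalike's own cert is equally "valid" for the lookalike host:
        # the padlock tells you only that you reached the domain in the URL bar.
        "lookalike_cert_on_lookalike_host": hostname_matches_san(lookalike_cert, "news.ycombimator.com"),
        # Wildcards cover one extra label only; other TLDs are a different domain
        # that anyone can register and get a cert for.
        "wildcard_one_label": hostname_matches_san(wildcard_cert, "shop.luxowatch.com"),
        "wildcard_two_labels": hostname_matches_san(wildcard_cert, "a.shop.luxowatch.com"),
        "wildcard_bare_domain": hostname_matches_san(wildcard_cert, "luxowatch.com"),
        "wildcard_other_tld": hostname_matches_san(wildcard_cert, "shop.luxowatch.co.uk"),
    }
```

The point of the demo dictionary is that every one of those verdicts is correct from the PKI's perspective: the check binds a certificate to the exact name in the URL, and the registrant of a similar name gets the same guarantee for their name. Anything about whether the name is the one you meant has to come from somewhere else, such as a bookmark, a password manager keyed on the real origin, or a WebAuthn credential scoped to it.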


You're proving my point: Google the company's name. I'd like to see an example of a fake company you can Google and get good results on.


> OP didn't screenshot the login screen in app, so I can only assume it was a real Facebook oauth flow

My guess would be that it was an in-app phishing page. Many legitimate login flows result in the official login page opening in a web view and asking for a password, which is indistinguishable from a phishing page.

> but honestly at that point it's already too late. If anything OP should be grateful that the native app running on what was presumably his personal device didn't do anything worse.

On phones, sandboxing significantly reduces the risk. Yes, it is possible to break out of the sandboxes if you have an exploit for that device, but it's a lot harder than on desktop where by default anything you install has full control over everything and could just steal all the users' passwords.


> Many legitimate login flows result in the official login page opening in a web view and asking for a password, which is indistinguishable from a phishing page.

I don't understand how Google/Facebook/etc can allow this to happen, let alone encourage it. I'm just baffled.


AFAIK Google doesn't encourage it and made some efforts to block it: https://auth0.com/blog/google-blocks-oauth-requests-from-emb...

Hasn't been 100% effective unfortunately, and even if it was, it's really hard to make users understand that this flow is incredibly dangerous.

And while Google on Android can simply go through system libraries, Facebook doesn't have the option if the app is not installed. They have to open something that will allow the user to log in (usually a browser), which is something the app can fake (in the case of the browser, just fake the whole browser UI, fake address bar included).


I misunderstood the part I quoted, I thought it was about web pages asking you to log in via Google/Facebook. So the problem I was thinking of is more generally entering Google credentials into logins provided to us by a third party. The "don't use the link in your email to log into google, go to gmail.com instead" advice has been seriously degraded by this. It should always be that if you aren't already logged in, you have to go yourself to gmail/facebook/etc and log in there.


It wasn't oauth, it was a normal facebook login. The application didn't fake anything, but simply extracted the session cookie after login.


How could they prevent it?


Ban apps that do that.


And how are they supposed to do that? If it's a fake login (aka phishing) page facebook wouldn't even know about it. The only effective way is dissuade consumers from entering their login credentials in-app, but even that's tricky because if it's a malicious app they could "fake" a web browser complete with a fake "address bar".


This is why "with a password manager" is a crucial part of the puzzle.

You have to fail at several steps if you're entering your credentials in this scenario.


They're supposed to ban the legitimate apps, so as to not normalize the interface that leads to phishing attempts. Right now, it's totally encouraged by google to enter your login credentials by clicking "log in with google" at a random site and just typing into the fields presented to you.


I'm curious if the oAuth flow requested a specific scope to have permission to remove the user from their Ads account. If so, did Facebook make it clear that the permission was be requested.

I must say that it was a pretty clever scheme.


Permissions scoping is a really under-utilized tool.

I see this most often with extensions, which usually want to act on all domains when they should really need an allow list of just 1-2 domains. There are also many app integrations that use an API token that just straight bypasses login with NO security restrictions.

I would use a lot more app integrations if I knew I could trust the host platform to keep the apps honest.

I think we're missing a lot of innovation because we lack secure and reliable integration points between commodity services. Banking and Health are the most obvious issues. It should be trivial for me to authorize a third-party app to download transaction history from any bank without giving it the ability to change anything. I should be able to assemble my entire medical history by pulling from any medical office I interact with, and push that to any provider I choose to use.

There are lots of industry incentives to prevent this though. It's just like the Cable Card saga. You need strong, un-captured, technically-literate regulators to fix this stuff and unleash broader innovation.


It's possible that the attack didn't happen through the regular oauth credential request flow — if the OP logged in to Facebook inside of an app-controlled webview, the app could have just exfiltrated the user's login cookie and performed the change using "first-party" Facebook APIs.


The problem with many attacks is we've now been trained to do dumb things - like putting our password into webviews inside 3rd party apps - by reputable companies. So it doesn't feel as insane as it should do.


Yes. A thousand times yes.

OAuth outside a browser is just training people to be phished.


It's not just limited to webviews and tech companies.

When my bank calls me up about an issue with my account, they won't talk to me unless I give them my date of birth and email address for 'data protection' purposes.

They're always really confused when I say I will have to call them back.


This is what I think too. WebView doesn't show the domain of the page, and it is not possible to see if you are really on the Facebook login page, or somewhere the attacker controls. Unless the attacker was using a YubiKey or some sort of hardware token, the victim would have entered the TOTP code too, which the attacker can ask for and pass on to authenticate successfully.


How does a YubiKey prevent that kind of relay attack? If those keys blindly sign whatever's given to them, there's got to be a way to trick a user into signing something malicious.

This [1] says that U2F avoids phishing by having the browser tell the 2FA device the domain, but that seems a bit weak to me. The same site even has an app where the info is relayed via a browser plugin, so literally relaying the data that's supposed to be trusted. The only way I can see that actually working is if the security key knew to only sign challenges for a specific domain.

1. https://krypt.co/blog/posts/prevent-phishing-on-the-web-with...


The security of the browser implementation is important. It provides the origin for the security hardware to sign, and the authenticating server ("relying party") verifies it. If your browser tells the key it's google.com when it's really evil.com, then sure, you can log into google.com if the user signs the request.

The WebAuthn spec says: "Direct communication between client and authenticator means the client can enforce the scope restrictions for credentials. By contrast, if the communication between client and authenticator is mediated by some third party, then the client has to trust the third party to enforce the scope restrictions and control access to the authenticator. Failure to do either could result in a malicious Relying Party receiving authentication assertions valid for other Relying Parties, or in a malicious user gaining access to authentication assertions for other users."

(https://w3c.github.io/webauthn/#sctn-client-authenticator-pr...)

If you click further into the older FIDO spec, they cover this more explicitly: "Malicious software on the FIDO user device is able to read, tamper with, or spoof the endpoint of inter-process communication channels between the FIDO Client and browser or Relying Party application. Consequences: Adversary is able to subvert [SA-2].

Mitigations: On platforms where [SA-2] is not strong the security of the system may depend on preventing malicious applications from being loaded onto the FIDO user device. Such protections, e.g. app store policing, are outside the scope of FIDO."

(https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-se...)
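The exchange above contrasts three things: a TOTP code that a phishing page can relay, a WebAuthn assertion that the relying party rejects because the browser-supplied origin and rpIdHash are inside the signed data, and the FIDO caveat that malware on the client can defeat this by lying about the origin. The following is added example code (not from any commenter, browser or library) showing all three from the relying party's side. Secrets, the challenge and the origins are constructed for the example; the only invented piece is that the authenticator's ECDSA signature is stood in for by HMAC-SHA256 so the block runs on the Python standard library, which leaves the origin and rpId checks, the part that matters here, exactly as the WebAuthn spec lists them.

```python
import base64
import hashlib
import hmac
import json
import struct


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# ---- TOTP (RFC 4226 / RFC 6238): what a phishing page can relay ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int) -> bool:
    # Nothing in a TOTP code names the site it was typed into, so a code
    # captured on fakebook.com and replayed to facebook.com inside the
    # same 30-second step verifies just fine.
    return hmac.compare_digest(totp(secret, at), code)


# ---- WebAuthn assertion verification: bound to rpId and origin ----

RP_ID = "facebook.com"                                   # relying party's registrable domain
ALLOWED_ORIGINS = {"https://facebook.com", "https://www.facebook.com"}


def authenticator_data(rp_id: str, sign_count: int, user_present: bool = True) -> bytes:
    # rpIdHash (32) | flags (1) | signCount (4, big-endian); no extensions here.
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def client_data_json(challenge: bytes, origin: str) -> bytes:
    # The browser, not the page, fills in `origin`; it is covered by the signature.
    return json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge), "origin": origin},
                      separators=(",", ":")).encode()


def sign_assertion(cred_key: bytes, auth_data: bytes, cdj: bytes) -> bytes:
    # STAND-IN for the authenticator's ECDSA/Ed25519 signature (assumption made so
    # the example is stdlib-only). The message is the real one:
    # authenticatorData || SHA-256(clientDataJSON), so origin and rpId are signed.
    return hmac.new(cred_key, auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()


def verify_assertion(cred_key, expected_challenge, auth_data, cdj, signature, last_sign_count=0):
    """Relying-party checks in the order the WebAuthn spec lists them. Returns (ok, reason)."""
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if cd.get("challenge") != _b64url(expected_challenge):
        return False, "challenge"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r" % cd.get("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash"
    if not auth_data[32] & 0x01:
        return False, "user presence"
    count = struct.unpack(">I", auth_data[33:37])[0]
    if count and count <= last_sign_count:
        return False, "sign count (cloned authenticator?)"
    if not hmac.compare_digest(sign_assertion(cred_key, auth_data, cdj), signature):
        return False, "signature"
    return True, "ok"


def scenarios():
    """Constructed secrets and challenge; each entry is the relying party's verdict."""
    totp_seed = b"constructed-totp-seed"
    cred_key = b"constructed-credential-key"
    now = 1_600_000_000
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    out = {}
    # 1. TOTP phished on fakebook.com and relayed five seconds later: accepted.
    out["totp_relay"] = verify_totp(totp_seed, totp(totp_seed, now), now + 5)
    # 2. Honest browser on the real site: accepted.
    ad = authenticator_data(RP_ID, 1)
    cdj = client_data_json(challenge, "https://www.facebook.com")
    out["webauthn_legit"] = verify_assertion(cred_key, challenge, ad, cdj, sign_assertion(cred_key, ad, cdj))
    # 3. Honest browser on fakebook.com: it records the true origin and only allows
    #    an rpId that is a suffix of it, so even a signature the phisher somehow
    #    obtained names the wrong origin and the wrong rpIdHash. Rejected.
    ad_p = authenticator_data("fakebook.com", 1)
    cdj_p = client_data_json(challenge, "https://fakebook.com")
    out["webauthn_phished"] = verify_assertion(cred_key, challenge, ad_p, cdj_p, sign_assertion(cred_key, ad_p, cdj_p))
    # 4. The FIDO caveat: malware on the client lies to the authenticator about the
    #    origin. The signature is genuine and the relying party cannot tell. Accepted.
    ad_c = authenticator_data(RP_ID, 2)
    cdj_c = client_data_json(challenge, "https://www.facebook.com")
    out["webauthn_compromised_client"] = verify_assertion(cred_key, challenge, ad_c, cdj_c, sign_assertion(cred_key, ad_c, cdj_c))
    return out
```

Scenario 3 is generous to the attacker: in practice an honest browser on fakebook.com cannot even request rpId `facebook.com`, and the authenticator holds no credential scoped to `fakebook.com`, so the assertion would never be produced. Scenario 4 is the limit the FIDO security reference describes: the relying party's checks are only as good as the client that filled in `origin`, which is why keeping the device free of malicious apps is listed as out of FIDO's scope rather than something the protocol solves.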


I learned a lot from that. Thanks!


When you do a login with Facebook, does the popup show you what permissions are being requested? I know I've seen that before.


I fell to a (now) very obvious scam on Instagram. It seems to me that it's really easy to bypass their checks. It was a fake ad for a real product. They accepted PayPal and it took forever to get PayPal to refund me. Worse yet, even after multiple escalations PayPal continued to be on the website. Instagram continued to show me ads for the exact same product from different domains. I realized that PayPal is next to useless if you're a victim of fraud. It's much better to use a credit card directly (esp Amex or Discover) and challenge fraud than PayPal.


I use PayPal as a front to my bank account via SEPA Direct Debit, which has an 8-week no questions asked refund policy. If PayPal doesn’t cooperate when I raise the issue I can easily get my money back through my bank. But I still like to dispute just so the business goes on record for fraudulent transaction.


You should be careful relying on that. While many Direct Debit systems have some sort of quick refund guarantee, they don't guarantee that you get to keep the money.

The normal flow will be your bank reimburses you from their own pocket. Then it goes after the merchant to recover the funds; however, if the merchant can present evidence that the charge is valid then your bank will attempt to claw the money back from you.

Now the important question here is what is a "valid" payment. Normally the direct debit scheme will outline what that is, and it's probably something very simple like there's evidence that you requested the funds be removed from your account. With something like PayPal they can probably claim that the request was valid, at least the bit between PayPal and the bank was, and that the onward movement of money is a separate issue that doesn't fall under the direct debit guarantee.

It's worth really digging through the small print on these things, they're frequently a lot less helpful than you think, and PayPal has managed to exploit these little holes to their benefit.

Personally I avoid using PayPal where possible and stick to debit/credit card where you have a very simple relationship between you, your bank and the merchant. Which makes disputes much easier, and places the law very much on your side. All this comes from experience dealing with disputes from the bank's perspective, and trying to get the right result for the customer, while dealing with payment schemes and regulatory obligations.


Good call. I was referring to SEPA Direct Debit. I should have been clearer. With SEPA Direct Debit, I get an 8-week no questions asked refund, regardless of the nature of the business. In fact, I've used it to recover money from government agencies and businesses that auto-renewed annual contracts without my consent.


In the US, debit cards do not have the same consumer protections that credit cards do. If you’ve gotten refunds from your bank for debit card fraud, you are lucky.

https://www.investopedia.com/articles/personal-finance/05021...

“ But if the item was bought with a debit card, it cannot be reversed unless the merchant is willing to do so. What is more, debit card theft victims do not get their refund until an investigation has been completed. Credit card holders, on the other hand, are not assessed the disputed charges; the amount is usually deducted immediately and restored only if the dispute is withdrawn or settled in the merchant's favor. While some credit and debit card providers offer zero-liability protection to their customers, the law is much more forgiving for credit card holders.”


Direct debit is not a debit card. It's an authorisation to pull funds from your debit account as needed.


If that’s what he’s doing, that’s even worse than a debit card in terms of risk and lack of protection.


It might help to read a little about how SEPA Direct Debit works. To begin, it's a European scheme, not American. Not every merchant can sign up for SEPA Direct Debit. They need another bank to be their guarantor (called your SEPA Direct Debit Creditor). When I have issues with a transaction and order a refund within 8 weeks of the transaction, I get my money back, no questions asked. I've used this to recover money from all sorts of businesses and government agencies.

The business can only dispute if I requested my money back _after_ the 8 weeks. That's when the evidence and back-and-forth with the business comes in.


I recently made a purchase that turned out to be fraudulent on paypal, and somehow had no trouble getting my money back relatively promptly. Maybe it took about a week from when I filed "I never got the product, I think the whole website was fraud".


Be careful, you can still get scammed here. I got hit for a $75 scam product that I bought with my CC, mistakenly thinking I would be protected. The scammers knew what they were doing though. They ship you a super super super cheap version of the product from china, taking advantage of those low low China -> US shipping rates, so that they have certificate of delivery. So you can't say you never got the product. And in that case, both paypal and the CC company require that you send the item back. Shipping the item back to china costs more than the item itself. So there's no point. Scammers won.


Maybe it's because the banks are all pretty good and modern in Canada, but I honestly just don't get PayPal. My credit cards are all very easy to pay with, fraud detected quickly and easy to dispute, and many purchase types insured.


"If anything OP should be grateful that the native app running on what was presumably his personal device didn't do anything worse."

I don't understand why any of these actions would be taken with a mobile phone ...

What I mean is, managing advertising campaigns and budgets and managing assets and spend, etc., is kind of a complicated workflow ... further, it's a fairly critical business process involving a lot of money.

I can see ordering some workroom supplies or paying a hosting bill with my phone ... but creating and managing ad campaigns ? That seems very unwieldy and inefficient. Google adwords, through the web based interface, is very complex and there's a lot of functions there. I can't imagine trying to do this on a phone.

So what am I missing here ?


It's not that unreasonable. When I am on the road, it can be days between sitting at a desktop. If I can do something on my mobile, I'll do it, or try.

I don't get involved in ad buys.


Laptops exist as a very efficient middle way between a desktop and a mobile phone: all the desktop functionality and the benefit of mobility. This is not an ad :p


Yeah, except I cannot always carry around my laptop, as my small mobile is already heavy enough.

I don't understand the need for snark here on your part, do you not think I have already considered it?

By "desktop" I meant "desktop environment".


> so I can only assume it was a real Facebook oauth flow,

another reason why we should be training users to only do OAuth in a browser with a password manager.

It's one last solid line of defence.

OAuth in a native app is a security risk.


That's not a silver bullet though. If the password manager does a poor job of domain matching, the user gets accustomed to having to manually search for logins once in a while.
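The domain-matching point above is worth seeing in code. The following is an added example, not code from any password manager: it contrasts a loose "brand label appears somewhere in the host" match with a strict registrable-domain (eTLD+1) match, and only ever offers credentials on https origins. The public-suffix subset and the sample URLs are constructed for the example; a real manager consults the full Public Suffix List.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List: suffixes that span two labels.
# A real password manager loads the full list; this is enough to show the idea.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the registrable domain (eTLD+1) of an https URL, or None.

    Only https origins qualify: a manager should never offer credentials
    on a plain-http page, whatever the host name looks like.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or "" in labels:
        return None
    suffix_labels = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) < suffix_labels + 1:
        return None
    return ".".join(labels[-(suffix_labels + 1):])


def loose_match(saved_url: str, current_url: str) -> bool:
    """The weak behaviour: offer the login if the saved site's brand label
    appears anywhere in the current host name."""
    saved = registrable_domain(saved_url)
    current_host = (urlsplit(current_url).hostname or "").lower()
    return saved is not None and saved.split(".")[0] in current_host


def strict_match(saved_url: str, current_url: str) -> bool:
    """The sound behaviour: the registrable domains must be identical,
    so a subdomain of the real site matches and a look-alike does not."""
    saved = registrable_domain(saved_url)
    current = registrable_domain(current_url)
    return saved is not None and saved == current


def autofill_decision(saved_url: str, current_url: str) -> str:
    """What the manager should do on the current page."""
    return "autofill" if strict_match(saved_url, current_url) else "no-match"


if __name__ == "__main__":
    # Constructed sample: a saved Facebook login and three pages an OAuth flow might land on.
    SAVED = "https://www.facebook.com/login"
    for page in (
        "https://m.facebook.com/login.php",              # real site, other subdomain
        "https://facebook.com.evil-example.test/oauth",  # look-alike: brand as a subdomain
        "http://www.facebook.com/login",                 # right host, wrong scheme
    ):
        print(f"{page:48} loose={loose_match(SAVED, page)!s:5} strict={strict_match(SAVED, page)}")
```

The user-facing consequence is the one the comment describes: with the loose rule the look-alike host gets a fill offer, with the strict rule it gets none, and a user who is used to the strict rule has a reason to stop when the manager stays silent.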


Agreed. Not perfect but much better than nothing.


> The scammer silently removing OP as an admin from their own ad account, preventing them from noticing or stopping the fraudulent ad campaign is just icing.

This hints at not having 2 factor authentication anywhere in the chain?

Would definitely advise setting up 2 factor authentication on anything managing 5 figure sums.


How would that help? They were removed via the API, no passwords were stolen.


2FA is how you protect your credentials from being stolen and used. This wasn't a case of credentials being stolen, this is a case of someone being tricked into authorizing a separate account to take action. The hacker didn't change his credentials to lock him out, it literally revoked access from his Facebook login to the ad account.

I'm using "login" and "account" specifically here to highlight the difference. On systems where there are likely to be multiple people that need access, there's a distinction between the "service account" and "logins or user accounts" that can control it. Generally, when the service account is created by a login, that login is added implicitly as a controlling user account with full privileges, and other user accounts (logins) can be added with varying levels of control. This situation appears to have been along the lines of the following:

1. User "real_user" creates facebook ads account id 123456, and real_user is the admin of the ads account id 123456.

2. At some point real_user adds "scam_user" to the facebook ads account id 123456 with full admin permissions.

3. scam_user uses the full admin permissions it has for facebook ads account 123456 to remove access for real_user.

Note that this is a fully legitimate and common action to take in systems like this. If you are a business and pay someone to manage your facebook ads, they are likely the admin on the account (and you may be too), and if they leave and you hire a new person to manage it, you would want to revoke the old employee's account access and add access to the new employee's account.

This is how you handle it on Google Suite, Zoom's business accounts, Active Directory in Windows domains, etc. The real problem here is that the scammer got enough permissions to revoke the original user, and the original user did not get an email notification. I'm not sure if facebook ads allows adding accounts with limited permissions so only certain actions can be taken and part of the scam was making the permissions asked for non-obvious, or if that's a permissions distinction facebook ads doesn't support.


Maybe the oauth scope requested edit access to the FB business manager? That way the scammer can remove OP from the business and add himself via the API


I was surprised too since OP's writeup indicates that he has 2FA on everything. You would think that you'd at least get an email or push notification if you get removed from an ad account/notification settings get changed, so it seems like an oversight by FB.


Hardly anybody does the "when changing an email address on an account send an email to the old address to allow them to revert the change and temporarily lock the account". It seems like such an obvious thing to do.
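Two things in this thread fit one model: the service account with several controlling logins described a few comments up (steps 1 to 3, where one admin revokes another) and the "notify the old address with a way to revert" rule just mentioned. The following is an added example, not Facebook's or any vendor's code: a small access-control model in which an admin can still remove another admin (the legitimate operation the thread describes), but the removed login is always notified, every change is audited, the last admin cannot be removed, and an email change mails the previous address a revert token. The `ANALYST` role, the account id 123456 from the thread, and the logins and addresses are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Role(Enum):
    ADMIN = "admin"      # may spend, add and remove members
    ANALYST = "analyst"  # hypothetical limited role: reporting only, no membership changes


class NotAuthorized(Exception):
    pass


@dataclass
class Login:
    """A person's login; several logins may control one service account."""
    name: str
    email: str


@dataclass
class Notification:
    """Constructed stand-in for an e-mail; revert_token is set only for email changes."""
    to_email: str
    subject: str
    revert_token: Optional[str] = None


class ServiceAccount:
    """A shared resource (here an ads account) controlled by member logins."""

    def __init__(self, account_id: int, creator: Login, outbox: List[Notification]):
        self.account_id = account_id
        self.logins: Dict[str, Login] = {creator.name: creator}
        self.roles: Dict[str, Role] = {creator.name: Role.ADMIN}  # creator is the implicit admin
        self.audit: List[str] = [f"{creator.name} created account {account_id}"]
        self.outbox = outbox

    def _require_admin(self, actor: str) -> None:
        if self.roles.get(actor) is not Role.ADMIN:
            raise NotAuthorized(f"{actor} is not an admin of account {self.account_id}")

    def _admins(self) -> List[str]:
        return [name for name, role in self.roles.items() if role is Role.ADMIN]

    def add_member(self, actor: str, login: Login, role: Role) -> None:
        self._require_admin(actor)
        for name in self._admins():  # the other admins learn that a member was added
            if name != actor:
                self.outbox.append(Notification(self.logins[name].email,
                    f"{actor} added {login.name} as {role.value} on account {self.account_id}"))
        self.logins[login.name] = login
        self.roles[login.name] = role
        self.audit.append(f"{actor} added {login.name} as {role.value}")

    def remove_member(self, actor: str, target: str) -> None:
        self._require_admin(actor)
        if target not in self.roles:
            raise KeyError(target)
        if self.roles[target] is Role.ADMIN and self._admins() == [target]:
            raise NotAuthorized("refusing to remove the last admin")
        role = self.roles.pop(target)
        removed = self.logins.pop(target)
        self.audit.append(f"{actor} removed {target} ({role.value})")
        # The step the thread says was missing: the removed login is always told.
        self.outbox.append(Notification(removed.email,
            f"You were removed from account {self.account_id} by {actor}"))


class Directory:
    """Login records. An email change notifies the OLD address with a revert token."""

    def __init__(self, outbox: List[Notification]):
        self.logins: Dict[str, Login] = {}
        self.pending: Dict[str, Tuple[str, str]] = {}  # token -> (login name, old email)
        self.outbox = outbox

    def register(self, login: Login) -> None:
        self.logins[login.name] = login

    def change_email(self, name: str, new_email: str) -> str:
        login = self.logins[name]
        token = secrets.token_urlsafe(16)
        self.pending[token] = (name, login.email)
        self.outbox.append(Notification(login.email,
            f"Your email was changed to {new_email}; use the token to revert", revert_token=token))
        login.email = new_email
        return token

    def revert_email_change(self, token: str) -> bool:
        entry = self.pending.pop(token, None)  # single use
        if entry is None:
            return False
        name, old_email = entry
        self.logins[name].email = old_email
        return True


def run_scam_scenario() -> Tuple[ServiceAccount, Directory, List[Notification]]:
    """Steps 1-3 from the thread, run against the notifying model (constructed data)."""
    outbox: List[Notification] = []
    directory = Directory(outbox)
    real_user = Login("real_user", "real_user@example.test")
    scam_user = Login("scam_user", "scam_user@example.test")
    for login in (real_user, scam_user):
        directory.register(login)
    ads = ServiceAccount(123456, real_user, outbox)     # 1. real_user creates it and is admin
    ads.add_member("real_user", scam_user, Role.ADMIN)  # 2. the over-broad grant
    ads.remove_member("scam_user", "real_user")         # 3. scam_user revokes real_user
    return ads, directory, outbox


if __name__ == "__main__":
    ads, directory, outbox = run_scam_scenario()
    for line in ads.audit:
        print("audit:", line)
    for note in outbox:
        print("mail to", note.to_email + ":", note.subject)
```

Running `run_scam_scenario()` leaves scam_user as the only admin, exactly as in the thread, but real_user's address receives a removal notice the moment it happens, and the audit trail records who did it. Granting `ANALYST` instead of `ADMIN` at step 2 would have made step 3 raise `NotAuthorized`, which is the limited-permission distinction the earlier comment wonders about.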


> I suppose the real lesson to be learned is to simply avoid installing native applications when you can help it.

I looked at the playstore page and it immediately raised many red flags. The app isn't by Tiktok or Bytedance.

It's like clicking on a similar looking domain link in your email.


> avoid installing native applications when you can help it

Why couldn't a web site have stolen his credentials in the same way?


I guess you’ll have a better chance to spot the URL is fake than in an app where you won’t see it


And notice that you're logged out which is unusual in many cases.

And a bunch of other potential signals that would be missing in a native app.

It's not foolproof but it's a step forward.


The real lesson is to install ublock origin and be done with deceptive advertising.

Last time I tried to find nvidia drivers for windows the 1st result was an obvious scam/crapware. It is not acceptable that big tech companies are making money while not taking responsibility for advertisements.


Is this something that could have just as easily happened through Apple's app store? This sounds like exactly the type of thing that those 30% app store cuts should be going towards to prevent (regardless of the platform).


To me the lesson is the same old basic web security practice: don't click links, navigate to pages yourself. When he saw the ad that interested him he should have googled the offer instead of clicking on the ad.


Tiktok is giving away $3K in ad credit per customer? And the regular price isn't massively overpriced?


It's actually even nastier than that. If you fail their automated checks for fake accounts, they'll lock your account and require you to submit a photo of your face and ID card.


He had a Facebook ads account with PayPal linked, and the hacker used his login info to run their own (apparently Vietnamese aluminum product) ad campaign and spend using his account.


Why would anyone link those two things? That just seems insane to me.


Ha. I'm stealing that joke, that's quality. I wonder if anybody's managed financial success on Medium/Substack yet with a "hustler inspiration" focused GPT masquerading as a guru. I'd love to read that postmortem.


I sincerely thought the author was joking at first. My lived experience is similar - some folks just genuinely act crappy just because they can, not because of "is actually caused by the systematic inequalities and injustice those armies, police, prisons and governments make possible."

Ironically, the more well-off are more likely to engage in explicitly anti-social behavior[1]...I'd hate to live in a world of anarchist Gordon Gekkos without an SEC.

[1] A quick article with various linked studies: https://www.weforum.org/agenda/2016/10/wealth-can-make-us-se...


Gordon Gekkos under Anarchy wouldn't be rich (because significant material accumulation is impossible without private property), so that wouldn't be a problem.

As for a tiny minority of assholes, they have been dealt with for millions of years using social norms and communal existence.


You have a good point about making the desktop experience more painless and idiot-proof.

The real problem for me though is that snaps are slow as hell. I mean like taking 4-5+ seconds to open on a box with an SSD, i7, and 64GB of RAM. That's unacceptable.

The icing on the cake for me is that even through the command line as you mention apt now seems to be giving me snaps instead of debs for a great deal of programs, which affects much more than the store experience. And, also, regarding said store experience: if stuff like Spotify takes 5+ seconds to open I doubt a user coming from Windows giving Linux a try is going to want to stick around long...it would be great if there was just a better solution.


I second this, I couldn't care less about snaps, Flatpaks, debs.

But snaps are - for me - A LOT SLOWER than everything else out there.

*.deb, binaries run stuff in less than a second.

Flatpaks, appimage, I have those running in a second or two. Snap, for the same app takes 3-5 sec. sometimes (I wouldn't know why), it even takes as much as 8-10 sec.

NOBODY can get a pass on artificially making slower apps in 2020.


> making the desktop experience more idiot-proof.

"If you make it idiot proof only idiots will want to use it". - this holds true. Canonical made the conscious and deliberate decision to treat users like morons by not even giving us the ability to decide how and when to install updates.

I gave up on Windows because of their blindly hostile approach to users, I won't be installing the latest Ubuntu - opting for Mint instead.


You're right, Apple is heading in the same direction by locking down macOS for power users :(


> The real problem for me though is that snaps are slow as hell. I mean like taking 4-5+ seconds to open on a box with an SSD, i7, and 64GB of RAM. That's unacceptable.

Spotify is specifically one of the snaps I use and frankly, I noticed it seemed to start a little slow but just assumed that was because of Electron or something. I literally don't care and never thought anything of it. I run it, it starts, and then I don't close it.

Besides, if Spotify users reject it, they can always switch to PPA or something else. It's their choice.

> apt now seems to be giving me snaps instead of debs for a great deal of programs,

"a great deal"? I've seen two mentioned, chromium and lxd. Where else have you encountered this where Debian has a package available from a maintainer but a snap shim is used instead?

Apt will also tell you a snap is available if there's no deb but that's just useful information.


> if Spotify users reject it, they can always switch to PPA or something else

Some apps, like Chromium have no alternative ppas available.

I installed KDE Neon 20.04 and when I discovered that Chromium was being switched to snap, I searched for any current *.deb out there. NO proper ppas, just found some outdated Chromium 1-3 versions behind the current version.

If it wasn't for the KDE from Neon, I would have switched distro within the hour. I switched to Chrome instead.

Got some old compiled Chromium just to have the thing available (I can just run it when I need it, it takes maybe 1/4 of sec to start).

Just hope Canonical doesn't try its snap thing in more critical packages or (FAR) worse, in the LTS server versions.

I would be getting popcorn to see the show when half the Internet starts to ditch the LTS overnight over some half-proprietary half-baked software being put in charge of its otherwise perfectly GPLed infrastructures.


Right, this is why Canonical moved Chromium to snaps - It's a ton of effort building Chromium for 20.04, 18.04, and all the intermediate releases every few weeks for a package that's in universe.

It's cheaper/easier for them to publish one version across all of Ubuntu.


> Besides, if Spotify users reject it, they can always switch to PPA or something else. It's their choice.

This is not what happens. The vast majority of users don't know or care why something is slow. They'll just say "Ugh, Linux is slow, I'm going back to Windows."


It's definitely not launching slowly due to Electron, because it's not Electron :)

It's C++ with CEF


"Let’s admit it, we are all in the persuasion business. Technologists build products meant to persuade people to do what we want them to do. We call these people 'users' and even if we don’t say it aloud, we secretly wish every one of them would become fiendishly hooked to whatever we’re making." --"Hooked" (2013)

The snappy aphorism off the top of my head is that "only drug dealers and IT call their customers 'users.'"

One day perhaps we will indeed look at the apps of today as massive social engineering experiments gone haywire. But the author's categorization of Facebook as an "ant farm of humanity" and a "digital cesspool" is juuuust a bit too misanthropic and bitter for my tastes. The internet has connected humanity to an extent that is literally hard to grasp, and yes, that does come with very human problems, so it's silly imo to pin all of our woes on Facebook et al. I'd love to hear what kinds of creative derogatory phrases the author would come up with to describe the period of dominating telephone networks, or mass media television, or even before we had any wires at all and just had to rely on the post and grapevine in the horrific dark ages before the invention of the telegraph in the 19th century.

Plus, for nostalgia's sake, the indie web's still out there if you know where to look (e.g. https://wiby.me/)


While it's a well-known and indeed snappy aphorism, many years after I heard it, I found out that in the mid-20th century, librarians used the term "users" for what they now call "patrons".

For examples: from 1952, "A public library user is defined as an individual twelve years of age or over who used either a branch library or bookmobile during the thirty days preceding the interview." (Quoting "Rural reading habits; a study of county library planning, Prince Georges County, Md.", https://babel.hathitrust.org/cgi/pt?id=mdp.39015034569759&vi... )

From 1931, "This was the first complete triple asyndetic dictionary catalog. It became a favorite with town and mercantile libraries, the idea always being that the user was searching for some book he knew about ..." ("Outline of the history of the development of the American public library", https://babel.hathitrust.org/cgi/pt?id=mdp.39015019970162&vi...)

From 1928, "Consider the User of Bulletins", title of a letter to the editor in Science - https://science.sciencemag.org/content/67/1724/40.2 .

Maybe it wasn't specific to library science either. I just did a broader search for "user" and found, for example, a 1905 ad for a book of tables for surveyors and engineers: "The computations enable the user to ascertain the sines and cosines for a distance of twelve miles to within half an inch, and this by reference to but One Table, in place of the usual Fifteen minute computations required. This alone is evidence of the assistance which the Tables ensure to every user ... " https://babel.hathitrust.org/cgi/pt?id=mdp.39015063579133&vi...


Fascinating! I'll update my nomenclature, that's some quality digging.

