PhilipTheBucket

[–] [email protected] 10 points 9 hours ago (10 children)

I don’t really know, but I feel like stuff like deliberately doing a Nazi salute is specifically to solicit people to call him a Nazi so that then he can say they’re crazy because the accusation is so outlandish.

It also takes attention away from the more substantive things he’s done. It’s not illegal and doesn’t really hurt anybody to do a Nazi salute, so in one way it’s a perfect thing to get people jabbering about.

[–] [email protected] 3 points 10 hours ago (1 children)

If voting didn’t matter, they wouldn’t be trying as hard as they are to undermine it.

[–] [email protected] 3 points 16 hours ago (1 children)

HL2 was the first major game that based its core gameplay on its physics engine, the first to have HDR rendering and the game that Source engine was developed for. Without HL2, a lot of video games in the decade that followed it would have looked a lot different.

Yeah, maybe so. Source is just Valve's internal engine, it was continuously developed and used during pretty much all of their FPS-type game development which includes HL2 along with everything else. It was forked from the not-"Source" source tree at the time of release of the original Half-Life and moved forward continuously from there. But yeah HL2 did do a bunch of ground-breaking stuff, I do see your point and I think it belongs on the list.

The article claims that Shenmue was the first to have a “living world” where characters follow their daily routines and so on.

It's not. Ultima 6 was doing that.

Actually, The Last Express had already done whatever Shenmue was attempting to do with its "living world" absolutely ten times better. But the same tragic story that led The Last Express to be a commercial flop also means that all the wonderful stuff it did didn't really make any impact. 😢 TL;DR it was an actual successful implementation of powerful narrative inside of a world that the player could meaningfully impact, in a perfectly meshed and groundbreaking form. But for some reason the studio either refused to or couldn't do basically any promotion for it, and so after being completed it sold barely any copies and simply fell into the abyss, unknown. It was a masterpiece. Shenmue probably had more lasting impact on gaming.

https://en.wikipedia.org/wiki/The_Last_Express

[–] [email protected] 13 points 17 hours ago (3 children)

Zero Punctuation as usual gets to the heart of the matter very effectively: https://youtu.be/g4Dw0Z2Dsts

That’s for Shenmue 3. He actually made a separate video reviewing the original, but that one covers more of the history and context. TL;DR It has a devoted cult following of people who basically want a very specific type of gaming experience, but the specific game that was the first to give it to them just objectively is not very good at all as an interactive video game, which is why it has never been all that popular outside that little following. Some people trace to Shenmue the lineage of huge cinematic games that emphasize narrative, which I guess could be valid, but even a super-charitable reading shouldn’t put it anywhere near the coveted number 1 spot.

Oh, you know what happened? I just realized, I hadn’t even read the introductory material and realized it was from a public survey. It’s a “first past the post” problem. Plenty of people had various lists of games they felt passionate about (and you can tell where the boundary is where “I played this game recently and I love it now so it is my favorite” started to distort the placement of some recent games), but anyone who had Shenmue anywhere on their list put it as the number 1 spot. And so, it won by bad voting algorithm. I can almost guarantee that each respondent was only allowed a single choice for most influential game.

I actually think the list, with some exceptions, is remarkably accurate. It definitely isn’t perfect. There are also some big omissions, notably in old PC games that had a big influence or fleshed out new genres that have mutated since then, or gone extinct or something. I think they’re just outside of too many people’s memory at this point.

Off the top of my head:

  • Ultima or Dungeon Master
  • King’s Quest or Monkey Island
  • Civilization
  • Battlefield 1942
  • Halo or Goldeneye
  • Counterstrike
  • Warcraft 2
  • Zelda 1

[–] [email protected] 1 points 18 hours ago

Yeah. This is absolutely on purpose. What’s that hard-hitting documentary about the 2014 revolution called, it’s definitely “Ukraine on Fire” right?

[–] [email protected] 17 points 18 hours ago (10 children)

  1. GRAND THEFT AUTO
  2. THE ELDER SCROLLS V: SKYRIM
  3. GRAND THEFT AUTO III

Wow… okay, this is good. It is really rare to see one of these lists that is actually populated with extremely influential games. That’s a good choice of metric, too. Not which ones are “great” but which ones had a lasting impact on the landscape.

  1. WORLD OF WARCRAFT
  2. PONG

I wonder if it might be good to separate by decades or generations or something. These are both obviously ground-breakingly influential and belong on the list but it seems kind of senseless to try to “compare” them.

  1. HALF-LIFE 2

Okay that’s a little weird. We’re getting up into the real high-water heights here and I mean HL2 is good but…

  1. KINGDOM COME: DELIVERANCE 2

Guys? You okay? I haven’t played it but it seems unlikely that it needs to be above WoW and Dark Souls.

  1. MINECRAFT
  2. THE LEGEND OF ZELDA: OCARINA OF TIME
  3. HALF-LIFE

Okay, here we go. You guys found your stride again. These are legit choices yes.

  1. SHENMUE

THE FUCK WHY WHAT

[–] [email protected] 2 points 1 day ago* (last edited 1 day ago)

Because it is transparently obvious that it's going to happen.

If you're sending your users' private statuses to an ActivityPub server, and just hoping that it's going to choose to keep them private according to certain parameters even though that's not what the spec says it needs to do, then you're fucking up. The fact that we know that particular instances of particular software are exposing them is a nice demonstration of the harm, a confirmation that you're fucking up when you're doing that, but it's not really needed. It is the absolutely predictable result of some basic principles of security which, as a security researcher, you should absolutely be aware of.

I've repeatedly explained this. You've repeatedly explained your position. We've both had our say. You seem addicted to the concept of "winning" the conversation and wanting to just go back and forth. In that case I would really encourage you to state your position again, and I can state mine again, and we can both have fun doing that for a while. Want to? It sounds like a productive use of both of our time. It's fun, too.

Edit: Actually, I didn't even realize you are on fedia.io when I was typing this. You can test for yourself whether mbin does this, too, by coordinating with @[email protected]. Follow his user, then have him post one of those private statuses, then fetch his user profile via fedia.io from an incognito window and see whether the private statuses show up. I have no idea whether they will, but if I had to guess, I would say it's better than even odds.

[–] [email protected] 9 points 1 day ago (6 children)

https://news-pravda.com/ posts multiple stories every minute, as far as I can tell just at all times. Something like this seems fairly likely.

[–] [email protected] 2 points 1 day ago (2 children)

Are you hoping to restart our disagreement through sheer passive-aggressiveness? Okay, sure.

In my view, this is a Mastodon design flaw (or a user-expectation issue or whatever you want to call it.) I already said that, and you're involved in the unproductive-arguer's pastime of pretending not to understand that that's my position, and just aggressively repeatedly reframing things according to your position and hoping I'll knuckle under to it through sheer force of repetition.

I'm not super invested in trying to track down each and every software that might manage to expose the "private" statuses in this way. I just know that as things come and go there are guaranteed to be some. If you have an mbin account and Mastodon account, though, we can try a little experiment. I don't know the outcome, I'm just curious after taking a quick look down the FediDB list and a quick grep through mbin's source code. You can be the one to responsibly disclose to mbin how their ActivityPub-conforming behavior is a problem, if indeed it turns out that it is, since you seem to be extremely committed to the idea that the model of "vulnerability" needs to be applied to this particular ActivityPub-conforming behavior. Since you're a security researcher, having that as a CVE you discovered can be an achievement for you. It's all yours, you can have it.

[–] [email protected] 3 points 1 day ago (4 children)

Hm... maybe. The exact nature of the problem in Pixelfed means that anyone with a Pixelfed account on a server which is getting private statuses can choose to follow someone who's set to "approve followers" and then read all the private statuses. I do see how that's significantly worse than just the normal lay-of-the-land of the problem, which is a little more random, and laying that out as a little roadmap to read someone else's private statuses before there's been a nice responsible length of time for things to get fixed could be seen as worsening the problem.

The point that I'm making is that anyone who's posting private statuses to Mastodon and expecting them to stay private is making a bad mistake already. The structure of the protocol is such that they can't be assured of staying private regardless of what Pixelfed did or even if Pixelfed didn't exist. They're getting federated to servers whose behavior is not assured, in a way where a conformant ActivityPub implementation can expose them. People who are posting private statuses need to understand that.

That whole blog post where the person is talking about her partner writing private statuses, and then the gut-wrenching realization that they were being exposed on Pixelfed... but then the resolution being "Pixelfed fucked up I hate Dansup now" and then continuing to post the private statuses, is wrong. That person's partner needs to stop treating their private posts on Mastodon that way. The timer for responsible disclosure started circa 2017 or whenever Mastodon decided on how to implement their private statuses. It's been and gone.

Like I say, I get the harm-reduction aspect of saying it would have been better if Dansup was a little more discreet about this particularly bad attack vector until a few more days went by for everyone to upgrade. But it hardly matters. There are still server softwares out there that are going to be exposing people's private Mastodon posts. It's just how federation between untrusted servers works. Giving people the illusion that if Dan had just been more discreet then this harm would have been reduced is lulling them into a false sense of security, in my view.

[–] [email protected] 4 points 1 day ago (1 children)

Maybe I’m wrong, but shouldn’t posts only be insecure if they’re propagated to the insecure instance?

"Insecure" in this case simply means any server that doesn't implement Mastodon's custom handling for "private" posts. With that definition, the answer to your question is yes. It has been mentioned by Mastodon people that this is a significant problem for the ability to actually keep these private posts private in the real world. The chance of it going wrong is small (depending on your follower count) but the potential for harm is very large. I would therefore go further, and say that it's a very bad thing that Mastodon is telling people that these posts are "private" when the mechanism which is supposed to keep them private is so unreliable.

https://marrus-sh.github.io/mastodon-info/everything-you-need-to-know-about-privacy-v1.3-020170427.html

https://github.com/mastodon/mastodon/issues/712

Is any private post visible to people on servers that the poster doesn’t have followers on?

It is not. If you're sufficiently careful with approving your followers, making sure that each of them is on an instance that's going to handle private posts the way you expect, then you're probably fine.

Could I curl the uri of a post that's “private” and get the post’s content?

If it's been federated to an insecure server then yes. If not then I think no.
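
The receiving-side check that the comment above says a server must implement to keep such posts private, as an added example that is not part of the original comment or any project's code. It assumes a followers-only post is addressed to the author's followers collection and omits the ActivityStreams Public collection; the function names, visibility labels, hosts and actors are constructed for illustration.

```python
# Added example: decide whether a federated ActivityPub Note may be shown to a viewer.
AS_PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
PUBLIC = {AS_PUBLIC, "as:Public", "Public"}  # forms the public collection id may take

def _ids(value):
    """Normalise a to/cc field (absent, a single id, or a list) to a set of ids."""
    if value is None:
        return set()
    return set(value if isinstance(value, list) else [value])

def classify(note, author_followers):
    """Derive visibility from addressing alone. Labels are this example's own."""
    to, cc = _ids(note.get("to")), _ids(note.get("cc"))
    if to & PUBLIC:
        return "public"
    if cc & PUBLIC:
        return "unlisted"
    if author_followers in (to | cc):
        return "followers-only"
    return "direct"  # also the fail-closed result when to/cc are missing

def may_serve(note, author_followers, viewer=None, approved_follower=False):
    """True if `viewer` (an actor id, or None for an anonymous fetch) may see the note.

    The caller passes approved_follower=True only once the author has accepted
    the follow; a pending follow request must stay False.
    """
    visibility = classify(note, author_followers)
    if visibility in ("public", "unlisted"):
        return True
    if viewer is None:
        return False  # never render non-public posts on a public profile page
    named = viewer in (_ids(note.get("to")) | _ids(note.get("cc")))
    if visibility == "followers-only":
        return named or approved_follower
    return named

# Constructed sample data (hypothetical hosts and actors).
ALICE_FOLLOWERS = "https://social.example/users/alice/followers"
BOB = "https://pix.example/users/bob"
PRIVATE_NOTE = {
    "type": "Note",
    "attributedTo": "https://social.example/users/alice",
    "to": [ALICE_FOLLOWERS],
    "cc": [],
    "content": "followers only",
}
PUBLIC_NOTE = dict(PRIVATE_NOTE, to=[AS_PUBLIC], cc=[ALICE_FOLLOWERS])
```
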

[–] [email protected] 2 points 1 day ago

Yeah, you said that stuff before and then you said it again. I do understand what your argument is here. I was trying a couple of different ways of explaining what I was saying in response, but it seems like it's not working. Oh well.
