word-heap - mundane sentence collection

a pile of words in a trenchcoat. im new here, say hi to me, i would like to meet you :)



Every time I make a post, before I hit the "post" button I'll proofread it 7 times and see nothing wrong. Then immediately after posting I'll notice at least 3 mistakes. I'll edit to fix those, but noooo that's not enough. Instead, each time someone reblogs it I'll be forced to notice a NEW minor error. I have been cursed by the blogging gods. I've edited errors out of my last long post on FOUR separate occasions after getting a notification for a like or a reblog. My eyes are simply unable to notice the mistakes of their own creation until I am forced to face the fact that other people actually read the words I type. thank god there's no edit history


More Posts from Word-heap

3 years ago

Tumblr is Tracking Shared Links

It looks like Tumblr @staff have finally implemented tracking garbage into shared links in the Tumblr mobile app. It took them years and years, but Tumblr is finally making an attempt to track shared links you click or links you share with friends.

When you share a post and choose to “copy” a link to your clipboard, you can see that they use their (new?) url shortener, at.tumblr.com.  The shortened URL appears to contain: your blog name; either the ID of the destination post, or the short string associated with the post; and an alphanumeric string.  Eg:

https://at.tumblr.com/pizza-and-ramen/im-fucking-dying-this-is-hilarious/uqndb20nkyob

The shortened URL redirects you to the destination link, but with 2 URL parameters: _branch_referrer and _branch_match_id.  Both are associated with a third-party analytics tool, branch.io.  Eg:

https://pizza-and-ramen.tumblr.com/post/118684413624/im-fucking-dying-this-is-hilarious?_branch_referrer=H4sIAAAAAAAAAxXEwQ2AIAwAwIlKH8aP21RQaaSAUIIyvZpczqvmuiCSGm2yhmJsEsw8BgFFB4Vki8gCe7MnxwPc86%2BeK3w8ByqcWsU7jHnql0u99xd0v%2FAuVQAAAA%3D%3D&_branch_match_id=1104914739086906151

_branch_referrer appears to be another shortened at.tumblr.com URL, except it’s been gzipped, base64 encoded, then URL encoded.  Eg:

H4sIAAAAAAAAAxXEwQ2AIAwAwIlKH8aP21RQaaSAUIIyvZpczqvmuiCSGm2yhmJsEsw8BgFFB4Vki8gCe7MnxwPc86%2BeK3w8ByqcWsU7jHnql0u99xd0v%2FAuVQAAAA%3D%3D

URL decode to:

H4sIAAAAAAAAAxXEwQ2AIAwAwIlKH8aP21RQaaSAUIIyvZpczqvmuiCSGm2yhmJsEsw8BgFFB4Vki8gCe7MnxwPc86+eK3w8ByqcWsU7jHnql0u99xd0v/AuVQAAAA==

base64 decode to (in hex for legibility):

1F8B0800 00000000 000315C4 C10D8020 0C00C089 4A1FC68F DB545069 A4805082 32BD9A5C CEABE6BA 20921A6D B286626C 12CC3C06 01450785 648BC802 7BB327C7 03DCF3AF 9E2B7C3C 072A9C5A C53B8C79 EA974BBD F71774BF F02E5500 0000

and unzipped with gunzip:

https://at.tumblr.com/pizza-and-ramen/im-fucking-dying-this-is-hilarious/xlz53wqdowww

which directs to the post with the same _branch_referrer but a new _branch_match_id:

https://pizza-and-ramen.tumblr.com/post/118684413624/im-fucking-dying-this-is-hilarious?_branch_match_id=1104899685865808870&_branch_referrer=H4sIAAAAAAAAAxXEwQ2AIAwAwIlKH8aP21RQaaSAUIIyvZpczqvmuiCSGm2yhmJsEsw8BgFFB4Vki8gCe7MnxwPc86%2BeK3w8ByqcWsU7jHnql0u99xd0v%2FAuVQAAAA%3D%3D

_branch_match_id, according to this stackoverflow answer, is an identifier unique to you, used to track users.  It could be based on browser fingerprinting, as branch.io’s branch_match_id is.

Anyway, there’s not a terribly easy way to avoid this tracking from the Tumblr mobile app, but if you get a link that has the id, not the string, you can modify it to the format of blog.tumblr.com/ID, like so before sending it to a friend:

https://at.tumblr.com/pizza-and-ramen/118684413624/uqndb20nkyob

https://pizza-and-ramen.tumblr.com/118684413624

Alternately, you could paste the link in your browser, allow it to redirect, then remove everything past the ? at the end, eg:

https://pizza-and-ramen.tumblr.com/post/118684413624/im-fucking-dying-this-is-hilarious?_branch_referrer=H4sIAAAAAAAAAxXEwQ2AIAwAwIlKH8aP21RQaaSAUIIyvZpczqvmuiCSGm2yhmJsEsw8BgFFB4Vki8gCe7MnxwPc86%2BeK3w8ByqcWsU7jHnql0u99xd0v%2FAuVQAAAA%3D%3D&_branch_match_id=1104914739086906151

https://pizza-and-ramen.tumblr.com/post/118684413624/im-fucking-dying-this-is-hilarious

Anyway, this has been my privacy rant of the day.  Thanks for reading, and let me know if you know more about this than I do!
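The decoding steps and both clean-up workarounds from the post above, as an added Python example (not part of the original post, and not Tumblr's or branch.io's code). The function names and the 2048-byte decompression cap are assumptions of this example; the sample URL is the one quoted in the post.

```python
import base64
import zlib
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names taken from the redirect URLs quoted in the post.
TRACKING_PARAMS = {"_branch_referrer", "_branch_match_id"}
MAX_DECODED = 2048  # assumption: cap output so a hostile blob cannot balloon

# Redirect URL copied from the post above.
PAGE_URL = (
    "https://pizza-and-ramen.tumblr.com/post/118684413624/im-fucking-dying-this-is-hilarious"
    "?_branch_referrer=H4sIAAAAAAAAAxXEwQ2AIAwAwIlKH8aP21RQaaSAUIIyvZpczqvmuiCSGm2yhmJsEsw8BgFFB4Vki8gCe7MnxwPc86%2BeK3w8ByqcWsU7jHnql0u99xd0v%2FAuVQAAAA%3D%3D"
    "&_branch_match_id=1104914739086906151"
)

def decode_branch_referrer(url):
    """Return the URL packed into _branch_referrer, or None if it is absent."""
    params = dict(parse_qsl(urlsplit(url).query))  # parse_qsl URL-decodes values
    blob = params.get("_branch_referrer")
    if blob is None:
        return None
    # An unescaped '+' in a query string is parsed as a space; undo that.
    raw = base64.b64decode(blob.replace(" ", "+"), validate=True)
    inflater = zlib.decompressobj(wbits=31)  # 31 = expect a gzip header
    data = inflater.decompress(raw, MAX_DECODED)
    if not inflater.eof:
        raise ValueError("gzip stream truncated or larger than MAX_DECODED")
    return data.decode("utf-8")

def strip_tracking(url):
    """Drop only the Branch parameters; keep any other query parameters."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in TRACKING_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def rewrite_short_link(url):
    """at.tumblr.com/<blog>/<numeric id>/<token> -> <blog>.tumblr.com/<id>."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    ok = (parts.hostname == "at.tumblr.com" and len(segs) == 3
          and segs[0].replace("-", "").isalnum() and segs[1].isdigit())
    # Slug-style links carry no post ID to rebuild from, so return None.
    return f"https://{segs[0]}.tumblr.com/{segs[1]}" if ok else None

if __name__ == "__main__":
    print(decode_branch_referrer(PAGE_URL))
    print(strip_tracking(PAGE_URL))
    print(rewrite_short_link("https://at.tumblr.com/pizza-and-ramen/118684413624/uqndb20nkyob"))
```
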

3 years ago

bad git tip #1

Ever feel like you want to try out a new git trick, but you're afraid it might cause some problems or break your repo somehow? Wouldn't it be great if you could track the history of your git state and revert if something went wrong?

Well, now you can, with a little trick I call git-git!

Just go into a directory with a git repository, cd into the .git folder, and run git init. Then, cd back out, and create a post-commit hook in the toplevel repository that creates a commit in the git-git repository every time you commit in the toplevel repository! Now your git history is being tracked by git, and you have all the powerful tools that git gives you at your disposal. Never worry about doing fucked up shit in git again!

3 years ago

i took these assignments pretty seriously and honestly, it was probably good for me to put my fucked up little feelings on paper. except then one of my teachers announced that we'd now read our work aloud for the class. everyone else wrote some normal bullshit until it was my turn to speak and I had written something like "i do not feel seen, i don't think anyone else sees my life as valuable, if I didn't show up to school tomorrow I don't think anyone would notice I was missing" and guess who broke down crying after the first sentence! me! i was crying! so the nice teacher was like "don't worry I'll just read it for you!" i would rather die actually. please free me from this hell.

what the fuck is with english teachers n being like “write a story abt a deep personal memory that impacted your life” maam if i do that youre going to send me to the counselor’s office


3 years ago

oh my god I just discovered that I can turn off the endless scroll. this site was literally built with me in mind. im in heaven.


3 years ago

Cloudflare lives in an interesting niche on the 'net. When we talk about the internet, we typically think of it as a bunch of "servers" (or "hosts", which "host" websites) and "clients" (like web browsers, which "receive" websites). In this model, a "client" (anyone with an internet connection) connects to a "server" and asks it for a website. The server will then give them that website. But, when we really get down to it, the server is just a computer, much like your laptop/desktop/phone/tablet, but instead of asking for (or "requesting") websites, it's configured to answer those requests.

Now, most people on the internet don't know the intimacies of configuring a computer to answer (or "serve") these requests, and so if they want to make a website, they'll pay somebody to run the actual "server"/"host" computer for them. There's a whole industry of "hosting providers" that will give you a computer (or "host") to host your website on. Then, all you have to do is point your domain name at your hosting provider (using a system called DNS, which I've talked about in the past) and everything starts working!

This is not what cloudflare does (ok technically they have recently started doing this a little bit, but 99% of the things they are doing isn't this). Nobody actually uses cloudflare as their hosting provider because it's not really a service they even offer. Cloudflare solves a different problem which I think at this point literally everyone on the internet has heard of: DoS or DDoS attacks.

We've all heard the term thrown around in different contexts, but for our purposes we're going to need to get a little more specific. When a computer is "serving" a website (responding to requests for it), it's like running an application on your computer, let's use a text editor as an example. Answering a request is similar to opening a new document, adding a few words, then closing it. Under normal conditions, this does not break your computer [citation needed]. In fact, your computer can probably handle tens of documents opening and closing at the same time without a hitch. However, if you wrote a program that would open and close a document hundreds or even thousands of times every second, your entire computer would slow to a halt, CPU usage would go to 100%, and it would become totally unusable.

That is what a DoS (denial of service) attack is -- sending far more (phony) requests than the server/host can handle, causing it to no longer be able to answer any requests (legitimate or phony). DDoS is the same idea, but distributed (that's the first "D" in "DDoS"). In that case, the requests are coming from thousands of different client computers so it's much harder to block. The details of how these attacks are actually run aren't super relevant, they'll usually also leverage several very technical tricks to make things even worse and even harder to block but that's beside the point.

It used to be that anyone who could pay for a big enough network of computers could DDoS and successfully take down nearly any site on the internet. Because of this, a new type of service popped up: DDoS protection/mitigation (which is the 99.9% of cloudflare's business that I mentioned earlier). There are different ways to do DDoS protection, but the way cloudflare does it is by sticking themselves between the "client" (browser) and "server" (website host). From that position, they're able to scan every request from a client before it reaches the server/host and potentially block it if they determine it to be part of an attack. So, if you're trying to connect to a Cloudflare secured website, instead of directly connecting to the host/server, you will actually be connecting to cloudflare, who will then examine your request and only pass it on to the actual ("origin") server if they deem it to be safe.

This, if you haven't already gathered, is an incredibly valuable and useful service to anyone who wants to run a website. And cloudflare provides it for free. no strings attached. zero dollars. to anyone on the internet. A good metaphor for cloudflare is a home security system, but if those companies just gave out free systems to anyone who asked.

So, now that we all understand what cloudflare is and where they sit in the web ecosystem, I'm going to talk a little about the recent news (the kiwifarms ban) and why it's a much more interesting case than a typical website takedown.

Typically, when trying to get a website taken down, the usual targets are either a) the person who owns and runs the website or b) the web hosting provider that the owner is using. These are obvious targets because they cut the website off instantly and directly. To make an analogy, let's think of a website like a brick and mortar business. The owner of the website is the owner of the business, the hosting provider is the landlord that rents their space to them, and, to bring cloudflare into the picture, cloudflare is their anti-theft system (it could also be the lock on their front door, the alarms when someone smashes a window, etc, it doesn't really matter for the analogy).

If a business is shitty, the only ways to make them shut down would be to target either the owner or the landlord that they rent their physical "platform" from. In this case however, the target was Cloudflare, aka their anti-theft system. This is uncommon mostly because taking down the anti-theft system doesn't actually shut down the business. It just makes it possible for anyone else to break in and destroy things much more easily, which, in the case of kiwifarms, is a large enough group of people that without the anti-theft system, it would likely immediately succumb to attack. I, like most people, would not mind seeing kiwifarms succumbing to these attacks :P

However, what makes this much more interesting is looking at it through the lens of one of the core ideals of the internet: Net Neutrality. "Net Neutrality," in the sense most people are familiar with it, means that an ISP must be "neutral" in how they manage the internet traffic they provide. They're not allowed to treat the traffic differently based on its source or destination. This means that a company like Hulu couldn't pay your ISP to start throttling all traffic going to Netflix so that Hulu looks better, the ISP is required to be neutral.

This is similar to the posture cloudflare has been trying to build, in that cloudflare have tried to position themselves as a similarly "neutral" operation. They treat all traffic from all of their customers (the websites they protect) the exact same way, similar to how your ISP treats data from all of the websites you visit in the exact same way. If cloudflare kicks a site off its service and forces them to use a different service, it's much like your ISP deciding to start blocking netflix and now instead you can only watch netflix on cellular data (which is usually provided by a different company).

Now, I don't want this to be misconstrued so I'm going to make myself 100% clear: I am so fucking glad kiwifarms is gone. What they did is beyond awful and I want to see them gone through any means possible. I also think that this is a very interesting test of cloudflare's posture around neutrality, which is something that has not really been tested before, and I'm curious to see where this goes in the future.

Anyways, hopefully this has revealed a bit more of the nuance around what cloudflare is and why we haven't heard about them banning websites before, despite them serving something like 10% of all internet traffic (that 10% number is from 2016, it's likely much more these days). I just wanted to put together a little explainer because this is a really unprecedented case and I've been watching it with a lot of interest. If you'd like to see cloudflare's official positions, those are up on their blog (1, 2) (which, by the way, I would highly recommend, their blog is great, especially for a technical audience).

