Elixis Technology

Las Vegas IT

Please don’t scan random QR codes

Elizabeth Technology October 4, 2022

The Past and Present of Random Links

Before the age of built in antivirus and user-friendly web design, it was entirely possible to wander onto a webpage that would just start downloading something malicious out of nowhere. Popups that did this were a serious problem, and many browsers responded by working in a sort of zero-trust philosophy. Firefox, for example, will tell you when a site has tried to open a pop-up, and asks you if you still want to open it. This does occasionally catch honest secondary windows (like payment portals and the like) but the great thing about that is that because it asked, you can say ‘yes, I wanted that to open’ and you’re not stuck with some horrid flashing popup dominating your screen every other time.

Aside from popups, some websites were able to either trick users into downloading things by mimicking a real website, or simply start downloading things themselves as soon as they were clicked. Separate antivirus programs were needed to combat phishing downloads alongside other website trash, as browsers can’t always differentiate between intentional and unintentional downloads. In this era of the internet, misclicking or accidentally misspelling a website URL could be catastrophic for the computer. Big hosting companies protect their hosted websites now by preventing others from registering domains that are almost the target URL, but not quite (a form of domain squatting) but this wasn’t always the case.

Furthermore, hyperlinks can be used to trick people into clicking things they’d otherwise have avoided. Remember Rick Rolling? Every trick that anyone has ever used to Rick Roll you can also be used to get you to click on, and download, something you don’t want on your computer. Disguised hyperlinks. Obfuscated URLs that re-route a couple of times to get you to lower your guard. Clickable buttons, in place of links. Social engineering. The list goes on!

The False Sense of Security

The modern web as most people browse it is a safer place than it used to be. Google’s SEO is partly to blame – users who report unpleasant website experiences or demonstrate that the website isn’t good by leaving within so many seconds of it loading will lead to that website appearing lower in the search results, until eventually Google stops letting it pop up near the top at all. Hosting services are also partly to blame – they have a monetary interest in keeping their websites whitelisted, and malicious websites screw that up for them. Plus, it’s sort of scummy. Would you want to do business with a company that passively allowed one of its clients to wreck another potential client’s car? Probably not!

Antivirus and default browser settings take care of much of the rest. But these things don’t mean the nastier parts of the web have stopped existing, they just mean it’s harder to get there without doing so intentionally. Users don’t fear clicking on links that lead to sources or Ko.Fi services because it’s been so long since that was a problem. Forum users click through links with no fear. While not a perfect breeding ground for scam links to come back (most people still know and remember the warning signs) it is a perfect breeding ground for something new built on old foundations – QR code scams.

QR Codes

A QR code is a sort of bar code that’s recorded in two dimensions (vertical and horizontal) instead of one. Almost every modern phone (and many of the outdated ones) come with a QR-reading feature built in. QR codes and code readers have a high tolerance for missing or damaged information, making it a fantastic resource for quick and easy link-loading – where a barcode is unreadable if a bar is missing, a QR code can often still be read if squares are missing or obscured. Advertisements, verification texts, digital menus, libraries, virtual queues, etc. all benefit from how simple it is to whip out a phone and point the camera at a black and white square for a few seconds. It’s even easier than typing in a link, and you can direct users to specific pages with gangly URLs without worrying how that URL is going to look on printed material – the user isn’t going to see the URL anymore, they’re going to see the QR code!

This lead to things like QR code stickers that would lead to individual GIFs or art project websites out in public, a form of easy-to-remove graffiti that still showed off some art in today’s hyper-online world. QR codes gave restaurants and their diners an easy way to see a digital menu without having to type in a URL. It also made Rick Rolling easy again.

You’re probably already seeing the issue here: when users can’t see the URL, they have no way of knowing where they’re going to end up when they scan it. A hyperlink’s true destination is visible to a user when they press and hold on mobile, or hover their mouse pointer over it on desktop – the same is not universally true for QR codes (some phones and programs show the link before asking you to continue, but many do not). The scam potential for these codes is off the charts because many do not understand them as ‘links’ but as ‘scannable objects’.

Discord Scam

For example, the recent slew of Discord scams! Essentially, what happens is a scammer compromises an account, either by password brute-forcing or by social engineering, and sends messages to everyone on that person’s friend list saying things like “ummm idk if this is really you or not but it was your name and it says you sent a girl gross stuff like wtf? Check the #shame tag and you’ll see it. I’m blocking you just in case, I can’t be friends with a predator”. They then send a link inviting you to join the Discord server mentioned in the message, and block you so you can’t continue to chat with them. As this is a compromised account and may be pretending to be someone you actually speak to on the regular, this can be very alarming. The first instinct is to join the server so you can defend yourself against whatever allegations have allegedly been made in that server! It presents you with a QR code to join the server that this compromised account has sent to you so you can clear your name and get your friend to unblock you, but when you scan it, it tricks your phone into giving over the login credentials for your Discord, compromising your account and continuing the scam.

This is the sort of scam that happened all the time before people grew wary of random DM’ed links! Here we are again, re-learning not to trust people that talk like bots and the things those bot-people/compromised accounts send us.

Sources: https://mamoru.tumblr.com/post/688687077511086080/new-discord-hacking-scam 

Nomad Bridge Hack – Decentralized Currency Is Not Always Safer Than Plain Money

Elizabeth Technology September 29, 2022

The Base Of Cryptocurrency

Cryptocurrencies generally work off a blockchain which records its movements. This has both pros and cons, but the biggest pro and con is that there’s no centralized agency that monitors the coins. They monitor themselves instead! Given the base coin technology was made correctly, you can kind of just set it and forget it, and transactions using secure, well-made cryptocurrencies will work out as they should so long as both parties are being honest and not trying to scam each other. That’s not always the case, but in a perfect world, the flaws belong to the people and not to the tech. You can’t hack a Bitcoin, for example, it has to be deliberately sent. Almost all Bitcoin scams involving theft are social engineering attacks for this reason – if a scammer can get into a Bitcoin wallet, either by brute forcing the password or tricking the owner into giving it to them, they can still steal the coin by sending it elsewhere, and it can’t be called back.

However, this really applies best to Bitcoin and older cryptocurrencies that have had a minute to mature and improve the tech. New tech using blockchain are riddled with flaws. Take NFTs, for example – on some of the platforms hosting them, a security flaw allowed ‘smart contracts’ to be planted in someone’s wallet, which would then move the real NFTs out of the wallet once the owner clicked them. NFT chains can’t show if something was paid for, they only show if it was moved, and so those NFTs would be sold along as though they’d never been stolen because nobody would be able to tell. It’s sort of ridiculous.

The coins are impenetrable – everything else is not.

The Nomad Bridge Hack

Bridges, in cryptocurrency speak, are like currency exchanges. They allow people with one type to spend it like another by depositing the crypto they have to be used as collateral for the one they want. Blockchain technology is difficult to break when it’s one continuous piece, but when it’s not, it’s just like any other kind of banking technology. Meaning it also needs layers and layers of security so a failure on one layer doesn’t mean total system failure.

The problem is that typical banks have had a ton of time to work out security, but crypto is new, and it always wants to build itself something special, just for crypto, because that makes it more special than all the other modes people have used for payment. As a result, they’re rediscovering issues that banks have already worked out, like the exploit that drained Nomad of all of its money. Or the different exploit that drained Wormhole. Or the other different exploit that drained the Ronin bridge.

In Nomad’s case, a bad update allowed any tokens with the default value for transactions to go through as though they were valid. Once one person figured it out, others began copy-pasting his transaction info and substituting the destination address for their own. This allowed them to transfer currency to their own wallet without having to put up any collateral, like they normally would. A handful of people tried to altruistically take money so it’d be safe in a wallet and they could give it back later, but the vast majority was snatched before the platform could react.

Currently, Nomad is attempting to trace the coins and get them back, but this is the major disadvantage of cryptocurrency – they can’t just reverse the transaction, and the coins don’t record whether a movement was legal or not. There’s also no central body to make the thieves give the coins back, because the currency was made specifically so it wouldn’t need that. It’s unclear if Nomad is actually going to be able to get those coins back. Right now, 9 million dollars’ worth of the stolen coins have been returned (probably due to the 10% bounty that Nomad set trying to encourage people to give the money back) but the rest is still up in the air.

Sources: https://blockworks.co/nomad-token-bridge-raided-for-190m-in-frenzied-free-for-all/

Can a PDF Attachment Really Compromise my Network?

Elizabeth Technology September 27, 2022


Basic Email and Anti-Phishing Safety

It’s a message that bears repeating – you shouldn’t click on links or attachments in emails you weren’t expecting, didn’t sign up for, or otherwise don’t entirely trust. For example, say you get an email from Target, but there are several typos in the header. That’s a really easy tell that the email is likely a fake! A real business the size of Target has several sets of eyes on their marketing materials.

A harder tell is checking the email sender each time. Say you open an email from ‘Tagret’, and it’s not loading right. If you don’t normally have that issue, it might be a fake trying to get you to click a ‘view in browser’ link that actually leads to a download page set up for a virus. You might have missed the fraudulent sender if you didn’t double check!

But what about attachments? You should approach attachments with a zero-trust philosophy. Verify the sender, verify the email itself isn’t riddled with typos and easy-to-fix mistakes, and verify that the attachment itself is titled appropriately for what it says it is. While you could easily accidentally open a phishing email, realize it’s a phishing email, and then close it before you click any links or type anything in (you should still report that incident to your IT Department), clicking on an attachment that’s malicious is harder to recover from! PDF attachments, which are normally pretty inert, are a possible highway into your network or computer. Keep these following things in mind when you open attachments.

It Might Not Be A PDF

Not all that glitters is gold! That attachment from someone you don’t remember hiring might be something like an executable file (a .exe file) that’s just named Invoice307.pdf. When you name a file, only certain characters are excluded from possible names, including characters like the percent sign (%) and question marks (?) because they’d interfere with the way the file is stored. Periods are not, and that makes it easy to fake a name! It won’t get everyone (invoice.pdf.exe looks pretty strange, right?) but it might get the kind of person who doesn’t spend that much time on computers, or doesn’t get this kind of scam regularly. If that sounds like you, it only takes a second to double-check the extension name before you download it, and that second can prevent a lot of pain! Most desktops will also show you a file’s full name if you hover your mouse cursor over said file – to hover, you just move your mouse cursor over the file without clicking it, and wait a second or two for your email program to show the full name. This is nice if the name is too long for the thumbnail and you’re not sure if you trust the sender or not.

A similar tactic is hyperlinking some text to open a website which will begin downloading malware instantly. The scammer puts in some ordinary-looking links, like a Shop Now! or Click Here! Button, and then uses the hyperlink feature available in most email applications to hide a viral link inside. If it successfully tricks you into clicking it, you’re in for a bad time. The hover trick from before works here too, and it should show you where the address actually goes in the bottom left corner. Remember – don’t click if you’re using the hover trick! At least until you’re sure it’s safe.

However, there are ways to mess up your computer without overtly malicious software. Consider the ‘.zip bomb’, for example! A .zip bomb is a huge amount of junk files packed into a .zip file, which compresses it. When you, the receiver, download and open the .zip, it slows or even crashes your computer with the huge amount of information it’s trying to decompress. Since the files themselves don’t have to be malicious to achieve this (they can be, but they don’t have to be), many consumer antiviruses will just ask you if you trust the source – and if they’ve done a really good job social engineering by making the sender sound plausible and writing without typos, you might click yes without thinking twice. To recap – if it doesn’t end in .pdf, and someone you don’t know sent it to you, it might cause problems for your computer.

Even If It Is, It Might Have Something Nasty

If you’ve ever struggled to get Word to allow you to open a document and edit it, that’s because some malware can be hidden inside otherwise innocuous-looking documents. It’s rare, but it happens – it’s usually something called a macro virus, or a virus that uses ‘macros’ to download itself. A macro in Microsoft properties is a command that groups several keystrokes into one, and they have many legitimate uses, but can be used maliciously to lead you somewhere you don’t necessarily want to go, or download/unzip another file contained within the file you’re working with. A much simpler version is just using macros combined with the hyperlink trick from before to get you to bring the document out of safe mode by disguising said hyperlink as something innocuous, but other, more complicated ways to get your PC to download something nasty can be hidden too.

Once again, double-checking the file extension might help you determine whether or not you really want to click something. Microsoft Office products save differently if they contain macros or ‘active content’ – for example, instead of a .docx file, a Word document with macros in it will save as a .docm file. If you download one, most recent versions of Office products will ask you to verify you trust the place you downloaded from, adding further security.

Don’t Forward Emails You’re Suspicious of to Anyone but Your IT

If you send this mail to your manager, and your manager is in a rush and doesn’t read what you wrote about the message and clicks the attachment… you’ve just moved the problem! Don’t forward something suspicious to another member of your organization – if the scammer had their info, they’d likely be a target too! Instead, if you get an email you’re not sure about, forwarding it to your IT department is a safe bet. If it’s nothing? Then you sent your IT guys an email with a legit attachment, and you know for sure it’s safe to open. If it’s malicious? IT should be able to handle it in a quarantined computer. They may even be able to tell if it’s malicious without opening it! This could potentially save you and your organization from ransomware or other malware that can completely halt your business.

Sources: https://support.microsoft.com/en-au/office/protect-yourself-from-macro-viruses-a3f3576a-bfef-4d25-84dc-70d18bde5903

Space Items We Won’t Get Back

Elizabeth Technology September 22, 2022


Why launch a telescope into space when the ones on the Earth aren’t limited by launch weight restrictions? There are many reasons, but the biggest one is that Earth’s atmosphere and pollution get in the way. When you get to the sort of deep field imaging the Hubble is doing, any infrared fuzz from other sources at all will blur the photo and reduce the telescope’s range. The atmosphere contains and reflects a lot of radiation, all across the spectrum, so it naturally obscures quite a bit of what you’d see if you were just outside of it.

As a result, NASA uses satellite telescopes to see the farthest reaches of our universe! While Hubble was not the first of its kind (the 60s had the Orbiting Solar Observatory) it is one of the most technologically advanced, and it remained the pinnacle of space-based telescope tech for most of its life so far, receiving regular upgrades and repairs until 2009. It consists of the same ‘mirrors reflecting lights onto a central point’ that many long distance telescopes do, but without all the fuzz of the atmosphere in the way, it was able to catch an astonishing amount of detail and distance not previously seen by telescopes on Earth! While this is no longer the most powerful telescope in space thanks to the James Webb, it’s still provided tons of valuable, useful research material. It’s central mirror can capture 40,000 times more light than a human eye could. You may notice that stars in Hubble’s pictures have a distinct halo with four points of light – that’s thanks to how the side mirrors are arranged around the central one.

Cassini and the Golden Disk

Most of the stuff people send into space isn’t expected to make it back to Earth, at least in one piece – there’s not a great way to retrieve large objects from space. However, most of the objects we send out are expected to stay in orbit, or burn up. James Webb and Hubble are in orbit (although the Webb telescope is actually orbiting the sun).

The Cassini space probe, launched in 1997, is not in orbit, at least not anymore. Cassini’s original goal was to learn about Saturn and its moons. It maintained an orbit around Saturn from 2004 to 2017 when it’s orbit decayed (on purpose) so it could descend into Saturn and hopefully learn a little more on its way out of this material realm. And learn it did!

Even more far-reaching are the Golden Records, sent out on the Voyager spacecraft in 1977. Voyager was not launched towards one particular star; the closest it’s going to get, barring any encounters with space debris on the way, is a lightyear and a half away from a star in 40,000 years. The records contain sounds and sights from the planet Earth, intended as a message in a bottle, for anyone or anything that finds it. It uses pulsars, long-lived remnants of stars that ‘flash’ or ‘pulse’ EM waves at a constant rate, to orient the map, since anything complex enough to spot Voyager would also be able to see them, thus providing a reference point.

Did you think the Mars Curiosity probe singing happy birthday to itself was sad? We’ll never see Voyager again. There’s no promise anything will.

James Webb

The James Webb telescope is one of the most technologically impressive things humankind has ever managed to make. It took several hundred millions of dollars and years of hard work to make it happen. The images coming back right now (as of this article, July 14th of 2022) cover an area of the sky approximately the size of a grain of sand from our perspective on Earth. The universe is huge! That one little point shows an enormous amount of galaxies, including ones whose light has been warped as it traveled to us by something in between us and them, all different angles and distances away from us. It also captured higher-quality images of planetary nebulas and the like that we had from Hubble, but even more detailed! None of this, of course, would have been possible without Hubble coming first, and the images Hubble captured are equally impressive – the Webb scope’s design simply allows it to see further and gather more light in order to actually ‘see’ the things out there in space. Webb’s images of stars also have halos, but it has six points of light instead of four like Hubble, a result of a different and improved mirror focusing design.

When you’re dealing with such huge distances, your telescope has to begin compensating for something known as ‘Red-shifting’ – especially with things that are moving away from you or your telescope. Red-shifting means that the waves of light will begin stretching out. Wider wavelengths of light are redder than narrower ones, and so everything begins trending towards infrared light when it gets far enough away from us. If those galaxies have aliens looking back at us, they’d see us as redder than we are, too! As such, both Webb and Hubble captured information from Infrared all the way up to X-Ray bands. We can’t see X-Rays either, and have to compensate there as well.

Technology on Our End

Not all of that compensation is happening in the telescope itself – a lot of it is happening in the data processing back on Earth. The same thing goes for the Hubble. Many of the complex images of planetary nebulas or gas clouds are the result of weeks’ worth of light catching and data combining. Some celestial bodies are bright, others are dim, some gasses that compose nebulae are not visible to the human eye, etc. and so all must be visually adjusted so that we, on the other side of that enormous void, can actually put together an image we understand. This doesn’t mean the images are ‘fake’, although they’re not always the pretty colors shown in the images by NASA. NASA often color codes things to indicate where one kind of gas cloud ends and another begins, for example, or differences in density and temperature that the telescope could see in X-Ray but we couldn’t.

Just as the telescopes have gotten better, so too has the technology receiving the images back on Earth. 

Tone Tags – the Result of Constant Bad-Faith Readings

Elizabeth Technology September 20, 2022

The internet’s a tough, cynical place. You may have heard of Poe’s Law, which states that parody and the thing the parody is parodying may be indistinguishable from one another, or maybe you’ve just been on the receiving end of a scathing Twitter retweeter who mistakenly assumed you were being sarcastic instead of genuine. Most human languages use some sort of tonal change to indicate things like mood and whether something is a question – even American sign language encourages the use of facial expression and exaggerated movements to convey intense emotion. Text, however, is pretty limited. You have word choice, punctuation, and occasionally the ability to italicize or bold or change the color of words to get a different message across. But you can’t do it everywhere, and you can’t trust that the other side of the screen will read it as you intended. Going ALL CAPS TO INDICATE EXCITEMENT!! Can also be read as aggression or indicate shock.

Tone tags are one possible solution to this hurtle! Tone tags are tags that indicate tone, usually included at the end of a sentence. Some common ones are /pos (positive tone intended) /hj (half-joking tone intended) /j (joking tone intended) /gen (genuine tone intended) and more. Instead of having to phrase something especially carefully so it doesn’t come across as sarcastic (or couldn’t possibly be read that way) you can simply attach a /pos to the end and know that if they misread it after that, that’s on them, not you. They’re not exactly common yet, and are sometimes considered a bit cringey (not being able to distinguish tone can be a symptom of social awkwardness or isolation IRL) but they’re at worst harmless fluff.  

So why are they getting popular?

Shooting The Messenger

 I witnessed an exchange in a Tumblr post where one user asked “So how exactly is [X] considered [Y]?” Another user, notably not the creator of the post, gave an explanation: “[X] could be considered [Y] for [these reasons], I think.” The first user then responded “Well, [X.a] and [X.b] come together to make [Z], not [Y] in the US, so again how exactly is [X] considered [Y].” The second responder had to clarify that they were just giving the same explanation they’d seen online, not that they were pushing [X] = [Y], and apologized. The exchange ended there.

The first user, in the process of defending their thesis that X and Y were not alike, accidentally came across as though they were snapping at the second person for giving this response, even though I’m sure that if this conversation had happened in real life they wouldn’t have responded in the same way. The phrasing could be neutral, but asking for more info the way they did (assuming that’s what they were doing) came across pretty harsh.

Unfortunately, shooting the messenger like this online is pretty common! The second responder wasn’t the one pushing [X]=[Y], but they were the one who responded and answered the question in its most literal interpretation. The problem is that the question itself was partially rhetorical because the first user knows what the answer ‘should’ be – which was “X actually DOESN’T equal Y” (although they may have also been asking for more clarification on how X could possibly equal Y and the second person just didn’t know what to tell them without writing an essay covering every possible corner of that problem), but many rhetorical questions just look like regular questions without the additional context of a normal social interaction. They ask, someone answers in good faith based on what others have said about the subject, they respond to it as if it wasn’t in good faith at all because it was missing information or wasn’t providing anything new.

Tone tags could be worth using here if only so neither side feels like they’re suddenly playing defense.

Asking Questions Accusatorily

Trolls have a nasty habit of asking questions that seem innocuous but are designed to eventually lead to an argument. Unfortunately, the point of those questions is that they’re plausibly deniable – maybe the person asking really didn’t know what or why something happened. For example: a question like “so why is your dog still wearing his correction collar in the house?” online can either be a real question asked with the intent to gain knowledge, or an attempt to pick a fight where the poster has to defend themselves against a stranger’s worst assumption. If this were real life, you’d almost certainly know immediately what that question was meant to do, but in an online environment where the other party is just some anonymous commentator you’ve never seen before, it’s impossible to tell until you’re already in the weeds of an argument! Tone tags here could prevent a lot of back-and-forth.

Semi-Intentional Misreading

There’s a joke online that tells you to load up on apples and pike them outside your house because it will keep doctors away. The joke here, of course, is based off the misunderstanding that “an apple a day keeps the doctor away” not because it’s a healthy thing to eat, but because doctors are afraid of or hate apples. This is funny! When it happens in an online argument and someone reaches for the poorest-faith interpretation of what you said, it’s… less funny. Especially in a close setting like a Discord chat, where you’re having to guess if this person is actually stupid enough to think you were criticizing X when you said Z was your favorite, or if they somehow never heard that people are allowed, individually, to pick a favorite, and your favorite overrides theirs. Yikes.

Jokes Are Just Funny Insults

Sometimes it can be hard to tell if someone was joking or if they were deliberately trying to be insulting. Some people even take advantage of this to become Schrodinger’s Douchebag, where the response to their joke determines whether or not they were joking with intent to insult or not. However, there are some amount of people who write a joke out, didn’t re-read it with an especially critical eye, and then posted. People online then mistakenly assume they were trying to pull a Schrodinger when they instead just didn’t fully think the joke through. Maybe they made a joke about an internet celebrity assuming that nobody outside their small circle of Twitter mutuals would ever see it. Maybe they made a joke that relied on sarcasm, but what they wrote wasn’t recognizable as sarcasm to less discerning audiences. Being able to tag what tone you meant to convey with a statement (half joking, joking, sarcasm, etc.) can save some agony if strangers have even a slight chance of misinterpreting your words in a misguided attempt to get some interaction or attention. Of course, it won’t stop all of them, but it may stop a dogpile started by yanking the joke out of context if the initial poster can point to a tag and say, definitively, that they meant it as a joke from the start. Not after they started getting mean retweets about it.

Actual Utility

There are cases where these just don’t work out. Of course a troll is never going to mark a comment as /trolling, and a certain subset of people are always going to interpret their own actions in the best possible light – so a question like “are you aware you’re literally killing the planet when you do [X]? /gen” is almost certainly still going to appear because they do think they’re being genuine and they do think they’re using the tag correctly despite the inflammatory phrasing.

The main problem is that these tags assume good faith! The best communication strategies decrease noise and increase the efficiency of message transmission, and these can only do that if everyone understands them and agrees to use them correctly. While these tags will work for well-regulated, well-moderated communities on the internet, I don’t think they would survive if applied to Twitter as a whole. That doesn’t mean they’re not worth using, it just means that they can’t be used everywhere – some online communities are finding they have a lot of utility already.

Don’t Make Shared Email Accounts

Elizabeth Technology September 15, 2022

A shared email box has plenty of utility, but it has to be set up right to reach its full potential. A shared mailbox should allow all it’s members to see the content, and can usually be set up so that members can send emails under the mailbox’s address. Essentially, the box is just a box that they have permission to access. Microsoft Outlook allows you to add your users to specific shared mailboxes, but only you, the admin, can decide who gets to see it, who gets to be part, who has the ability to send as the box, where forwards go automatically, if that’s even desired etc. etc. And they don’t have to have a Microsoft license to function!

A shared account, on the other hand, is an easy path to disaster! A shared box shouldn’t be a fully-fledged account that your users can log into using a password and username that you gave them, generally speaking. If your box is set up so that users are in the account instead of in the box only, they have way too many permissions!

For example – a user decides they want full control of the shared email account and simply logs in, changes the password, and doesn’t share it. Now what? You can do a lot of things to the user, up to and including firing them, but that might not be enough to get the email account back, especially if they left on bad terms. Or, an employee mistakenly believes that everyone in the company is meant to have access to a shared account, and gives the login credentials to an unauthorized employee when they ask. Or, an employee writes down the shared credentials somewhere, loses that, and then the company’s support or information mailbox is hacked and totally out of their control. If the account is set up as part of a security group, everything in that group is then put in jeopardy, because accounts can access shared drives. Accounts also take a license to keep functional, so that’s an added expense over a simple shared email box. The issues go on and on!

While some of this can be mitigated with steps such as two-factor authentication, the vast majority of it can only be stopped by making a box that has layers of separation between the account controlling it and the accounts allowed to use it. Microsoft’s system allows users to be added to a shared mailbox without giving them total control over it – that’s the ideal, as user permissions can be revoked without having to go through the song and dance of giving the login info back out to everyone still authorized to use it. As shared mailboxes can’t be signed in to, they’re also much less likely to be ‘hacked’ via a stolen password (although someone could still access it via someone else’s account).

Group Accounts – Social Media

On the other hand, there are social media accounts for the company. Almost no website allows multiple people to run an account with separation from said account the same way that Microsoft does – LinkedIn is a rare exception, and Facebook pages allow people to post to them, but the page can’t post to itself – the company account has to post to it. In cases like that, a shared account is still not ideal, but it becomes easier to manage if only a handful of people have the password, and only one person has the 2FA number. In a pinch, that makes it slightly easier to reclaim the account if the person in control decides to go rogue, but even then, some sites will allow you to change the 2FA number without verifying it to the current 2FA contact first, thus making all of the issues above also issues here. That makes it extraordinarily difficult to truly, properly, bombproof a social media account! Limiting the total number of people who have access to it as well as monitoring when it’s being used is the best solution. Instead of a group shared account, make it a two-person account – or less!

Alternatively, websites like Buffer and Hootsuite can provide some barriers, but for a fee. They may not stop an employee going rogue, but they can at least identify when and which one was responsible if something happens to the company Instagram.

The Panopticon Comes for Your Playlist

Elizabeth Technology September 13, 2022

Artists can see what playlists you add their songs to on Spotify.

That hasn’t really been a problem – most were polite enough to simply look the other way, understanding that users aren’t always aware of that feature and that a playlist can get pretty personal once you’re not assembling something for a party or a road trip.

Having the info and admitting that you actually look at it pretty closely was not something you’d want to post publicly. You may want to analyze where the song is ending up most often, as it can give you a hint as to where listeners are hearing you, who they associate you with, and how much they like you, but you do not need to post that info. That’s for you, the artist, not everyone else. If it was supposed to be for everyone else, they would have made it that way.

However, now TikTok is here, and Indie artists are not only posting where their songs are ending up, but criticizing their listeners for what they’re calling the playlist. The panopticon has come for your playlist titles.

The Panopticon

The panopticon is a concept for a prison in which the cells are arranged to circle a central guard tower that has visibility of all of them, and the prisoners cannot see where the guard is looking. As a result, most of the prisoners begin behaving as though they’re always being looked at, with all of the stress and lack of perceived privacy that entails, even if they’re not doing anything wrong and not planning to either. The digital panopticon may even be slightly worse as it’s constantly giving you signals that it is watching and hey, don’t you want these cool curtains we showed you? You looked at them. Your mouse hovered over them. Algorithms for ads and algorithms for content are aiming to make a profile out of you, so they can subtly manipulate your behavior into buying or consuming more. To do that, they must watch.

But it doesn’t stop there. Real people are often contributing to the panopticon, both willingly and unwillingly! Social media is constantly threatening to doxx people, even when the person in question, realistically, doesn’t deserve that sort of response. Look at West Elm Caleb – algorithmic recommendations on TikTok lead to all of the people he’d slighted seeing each other’s videos, because the algorithm weighs video makers close to viewers heavier than ones who are far away. He was dating a lot of women local to his area, so those women, who were total strangers in most cases, ended up seeing each other on TikTok and commiserating over this guy ghosting them. That would have been a simple ‘haha, this guy sucks’ moment for them as a group, something friends IRL have all the time… if it hadn’t all happened in full view of the completely public TikTok trending page, where anonymous strangers could watch.

Strangers online who’d seen those videos overreacted, trying to get him fired from his job, trying to find out his real location, trying in general to make his life miserable over ghosting some people. Most of the women who’d made or commented on videos with personal experiences about this guy didn’t want that to happen to him, but it was already too late! Others decided they had been slighted, and that he needed to be punished so other ghosting men would watch their backs or something. Sometimes witch hunts just happen because they’re fun for everyone but the alleged witch.

Even if they’d still made the same videos and comments, and even if they’d still been public, this wouldn’t have happened if the collective internet wasn’t so enthralled with ‘making examples’ out of total strangers in order to showcase how the anonymous hivemind, the social media panopticon, is always watching, always waiting for missteps so it can punish. Aberrations from the norm will not be tolerated. It took collaborative internet sleuthing to find this guy off the incredibly limited description ‘West Elm Caleb’, which only says that his name is Caleb and he lives in West Elm, but by golly did TikTok manage to do it. His internet footprint wasn’t anything special or distinctive, but it was enough to make his life scary for a few weeks until everyone lost interest again.

Social media is always watching, and even if they’re not, so much of you can be saved and then looked at later for review that they may as well be.

The Content Machine

Back to Spotify! As I said, TikTok is what turned this ability to see what playlists your songs have been used in into a problem. You can’t stop posting on any service using an algorithm, because that would make you a bad content creator, and bad content creators don’t get any favor with the algorithm even if said ‘bad’ creator is well-liked – just not constantly producing. Indie bands and music artists struggle more than most to get people to give their stuff a listen, and so they resort to producing content the algorithm will like just so they have a consistent content schedule and have a better shot at being seen – and then listened to.

A few musicians on TikTok realized that Spotify could be used for that easy schedulable content, and started doing that. At first, the videos were simply showing funny or potentially worrying playlist titles, sort of a wink and a nudge that the song was sad and putting it in ‘sad songs to listen to when you remember her’ might warrant that person seeking out actual help instead of just making a playlist about it.

And then I saw this one.

Always Watching and Scrutinizing

The text over the video at the start reads “Looking at the playlists y’all put my songs on until I find ones that isn’t made by a self proclaimed real life supervillain ( teenager who sometimes does a little pose in the mirror and pretends they are evil)” . The caption reads “YOU HAVE NEVER HAD A UNIQUE EXPERIENCE I SEE YOU ALL”. This post is about their song ‘Bad Luck!’.

Is this not completely bizarre? Even your playlist titles need to be ready-to-view and socially acceptable because an artist in the playlist might ‘call you out’ on it if you’re not unique enough, if you’re being too edgy, or if you’re otherwise being ‘cringe’. You thought that title was for you and your music sorting purposes? Think again, he can see it, and he’ll post about it online!

But it doesn’t matter if he thinks it’s cringe because it’s not for him. The playlist titles cater to the taste of the playlist creator, not him. He just happens to be able to see it, and as both a social media content creator and an eye of the panopticon, he must make an observation about it, consume it and synthesize an opinion and then give the opinion to other eyes, his TikTok following, so more consumption and opinion synthesis can be produced to fuel the algorithm and the machine behind that.

The Other Part of It

Besides that – which really is enough to end the argument by itself – if he’s going to make a video noting that a bunch of people who listened to his song put it in a themed playlist for when they want to listen to music and imagine a theme to go with it, why not… just admit that that’s the song he wrote? That the song ultimately fits the supervillain theme, instead of calling the listeners unoriginal? Even if they got the idea from each other, not all of those playlists are the same. The kids listening all have different ideas of what this playlist should be, otherwise they’d be passing around one playlist titled Supervillain Arc (because Spotify allows you to search for public playlists by name), not each making their own.

While some songs get added to playlists because the listener only heard a snip of it off TikTok and misinterpreted the song (hello Strawberry Blond by Mitski), at this point, the number of streams (which you can see in the video) should tell him that it hasn’t been removed from the supervillain playlists for a reason. Spotify playlist titles aren’t for the artists, they’re for the creator of the playlist, right? So their perception that this song belongs there, in their cringey uncool posing-in-the-mirror supervillain X3 playlist, is their call. Not the artist’s.

As a side note, it’s also not fair to dunk on kids and teens for having questionable taste in music, music mixes, and playlist titles – especially since they often end up being right about what’s actually groundbreaking and cool and history-making. Little Richard, The Beatles, the Rolling Stones, Elvis, more modern groups like Metallica, or even more modern groups like MCR and Paramore have had majority teen audiences in their time. Every time, the critics have had to begrudgingly admit that the teens were right and this phenomenon is actually cool, only to have to re-learn this lesson the next time something cool came around. Having a teen audience is a fine sign you’re writing something good – why be annoyed by it?

Does Digital Content Have to Be Made Scarce?

Elizabeth Technology September 8, 2022


The ever-unpopular NFT is a fantastic example of artificial scarcity, and how creating it can be actively harmful. An NFT, or non-fungible token, can be many things as long as it’s non-fungible and also a token. However, the first people to capitalize on the concept ended up creating hundreds of copycats, and what those trendsetters made was profile pictures. Big names in the NFT market create pictures of monkeys and lions with swappable accessories and attach them to a blockchain token, thus making them ‘rare’ and ‘expensive’. Nobody else is allowed to buy the exact orientation of accessories you have on your lion until you decide to sell (in theory – this article isn’t about security or the ethics of just making an identical image on a different token).

However, once you start analyzing this beyond a cursory glance, things start to fall apart.

Firstly, maintaining a social media presence and building hype for a project is more important than the project itself – better art and better ideas fall to the wayside of Bored Apes and Lions, who won the most followers with an ugly but mass-marketable artstyle that’s easily recognized and easily used as profile pics. Leagues of people buy tokens that become worthless once the project creators abandon the project, so buying from new people who don’t have hype and internet fame is riskier than sticking to who’s already known and who wouldn’t be able to disappear (the Bored Apes guys’ names are known).

Secondly, people aren’t in it because they love the art, they’re in it because it’s a business scheme. This was deliberate. The art is often, to describe it charitably, maximalist, not something you’d dump thousands of dollars into unless you thought you could sell it for thousands more.

Thirdly, the blockchain can’t store the entire image in high quality within it, so instead it sort of just acts as a link to a viewing platform. If the viewing platform goes down, so does the NFT. The actual image is usually just a PNG, so when someone saves it as a Twitter avatar, anybody else can come right-click and save the image, and there’s nothing the NFT owner can do to stop them. One party has slightly more rights to use the image for profit (NFT ownership often comes with the creators willing to overlook minor copyright violations because it means free advertising, but this is also a downside because nobody really knows how much freedom they have if it’s not laid out explicitly) but both can look at it, save it, use it non-commercially, etc.

Fourthly, NFTs are not great for the environment – creating a blockchain for a token requires a lot of computing power, and a lot of computing power means a lot of energy consumption. The ones that don’t aren’t really blockchain, and while that doesn’t matter in any sort of real way when it comes to the art (realistically, someone could just write the names of the buyers in a physical notebook and achieve the same “unhackable” record of ownership, although it wouldn’t update without notifying the notebook holder of a sale), it matters to the people buying, who are often targeted because they don’t fully understand what it is they own.

Every aspect of this suuuucks. It’s artificial scarcity in its purest form.


Flexplay is a close contender for ‘worst idea to make media scarce’. We do have a more in depth article of it, too, if you want to read more about it HERE. Essentially, media during this time period was mostly restricted by play protection on the discs, as well as the existence and quantity of the discs available for purchase. There were a finite number of discs of any particular movie, but those discs could be played effectively infinitely so long as they were stored properly. VHSs were on their way out, so they were often cheap as dirt; DVDs and Blu-Ray, the discs of the future, could cost 20$ for a new movie. Box sets were comically expensive. Movies were popular and plentiful, and rentals filled a valuable niche for content that wasn’t great but wasn’t awful. Buy the movies you loved – rent everything else.

Flexplay popped up in a time where people were shifting more and more towards convenience at the expense of experience. Blockbusters were facing competition from Netflix (which was sending subscribers DVDs through the mail), Gamefly (which did that but for games), Redbox (an automated kiosk for renting discs hassle-free), the internet (although by downloads and not streaming), and a number of startups. People didn’t want to rent something and then drive back to drop it off in two days’ time anymore if they could just get a letter in the mail, or get it from a box in front of the grocery store, and drop it right back off in the same place they picked it up. Flexplay wanted to capitalize on this.

Essentially, Flexplay’s premise was that it would allow people to rent a DVD without having to return it from where it came, something none of the other services could do. The disc, made of a special plastic, would begin to react once the packaging was opened and the disc was exposed to air, changing color until a DVD reader would no longer be able to read it. This would allow people to ‘rent’ the content for a price higher than a regular rental, but they wouldn’t have to return the disc anywhere once they were done with it. They could just throw it away and buy another Flexplay disc.

There are plenty of problems with this. Flexplay lead their sales pitch with the disposability of the discs, but people were beginning to realize the full impact of plastic pollution post Al Gore and mid-internet, so they had to pull back once they realized that was bad marketing. But how? The plastic wasn’t the kind you could put in regular bottle recycling, and the disc’s appeal was entirely in that you didn’t have to drive back to the place you got the disc from, so bringing it to a special recycling facility wasn’t the part they wanted to advertise. It was more expensive than Redbox and Netflix by a couple dollars to boot.

Thankfully, the reusable discs that were already in circulation won out big time before Netflix went to streaming and crushed a lot of the competition. Redbox still exists, too – the content doesn’t need to self destruct (or even be returned, really) for the company to make a profit off it. But that’s rentals, not unlimited forever-streaming or owning the disc.

Password Sharing

Speaking of which, Netflix!

Now that media can’t be restricted by the medium it’s in, how do you make money off of it? Netflix’s subscriber-based streaming service was a great deal for consumers, but it has almost always lost Netflix money. When Netflix began to stabilize, it started spending even more money on bigger and bigger projects, pulling people in with dramatic effects rivalling blockbuster movies. Content flowed freely, and money went out as soon as it went in.

But growth can’t be infinite if there aren’t infinite eyes to watch infinite shows. Now, Netflix is trying desperately to trim off programs to survive a recent downturn (as of 2022) but in the process it’s cut a ton of good media (and all of its animated series that were in development) in order to preserve a couple of backbone projects. This is not much different from what Netflix has historically done, unfortunately, and it may not save them. Showrunners and the people putting together a series get an upgraded contract of sorts after their second season, so Netflix almost always cuts the third season of a show unless it’s a wild success like Stranger Things. If you felt like Netflix was kneecapping shows right as they got good, you weren’t imagining it. They were churning through content to boast how big their library was, even if a huge chunk of it was unfinished. That worked great when trying to get people to cut cable by showing they’d still have plenty to watch if they switched, but now that everyone’s got a streaming service, it’s no longer a viable marketing technique. What is Netflix to do? It literally cannot continue to cut. But it can’t continue to produce when watchers are hesitant to get into a show that might not make it more than two seasons – they’ve been burnt too many times before.

They are having to come up with a way to make what they already have seen more desirable while also creating scarcity so they can actually make money. Everyone has a streaming service now, and what Netflix specifically has is no longer special, and their library, as mentioned before, is not better than Paramount’s or Disney’s. The ads announcement didn’t go well, because it’s totally opposed to what Netflix’s whole thing was, and the password crackdown announcement went even worse.

Pushing scarcity of access is the only real way to create scarce digital media, but as Netflix has shown, if you don’t do it right, you can tank your business – and people will pirate. The content itself is not actually ‘scarce’. Consumers won’t tolerate it.

HBO’s recent blunder of deleting a ton of animated content off it’s platform has lost it 20 billion dollars in market cap, and it’s as of yet unclear if it will fully recover (as of late August 2022).

The Overall Scene

Digital content can be replicated near-infinitely given the proper formatting and computing resources. In a world ever-more eager to pirate, from fashion companies stealing indie designs and prints to websites dedicated almost entirely to streaming TV shows illegitimately, what can creators do to ensure they still make profit on their product, or at least break even?

The answer lies somewhere in the middle of all of these problems. Netflix’s subscription model works great for shows but not so great for images; the NFT solution to infinitely replicable, high-quality images leaves something to be desired on almost every front, including illegitimately using indie artists’ work and prints, again. And it doesn’t work for streamed content.

Navigating this tricky future is going to require a focus on equity for the little guys, because if it doesn’t, they’ll be chased out by pirates.

“NPC Interactions” and the Death Of Social Cues

Elizabeth Technology September 6, 2022

What is An NPC?

NPCs, or non-playable characters, are side characters in video games. When people talk about NPCs, they normally mean characters like shopkeepers, the characters you (as your playable character) will interact with but not necessarily ever fight. While villains and killable enemies are also technically NPCs, they’re often just called villains or enemies, or sometimes mobs. NPCs come in many shades of complexity, from simple background character types with only one or two lines, to fully developed and complicated side characters who follow you throughout the entire game. NPCs are, by definition, part of a game – tabletop, electric or otherwise. You can’t have NPCs in a TV show because you can’t ‘play’ in the show, so they’re just characters. Interactable content defines the NPC. While a main character exists in every story, NPCs don’t.

Some NPCs are notably less lifelike than others, though. The lifelikeness of an NPC depends almost entirely on their scripting. For example, the video game Skyrim is famous for its town guard NPCs! The NPC guards in Skyrim never recognize you as anything but some random civilian even after you start accomplishing wild things in the game, like becoming the head of a college or essentially the mayor of their town, or slaying multiple dragons. The scripting leads to these NPCs acting completely detached from reality, just running through the motions of their programming as you run around kicking butt and taking names.

This Doesn’t Apply To Real Life

NPCs live boring lives, maybe. Many times, they live in relation to you. In some games, they only exist to serve you – to go back to Skyrim, shopkeeps will literally bankrupt themselves to buy useless junk from you, because the scripting of the game demands it. You are the main character, and the town’s economy does not factor into your gameplay because that’s not something you are concerned with. The game won’t punish you for draining their account, and it won’t give you bonuses for ethical business practices.

The main character has privileges none of the other characters do. The main character does what they want, when they want, picking good or evil, killing or sparing enemies, choosing what upgrades to buy, resolving decades-long feuds and curing blight wherever they go. In romance fictions, the main character is the love of someone’s life the second they see them; in YA books, the main character has some special trait nobody else does that allows them to break free of a tyrannical government. Even in stories grounded in reality, the main character is special because the main character is the character that you’re watching change. It’s a creation. A literary tool. The Protagonist.

Real life is not like this, of course. People are not ‘created’ the way that main characters are. Each individual has their own stories, their own histories, their own past, present, and future. To each individual person, they are their own main character – they experience their own consciousness and nobody else’s. Everyone is the main character. Therefore, nobody is the main character.

And Then Social Media Happened

Even before social media, some people wanted to be the cool guy right in the middle of everything. They want to be a main character in a book, where everything happening around them advances their story and somehow relates to them. If they wanted it obsessively, if they put looking cool before doing cool things, and they didn’t have talent or energy to back it up, they’d be pushed to snap out of it or drive people away. After all, if a friend is treating you like an accessory instead of an equal, you’d probably be hesitant to keep being friends, right?

The rise of social media encourages that narcissistic attitude and allows them to control the way strangers look at them. Most influencers are writing a dramatized story about themselves as the main character online, and the main character they’re writing does cool things like getting ice cream at midnight or running off into the ocean at sunset. Even when those folks don’t have a gigantic following, the ability to shape ‘reality’ to your own main-characterhood is addicting. They write the fiction of themselves where the world works as they demand it to.

An entire industry has popped up to support this. There are places where you spend money to take pictures within pre-made sets, so you, the main character of your social media, can write the next chapter where you’re briefly a model, or quirkily laying in a bathtub full of plastic ballpit balls. Fake private jet sets allow anyone with 50$ to pretend they’re rich and famous enough online to afford to charter one. Food that looks better than it tastes fetches a price tag worthy of the likes it’ll get.

It got slightly worse with TikTok.

 An audio clip of a woman saying “You have got to make yourself the main character” circulated all over TikTok in its first year in the US, a push for people to start taking control of their own lives and do the things they see the main characters of movies doing.  The thought behind the audio wasn’t bad by itself, just encouraging people to go do fun stuff and not worry so much about what strangers will think, but it was easy to misinterpret: ‘become the main character of other people’s lives too’, or ‘treat your life like a movie or video game in which you’re the main character’, or ‘do things that you don’t want to because only the main character would do that, so you have to’.

Thus, ‘main character’-ism became about becoming a viewable spectacle for others online, a magnification of everything already happening on Instagram. Dress in expensive, uncomfortable clothes, wait for thirty minutes in a line to go running down a pier so your friend can catch a 45-second video of it, do dances in extremely public places but only for your phone, etc. Become consumed by what other people think of you, whether you’re unique enough, whether you have a following or not, whether you’re trendy and chic enough to be the main character. The fictionalized version of a life overtook the importance of the real life underneath it for some because the social media machine rewarded it.

“NPC Moment”

Similarly, embracing this alternate definition of ‘main character’ resulted in a bizarre sort of depersonalization with other people who are, in this framework, ‘NPCs’.

For example: sometimes people are on autopilot in public. They’ll accidentally dump their keys into the trash along with their coffee cup, they’ll just stare out the window on the subway, they’ll eat their sandwich on a park bench and then accidentally try to eat the wrapper too. We didn’t see these moments online because they’re ordinary. Most people have moments like this.

But, between the constant demands of a content machine looking for new material, and a push for everyone to become the main character, these little moments where someone is just existing in public and not actively curating other people’s vision of them are getting posted online and labeled NPC moments, because obviously main characters don’t just exist, they’re made. Anyone not acting like they were made is an afterthought to some imaginary author writing a social media influencer’s story, people sprinkled around the park or pier because it would look weird if it were empty, not because they’re simply existing in the space.

In Comparison to NPCs…?

And then this lead to a worse trend!

Filming people in public just trying to go about their day while the filmer does something bizarre to ‘prove’ that other people are NPCs is a truly weird, dehumanizing trend on TikTok that is thankfully considered pretty cringe by everyone else, even on social media.

For example, this guy, Big C the Don. The vast majority of this guy’s videos follow the same premise: https://www.tiktok.com/@bigcthedon (link leads off-site) where he’s just kind of rambling generic fantasy-genre nonsense wherever he is, usually in places where it’s clear people are ignoring him instead of ‘not hearing’ him, like elevators. Maybe the reason nobody reacts when he starts monologuing in the elevator is because they’re worried he can no longer distinguish reality and fantasy, not because they weren’t ‘programmed’ to respond or because they’re choosing not to have fun. That is a textbook psychotic break. Interacting with someone who’s having one when you aren’t trained in conflict de-escalation could end badly, especially since guns are so common in the US. Nobody wants to get shot, or hit, or screamed at until the next floor, so everyone looks away to avoid potential conflict. The formatting of the videos is weird too, if somebody did want to interact with him, he doesn’t give them an opening to do so, he just keeps talking. Other people are politely ignoring him, and as a result he’s not having to check his behavior. He is his own main character. Maybe he thinks he’s disrupting the Matrix by making the morning weird for a bunch of people instead of just screaming in an elevator, it’s hard to tell. Either way, people have interacted with it online, so he may as well have won.

Meanwhile, this other guy, SideQuestz, is at least allowing the other side to talk, and most of his videos take place outside where people can leave if they don’t like being in his bit (link leads off-site): https://www.tiktok.com/@sidequestz?lang=en . This guy crosses a line a couple of times too, but he’s aware other people aren’t reacting because he’s dressed in a cheap wizard suit in the middle of the day on a public sidewalk and not because they’re ‘not main characters’. Notably, the second guy calls the other humans in his video ‘people’ or ‘strangers’ instead of NPCs, giving them some level of personal autonomy and humanity.