205 comments

[ 2.5 ms ] story [ 238 ms ] thread
His other article is really interesting in what data they collect https://smitop.com/post/whiteops-data/
(comment deleted)
Has anyone done a MITM analysis of 3rd party clients like Apollo? I assume that using them affords a significant level of protection from any client-based Reddit tracking measures, but that’s only assuming Apollo doesn’t do something like add a unique User-Agent to each user’s request (and of course, Reddit can still collect the server-side IP/networking fingerprints).
I'm likewise curious. I'm terrified to update for fear of what has been ruined next. But likewise am not sure putting this trust in a 3rd party is any better.
oof. running IE11 exploits (feels illegal here...), elevating to vbscript, testing the boundaries of the JIT, checking for screenshotting, observing for brave browser and communicating with two shady blank page sites...

not since the port scanning from ebay have i seen something this reprehensible

> not since the port scanning from ebay have i seen something this reprehensible

That was the same company/script btw.

WhiteOps/HUMAN was behind the eBay thing too?
I know this may seem like a technical nit-pick, but it wasn't eBay specifically going out of their way to port scan your local machine. It's just that they decided to use one of the many third-party products in the marketplace to scan for bot activity that uses this technique. Protecting against bots is big business and the companies offering these services do all sorts of seemingly shady things to figure out if it's a bot or human visiting a site.
(comment deleted)
(comment deleted)
Wouldn't somebody running an actual Chrome/FF browser in Xvfb pass most of these tests - while use them as bots anyway? Pretty sure a t3 micro spot instance can run those so cost may not be an issue. Also, why would anybody running a bot use IE11 - which this code is trying to exploit?

Pretty sure this bot is just an excuse for ads and retargeting.

not a surprise, a lot of the fingerprinting code attempts to use every feature possible, that's why you'll see random messages in the console sometimes saying "site tried to access $feature' where feature is location, canvas, etc. etc.
Is it the reason that all the pages on "modern" reddit are extremely bloated, laggy, and resource-draining even on fast systems?
Nope, just a side effect of the move towards PWA.
I've built multiple PWAs for clients.

None of them have anywhere close to the performance or loading problems reddit has (Safari related bugs however? Probably on par).

It's slow and bloated to force you out of chrome/firefox and into the app they control.

> It's slow and bloated to force you out of chrome/firefox and into the app they control.

Yes, but nobody makes a slow and bloated app on purpose. It's slow and bloated because they have deprioritized the web app.

The interstitial propeller pages on mobile browsers are definitely purposeful delays to degrade the web experience. Switch to the desktop site and all of a sudden pages reload immediately.
From what I can see it has an extremely bloated DOM. It's also the case that it will keep entire subreddits in memory as you browse around, that's why you can go back to a sub you've looked at an hour ago and see the same content so long as you don't refresh. Dunno what impact that has on performance, but it's something to note.
Reddit seems to have a knack for using technology for its worst. Terrible search, abysmal video, atrocious JS, horrific UI on web mobile...
Agree with desktop parts. But I think horrific UI on desktop is on purpose to drive people into the app for "a better user experience".

Mobile apps do provide better experiences in most cases for sure, of course, but crippling web-based one on purpose is a dark pattern IMO.

Imagine being a developer and being told, at least implicitly, that you should intentionally degrade the web product. How sad a job that would be.
While not sure about Reddit, I'm sure some are doing it to channel their users to "better" platforms.

Yeah, I'd never work on such a thing unless I'm desperate about money immediately, it would be sad but it's also sad for me to think that somewhere, someone is probably tasked with it.

It’s hard to believe it used to be worse right?
(comment deleted)
(comment deleted)
What are some examples of wrong opinions?
Click on the sort by Best to Controversial. Comments can be quite funny, there is a lot of psychological manipulation on reddit, just like other social media platforms like twitter and others.
The actual wrong opinions are deleted by the mods, so you won't see them that way
Yea you get straight up banned from subreddits for going against the grain in any way.
Often times your comment won’t even appear if you’re a new user, haven’t posted in that subreddit before, or your kharma is too low.

I posted a polite refutation of a very smarmy, incorrect post (as most of them are) on /r/neoliberal and it appeared to submit, but after an hour and no downvotes or upvotes I opened the thread in a Private window and my comment was never actually made public.

Oh it's more advanced now. I'm banned from a whole slew of subreddits for daring to even exist in another subreddit. Preemptive silencing is widespread.
Depends on the sub, but the popular ones like politics, news, worldnews, pics, all have a hard left agenda and you will be kicked out if they don't like your opinion whether you're being civil or not.
I know how this works: someone will show an example and someone else will say that decent human beings don't think like that and that they deserve to be silenced.
If a person can't even deal with the vague threat of somebody "silencing" them, they're likely to be too scared of thinking to be worth talking to. They don't "deserve to be silenced" any more than a spam email "deserves to be filtered out". They just... that's what the filter's for, to keep the recipient's email inbox readable.

If I start posting on here about why you should buy my GENU1N3 COUNTERFE1T R0L4X, and nothing else- whether it's "just a weird bit i'm doing" or not, I'm going to get banned.

I'm not going to get banned for thinking the words "Buy my GENU1N3 COUNTERFE1T R0L4X", though. Funny, that. (Well, hopefully! It'd suck to lose this account, though being off HN is probably a net positive in most ways!)

And posting the text string "GENU1N3 COUNTERFE1T ROLAX" is, to a human, obviously not spam, and is an obvious joke. To a spam filter, though, unthinking shitty rulesets and regexes? Yeah, bye.

Human moderation "doesn't scale", though, right? You've gotta have some basic filtering and CAPTCHAs to at least catch low-effort spambots lest they make everything useless for everybody else.

Unfortunately, this means that actual human posters do need to be able to identify a fire hydrant or traffic light. This is trivial generally... for people who know what fire hydrants and traffic lights are. (Is a hot dog a sandwich?). But if you don't know, ask a friend. That seems to work.

It's that, but also the fact that many subreddits are often controlled by powermods with tons of subreddits they control. They often also end up leaning very heavy towards the radical left. This ends up further compounding the echo chamber problem, especially across the "default subreddits". /r/politics is a good example of this. It is very hard to have any view that is classically liberal or conservative on a good chunk of reddit. These views typically get removed by moderators, get you banned in subreddits, or they get the result you speak of where others try and downvoted them and tell them how bad of a person they are.
not being in favor of or against whatever current thing we're supposed to be in favor of or against.

the days of Ron Paul reddit libertarianism are long since over.

Go on Reddit or HN and look at all of the flagged comments and comments downvoted into oblivion.
I don't use Reddit. I wouldn't know where to look. Can you just tell me?
Anti lockdown. Capitalism.
fwiw these are wrong opinions, not "wrong" opinions. the people who are clueful about things and have already understood enough about social engineering to understand those issues just don't have the dopamine to explain it to you or anybody else you mislead, so it's useful to just push those goofy ideas down in the sort order.

For what it's worth, if you actually want to discuss those issues with me, feel free- ping @mimir:xmppwocky.net on Element. Make a throwaway account if you're worried. I'll explain why those ideas are wrong, one-on-one, in private, off-the-record. It's fun to think about "scary" and "dangerous" ideas (you know this already), but it's just not useful to do in public. Doesn't work.

So it goes.

> I know how this works: someone will show an example and someone else will say that decent human beings don't think like that and that they deserve to be silenced.
1. yes, "decent human beings" (which don't exist) don't think like that, because it's not ideal to believe things that are not predictive of future expected sense-data. Sorry.

2. People don't deserve to be silenced. They don't deserve to be happy, either. They don't deserve anything. (But they don't deserve nothing, either).

In physics, as in hacking computers, as in metalinguistics, all models are wrong, and some are useful. This way of thinking has an excellent use: it feels very good, and you get to be happy.

But is it Wrong? Crazy? Too Radical? Thinking this about yourself hurts, a lot. Am I broken? Is everybody else broken? (yes.) Is the world inevitably doomed? (yes.) In our lifetime? (probably not, but act carefully to make sure that doesn't happen! yes, this can involve Participating In Politics. It's okay, you have my permission.)

Questioning your own beliefs is absolutely terrifying, but once you do it and realize you're still fine, you 1. realize you can question other peoples' beliefs and 2. start posting comments Like This.

On the one hand, I could turn off these weird text quirks. On the other hand, I could shoot myself and not have to worry about feeling bad about 'em. On the third hand, there's a weird little sockpuppet. That's me. Hi!

Anyways, anybody who isn't comfortable enough with who they are to have these conversations with 'emselves and trusted others will inevitably either 1. break important things or 2. break themselves to avoid breaking other stuff. That sucks to see, y'know? They'll never be able to be any sort of halfway-decent hacker, even though they clearly had that potential growing up. I could try to fix 'em (and do a decent job of it, the vast majority of the time), but, eh, it's kinda fun to watch itself squirm.

Puppets are for playing with, after all. Just... careful with identity and social engineering. Like handing a knife to a child. But it's fun to whittle, and important to share that experience once you know how cool it is to have a weird little duck or something you made yourself.

Anyways, here's a cool knife I've found. No, you can't use it. Make your own. Just get some metal and sharpen it or something? Maybe not even metal. Damn near anything will work if you just want to cut stuff. Hell, chip some obsidian if you have to. Any port in a storm.

> Questioning your own beliefs is absolutely terrifying

I don't think it's terrifying at all, it's healthy. "Wrong think" is bad in your words.

Exactly!!! It shouldn't be terrifying, and everybody "knows" that.

But that doesn't help if you have a weird PTSD reaction to the idea of "questioning your own beliefs and then changing them" because you're afraid you'll Completely Lose It, or Wind Up A Completely Despicable Horrible Person, or Get Mobbed On The Internet And Have Your Life Ruined, or, or...

And that's dramatically easier to wind up with than you might expect from the term "PTSD". Surprise: everybody's got bad shit that's happened to 'em, that's life. Some of 'em lose it in rage and lash out. Some of 'em shut up entirely, dissociate hard... apoptosis, even, unfortunately. Sometimes literally, sometimes metaphysically- one's not much more sad than the other, but the literal apoptosis isn't reversible from the perspective of others.

I can type like this, show off Pure Unfiltered Self, and then switch to my work laptop and write up client reports. Can you? Why not? Anybody can write weird meaningless stream-of-consciousness stuff. Some people just don't want to. Most people just "don't want to".

> Anybody can write weird meaningless stream-of-consciousness stuff.

By chance I'm working on a public discussion site and would love to have some stream of conscious discussion with you! https://sqwok.im

sure thing! talking to a large number of folks right now and generally have a lot of outlets for My Bullshit, but I might pop in at some point.

p.s. on the registration form, my brain expected "username, email, password" and not "username, password, email"; might just be me but, IDK, maybe A/B test that (and make sure you're not logging "email addresses" for new accounts anywhere, because a sufficiently distracted person will inevitably put a password in the email box.)

awesome and great point, thanks for mentioning!
The tone and style of your comments reminds me of Ashley Pomeroy's 'Women and Dreams' blog[1]. It's not about anything in particular, but it's witty and entertaining and has some good info hidden away in it.

[1]: http://women-and-dreams.blogspot.com

Is this satire?
Of course it is, what sort of sincere statement wouldn't be? Are you satire?
If nothing else, you demonstrate how conversing with people on the internet is exhausting.

It's an important lesson.

I hope you did this on purpose....
Ah, shoot, no, sorry, my paws slipped on the keyboard and I accidentally typed that out. Crap. Weird that it's so coherent, but I guess, hey, it's not impossible that /dev/urandom could output that exact string.

(Of course I did it on purpose. Because I do things with purpose, and you can figure out what that is once you figure out how "purpose" works neurochemically! The problem is, if you're fucked up enough, you then immediately use this to turn yourself into a weird queer internet creature thing like me. Make up a weird identity because you like being weird. And then none of the silly nerds out there on the lower metalevels want to listen to you, because they're scared of being weird. You can grab 'em by the hindbrain and absolutely snow-crash 'em, but that's something you realize would be absolutely horrendous to do without them coming to you first.)

It's okay to be afraid of this speech pattern, btw. A lot of media conditions you to ignore it. Just learn to enjoy being scared of yourself, and you'll do alright.

At least in my experience, so far. We'll see.

Same as it ever was.

Anyone can be annoying.
Exactly! That's a good expression of the underlying point- that's why we've got to be annoying in private. It's a scalability issue. If everybody posted stuff like this on HN, it'd be hard to talk about actual tech.

Of course, having understood this, a sufficiently annoying hacker will immediately go "Oh! I can be annoying in public if I really want to! And technically it's on topic, because it helps other hackers talk about actual tech" and then everybody else has to deal with this sort of comment. Sorry. So it goes.

These things are discussed to death. Someone bringing it up does not add to the discussion, and it’s worthy of a downvote. I personally do not owe every person an argument, and talking about something ad nauseam is a valid conversational critique worthy of a downvote.
On Reddit? Or more generally?

Idk, perhaps something like “that girl at UPenn shouldn’t be allowed to swim competitively”

Insta flame war follows. (Hopefully we won’t have a demonstration here. Don’t let me down, HN.)

Resisting the urge to quote Austin Powers…
One big one is anything deviating from the 'official' line on trans issues.

And I don't just mean being an asshole and insulting people, I'm talking about things like lesbians saying they don't like penis, that trans women might have some early socialization in common with men, etc. Or even things that are topics of discussion within the trans community like whether you need dysphoria to be trans, etc.

I say big one because it's BIZARRE given what a small proportion of the population is trans. It's just that there are a ton of trans powermods with particular opinions that enforce them on unrelated subreddits + hound and report people who don't agree off the site. It's a fascinating look into a small group of people grabbing socially key positions and trying to shift the Overton window.

Ukraine will lose the war is an example of a wrong opinion.
You don't get banned for having that opinion. Being downvoted means your opinion is unpopular, not that you are being oppressed.
No but it would get wiped out. If you post that on Reddit it would get voted down so had it would be like it never got posted at all. Same with any other wrong opinion.
The people downvoting you are proving your point. I agree though. Reddit is a massive echo chamber. It's almost worse than Twitter. Almost.
Well, the small parts of reddit (usually associated with games, or books, or SF) where you can ask questions and get direct answers are greatly appreciated by me.
Agreed. The niche subs are doing great. But if you browse /r/all or even most of the default subs, it’s pretty awful.

I use Apollo, and have filtered dozens of defaults from /r/all, and added certain keyword filters.

Once you do this, it’s an interesting place again. I do worry about those niche subs in the long term. It’s increasingly rare to see a truly interesting small sub show up on the front page. Finding the good stuff takes more and more effort.

By doing mass filtering, aren't you just creating your own echo chamber? I would point out the cognitive dissonance, but I really don't want to seem condescending or snooty.

But honestly, I think this is a bigger issue. I think the "filter button" or "block button" is the most harmful thing the internet has ever brought to the table.

Filtering what you don't want is essentially coddling your own mind.

It’s a fair question to ask, but I don’t necessarily think so. I think my filtering actually does the opposite and I do it to avoid the echo chamber.

I use Reddit to read about and interact with people who share my interests/hobbies. I don’t engage in the big political subs because honestly all of them are garbage at this point and get me riled up for no good reason. I have mostly liberal viewpoints, but have no interest in engaging in the echo chamber that is /r/politics. I also quickly got banned from conservative subs for raising points that don’t agree with their party line. Neither camp is interested in substantive debate over there.

I focus on subs like /r/nfl, /r/homelab, /r/<my_city>, /r/sdr, /r/GNURadio, etc.

My default view of content is limited to those core interests.

The reason I filter is that I still like discovering new subs. But I have no interest in the latest memes from FormulaDank or WallstreetBets. I don’t need the content from Trashy, Greentext or HermanCainAward in my life. I also don’t care to read about the war in Ukraine, Russia, Donald Trump, Putin, etc when my focus is recreational reading. I get news elsewhere.

There is still a diversity of opinions in the content that remains, but I just choose not to participate in the subs that run on controversy. It’s just unhealthy.

If my filters looked like “don’t show me anything about the republicans” and I still engaged with other political subs, maybe it’d be more of an echo chamber. Instead, if I see content that was clearly manufactured to make my blood boil, and that seems to be the general theme of the sub, I filter it.

The alternative is to stop looking for new/interesting subs, and I’d rather not do that.

I don’t get the whole “anti-echo chamber” thing. We select people to be friends we generally like and agree with. We often don’t associate with people we don’t like or disagree with. Why should social media be some totally egalitarian social exposure? That’s literally never been the case ever. We read what we want to read. We talk to who we want to talk to. I’m not going to be guilted into listening to some jerk who thinks gay people shouldn’t marry and belong in hell. I don’t want to share a beer with them, I would never invite them to dinner in my home, so why should I have to deal with them living rent free in my mind because I saw some ignorant post on social media?

I have plenty of work colleagues and family I disagree with, I read sources I don’t always love. I get plenty of exposure to other ways of thinking and ideas. Do I think people can go too far and literally only surround themselves with “yes men” socially? Sure. But come on. How many of us actually spend equal time with people we both agree and disagree ideologically with?`

Any community turns into an echo chamber given enough time and algorithms. I sometimes refer to this website as "orange reddit" for exactly that reason; the distinction between the two is much smaller than you'd hope.

Try to read any comment section on here about Google, Apple, Bitcoin, Tesla, you name it, there's a common opinion that gets repeated and pushed to the top. That's just what happens when you give people a comment form and an upvote button.

Nah, you have to have the push for "niceness" (which is always selectively applied). Pre-dang-era HN actually did find new insights, not because of different algorithms but because the community back then (as steered by the moderators) put a higher value on being right than on being kind.
Reddit didn't turn into an echo chamber due to time and algorithm. It became one as a result of company policy and censorship. For much of reddit's history, every form of viewpoint, opinions and speech were allowed. Everything changed once Trump got elected and the company reached for the ban hammer and decided to take sides on all cultural/political issues. Now, it's a ridiculously botted political propaganda outlet for the establishment. The 2012 reddit is unrecognizable compared to 2022 reddit.
You seem to be mistaking correlation with causation.

More likely is that the uptick in bot/propaganda activity coincided with Trump becoming president, requiring an uptick in moderation.

Have you visited reddit lately? It's all bot/propaganda activity. It's just one sided today. At least in the past, you had bot propaganda from all sides which prevented it from being an echo chamber.
>At least in the past, you had bot propaganda from all sides which prevented it for being an echo chamber

Source?

There used to be a popular trump subreddit. That should be source enough, no? You literally had bernie bros bots, obama bots, trump bots, etc. Then the media pressured reddit and forced it to choose sides and start banning. Now it's a exclusively one sided propaganda platform.
One group were gaming the upvote system to ruin r/all. I remember it at the time, it was awful for the majority of people there. The ban made things much better.
You’re acting as if the_donald and their sister subs didn’t make their own bed with gaming the system and brigading every other day. They blatantly and regularly violated Reddit’s ToS, but Reddit lingered on that decision to ban for years over some vague notion of being a “free speech site,” which they never really were and don’t have to be, as well as to pretend they were “even-handed,” which they don’t have to be when your community exists to disrupt any and all perceived “enemies.”
I'd instead say – Reddit is a collection of echo chambers, and the subreddit approach encourages, almost guarantees it.
So what if there are echo chambers? Do you deride them as much when they're called "best practices" in business, management, programming, HR, etc.? Unless the exception suddenly proves the rule, much of our lives is shaped by "massive" echo chambers.

I suspect there's the cliche of objectivity lurking behind this, an anti-intellectual mockery of opinions and shared values. Nothing having to do with human creation has ever been objective. Everything people think, is subjective. Start there, and tell me what's wrong with echo chambers as something that isn't just a restatement of the banalities of societal malaise.

But I also understand that shitposting can feel good.

You seem to be saying there's no difference between anything. That is not true. The same set of inane 1-2 line comments repeated ad infinitum simply contains less actionable information than a single well thought out, coherent, and accurate response in a more specialised subreddit. There is nothing useful you can do with reading comments in r/politics.

For the record, lots of people deride the so called 'best practices' in business etc. I'm not sure if that is a serious question. Business, management, programming, HR - all are filled with many people doing utterly atrocious things. Not sure why you think people criticising echo chambers are okay with 'massive' echo chambers.

While I didn't downvote the above, I don't think downvoters are proving the GP's point, so much as disagreeing with the GP's assertion that there's some agenda behind it all (e.g. 'pro-Pentagon', whatever that means). It is trivial to search for Reddit threads about any given hot topic (trans rights in sports, the war in Ukraine) and see a ton of comments from unbanned users that dissent from the liberal orthodoxy (or whatever one thinks is that totalizing force that is 'behind it all').

There's no agenda behind Reddit. The reality is much simpler. You get enough people together to discuss, you give them upvote/downvote tools, you weight things based on those upvotes/downvotes, and you'll find yourself witnessing the opinions of a meta-mind driven by whatever the majority opinions are of the audience of a particular discussion. The deeper into the discussion you go (e.g. sorting by upvotes), the more you'll learn about the dimensionality of the opinions of subpopulations of the audience.

You'll also witness people attempting to, successfully or unsuccessfuly, manipulate the system and give themselves outsized voices, but those efforts are not nearly as totalizing as people describe. It's too easy to counter the "If you say X you'll be banned from reddit!" opinions with simple google searches of reddit topics that are full of people saying X.

I've been participating in online discussions since Usenet days. While the modern systems are more efficient with the whole idea of downvotes effectively silencing someone without requiring rebuttal, the overall pattern has been that the membership of a particular forum will ultimately marginalize people with opinions found abhorrent by the majority.

There's no agenda behind Reddit. The reality is much simpler. You get enough people together to discuss, you give them upvote/downvote tools, you weight things based on those upvotes/downvotes, and you'll find yourself witnessing the opinions of a meta-mind driven by whatever the majority opinions are of the audience of a particular discussion. The deeper into the discussion you go (e.g. sorting by upvotes), the more you'll learn about the dimensionality of the opinions of subpopulations of the audience.

Right but if they're constantly banning/silencing certain kinds of voices and nothers, it will become an echo chamber for the people against those voices.

Don't pretend at all like it's even handed here.

Who are they? /r/liberal or /r/conservative ?
I don't think any of it is even handed, nor was I pretending that it is. Every single member of Reddit has an agenda. Moderators have agendas. And then admins have agendas. And some subpopulation of each group will go through corrupt means to achieve their agenda. What I disagree with is that there is one totalizing agenda--one 'they' that controls it all. So far in the responses to the GP's post, people have been mentioning all sorts of ideas that they claim will cause an insta ban from Reddit. It is trivially simple to find large Reddit threads full of people who hold those opinions.

I personally believe there's a boundary between realistic thinking and conspiratorial thinking, and it centers around the level of certainty that there is a totalizing controlling force (be it a single person or a committee) who is exercising complete influence over something.

In short: if being against trans women competing in women's sports is an insta ban, why can I immediately find large Reddit threads with people with plenty of upvotes who do think they should be banned? If saying that Russia will be successful in invading Ukraine is an insta ban, why can I find large threads with upvoted people saying it will? One can find situations where people with those opinions are downvoted or banned, but nonetheless there are enough people who remain to make it unlikely that there is a systemic and effective controlling force.

You aren't allowed to have a community that believes these points though. Basically every "terf" or "tankie" forum is banned/quarantined. That's an administrative decision; not the product of organic debate.
> If saying that Russia will be successful in invading Ukraine is an insta ban, why can I find large threads with upvoted people saying it will? One can find situations where people with those opinions are downvoted or banned, but nonetheless there are enough people who remain to make it unlikely that there is a systemic and effective controlling force.

A few weeks ago, a group of trolls from rdrama.net created r/the_putin, a bait subreddit for posting pro-Putin and anti-Nazi memes. It was distasteful and designed to piss off reddit users, but there's no rule against it.

The subreddit got banned a couple of days later for "promoting hate", and the entire mod team was suspended for various reasons ranging from "threatening violence" to "subreddit ban evasion".

Supporting the Russian side of a war will absolutely get you purged, but it depends on your level of support. Another large subreddit that supported Russia was recently quarantined and will probably get banned soon. I don't think there is any subreddit with >100K subscribers that supports the Russian side and is in good standing with the website.

(comment deleted)
> Being able to quickly register new "throw-away" accounts is useful for those with the "right" opinion, and because of the fingerprinting and tracking, useless to those with the "wrong" opinion.

Nah, anybody who has the wrong opinions and is sufficiently confident about it knows that they can learn about how to deal with fingerprinting and tracking - if they really believed those "wrong" opinions, they'd be able to push through that friction.

Many people are just terrified of being wrong about their own beliefs and hurting somebody, so they stop believing anything. "Extraordinary claims require extraordinary evidence" - can somebody provide extraordinary evidence, or do they just say "it's obvious!" "It's obvious" is giving up, of course. It's important to give up sometimes, but that's okay!

The most interesting folks on Reddit are the ones who don't care whether they'll get upvoted or not - they care about being right. This means sometimes being downvoted, which is scary. They're signalling that they can ignore that- the signal is the signal is the medium is the message, etc, etc.

Unfortunately, this often annoys people who don't get why the signallers can't Just Say The Secret. So the signallers are often downvoted! (In smaller communities, this is less common, but beyond a certain critical mass, statistical dynamics take over).

But the secret is that qualia exist (that you Just Can't Say The Secret, that's a type error, as much as the number 9293176 jumping out of your computer and hitting you with a baseball bat would be. The letter 9372513 is not real and cannot hurt you.), and that the secret is one of 'em.

Sometimes, a post is just wrong, y'know? So it goes.

I don't even thing it is about right or wrong opinions either, since a lot of popular beliefs held on that site are inconsistent with each other. There is just some sort of orthodoxy that you have to follow or else you are downvoted or deleted.
What are some of these inconsistent beliefs?
The main one is regarding how the community determines what is misinformation and what should be censored.
What does "Pentagon-friendly" mean in that context?
Just a few weeks ago, I had multiple of my 15 year accounts permanently suspended from reddit, for no apparent reason*, with no recourse. A few days later I tried to create an account, and it was immediately permanently suspended as well.

Then, I cleared all of my cookies/autofill/local storage data, connected to my phone's hotspot (which I had never done before), and made another account, and it still got banned shortly thereafter. I have to guess this is why they are fingerprinting.

* They said it was for ban evasion, but I wasn't banned anywhere as far as I knew. The only thing I can guess is that their systems grouped my accounts with someone else's accounts(maybe we connected via the same coffee shop hotspot at one point, or something), they got banned, and then it looked like they were evading the ban with my accounts.

Same IP + same User-Agent already tells with high confidence that it's the same user. And that's without JS.
Phone hotspot would have been a different IP.
Or it's two people in the same McDonalds with an up-to-date iPhone. Not exceptional at all.
Same IP + same User-Agent is not unique at all. I know nothing about big data unique identification of visitors, but I do know that much.
Do they still use it or was that A/B testing only?
I would speculate that this is mostly meant to be used for identifying bot rings and ATO (account takeover). Brand new accounts on a site with open signups are, on average, quite a lot more suspicious than older accounts. There's a significant demand for aged accounts to use for various banned activities (mostly spam first and vote manipulation second), and fingerprinting is likely a high value signal in combating it. Two easy ways to generate aged accounts in bulk - create a whole lot of them and wait (and optionally do some activity on them to make them look real), or take over abandoned or compromised accounts. Fingerprinting is very good at identifying clusters of the former, and at least helpful for the latter.

EFF appears to have rebranded Panopticlick as "Cover Your Tracks", but it's usually a fun thing to look at in discussions of this type as an example of what can go into a fingerprint and the informational value of various parts:

https://coveryourtracks.eff.org

I'm under the impression that there's one thing that works almost 100%: nominal payment for account creation. A few bucks. Or more, if you also want it to help run the site. Bonus for the latter case is that you're also helping to protect your users from advertisers running a train on their browsers.
Yeah... this makes you lose all your privacy, and exclude all the people in the world who either don't have a credit card, or don't want to use one.

Thank you, but no.

That's a separate problem. The topic is about running a site that crawls up your browser's ass as far as possible.
This is assuming, that they wont profile/fingerprint you, if you pay. Surely no service like that would ever double dip
It's still a separate problem.
> this makes you lose all your privacy

The alternative (advertising) is not better.

> exclude all the people in the world who either don't have a credit card, or don't want to use one.

Advertising also excludes everyone except a tiny minority (the advertisers) who are allowed to call the shots because they’re paying the bills.

>> this makes you lose all your privacy

> The alternative (advertising) is not better.

Umm, adblockers, tor and whatnot can help with ads tracking and but you can't take back your privacy once you've given identifying information.

>> exclude all the people in the world who either don't have a credit card, or don't want to use one.

> Advertising also excludes everyone except a tiny minority (the advertisers) who are allowed to call the shots because they’re paying the bills.

You have no idea how extremely white this part of the internet is that we're currently on. Comparing not having credit card to having ads in your browser is ridiculously out of touch with reality.

> adblockers, tor and whatnot can help with ads tracking

Ad-blockers only work as long as there's a majority who does not use them. If everyone uses ad-blockers, the system collapses. Furthermore, ad-blockers encourage a game of cat & mouse where both the provider and the consumer are constantly at odds, with nasty side-effects like alternative clients being forbidden, etc.

> you can't take back your privacy once you've given identifying information.

My argument is that you should be able to give identifying information without it being abused for nefarious purposes.

> You have no idea how extremely white this part of the internet is that we're currently on

Oh come on, there was no need to bring race into this. But hey, if that's your argument, I'd say that having a bunch of white tech-bros in the ad & social media industry control the entire communications infrastructure and social fabric of "non-white" (to use your words) nations is not better.

> Comparing not having credit card to having ads in your browser is ridiculously out of touch with reality.

Do you really think that ad-supported platforms just offer service to the credit-card-less third-world for free? No, they do so because there are advertisers who are happy to pay, and those advertisers in turn know how to get their money back (and more than that) from those people without credit cards.

Definitely not intending to shill crypto (on HN of all places), but it seems like a good (as good as it gets, possibly) use case for anonymous – zero-knowledge – cryptocurrency transactions.
Now you've just raised the barrier to entry even higher for normal people, and lowered the barrier to entry even lower for cybercriminals with crypto that they would need to launder if they were going to attach it to an actual identity.

I doubt this is a win.

It's important to recognize that there's a glut of cryptocurrency collected from illegal transactions, and that money needs to be laundered if the holders want to liquidate it. It would be dumb to go to exchanges, so they need to rely on shady groups to cash out, ensuring that there's a lot of cryptocurrency in the hands of questionable people or organizations.
> Now you've just raised the barrier to entry even higher for normal people

How so?

They have to figure out how to use a new (to them) payment system...
Oh, I misread as the barrier of entry to crypto. My bad.

On topic, you could just have multiple payment methods side by side.

It seems like the anonymizing cryptocurrencies get blackballed by exchanges, meaning most people won't have access to them.

Coinbase, for example, only allows transfers of Zcash to transparent addresses, which can be traced, and buying Monero isn't possible.

That's not really an impediment in the Zcash case you're mentioning. Upon making a withdrawal to a transparent address, you can immediately do another transfer to a shielded address. Some wallet apps explicitly include a feature to automate exactly this ("auto-shielding") [1].

Exchanges don't need to have this limitation, and some others don't have such a limitation. Gemini, to name probably the most prominent example, supports withdrawing to shielded addresses [2].

  [1] https://f-droid.org/en/packages/com.nighthawkapps.wallet.android/
  [2] https://www.gemini.com/blog/youre-one-step-closer-to-financial-freedom-with-shielded-zec-withdrawals
As we all know, it's impossible to automate a crypto transaction.
If someone is running a bot farm to do malicious things, they are probably the same types to have a list of acquired card numbers as well. Using a site like this would allow for users to be created while validating a new acquired list of card numbers.

A black hat's wet dream of a site.

So? Make them use those card#s, a limited asset, and put the banks to work protecting those interests instead of leaving all the load for us.
If you are accepting credit cards, you are liable for the charge backs that occur. If you are only nominally charging <$1 for accounts, then maybe fraudulent charges wouldn't be noticed by the card holder as it wouldn't noticeably alter the balance on a quick glance. However, if you do get a lot of people challenging these charges, then the site owner can pottentially lose their privileages with which ever card processor they are using regardless of the values of those charges.

Eventually, the site owners won't want to deal with that either. So, who's court do we put the ball in now?

Yea, the incentives in the wrong place for credit card processors. They actually charge credit processing fees for fraudulent purchases, and then get to charge processing fees again for the chargeback when the fraud is discovered, even though the merchant sends all the info they have to the processor and the processor okays the transaction. The credit card processors have the most information, but the least incentive to fight fraud.

At LimeWire, for a while, the price for LimeWire Pro was a hidden field in the order form, because the CTO (rightly) wanted to minimize the amount of logic running on anything that touched credit cards. The form was generated on one host and posted to another, and the logic for experimenting with lower prices at certain times, etc. was kept off of the host that processed credit cards.

As a result, some more technical users could order LimeWire Pro for $1. But, they could also find LimeWire Pro using the free version, so no real loss there. However, some carding gangs also noticed, and would validate huge batches of credit card numbers by buying LimeWire Pro for $1. The cargebacks were a bit painful, but more importantly, if your fraud rate is above some threshold, your fees go up, and at some point our credit card processor gave us 2 months to bring down our fraud rate or they'd cancel our merchant account. The processor also refused to give us fraud information updates with any finer granularity than monthly, so we basically had two tries to bring the fraud rate down.

All of the existing CAPTCHA systems I could find required a shared filesystem between the process generating the CAPTCHAs and the process checking the answers. That was a no-go with our policy of minimizing attack surface of our credit card processing host. So, I wrote a CAPTCHA that used HMAC to generate a 96-bit tag from a timestamp (at 1 minute granularity), the user's IPv4/24, and the price. The other 64 bits of SHA1-HMAC output were used to seed the prng that generated the CAPTCHA. The timestamp and 96-bit tag became hidden fields in the HTML purchase form. That way, the credit card processing box could validate the time, IP address, and price, and check the CAPTCHA answer, all from the submitted form data. Answers with timestamps more than 20 minutes old were rejected, so the processing box only needed to remember all of the correct CAPTCHA answers over the past 20 minutes to avoid replay attacks. Making the timestamp 1-minute granularity prevented bots from hammering the system until they got easy CAPTCHAs.

The first day we put my CAPTCHA system in production, we saw an IP in Virginia very rapidly trying to make purchases without the CAPTCHA. Then it paused for a few minutes while the attacker figured out what was going on and manually solved one CAPTCHA. Then a rapid-fire batch of purchases came through with the same CAPTCHA answer, and only the first purchase came through. A couple minutes later, that exact same CAPTCHA 96-bit tag and answer came in from a UK IP address, but it was rejected because the 96-bit tag didn't match the HMAC.

Those were fun days, but it's a shame incentives are so misaligned.

We had the same issue for our $3 price point plan. We never used CAPTCHAS. We fingerprinted browsers, used proxy detection, and other methods to detect them. They would script the page, so we would move live url to a new one and then feed bad data on old page which polluted their data set. It was quite fun messing with them. Most of the bot nets would get caught on browser fingerprinting and that they were falsifying their user agent. Our browse fingerprint ban would say their IP was banned so we would watch them jump from bot net computer to not bot net computer.
> It was quite fun messing with them.

While I can appreciate that, how much time did this take, of how many people, for how long? I ask all of that as someone about to launch a public facing retail site, and absolutely dread this type of stuff. It's a side hustle project on top of my actual day job/contract jobs, AKA I don't have a lot of time to dedicate to this.

Not much time. Probably a couple days. We used maxmind proxy detection and FingerPrint.js. We also used source of traffic. Bots never come in on ads. They come in direct.

Stuff we built at a neoBank to prevent credential stuff from password leaks was a lot more sophisticated. Couldn’t trust email based 2fa because people re-used passwords. We did invasive hashing of internal networks with webRTC and also pierced proxies with STUN. Along with using a commercial waf that did real time profiling.

The day we turned on our CAPTCHA, I also remember being horrified at the number of people likely running LimeWire on US Navy vessels. One IP address in the DC metro area had multiple purchases per minute, with half of the email addresses ending in .navy.mil, so I added an IP address whitelist to not drop those CAPTCHA answers into the replay-prevention cache. I'm pretty sure that IP address was the base station for a US Navy satellite.

I mean, not horrified enough to prevent them from paying my company $18.88, but still horrified.

In retrospect, given that we were a 13 person company selling software with a marginal cost near zero, we should have left the system in place and never processed the $1 charges. Instead, we should have used a CRC32 of the upper-cased name and credit card number (in case they verified consistency) to accept 98% of $1 purchases without ever charging any of the cards. Even better would be to do a 2-part credit card transaction, first placing a hold on the credit card for the full purchase price, and waiting one minute to see how many different credit card numbers came from the same IP address in the next minute. If less than 4 different numbers came in the past minute, go ahead and complete those transactions, otherwise put the IP on the hellban list to start getting randomized results. Injecting pure noise into the carding ecosystem would have cost us nearly nothing (and given a 100% discount to a bunch of active duty sailors).

Something like a Stripe Payment Link [1] would help with this, right? The payment is directly on Stripe.com so they have the best chance at stopping fraud across the whole platform.

[1]: https://stripe.com/payments/payment-links

I'm pinning my hopes on that. It's the only 3rd party JS library I'm using, and hope to not have to deal with the nightmare of fighting these battles
Me too. Stripe's chargeback protection is just 0.4% per transaction, which is well-worth it when the products are under ~$5 and chargebacks cost $15, but it's unavailable for payment links as per customer support just now :/
Interesting. Is Stripe itself not available or just this chargeback protection? Mind sharing what type of business?
Stripe offers Payment Links [0], which makes it really easy to accept payments (just paste a link into your product page and handle a webhook serverside; a single href is adequate).

They also have a separate "Checkout" offering [1], which requires some code client- and server-side to generate the page.

So far, Stripe has been awesome for me selling $2.50/mo subscriptions using just the link [2], and as far as I know, suspicious transactions are very likely to be blocked by Stripe Radar which is across all of Stripe.

However, their chargeback protection service (0.4%/tx for total protection for any chargeback) [3] is only offered for the Checkout version. This means I won't be protected in the case of a chargeback, whether by a customer or fraud that slipped past Radar. ("Currently, Chargeback Protection is only available on the new version of Checkout" is what I was told by support)

[0]: https://stripe.com/payments/payment-links

[1]: https://stripe.com/docs/checkout/quickstart

[2]: As a student I get fees waived for the first $1000 in volume, otherwise fees would eat through 20% of my revenue immediately at this price point. I posted about this side business recently as a Show HN if you would like to know more :)

[3]: https://stripe.com/radar/chargeback-protection

I was unware that the Links mentioned originally was a specific Stripe product. It makes sense now. I've been integrating with the Checkout API, and was hoping Radar would be worth including the stripe.js on every page as they recommend.

I've had the displeasure of getting hit with a bunch of fraud charges and the resulting chargebacks. It literally ended our small 2-person operation as we not only lost the money from the sale but also the product that had been shipped. This was early '00s, and online merchant accounts back then were not any where like Stripe. This is the one area of a trying a new online biz that concerns me the most.

For sure, chargebacks are really worrying especially to a small business. I can only hope Radar is as good as they say :/

A sad state of affairs in finance when this is a legitimate concern.

Stripe payments are available only in US, Canada, EU + few other select countries and that's it, maybe 40 total out of 195.
Just force 3d secure. It shifts the liability from you to the customer’s bank
I don't know how you "just force" something like this. I had to look up what it even is. If I visited a website that "forced" this, I would be unable to complete the transaction. I've never seen this to even see how it would work. Doesn't seem like it's one of those things that should "just" be done and expect it to not negatively impact things.
All banks in the EU support 3ds (SCA is mandatory since 2019). The majority of banks which don't support 3ds are located in the US, but even there it's only a *zero point x percentage. Turns out that banks don't like fraud either :P

You can manually trigger a 3ds authentication flow when setting up the payment intent: just set payment_method_options[card][request_three_d_secure] to "any".

Ran a 3.000+ tx/day business with this and got less than double digit disputes per month which are usually lost by the customer. Those disputes are also not for "stolen credit card", but "not delivered product" or similar bs.

Fun fact: If three_d_secure.authenticated is false but three_d_secure.succeeded is true, the bank did not authenticate the payment but you are still protected from chargebacks since the bank accepted the liability shift. (Happens for smaller purchases, e.g. < 30€ && known device && customer authenticated another purchase in the last three purchases he did with the card)

If you are using a no-code solution and are not setting up your payment intents manually, you can also subscribe to radar and create a rule for 3ds if amount >= 0€.

* These numbers are from my experience of running our shop for a software company.

If you make 30k per successfully abused account, you can spend a lot on stolen credit cards.

Or if you want, use virtual credit cards that give you a new number every time, and will pass without a name/address match

The amount of people that have access (and pay for access) to stolen cards is far less than the amount of people running bots. Running bots is seen as harmless. Using stolen credit card numbers is credit card fraud and will lead to imprisonment if you are caught.
I don't think it is about the number of people, but the type of people. These people are much better funded to do things than I am to fight against it. If they succeed using my site, I'm then on the hook to refund the money and other fees. It cost the fraudsters nothing. They more than likely aren't even afraid of criminal prosecution as they are in a location protecting them.

For small business, this kind of thing could be the death of that small company.

That's true. The obvious tradeoff is that nobody wants to add friction to account creation, especially when they're first starting out and don't have network effects, and abuse detection is tomorrow's problem. And then if you try to add it afterwards when you've gotten popular you'll be deafened by the screams of everyone who's gotten used to a free experience. Plus, your support load goes way up because all your users are now paying customers.

I've heard that it worked for Metafilter but I wouldn't be surprised if it prevents a site from scaling users past a certain point. (I mean, sounds great to me, but probably isn't what someone running something like Reddit wants.)

Not wanting to "add friction" means you're making it easy for bots, it's as simple as that. Bots don't have bank accounts and the people running bots don't want to be identified via bank information or using up all their stolen CC#s on simple account creation.
This was one of the original use cases for crypto, before the ghouls moved in. You could pay $0.05 to sign up for an account, something that remains impossible to this day due to payment providers' transaction fees.
> something that remains impossible to this day due to payment providers' transaction fees.

I wonder if you've looked at the Bitcoin transaction fees for a $0.05 payment lately...

That switches cheap attacks from registration to account take over.

Highly profitable attacks, or using stolen credit cards bypasses this protection, since it's either still worth your while, or somebody else is paying

Reddit's business model only works because there are people willing to spend their time posting content for free. If they start charging for accounts, even a few cents, they're going to lose a lot of new users. The psychology alone would completely change the site dynamics. Humans are weird.
It's probably worth it, given the alternative. Depends on the people making the decisions, though.
Yup. their ad targeting is context. super basic 'interests' and specific sub reddit placements. I haven't found it to be valuable.

I just looked to double check nothing changed since I last bought something and it looks like the have a customer match but only as a holdout/narrow. Which is weird if true? as in can't upload a list and target those users if i'm reading their page correctly

pushing their s*t redisign and mobile app on us with more feed ads might mean they are trying to push for 1st party data based targeting though

I use Apollo on iOS to avoid this nonsense. However, since I do happen to use reddit A LOT, I also pay for a premium subscription. An added perk (above no ads, etc.) of the subscription is you are awarded 500 reddit coins a month, so you can reward others for good content.
The Reddit award system is so flagrantly abused. It needs to be dismantled. People use alts (which still get daily free awards) to convince the folks their comments are “good” or “correct” all the time. I’ve sat in marketing meetings where folks talk about buying awards to push their content.

Unlike the vote system there is nothing the admins do to counter this problem.

(comment deleted)
>there’s a significant demand for aged accounts

I kid you not, I had an offer for $500 to sell my account.

Okay, I guess I didn't mean quite _that_ significant.

At that level I'm curious if you have some sort of special high value account (ton of karma, a mod of major subreddits, or have a lot of domain specific reputation), or if that offer is coming from someone who's trying to scam you in some way.

Edit: From a sketchy account buying site that I wouldn't trust too much, the price for Reddit accounts runs from ~$3-16 per thousand accounts, depending on age. For comparison, Twitter accounts with 100 followers are ~$4, Instagram accounts with 500 followers are ~$12, Hotmail accounts are ~$100, and GMail accounts are several times that, depending on age and provenance.

This was actually a “legit” site I’d seen before. My account was over a decade with all sort of Reddit gifts awards and mod of a few subs, one of which is over a million people (back when I had the patience to mod subs haha). They also tend to value email verified accounts.

They offered $200 and I haggled to $500 then ghosted them just to see how far I could take it for kicks. Definitely didn’t sell it. I don’t drink the Reddit kool-aid but I’d rather not directly contribute to astroturfing for pay.

And the most frustrating thing is that even if I don’t actually use Reddit I find myself ending up on it just because a lot of times it happens that a lot of dev related interesting material has been posted on it: so a call to any dev out there, can we stop posting stuff on Reddit please (and also discord )

Make forums great again please

You can block Javascript for reddit domain by default and still use old.reddit.com url if you're just browsing the website. There is absolutely no need to run Javascript for that.

It's true there is a need for a programming focused community that is outside reddit. Reddit host objectively depraved material along with scientific or programming subs, and has been caught spreading revenge porn or grooming minors multiple times. Never used discord.

I'll never stop finding it hilarious that the very first step of the "Reddit crackdown" was the subreddit fatpeoplehate. They left up all the subreddits about abusing women, people getting murdered, revenge porn, outright racism and targeted harassment groups. But making fun of fat people? Gotta stomp that right out.
There were multiple waves of bans of varied types, I stumbled on it when it was still mostly admin sockpuppets (the horror unidan !) And the jailbait stuff was the first almost serious effort, albeit externally coerced by an old favorite "wont someone please think of the children" the first major overall regression was the absurd velocity reduction for front-page posts and its been downwards since. although as mentioned in these topics about Reddit/forums smaller subs, very specific topics, and the uhh one? Well-regulated large sub are informative with a decent S/N.

Unfortunately it's a single point of failure and randomly entire types of subređdit are banned and disappear forever a recent example that springs to mind were the "sporetrading" mushroom ones, some 12+years old guttednowhosting none of the same content although the topic is only legally restricted in 3 states.

So it goes.

> Make forums great again please

For that to happen, someone's going to need to write some great (and ideally open-source) forum software -- something that's as engaging to use as the centralized alternatives like Reddit and Discord. Most of the classic forum packages like phpBB have fallen by the wayside; more modern solutions like Discourse or Invision fail to hit the mark for various reasons.

How about the software running HN?
It does a great job on HN, but I don't think it would be a good fit for most communities. Too spartan.
Reddit and HN also kill long-term discussions. When a submission is 1 day old, it dies. If you want to have a conversation about a timeless topic Reddit and HN are fairly bad.

With forums you sometimes have threads of over 100 pages that started in 2015 or older where people are still talking about the same thing and newcomers can diagonally read through the pages and see the progress of something.

It doesn't even have to be a discussion, per se. One common fixture in old-school community forums are participation topics -- open-ended, low-effort topics like "what music are you listening to" or "what did you have for lunch today" that can give people a low-commitment way to be active in a community. Link-centered forums like HN or Reddit don't handle this well.
Quite a few big forums running xenforo
They already exist and have their uses. Competing with Reddit just isn't one of them.
Why isn't reddit considered a forum? It has posts and replies. Use old.reddit.com for a more traditional experience and I don't see why you need something else which, if it got popular enough, would just be reddit again anyway.
Yeah, you can count on old.reddit.com sticking around. What are they going to do, deprecate it in favor of some new dark-pattern-filled UI?
I'm a bit annoyed that some subreddits are pushing their Discord servers. I think Reddit is a great forum but Discord definitely isn't..
Discord has the same problem as IRC, although the latter at least might have provides logs. But Discord content is not discoverable because it cannot be crawled. A lot of good info is hidden behind a proprietary wall.
It/its users have become focused on a live feed pattern. Posts might become popular for a day or so, but after that nobody pays any attention to them. Search sucks, and categorizing posts with flair seems pretty futile. The way voting is tied to post/comment visibility means that most subreddits, if not all once sufficiently large, devolve into corrupt ideological cliques, and anyone outside of them will essentially be invisible. Some subreddits are exceptions, but I think those may just be the ones that are so small they're essentially ghost towns.
I feel the same about GitHub issues. We’ve regressed to a place on the internet that the only way to know what the right answer to a problem is by painstakingly scrolling and counting the number of heart and thumbs up emojis.
> Make forums great again please

I see this sentiment a lot here but people don't seem to understand why reddit "won." You essentially have access to thousands of forums without having to maintain an account on each of them. You may see this as a feature not a bug but given the popularity of reddit, I'd say most people disagree.

That's what it always appeared to me as-- a constellation of forums with SSO. The fact a new account is so low-cost-- not even email required-- makes it feasible to split your identity as necessary.

I recall in the old days there were a few services that would do hosted forums, but nobody seemed to think "hey, let's combine them under one hood and ebable discovery."

Actually, forums like EZBoard (https://en.wikipedia.org/wiki/Ezboard) and I think Proboards had a SSO solution (EZBoard Gold).

Forums, for reasons we could go into, just never were as compelling to most people as Reddit's solution, though they are good for other things.

I don't think reddit is what actually killed forums. It was a factor, but what was the final nail in most coffins was the software they ran, which often was old LAMP code that needed constant patching and upkeep. Most of these message boards were run more or less non-commercially, as someone's pet project.

They were also extremely juicy targets, not only from a "steal a bunch of emails and password-hashes" angle, but to spam with links for SEO-purposes. I think this constant attrition is what ultimately killed them. It simply became untenable for one person to stem the tide. Reddit lives because it has the economies of scale on its side.

I can see this as well. A lot of old forums I used to run on have been hacked and spammed to death.
A .forum TLD costing more than $1k is also ridiculous.
Does the browser allow sites to check for installed extensions?

If yes, is there an extension to block extension checking

It's not something you can query, but many extensions inject JS or markup into the DOM, and you could scan the DOM for such changes. For instance, password managers inject a "fill password" button into login fields that you could detect.
While I agree that PW managers alter the DOM elements that could be identified, I've never seen 1Pass inject a button like this. I have however seen it add data attributes to elements though. What PW Managers add a button like that?
Even the data attribute is enough.
> ... Checks if devtools is open ... Detects installed text to speech voices ... Detects if some Chrome extensions are installed ...

No web code should be given technical means to do such things in the first place. A big part of the problem is browsers are too liberal in exposing various unreasonable APIs.

It's almost like the browser was made by an advertising company.
Like Mozilla? :-) I use Firefox happily (and have DRM support disabled completely) but doubt it differs seriously in this aspect.
Mozilla is a Google funded project whose main driving force is keeping up with Chrome, isn't it? It's not like they determine browser standards... Google and Apple set those and everyone else follows or dies.

Edit: Even in the IE days they were always playing catchup. Firefox is just the poor/free man's alternative to the corporate browser of the moment. They don't really steer the ship, just follow trends.

And these days Mozilla is basically an adware company anyhow. They just keep bundling random crap with their browser.

Just don't visit websites you don't trust. There is nothing wrong with exposing useful functionality.
You can’t be serious. Does this mean not clicking on any links in the search that dont lead to a “trusted” site? Not following any links that your friends send you?

I think fixing the browser is a less tedious task than limiting useful internet surface like this.

All the leading anti-bot companies do similar things (see: Shape Security, Datadome, Imperva).

I often wonder what the GDPR implications might be for these providers; given the amount of invasive, uniquely identifying telemetry they hoover up.

With this Reddit lost at least one reader, me.