Blog: Tech

Most of these posts were originally posted somewhere else and link to the originals. While this blog is not set up for comments, the original locations generally are, and I welcome comments there. Sorry for the inconvenience.

Sneaky malware vector

Huh, this is interesting. There are many top-level domains these days; we're way past the days when the world consisted of .com, .edu, .org, and .gov. I hadn't realized that one of those TLDs is .zip.

Yeah, really. That seems like asking for trouble. People sometimes do legitimately download ZIP files from sites they trust, like GitHub. But maybe you're not really talking to GitHub...

This post does a good job of explaining how a stray @ in a URL might ruin your whole day:

Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

[...] As you can see in the breakdown of a URL below, everything between the scheme https:// and the @ operator is treated as user info, and everything after the @ operator is immediately treated as a hostname. However, modern browsers such as Chrome, Safari, and Edge don't want users authenticating to websites accidentally with a single click, so they will ignore all the data in the user info section, and simply direct the user to the hostname portion of the URL.

For example, the URL https://google.com@bing.com will actually take the user to bing.com.

I didn't know that part about user info. Combined with Unicode fakes of characters you expect in URLs, this can send you somewhere very different from where you thought you were going.

We all know not to trust links or attachments from unverified sources (right?). But stealth URLs add extra risk; you might eyeball the URL in that email and decide "yeah, I trust GitHub/Dreamwidth/Google/whatever". Be careful out there.

Edit for info provided in a comment (thanks!): Also .mov. This post does a good job of demonstrating how this can be exploited and catch even people who are careful.

I might just edit my hosts file to wholesale block these domains.
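As an added example (not code from this post or from the post it quotes), here is a small Node.js check that reports where a URL really points. It uses Node's built-in WHATWG URL parser, which applies the same rules as the browsers named above: anything before "@" is user info and is discarded, and the host is whatever follows. It also flags Unicode lookalikes of "/" and ".", punycode host labels, and hosts under the .zip and .mov TLDs mentioned in the post. The function name inspectUrl, the lookalike table, and the sample URLs are constructed for the example.

```javascript
// Added example, not code from the original post: a defender-side check that reports
// the host a browser would actually connect to, using Node's WHATWG URL parser.

// Unicode punctuation that renders like ASCII URL separators. Constructed list for
// this example; U+2215 is the character used in the phishing URL quoted in the post.
const LOOKALIKES = new Map([
  ["\u2215", "DIVISION SLASH (looks like /)"],
  ["\u2044", "FRACTION SLASH (looks like /)"],
  ["\uFF0F", "FULLWIDTH SOLIDUS (looks like /)"],
  ["\u2024", "ONE DOT LEADER (looks like .)"],
]);

// Top-level domains that double as file extensions, as named in the post.
const FILE_LIKE_TLDS = [".zip", ".mov"];

// Returns the host the browser would use plus a list of warnings about the string.
function inspectUrl(raw) {
  const url = new URL(raw); // throws TypeError if the string is not a valid URL
  const warnings = [];

  // Everything between "https://" and "@" is user info; browsers ignore it.
  if (url.username !== "" || url.password !== "") {
    const shown = decodeURIComponent(url.username);
    warnings.push(`user info "${shown}" before "@" is ignored; real host is ${url.hostname}`);
  }

  // Lookalike separators, reported once per distinct character.
  const seen = new Set();
  for (const ch of raw) {
    if (LOOKALIKES.has(ch) && !seen.has(ch)) {
      seen.add(ch);
      const cp = ch.codePointAt(0).toString(16).toUpperCase();
      warnings.push(`contains ${LOOKALIKES.get(ch)} U+${cp}`);
    }
  }

  // The parser converts non-ASCII host labels to punycode ("xn--"); flag them.
  if (url.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    warnings.push(`internationalized host label in ${url.hostname}`);
  }

  // A host under .zip or .mov is easy to mistake for a file name.
  const dot = url.hostname.lastIndexOf(".");
  const tld = dot >= 0 ? url.hostname.slice(dot) : "";
  if (FILE_LIKE_TLDS.includes(tld)) {
    warnings.push(`host ${url.hostname} is under the ${tld} top-level domain`);
  }

  return { host: url.hostname, warnings };
}

// Constructed sample inputs: the two URLs from the post and the user-info example.
const SAMPLES = [
  "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip",
  "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip",
  "https://google.com@bing.com",
];

for (const s of SAMPLES) {
  const { host, warnings } = inspectUrl(s);
  console.log(`${s}\n  -> host: ${host}`);
  for (const w of warnings) console.log(`  ! ${w}`);
}
```

The legitimate GitHub URL produces no warnings and host github.com; the lookalike URL resolves to host v1271.zip with three warnings (ignored user info, a U+2215 character, and a .zip host); the google.com@bing.com example resolves to bing.com. Note that the check reads the raw string before parsing, because once the parser has percent-encoded the user info the lookalike character is no longer visible in the parsed fields.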

Now pull the other one

There is an old joke about a man who is talking with his doctor after having surgery on his hands. He asks the doctor, "will I be able to play the piano when I recover?". The doctor says yes, he'll make a full recovery. "Great," the man says, "I've always wanted to know how to play".

This morning I got email -- sent through the contact form on my personal web site -- from someone with "hacker" in the address (yeah, right):

We have hacked your website cellio.org and extracted your databases. This was due to the security holes you had in your site/server which have gained us remote control of everything that was on the server.

Our team is mostly interested in customer, administrative, and employee information which we have extracted through your databases once we got remote control over the server. It still needs to be sorted out but it will be well-organized once finished. First, we will be going through the emails/sms information and contacting the recipient how you held in disregard about their information being exposed to a hacking group when you could have stopped it. This would be detrimental to your personal image with these relationships with these people. Lastly, now that we have information not only will we be monetizing off it with our methods but made public or sold to other people that will do whatever they wish with the information also after we are done.

Now you can put a stop to this by paying a $3000 fee (0.11 BTC) in bitcoin. You can find our address by visiting [redacted] where you can copy and paste the address or scan the QR code. We will be notified of payment which we will then delete the information we have obtained, patch the hole in the site/server which we got in and remove you from any future targeting in the future. You have 72 hours in doing so after viewing this message or the series of steps will commence. You can obtain bitcoin through such services such [...]

<snark>

Gosh, I'd sure like to have that database full of employee and customer information. Wow, I have employees and customers! And a database! Maybe as a show of good faith you could tell me some of the information you "extracted"? Or if that's too hard, let's start with: what kind of database did you say that was? Surely you can tell me that.

I'm also curious about why you took the inefficient route here. Your email to webmaster got filtered as spam; I happened to notice it but could easily have missed it. Since you have my database full of contact information, why didn't you contact me directly? Just a helpful tip for reaching your future "customers" -- take the direct path.

Oh, and since you've got remote control of my server anyway, could you upgrade to the latest Emacs? I've been meaning to do that. You do want a good review for customer service, right?

Finally, since your proposal includes commitments to future actions on your part, please provide a verifiable contact address in case I need to make a claim.

</snark>

Avian socializing in the 21st century

How nifty!

Parrots are social creatures. However, most pet parrots are singletons. They get lonely and sometimes that leads to destructive behavior.

From the Smithsonian:

Once the birds had learned how to initiate video interactions, the second phase of the experiment could begin. In this “open call” period, the 15 participating birds could make calls freely; they also got to choose which bird to dial up. Over the next two months, pet parrots made 147 deliberate video calls to other birds. [...]

For starters, they found that the parrots took advantage of the opportunity to call one another, and they typically stayed on the call for the maximum time allowed during the experiment. They also seemed to understand that another live bird was on the other side of the screen, not a recorded bird, researchers say. Some of the parrots learned new skills from their virtual companions, including flying, foraging and how to make new sounds. [...]

The birds forged strong friendships, which researchers measured by how frequently they chose to call the same individual. Parrots who initiated the highest number of video calls also received the most calls, which suggests a “reciprocal dynamic similar to human socialization,” per the statement.

The article links to this ACM paper. Yes, ACM-CHI, meaning it's from a technical conference not an animal-behavior conference. (Also, I guess this stretches the boundaries of the 'H' in CHI, which stands for Computer-Human Interaction, or at least did the last time I attended that conference.)

Pixel fail: followup

The replacement phone arrived Wednesday (faster than they said, good). I'd already done a manual backup on top of the automatic one, but migration from one phone to another of the exact same type and OS version is easier: connect them via a cable and wait. Basic data transfer happened within an hour, though it took a few hours for apps to get installed and Chrome was being especially finicky for some reason.

My settings were almost all there; I expected to have to do more manual configuration (including re-laying out the icons where I wanted them). Nope, that was all fine. I had to set up each individual app again, though; sometimes that was just a matter of logging in (for example, Tusky or Authy), but sometimes it required redoing everything (email client for my non-Gmail accounts). Chrome had a weird bug where tabs didn't work (!) but the update ("new version available", it kept saying) would hang; after a few reboots it sorted itself out.

There was a feeling of trepidation as I kept asking myself "are you sure you have everything you need?" before doing the factory reset on the old phone, but I finally did that today. It started doing the flashing-display thing during the reset, so I just left it for a while. The documentation says a factory reset can take an hour, so after a couple hours I power-cycled to see where it was.

I was greeted by the "new phone" setup screen, so that worked.

And then it started flashing again. Ha.

Yes, support person, I was right: that's a hardware problem. After another power-cycle (so I could see what I was doing) I shut it down and boxed it up, and tomorrow I will take it to FedEx.

The replacement they sent me was marked as "refurbished", but they are holding the price of a new phone against my credit card, which feels wrong. It's only a problem if the package doesn't arrive in time (which is why I will hand it to a human at FedEx and get a proper receipt), but it's still sleazy. And yes, if they were to charge the card they would add shipping charges, so it's not to offset that.

I've never had to make a warranty claim on a phone before, so I don't know how my experience with Google compares to what I would have had with other vendors. It's something I should try to find out before I buy my next phone, which I hope will be several years from now.

Section 230

The Supreme Court will soon hear a case that -- according to most articles I've read -- could upend "Section 230", the law that protects Internet platforms from consequences of user-contributed content. For example, if you post something on Facebook and there's some legal problem with it, that falls on you, as the author, and not on Facebook, who merely hosted it. This law was written in the days of CompuServe and AOL, when message boards and the like were the dominant Internet discourse. While there's a significant difference between these platforms and the phone company -- that is, platforms can alter or delete content -- this still feels like basically the "common carrier" argument. This makes sense to me: you're responsible for your words; the place you happened to post them in public isn't.

Osewalrus has written a lot about Section 230 over the years -- he explains this stuff better and way more authoritatively than I do. (Errors are mine, credit is his, opinions are mine.)

When platforms moderate content things get more complicated, and I'm seeing a lot of framing of the current case that's rooted in this difference. From what I understand, that aspect is irrelevant, and unless the Supreme Court is going to be an activist court that legislates, hosting user-contributed content shouldn't be in danger. But we live in the highly-polarized US of 2023 with politically-motivated judges, so this isn't at all a safe bet.

The reason none of that should matter is that the case the court is hearing, Gonzalez v. Google, isn't about content per se. It's about the recommendation algorithm, Google's choice to promote objectionable content. This is not passive hosting. That should matter.

The key part of Section 230 says:

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider. (47 U.S.C. § 230(c)(1)).

The court can rule against Google without affecting this clause at all. The decision shouldn't be about whether Google is the "publisher" or "speaker". Rather, in this case Google is the advertiser, and Section 230 doesn't appear to cover promotion at all.

I'm not a lawyer, and I'm not especially knowledgeable about Section 230. I'm a regular person on the Internet with concerns about the proper placement of accountability. Google, Twitter, Facebook, and others choose to promote user-contributed content, while platforms like Dreamwidth, Mastodon, and many forums merely present content in the order in which it arrives. That should matter. Will it? No idea.

Moderation is orthogonal. Platform owners should be able to remove content they do not want to host, just like the owner of a physical bulletin board can. In a just world, they would share culpability only if objectionable content was brought to their attention and they did not act. At that point they've said it's ok, as opposed to saying nothing at all because nobody can read everything on a platform of even moderate size. This is how I understand the "safe harbor" provision of the Digital Millennium Copyright Act to work, and the same principle should apply. In a just world, as I said, which isn't the world we live in. (I, or rather my job title, am a registered agent for DMCA claims, and I have to respond to claims I receive.)

I really hope that the court, even a US court in 2023, focuses on the key points and doesn't use this case to muck with things not related to the case at hand.

Pixel fail

I got my Pixel 5A in March of last year. So, fortunately, it is still in its warranty period.

This is the weirdest failure I have heard of. Yesterday, I took my phone out of my pocket, woke it up, and was greeted by a flashing screen. What it was flashing was a screen full of "snow", like what you get on a TV that's tuned to a station that's not broadcasting, but static -- the whole screen was flashing but the snow wasn't moving around. Hmm, very odd. As I tried to shut it down gracefully I could see that the "underlying" image was responding to me -- there were the usual buttons for "restart", "shut down", and whatever else -- but so fleeting that I couldn't catch them with my finger or read them. On to the hard reboot via the power button.

I Googled this but did not find answers.

I hoped it was a one-time glitch, but I wouldn't be writing this post if it were. Almost every time, but not every single time, since then, recovering from "sleep" mode gets me not the usual desktop but this flashing thing from which I can only hard-reboot. Rebooted about 20 times yesterday.

After the first reboot I had a new notification of a pending OS update, so I applied that. No change. I uninstalled the app I most recently installed, which should have been safe but it's basic troubleshooting. No change. I had, I think on Friday, gotten a batch of miscellaneous app updates, but I don't see a way to review exactly what now. But also, it wasn't right before this behavior. None of that was; that app (from my bank) was sometime last week.

Off to chat support I went. The agent I spoke with told me both that it's a software problem and that I would need to take it to their designated repair place for a hardware repair (for which you must first do a system reset); I asked her to reconcile those two things but she didn't. I pushed back on the repair place, noting that earlier in the warranty period I'd had a problem for which they said that was the solution, but the place couldn't help me and was kind of rude about it and it never got fixed. I asked if the software problem was something I could fix but her script didn't have any info about that. I said in that case, since it's under warranty, I want to exchange it, and I know they have a scheme where they send you the new phone (with a hold on your credit card), you migrate to it and send back the old one, and they release the hold. After I sent her a video of the behavior (an adventure of its own, as she was assuming I could do that from my phone and share it and I was like "uh, this is a video taken with my partner's iPhone and no it's not in my photo gallery and I need to upload or email it to you"), she collected some information from me and came back a few minutes later to say something like "good news, it's under warranty" (I knew that), and then gave me instructions for mailing back the phone and then they'd send me a new one, "or if you like, we could do" (exactly what I'd just asked for). Yeah that, I said.

Meanwhile, I installed Authy on my tablet lest the phone become completely unusable, because I wouldn't want to be locked out of anything that requires two-factor authentication. Today I noticed a seeming pattern where the phone would be fine so long as it was active, and if I set it on the desk next to me I could then wake it up but if I put it in my pocket we'd be back to the snow. This is, uh, the same pocket position I always use. But then the snow thing happened while I was using the phone, so apparently it's not that either. I am mystified.

It's going to be an aggravating several days, methinks.

Re: deja vu, all over again

New_public published a post, Déjà Vu, All Over Again, about the evolution of the web and the early days when people made stuff for fun instead of companies making stuff for brand impact and algorithms, and it struck a chord. The author invited comments, so here's what I posted:

--

I've been feeling that deja vu too. I was on Usenet before the great renaming, and much later when I joined LiveJournal and this "blogging" thing (pulled in by friends), I remember thinking that a blog or LJ was basically alt.fan.me and would people really care about what I, a nobody, wrote? I expected to read and be read by about a dozen people who were already friends, but things have a way of spreading. And I knew that from Usenet, where I built friendships with people I've never met and sometimes didn't know "real" names for, and it was all very cool and friendly and broadening.

The net, when freed from algorithms and branding and bubbles so that ordinary people can interact with other ordinary people without barriers, is a remarkable way to learn about people and places and subcultures very different from my own. I've formed friendships with people halfway around the world walking very different paths in life from mine. There's a whole big world out there, and the last thing I want is to be trapped in a bubble of people just like me, or as close as Twitter et al think they can come to that.

The revival -- I hope it's a revival and not just a blip on the way to the next corporate thing -- of decentralized, direct, person-to-person online interaction excites me. Coincidentally, I've been working my way through my older posts on LiveJournal and then Dreamwidth, pulling together stuff on my own domain now that I have one, and I'm realizing how much more I used to write and share. I don't know how much of the change in my behavior has been due to people moving from blogs to social media and the vibe changing, how much has been due to modern social censors who retcon what's acceptable and what's offensive, and how much is me being more lazy or distracted or busy or whatever. But, facing the stark contrast to "online me 15 years ago" and "today", I'm motivated to try to get more of the old, personal, human writing back, somehow.

Review: desk lamp

Why no, I never expected to review a desk lamp, but here we are.

My father, from whom I inherited my vision problems, got a lamp for himself that he really likes, and so he bought me one. The "Yeslights Business Desk Lamp" is a small desk lamp that fits nicely amongst the three computers, two sets of monitor/keyboard/mouse, assorted external hard drives, tablets, and charging cables, and other tech necessities on my desk. The base is about the size of my Kindle, and the light is on a folding, rotating arm that sits flush against a vertical support when not in use. The base has a USB port because of course it does, and a wireless phone charger that I can't evaluate because my phone charges the old-fashioned way, with a cable. The wireless charger has a red indicator light (I assume red because it doesn't detect a phone) that I've found no way to turn off; it's not bright, but it's an unnecessary light in my field of vision and I'd prefer to not see it.

The LED light (a bar, not a bulb) has adjustable brightness and adjustable color temperature; the first I'm used to, but the second I haven't seen in a conventional lamp before. Color temperature matters a lot to me, so this is a delightful surprise. The controls are easy to use (no finicky touchscreens or the like), and very sensitive. Mine's in a space where I don't expect to accidentally brush it much, but depending on where you put it, you could surprise yourself with unexpected lighting changes. If you have cats that jump up on your desk, this could be an issue.

That vertical support has an embedded clock; I discovered this when I plugged the lamp in for the first time and it started playing Auld Lang Syne at me. I was not expecting that. I set the time and date (doing so emits loudish beeps) and I hope it won't play music again. (There's a button battery, so I assume it will retain these settings during power outages.) It also reports temperature, though I'm not sure how accurate that'll be when sitting on a desk with computers and monitors. It currently thinks it's a couple degrees warmer than the thermostat in the hall thinks it is. The clock has an alarm and a snooze setting, so even though it's billed as a desk lamp, they seem to have also had the "bedside table" use case in mind.

The lamp does very well with its primary function, to produce light at the desired brightness and color temperature. It's got a good range from "bright enough to easily read by" to "a little supplemental illumination". The head rotates in two of the three dimensions: up/down and left/right, but you can't change the angle of the head. So far that hasn't prevented me from getting light where I need it.

Online payments and credit cards

As I make the rounds doing year-end donations, I'm reminded of two things that have long puzzled me:

  1. Some web sites auto-detect the type of credit card based on the number. Apparently all credit-card numbers that begin with "4" are Visa. (I don't know if the reverse is true: do all Visa numbers start with 4?) Being me, I've cycled through the other nine digits and nothing else produces a match based on a single digit. What are the patterns for other providers? And are all these sites using some standard library for this, or are programmers really coding that by hand?

  2. Years ago, a three-digit code ("CVV") was added to cards to mitigate fraud. On a physical credit card, this number is printed rather than embossed, so those old-style manual credit-card gadgets that took an imprint of your card (on actual paper, with a carbon!) couldn't record it. Um, that's fine I guess, but online, that number isn't any more secure than the card number itself. And someone who steals your physical card has the number; it's not a password. Does that number have another purpose?
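As an added example (not code from this post), here is what a site's card-type detector typically does, in Node.js: it matches the leading digits of the number against the published issuer prefix ranges of the major networks, and it validates the number with the Luhn checksum that all of these networks use. The ranges below are the well-known ones for Visa, Mastercard, American Express and Discover; the function names detectNetwork and luhnValid and the sample numbers (standard published test numbers, not real cards) are constructed for this example.

```javascript
// Added example, not code from the original post: card-network detection by issuer
// prefix, plus the Luhn checksum. Prefix ranges are the networks' published ones.

// Each range is [low, high] inclusive, compared against the same number of
// leading digits; equal-length digit strings compare correctly as strings.
const NETWORKS = [
  { name: "Visa", ranges: [["4", "4"]] },
  { name: "Mastercard", ranges: [["51", "55"], ["2221", "2720"]] },
  { name: "American Express", ranges: [["34", "34"], ["37", "37"]] },
  { name: "Discover", ranges: [["6011", "6011"], ["644", "649"], ["65", "65"]] },
];

// Strip spaces and dashes so "4111 1111 1111 1111" and "4111111111111111" match.
function onlyDigits(number) {
  return String(number).replace(/\D/g, "");
}

// Returns the network name for the number's prefix, or null if none matches.
function detectNetwork(number) {
  const digits = onlyDigits(number);
  for (const { name, ranges } of NETWORKS) {
    for (const [lo, hi] of ranges) {
      const prefix = digits.slice(0, lo.length);
      if (prefix.length === lo.length && prefix >= lo && prefix <= hi) {
        return name;
      }
    }
  }
  return null;
}

// Luhn checksum: from the right, double every second digit, subtract 9 from any
// result above 9, and require the sum to be divisible by 10. Catches single-digit
// typos and most adjacent transpositions; it says nothing about whether the card
// exists or who holds it.
function luhnValid(number) {
  const digits = onlyDigits(number);
  if (digits.length < 2) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Constructed sample inputs: published test numbers plus one with a typo.
const SAMPLE_NUMBERS = [
  "4111 1111 1111 1111", // Visa test number
  "5555555555554444",    // Mastercard test number
  "378282246310005",     // American Express test number
  "6011111111111117",    // Discover test number
  "4111111111111112",    // last digit altered: Luhn check fails
];

for (const n of SAMPLE_NUMBERS) {
  console.log(`${n}: network=${detectNetwork(n)} luhn=${luhnValid(n)}`);
}
```

The prefix match is purely cosmetic (it picks which logo to show and which length and checksum rules to apply); the issuing bank, not the merchant's form, decides whether the transaction is approved. Regarding the second question in the post: the card brands' rules (PCI DSS) forbid merchants from storing the CVV after a transaction is authorized, so a database stolen from a merchant should contain card numbers but not CVVs, which is the property the code is meant to provide against card-not-present fraud.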

Mastodon: thoughts after a few weeks

A few weeks ago I created an account on Mastodon and have been trying it out as an alternative to Twitter (and I suppose Facebook, which I don't use). I'm not leaving Dreamwidth, my friends here, and DW's support for longer-form posts; DW and "social platforms" are good at different things.

As I mentioned in a previous post, the part of the Mastodon community (-ies) that I've encountered so far feels to me like the earlier days of the Internet. It feels more friendly, helpful, and supportive than even pre-Musk Twitter (driven by algorithms and ad sales). It kind of reminds me of some of the more social Usenet newsgroups of yore, like the Rialto and alt.callahans.

It's different, and different takes time to get used to, and different is sometimes better and sometimes worse. And getting set up isn't going to be as easy as going to Twitter or Facebook and clicking "sign up".

barriers to entry

I actually looked at Mastodon back in the spring, when the Twitter thing was starting to happen, but I bounced. You see, Mastodon isn't a service, like Twitter or Facebook is; it's a federated platform. The best analogy I've seen to setting yourself up on Mastodon is getting an email address. You can get email services from lots of places and they all inter-operate. Choose Gmail or outlook.com or your ISP's bundled account or your own server or anything else; no matter what you choose, you'll be able to send and receive email. Email providers aren't all the same and you might find your choices have consequences -- Gmail silently nukes certain messages and you'll never know, and aol.com is oft seen as a bad neighborhood. You choose an email provider, follow its rules, and deal with its issues -- and if you decide to move later, with some disruption you can. Your choice matters some, but it's not permanent.

Mastodon servers are like that. There are hundreds, maybe thousands, of Mastodon servers out there, and there are lists of recommended servers that you can find with a search for something like "find mastodon server", and from the outside it can be overwhelming. Back in the spring I saw that I had to Make Decisions first, and I didn't know enough to make decisions, and I hadn't seen the email analogy, and I was only casually looking and wasn't invested...and I walked away.

All of that is true today, too, except that more of my friends were moving there so I had a reason to dig a little deeper.

I found one of those pages of "50 servers you might consider" or some such, many of which are aligned to particular interests like Linux or open-source software or furries or art, and started browsing things I wouldn't mind being affiliated with. (Your Mastodon server, like your email provider, shows up in your "address", so there's an appearance aspect to it.) Servers can have their own moderation rules and terms of service and those are things I care about, so I read those pages on short-list candidates, eliminating some by what I found there. I identified a server that aligned well with my interests, my views on moderation, and the expected local conversation (more about that in a bit), and applied for an account.

Yeah, "applied" in this case. Some servers are totally open -- anyone can create an account. Some were but then Twitter started to implode and servers that had had 5000 people were seeing tens of thousands of new accounts and buckling under the load, so they went to a wait-list model. The server I joined asked for a short "why do you want to join this server?" message.

There are some huge, general-purpose, open servers. I recommend against trying to join them now. Across the network of all public Mastodon servers, there were something like a million new accounts in the first week of the Musk era. These servers aren't usually being run by well-funded megacorps but by mostly volunteers trying to keep up with demand.

the fediverse

Mastodon isn't a single site or a single thing. It's decentralized and distributed. "Mastodon" is the name of the software. Strictly speaking, when you join a Mastodon server you are joining a server that is part of "the fediverse" -- "fed" like in "federated". People talk about being "on Mastodon", and what they mean is "on one of these servers", and sometimes a well-meaning person tries to correct your terminology, and I want to give y'all a heads-up.

The fediverse has other "things" besides Mastodon. There's a whole big set of open-source projects for sharing different kinds of things across a network, with an interface called ActivityPub at the center of it. I don't know very much about that stuff yet.

So, technically: there is the fediverse, and Mastodon servers are part of it, and so are other things. But there's no mastodon.com that runs it all, like twitter.com or facebook.com. Remember: like email, not like corporate social media.

(There is a mastodon.com. Of course there is; every URL you can imagine that consists of a single English word is claimed by someone. This one is a forestry site.)

sounds like a lot of work; how's this better than Twitter?

Still with me?

On the surface Mastodon looks kind of like Twitter, federation aside. You can see short posts from other people in a feed, and you can interact with them (liking them, replying to them, etc). There's a big difference, though, and I think it's an important difference that helps with constructive discourse instead of amplifying the loudest people.

Twitter creates, and Google+ after the early days created, a "feed" for you, curated by an algorithm. I don't know how G+'s worked; on Twitter, a post (tweet) is more likely to show up in your feed if it's posted by someone with a lot of reach (the reach get reacher), or if it has a lot of likes (encourages socks, bots, and echo chambers), or if it's somehow connected to someone you follow. That last seems to be the least important, anecdotally. I almost never use my Twitter feed because it's full of stuff I don't care about. In Musk's Twitter, rumor has it that paid members also get substantial priority.

Mastodon gives you multiple feeds (I'll get back to that), and the "algorithm" is "reverse chronological", like it is here on DW and probably on every blogging site you've ever used. You see stuff as it was posted, not something yanked out of its context from three days ago and pushed at you now, and not yanked out of its context of all the other conversation happening around it. Nothing has priority; you get what you asked for, in order. I've found the things I read and interact with here on DW to be much more thoughtful, nuanced, and civil than what I see on Twitter (granted post length is a factor too), and so far that's what I'm seeing on Mastodon too. (BTW, posts on Mastodon are by default 500 characters, larger than Twitter, and it's a server setting. I've seen one server that lets you use 5000 characters so long as you put most of it behind a cut tag.)

Mastodon also gives you multiple feed options, so you can choose the size of your fire hose. You can see just posts from (or boosted by) the people you follow, or just posts from your local server (regardless of who you follow), or a "federated" view that reaches out to other servers and does, um, something based on the people you follow and their connections. I haven't explored that one much yet. It's big. But it's still reverse chronological, no prioritization, no buying or shouting your way into top position.

I think that local feed will end up being pretty important. If you choose a server that aligns with some of your interests, then that "local" view can connect you with people who share those interests. Because people are usually multi-faceted and the instance is a home, not a topic restriction, you'll see a variety of content from the people there. It's not like Usenet newsgroups or Codidact communities where you can only talk about this thing here and not that thing, but there's a rough sort based on some shared interest, if you want to use that. (Of course, if you want to create multiple accounts on multiple servers, for example to separate personal and professional content, you can do that too.)

I'm being an armchair sociologist here with too few observations and no data, but I think this "local community of multi-faceted people" aspect will act somewhat like physical neighborhoods (back when we socialized with our neighbors, but maybe your barony or congregation is a model too) or like the more social Usenet groups. Because these online neighborhoods aren't bounded by geography or (probably) by culture, the people I see on that local feed are more heterogeneous, more diverse, more "like me in some ways, very unlike me in others". I hope easy interaction with that community will help build connections and resist polarization. I'm game to try the experiment, at least. On Twitter, only the loudest (and probably most extreme) "people not like me" would make it to the feed, the feed that was overrun with topics I don't care about from people I don't know so I never looked at it anyway -- but if I did look, I wouldn't find the "regular people", only the people with big fan followings.

(Aside: a week or so ago I came across a server for my city. So physical neighborhoods might be represented too.)

boosts and retweets

On Twitter, you can "retweet" something, which means "show this to my followers". On Twitter you can also retweet and add your own message. If you've seen tweets that embed other tweets, that's what's happening. So you might see Musk's latest policy flip-flop and retweet to your followers, adding a snarky comment of your own, and your retweet will be its own tweet, not part of the thread of replies to the original tweet.

On Mastodon you can "boost" something, which is like that first kind of retweet. I saw something that I wanted to add my own message to (further support in my case, not snark), and I couldn't figure out how to do it -- the "boost" button doesn't have an option for adding a comment. On investigation, I learned that this was an intentional design choice.

My initial reaction was "huh, weird". Then I thought "ok, maybe if you can't easily snipe at people you'll be less likely to snipe, so maybe that improves the climate?" and that sounded like a good idea. But since then I've seen more cases where it would have been helpful to either add something (as the booster) or comment to the booster not the original poster (as a reader). So I'm not sure how I feel about this now.

You can always do this manually, of course -- you can link to anything, after all. You won't get the fancy rendering, that thing that looks like an embedded tweet on Twitter. But if you decide to just boost something, instead of creating your own post, then people who want to respond to you can't. Like, if you didn't know that that thing you boosted has been debunked or has more context or something like that... no easy way to do that.

mindset

Mastodon, and the fediverse in general, exudes a scrappy "do more for yourself" mindset. There's no single entity making decisions for you -- what you see, how it's moderated, how the software works, etc. Servers are run by ordinary people who make those decisions for their servers only. Norms can vary. I expect that the most successful servers operate by some form of consensus, either up front or emergent (as people opt in or out). Servers can block other servers, so there's some level of shared baseline to operate in polite society. You can set up your own neo-Nazi server if you want to, but you might find that a lot of people don't want to talk with you.

I've seen the fediverse compared to anarchy (you and those with shared goals can do whatever you want), and I've also seen it compared to fiefdoms (somebody controls your server and it's probably not you). I don't think it's a fiefdom in the way that Twitter is: first, you can move to a different server, and second, if you don't like any of the options, being able to set up your own server for you and your friends is a mitigation. A serf can't just say "well I'll take that land over there and do my own thing", because all land is ultimately owned by someone. On the Internet, you can buy a domain and set up shop -- the space isn't wholly owned. But whether you're a serf or an Internet denizen unhappy with the existing servers, you have to do work -- setting up your own place isn't free. And that effort can be a substantial barrier, too. So it's not a complete mitigation for networks with problematic owners, but I think we'll be better off on the fediverse than on Twitter or Facebook, which feels like an even bigger fiefdom to me. Time will tell.