
Reddit's website uses DRM for fingerprinting - smitop
https://smitop.com/post/reddit-whiteops/
======
echelon
While many Redditors are changing their "avatar" to dancing rainbow
cockroaches, I had the idea to set mine to the Digg logo as an act of protest.
I'm hoping it catches on. I suppose Reddit's new userbase may not even know
what that means.

Why the hell do we need avatars on Reddit anyway? Most of them are animated,
strobing distractions.

Reddit has jumped the shark. If there weren't significant opportunity cost,
I'd happily work on a replacement. It's become a low-signal, high-noise
ad-laden dumpster fire.

Advertising is eating the Internet alive. I fucking hate it.

~~~
FridgeSeal
I'm going to sound maximum hipster/back-in-my-day/gate-keeper here, but Reddit
circa 2015 and earlier was far better.

Nobody wants the redesign. Reddit doesn't need avatars. It used to nicely
tread the line between enough people to make it active, but not so many that
it didn't still feel niche. It feels very mainstream now, and I think it's
lost a lot of what made it actually good. It's asymptotically approaching a
social network, but to no benefit, and only the downsides that come with that.

~~~
fiblye
I joined HN right around the time I thought reddit had become a dump.
Apparently that was 10 years ago.

Early reddit was a really fun place. Not sure how to explain it, but it kind
of felt like one of those movie/cartoon mad science labs, but as a community.
Basically everyone was an engineer, programmer, or scientist of some sort, or
so it seemed. Most of the front page was science, tech, and programming news,
and the remaining bit was people posting about tech gadgets and other stuff
they made. It seemed pretty similar to HN, but more active and with a less
market-oriented crowd just making stuff for the hell of it (which HN still
gets a decent amount of).

Then people started posting pictures of cakes, political/religious discussions
were everywhere, and it just felt weird. Digg was starting to decline and
small waves of people started coming in, and once v4 launched and killed Digg,
reddit's comment section completely changed, and the submitted content soon
followed.

Now I go and see avatars and people buying gifts and gold (someone actually
took an old 4chan joke and turned it into a business idea) and endless fake
videos and random images. It looks like an absolute circus now.

People having been mentioning that finding niche subreddits is the answer, but
in my experience, it's just a game of musical chairs. Virtually all of them
get bad eventually.

~~~
dingdingdang
Honestly Digg can not be mentioned enough times here, what Reddit did with the
re-design almost feels like opt-in/wilful self-destruction. Is there a point
somewhere in there that once a platform becomes a powerhouse, in terms of
democratic user behaviour & numbers, that platform is in turn basically forced
into auto-destruct since the risks of having a sudden functional democracy the
size of a small nation state is basically too disruptive to current world
order/system?

~~~
dbspin
Pretty sure a community that can be disrupted by dancing avatars and a page
redesign is no threat to the stability of the international community.

'Never attribute to malice that which is adequately explained by stupidity.'
Especially when founders leave.

~~~
cameronbrown
The problem with founder culture is companies become dependent on their
founders. If Aaron was still around I think Reddit would look very different.

~~~
dreamcompiler
If Aaron was still around he would have invented something better than Reddit.
Probably several times.

------
indolering
The title is misleading because they are not using DRM to generate a unique
identifier like, for example, Netflix would use. Instead, it is using the type
of DRM implementation for fingerprinting/bot detection. It's just a few more
bits of unique entropy, along the lines of your screen size and user agent.

This might seem like a small difference, but the reason activists hate DRM is
that it enables service providers to go a step beyond traditional
fingerprinting and gain a truly unique identifier.

~~~
type0
It's not misleading, they check for DRM presence and that's bad enough.

> but reason activists hate DRM is that it enables service providers to go a
> step beyond traditional fingerprinting and gain a truly unique identifier.

The reason is that in some places on Earth you can be sentenced for violation
of special computer laws prohibiting you from even looking at such code and
disclosing what it does; you just run it and see what happens.

~~~
milkytron
maybe this is a silly question, but isn't that like most closed source code?

~~~
Polylactic_acid
No. You can basically always decompile proprietary software and work out how
it works. And even publish most of your findings. In some places like the US,
if that code is DRM it's now illegal to study (under the DMCA specifically, I
think).

~~~
brokenmachine
Is there a specific definition that makes something DRM?

Sounds like all software companies should add some trivial DRM only for the
specific purpose of exposing people to legal risk if they attempt to reverse
engineer their code.

------
TheAdamAndChe
How has Reddit not had its Digg 2.0 moment yet? They are blatantly
user-hostile in so many ways nowadays.

For those who don't know, a UI change at Digg triggered a mass exodus to
reddit years ago.

~~~
scrooched_moose
It seems like they learned a lot of lessons from the Digg redesign and are
being a lot smarter (or insidious...) about the transition. Digg rolled out
massive changes overnight which caused a sharp, immediate rebuke.

Reddit has been slowly rolling out changes for a couple years, and at least so
far are leaving the old interface available at old.reddit.com. The redesign is
as bad or worse in every way; but it's so slow there hasn't been the organized
revolt.

Reddit also has the advantage of doing it during a major UI shift - it's easy
to justify design changes when everyone is heading for mobile browsers anyway.
Digg didn't have that excuse.

It's funny though, I actually really like the new Digg. It's nothing like what
it used to be, but it's a nice curated list of interesting articles, major
headlines, and tech news.

~~~
DaiPlusPlus
> Reddit also has the advantage of doing it during a major UI shift - it's
> easy to justify design changes when everyone is heading for mobile browsers
> anyway. Digg didn't have that excuse.

On the contrary, Digg’s UI changes were happening when “Web 2.0”-hype was
peaking, including bold new web-design trends - many sites were actively
redesigning themselves with a brighter theme and better visual-effects: this
was around 2007-2010 when IE6-support was starting to be discounted by
tech-oriented websites so they could start using new CSS features and
alpha-channel PNG images that IE7, Firefox, and Opera supported.

I argue that the changes to their recommendation algorithm - and the
introduction - and eventual promotion - of mainstream news (especially sports
news) meant that their early users, technology news readers, lost interest in
the site. The redesign of the site was a contributing factor, but a bad
redesign is nowhere near as damaging to a site’s popularity as it losing
relevance to its core user base.

~~~
sparkie
Digg's decline began before Web2.0 and any redesign - it was mainly a result
of the "bury brigades" killing anything that was remotely interesting through
downvotes and leaving it to be a dull feed of mainstream news links, which got
progressively worse over time.

Reddit has the bury brigades too in some of the more popular subreddits (the
ones which you used to be subscribed to by default), but you can avoid them by
only participating in the subreddits that interest you. This is where Reddit
is a huge improvement over what digg was, but I wouldn't say it's immune to
failure. The more they try to be the arbiters of what people ought to find
interesting, the less people are going to put the effort into interacting with
the platform as a whole.

~~~
entropea
5 mods control 92 of the top 500 subreddits. Those bury brigades are real, but
instead they just remove what they don't want seen or promote content they do
want seen with huge influence in the most popular subreddits. The same issue
with Digg power users having too much control (among other reasons it failed)
is also apparent on Reddit.

[https://i.redd.it/bfhl8s6o2fn41.png](https://i.redd.it/bfhl8s6o2fn41.png)

~~~
vkgfx
Yep. Check out r/redditminusmods

On average, 80-100% of the content of the frontpage is removed by mods every
day.

------
userbinator
_i.e. the main redesign domain, not old.reddit.com_

If the old one didn't do this, there's yet another reason to use it...

I still believe that part of the reason a lot of sites are moving to JS-only
SPAs and the like is that it becomes much harder to block things like this.
Regardless of sandboxing, the idea of letting a site execute Turing-complete
computations on its visitor's computers, just to display what could be done
without, is quite repulsive.

~~~
kiwidrew
_> the idea of letting a site execute Turing-complete computations_

I'll admit that I have never been keen on the "browse with Javascript
disabled" idea, but after my digging around yesterday to figure out why Reddit
kept asking me to enable DRM _[which I totally should've blogged about but oh
well....]_ it shocked me to see just how much JS code was being loaded on each
pageview.

Now I'm seriously considering taking the NoScript plunge.

The problem is that a light sprinkling of Javascript really can go a long way
towards making HTML more usable -- how can we find a way to permit the "good"
uses of Javascript while prohibiting all of the "bad"?

~~~
zamubafoo
Something that's surprised me is that there hasn't been a push to allow users
to restrict a website's access to JS APIs.

If I can restrict certain sites to different browser APIs, it would make it so
much easier to get rid of annoying browsing behaviour. For example, there is
no good reason to allow websites to sniff my clipboard or to play multimedia
without my consent.

~~~
zerocrates
I think there is a move toward that, certainly for newer features as of
several years ago (though they present their own issues to work out, see the
deluge of permissions prompts for notifications).

Clipboard stuff is permission gated on some browsers at least already, I
think. Autoplay disabling is an option for most (all?), though that's a little
different.

The issue with introducing a permission system to an older feature is always a
balancing act between increasing user control and potentially breaking older
content.

------
yalogin
It's real stupidity to push for that 2.0 UI. I don’t know why reddit insisted
on that. It’s honestly really bad, pages feel real heavy and waste a lot of
screen real estate. The only reason people haven’t migrated away is because
there isn’t an alternative.

~~~
MaxBarraclough
> The only reason people haven’t migrated away is because there isn’t an
> alternative.

I agree the new design is just awful, but you can switch to the old design in
the settings menus (equivalent to browsing
[https://old.reddit.com](https://old.reddit.com) ).

~~~
yalogin
This is what I do but recently they changed it so the mobile browser doesn’t
honor your settings. So I have to type the old.reddit url every time. I do
that and don’t give in to them.

------
llacb47
@OP and others, here's how to enable this flag temporarily.

In the pretty printed version of
[https://www.redditstatic.com/desktop2x/Reddit.de2e3f279d82ee...](https://www.redditstatic.com/desktop2x/Reddit.de2e3f279d82eef14ab2.js)
add a breakpoint to the first line of this part of the code.

    if (!as(e))
        return;
    const t = e.user.account ? Jt()(e.user.account.id).toString() : void 0
      , s = document.createElement("script");
    s.src = Object(es.a)("https://s.udkcrj.com/ag/386183/clear.js", {
        dt: "3861831591810830724000",
        pd: "acc",
        mo: 0,
        et: 0,
        ti: $t()(),
        ui: t,
        si: "d2x"
    }),

Then when you are paused on the breakpoint evaluate this in the console:

    e.runTimeEnvVars.staging=true

------
tptacek
Lots of sites use "DRM" (content protection, obfuscation) techniques to
fingerprint for anti-abuse. Somewhere, there's a truly excellent writeup from
(I think?) Mike Hearn about the work they had to do to build anti-abuse for
Youtube; it involved nested VMs implemented in Javascript.

~~~
TedDoesntTalk
I’ve never heard obfuscation referred to as DRM. The author is referring to
the DRM browser checks.

> Specifically, it looks for Widevine, PlayReady, Clearkey, and Adobe Primetime

~~~
catalogia
DRM and obfuscation are traditionally related because unobfuscated DRM
wouldn't be effective for long. Hardware assisted DRM is newer and a bit
different.

~~~
TedDoesntTalk
Perhaps you mean encryption, not obfuscation.

~~~
tptacek
For content-controlled code, meaningful encryption tends to imply obfuscation.

------
arnaudsm
That's why I'm so happy that HN stayed roughly the same: fastest UI in the
west, respectable community, and non-profit. Just like Wikipedia and
Craigslist.

I wish we had an equivalent for every big website.

~~~
Cthulhu_
Still wouldn't mind some basic formatting options in comments like bullet
lists and code though.

The equivalent for websites is probably reader mode supported in various
browsers or addons, but that too is probably limited. Pretty sure it doesn't
work for Reddit, but for Reddit there may be browser addons that clean up the
interface by a lot.

~~~
Wingman4l7
There is a pretty popular one for Reddit, yes -- it's called Reddit
Enhancement Suite, adds a ton of features.

------
kahlonel
Just another reason why I am never going to touch the new reddit with a
10-foot pole. If they phase out the “old” design, I’m done with it.

------
tlear
Reddit as of late has crossed my enough is enough line, used an extension to
wipe out 8+ years of posts and deleted my account.

Alternative will happen, there is a pile already being promoted we will see
who wins.

~~~
thearchitect1
Why did you wipe out all of your posts and comments though?

That just makes it harder for people trying to see insightful comments from
years ago.

~~~
tlear
I do not want Reddit to earn a single cent from anything I ever posted.

------
kbenson
Is Reddit not doing enough to identify and remove bot accounts and bad actors,
or are they doing too much fingerprinting? The former is definitely a problem,
and I imagine most users care about it to some degree.

If you as a user care about both, perhaps a nuanced opinion is warranted.

------
codezero
A lot of these bugs are used to test for fake user agents. Even sophisticated
bots may not know that their fake user agent’s V8 version had a jit or
rounding bug. If you watch change logs you can spot this stuff. Most of these
are obvious and sophisticated fraudsters are well beyond that.

I could say it’s defensible but a big reason bots are a problem is the way the
entire online ad system is still the Wild West. There is no regulation so I
wouldn’t be surprised if a majority of the bots were just competitors. It has
to be tempting to use that black hat fraud defense knowledge against your
competitors, especially if there is so little regulation or transparency.

------
stevekemp
I have recurring thoughts of implementing something like reddit, by writing a
server which would present a list of groups/posts actually stored on an NNTP
server.

This would allow sharing posts, and decentralized hosting, because all the
real content would be stored on the NNTP host.

(A simpler approach would be to use an IMAP server - a different mailbox for
each group, and threads naturally being stored as .. threaded emails.)

Perhaps I should have a stab at actually implementing it!

~~~
Karrot_Kream
I've been thinking about this for quite a while and finally worked out a way
to do this in my head the other day and I plan on writing it down to code
soon-ish. I'm glad to see others interested in this, and would love to
collaborate if you're interested!

------
jakub_g
You know how this works those days on a big corp level: the CEO buys a
"solution" from 3rd-party "vendor". The solution does _things_ but no one
cares what exactly and how. A few insider developers get upset when they run a
debugger and notice weird stuff going on, but they don't have any power over
it. Anyway rolling this kind of things on your own in a non-creepy way is not
viable unless you're Google scale, so you pay the 3rd party like WhiteOps or
Distil or Cloudflare or use Google captcha.

------
peter_d_sherman
There's an interesting philosophical question raised here, which looks like
this:

User Privacy Vs. Troll/Bot Protection

If you want stronger privacy (weaker browser fingerprinting), then you must
equal-and-oppositely accept that that allows Trolls and Bots to flourish on
the network...

On the other hand, you can have less Trolls and Bots on the network -- but
this means that you must give up some of your privacy via stronger browser
fingerprinting...

So, the next logical question is, is there a way to have the best of both
worlds, that is, more privacy (less browser fingerprinting), and less Trolls
and Bots simultaneously?

The answer I come up with at this time is:

"No -- UNLESS Reddit were to call up every single user that registers, and
voice verify them and/or make sure they have a credit card or other valid ID
on file... and then they'd have to take extra steps to validate those..."

So yes, it could be done... but then Reddit might lose its automated
registration process -- and possibly casual users, who didn't want to provide
all of that information as well...

It's interesting, because all online user communities represent various types
of compromises between the different factors I've outlined above (there are
more factors, of course)... in the future, I should create a matrix of all of
them, and see where other various famous online communities exist as points on
it... I think such an exercise would be enlightening in some way or other...

------
simonsaidit
I joined reddit more than 14 years ago, before subreddits, when it was written
in Lisp and top posts were Paul Graham essays and Joel on Software. Today HN
is the place for this kind of content. When Digg died there was a fear of what
their user base would turn the site into. I have no issues with the design but
probably because I’m mainly on my mobile. What did change for me though was
the amount of toxic people in almost every subreddit I frequent.

~~~
sillysaurusx
[http://www.paulgraham.com/re.html](http://www.paulgraham.com/re.html)
suggests the world may be getting “more toxic” (fragmented + interconnected),
rather than some underlying force (“It’s because Digg’s user base invaded”).

~~~
simonsaidit
Thank you!

------
mark_l_watson
I just followed the privacy URI for iOS Reddit on the Apple App Store; the link
is no longer valid. I am searching and reviewing their privacy statements.

EDIT: their blanket policy I found on the web was what I expected. I donate
money to Reddit and I wish that as a perk I had more privacy “We may share
information between and among Reddit, and any of our parents, affiliates,
subsidiaries, and other companies under common control and ownership.”

------
Andrex
> Contains what appears to be a Javascript engine JIT exploit/bug, "haha jit
> go brrrrr" appears in a part of the code that appears to be doing something
> weird with math operations.

Ignoring everything else, this made me chuckle quite a bit. I can only imagine
how much funnier it'd be if I actually saw that line while picking apart
minified code.

------
idkcd
Reddit died with Aaron Swartz. Check out r/watchredditdie and
r/declineintocensorship to see blatant examples of how Reddit censors right
wing opinion. I left Reddit when they recently banned 2000 subs to curb
"racist" speech while racist subreddits against whites are okay because they
are the majority (America is the only country that exists). Reddit has become
such an echo chamber it's worse than Facebook now.

------
AlexCoventry
Does anyone know of a nice open-source desktop client for reddit which runs on
Linux?

~~~
dredmorbius
For CLI values of desktop, there's the (no longer maintained) rtv
([https://github.com/michael-lazar/rtv](https://github.com/michael-lazar/rtv)),
though last I checked it works well, and three others:

[https://gist.github.com/michael-lazar/8c31b9f637c3b9d7fbdcbb...](https://gist.github.com/michael-lazar/8c31b9f637c3b9d7fbdcbb0eebcf2b0a)

------
baybal2
Not a new phenomenon.

Google's anti-bot team in St. Petersburg had a lot of positions for such
"talent" good at using borderline exploit techniques to detect bots as far
back as 2012-2013

[https://news.ycombinator.com/item?id=17649371](https://news.ycombinator.com/item?id=17649371)

> You know, mobile ads companies resort to borderline exploits to fight
> botting, but even they lose out.

> Lockdown is a useless measure, from my experience. Both iOS and Android ad
> nets croak under 60-70% bot traffic.

------
cwhiz
Reddit is absolutely one of the worst things to ever happen to humanity.
Reddit invented modern bubble building.

It is impossible to understate how much better off this world would be without
Reddit.

~~~
Rebles
You meant 4chan, right? w.r.t. bubbling, how is Reddit as a platform different
than a forum?

~~~
simias
4chan is pretty niche these days, and for good reasons. It was never
mainstream but it definitely lost a lot of its prestige and relevance.

But at least 4chan was always upfront about its policies: you could always
basically post anything as long as it didn't put the site's existence in
jeopardy, so effectively as long as the lawyers/cops/fbi didn't come knocking
it was free for all.

Reddit is roughly the same thing except they hypocritically attempt to
maintain a façade of being "the good guys". I remember in particular how,
after having hosted "jail bait" and other very questionable content for years
they finally decided to no longer allow it they felt the need to publish a
heartfelt message about how "we thought about our daughters" and all that crap
instead of saying the truth, which is that it just generated too much bad
publicity and made the advertisers go away.

Reddit is 4chan pretending to be Facebook.

------
vehemenz
This isn't newsworthy. There are hundreds of ways to use the browser's
built-in API for fingerprinting purposes. It's actually overkill because you
only need a handful and a decent statistical model derived from device testing.

Any big company with ad revenue has their own research and proprietary methods
to catch fraudulent ads and TOS violators. It's been happening for years, and
as long as browsers "improve", it will continue.

------
est
Is it possible to use DRM to display a captcha? I tried to look up Chrome's DRM
doc but it was removed and can only be accessed by DRM members.

------
Accacin
I wasn’t on Reddit often at the very beginning, I only really started to use
it when I found out about rage comics and would log on every morning before
university to check the new ones out.

That must have also been around the time the same guy who introduced me to
Reddit also asked me to check out a cool game he was playing called Minecraft!

------
sitkack
This is basically supercookie from Samy.

------
ComodoHacker
So fraud detection becomes a new excuse for tracking, when ads targeting
doesn't sound solid enough.

------
Quequau
I've been a Reddit user since about the time that the Digg Patriots poisoned
the well over at Digg... At least that's what prompted me to make an account.

Reading through the comments here is a bit weird for me because it seems like
I have a much different experience that most folks here. I suspect this is
because a) I use the RES browser extension to filter out a great many useless
or unpleasant subreddits and b) most of my time on Reddit is spent moderating.

The redesign however, is a bit of disaster. Even though I don't care for the
look I would have used it but when they rolled it out and made it the default
experience it lacked the basic functionality for moderators which is where I
spend the majority of my time on Reddit. For two years every time the admins
released some improvement to it, I would go back and try to use it and
couldn't... so I gave up and branded it "worse.Reddit"

Anyway, I suppose it's about time to find an alternative to Reddit but I've
yet to find a site where I can create and curate niche communities, like I do
on Reddit or where I could somehow transfer the collected data and experience
of the larger subreddits I moderate to some other site (which isn't already
home to unpleasant extremists who left Reddit).

So far I know about: [https://tildes.net/](https://tildes.net/) and
[https://dev.lemmy.ml/](https://dev.lemmy.ml/). I sorta lean towards lemmy but
I don't have a solid reason for that.

Lastly fingerprinting on Reddit seems like a very useful and very needed
solution to problems that have little to do with targeted advertising or
selling private user data.

~~~
TheSpiceIsLife
> Lastly fingerprinting on Reddit seems like a very useful and very needed
> solution to problems that have little to do with targeted advertising or
> selling private user data.

Ohhhh cliffhanger!

Tell us more?

I suspect you're referring to abuse???

------
Mindwipe
DRM is a bit clickbaity here.

The site does a lot of fingerprinting, and the EME module is one of the least
useful bits and doesn't really reveal anything the browser user agent string
doesn't already.
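
The two claims in this thread, indolering's "a few more bits of unique entropy, along the lines of your screen size and user agent" and Mindwipe's "doesn't really reveal anything the browser user agent string doesn't already", are both statements about information content, and can be measured. This is an added example, not code from the thread or from Reddit: it computes Shannon entropy and conditional entropy (in bits) of fingerprint signals over a constructed population of visitors; the visitor records and the key-system labels are made up for illustration, not real traffic.

```javascript
// Added example: how much identifying information a fingerprint signal carries,
// as bits of Shannon entropy over a visitor population, and how much of it is
// already explained by another signal (conditional entropy).
// Each record is [visitorCount, userAgentFamily, screenSize, emeKeySystems].
// Constructed sample of 1000 visitors, not real traffic.
const SAMPLE = [
  [250, "Chrome/Win",    "1920x1080", "widevine"],
  [250, "Chrome/Win",    "1366x768",  "widevine"],
  [125, "Firefox/Linux", "1920x1080", "none"],
  [125, "Firefox/Linux", "1920x1080", "widevine"],
  [250, "Edge/Win",      "1920x1080", "playready+widevine"],
];
const UA = (r) => r[1];
const SCREEN = (r) => r[2];
const EME = (r) => r[3];

// Combine several attribute selectors into one composite key, e.g. "UA|EME".
const joint = (...fns) => (r) => fns.map((f) => f(r)).join("|");

// Total number of visitors in the sample.
function population(records) {
  return records.reduce((n, r) => n + r[0], 0);
}

// Histogram of a key's values, weighted by visitor count.
function histogram(records, keyFn) {
  const h = new Map();
  for (const r of records) {
    const k = keyFn(r);
    h.set(k, (h.get(k) || 0) + r[0]);
  }
  return h;
}

// Shannon entropy H(X) in bits: the expected surprisal of the key's value.
function entropyBits(records, keyFn) {
  const n = population(records);
  let h = 0;
  for (const count of histogram(records, keyFn).values()) {
    const p = count / n;
    h -= p * Math.log2(p);
  }
  return h;
}

// Conditional entropy H(Y | X) = H(X, Y) - H(X): the bits Y adds once X is known.
function conditionalEntropyBits(records, givenFn, targetFn) {
  return entropyBits(records, joint(givenFn, targetFn)) - entropyBits(records, givenFn);
}

// Surprisal of one observed value, log2(N / count): how rare that value is.
// A value never seen in the sample gets Infinity: this sample cannot rate it.
function surprisalBits(records, keyFn, value) {
  const count = histogram(records, keyFn).get(value) || 0;
  if (count === 0) return Infinity;
  return Math.log2(population(records) / count);
}

// Number of visitors sharing a value: the anonymity set behind that value.
function anonymitySetSize(records, keyFn, value) {
  return histogram(records, keyFn).get(value) || 0;
}

// Summary of the sample: each signal alone, EME beyond UA, and all three together,
// against the log2(N) bits that would be needed to make every visitor unique.
function report() {
  return {
    ua: entropyBits(SAMPLE, UA),
    screen: entropyBits(SAMPLE, SCREEN),
    eme: entropyBits(SAMPLE, EME),
    emeGivenUa: conditionalEntropyBits(SAMPLE, UA, EME),
    all: entropyBits(SAMPLE, joint(UA, SCREEN, EME)),
    maxPossible: Math.log2(population(SAMPLE)),
  };
}

for (const [name, bits] of Object.entries(report())) {
  console.log(`${name}: ${bits.toFixed(3)} bits`);
}
```

In this sample the EME signal carries about 1.3 bits on its own but only 0.25 bits once the user agent is known, which is the shape of both claims at once: it is real entropy, and most of it is redundant with the UA.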

------
encom
As if another reason was needed to leave that cesspool behind.

------
avainlakech
I say this every time I see a post about Reddit - delete your accounts. I did
this about two years ago and as a result I was multiples happier and more
productive.

------
jeppesen-io
Not to sound like an idiot - but aside from CPU usage, what's the downside to
this exactly?

~~~
filleduchaos
Honestly speaking a lot of the list pointed out in the article is weird that
way. For example, "Checks if function bodies that are implemented in the
browser contain [native code] when stringified" - that's a very
straightforward way to check if a particular feature is browser-supported or
was polyfilled.
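
The `[native code]` check described above, as an added example that is not code from the thread or from Reddit: it classifies a feature as the engine's built-in, a JavaScript polyfill, or missing, shows how a polyfill is normally installed without displacing a built-in, and shows the bound-function false positive that makes the check a heuristic rather than a proof. `includesPolyfill`, `featureSource` and `installIfMissing` are names chosen here, not from any library.

```javascript
// Added example: the "[native code]" feature-detection heuristic and its limits.
// Built-ins stringify as "function name() { [native code] }"; a JS polyfill
// stringifies as its own source text.
const NATIVE_RE = /^function\b[^{]*\{\s*\[native code\]\s*\}$/;

// True when fn stringifies like a built-in. Function.prototype.toString is
// called directly so a toString property on the function object cannot answer
// for it; an engine-level override of Function.prototype.toString still could.
function looksNative(fn) {
  if (typeof fn !== "function") return false;
  return NATIVE_RE.test(Function.prototype.toString.call(fn));
}

// A polyfill in the usual shape: plain JS implementing Array.prototype.includes,
// including SameValueZero (NaN matches NaN) and negative fromIndex handling.
function includesPolyfill(searchElement, fromIndex) {
  const o = Object(this);
  const len = o.length >>> 0;
  let k = fromIndex | 0;
  if (k < 0) k = Math.max(len + k, 0);
  for (; k < len; k++) {
    const x = o[k];
    if (x === searchElement || (x !== x && searchElement !== searchElement)) return true;
  }
  return false;
}

// Classify how obj[name] is provided: "native", "polyfill", or "missing".
function featureSource(obj, name) {
  const fn = obj ? obj[name] : undefined;
  if (typeof fn !== "function") return "missing";
  return looksNative(fn) ? "native" : "polyfill";
}

// How a polyfill is normally installed: only when the built-in is absent, so a
// native implementation is never replaced. Returns the resulting classification.
function installIfMissing(obj, name, impl) {
  if (typeof obj[name] !== "function") {
    Object.defineProperty(obj, name, { value: impl, writable: true, configurable: true });
  }
  return featureSource(obj, name);
}

// Summary over the three cases plus the known false positive: Function.prototype.bind
// returns a function whose toString also reads "[native code]", even when the
// underlying function is plain JS, so a bound polyfill passes as native.
function demo() {
  const polyfilled = installIfMissing({}, "includes", includesPolyfill);
  return {
    builtin: featureSource(Array.prototype, "includes"),
    polyfilled,
    missing: featureSource({}, "includes"),
    boundPolyfillLooksNative: looksNative(includesPolyfill.bind(null)),
  };
}

console.log(demo());
```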

------
jaybeeayyy
>"haha jit go brrrr"

------
p2t2p
Ah, that’s why Firefox was notifying me that Reddit wants me to enable DRM
recently. We knew it was only a matter of time, since they got this crap into
the standard. Pity mofos.

------
kyleee
honestly disgusting behaviour IMO, everyone should use noscript or ublock
origin to turn off all js by default. Even though it's a hassle it gets easier
once you've established your allow/deny list for frequent sites over time.
First time visits remain a bear though since sometimes you have to do a bunch
of guesswork to determine which js bits are required for a given site to work.

~~~
userbinator
_sometimes you have to do a bunch of guesswork to determine which js bits are
required for a given site to work_

I've been browsing with off-by-default JS basically since JS was invented, and
my list of trusted sites has remained very small (around a dozen) --- the
majority of sites I come across on searches that ask me to enable it will
simply cause me to go somewhere else. The rare occasion that I can't find the
information elsewhere, I will view source and sometimes it's sitting there, or
even RE the API, but actually getting me to enable JS is close to a "never",
as it's reserved for the very few sites I have far more trust in, e.g. my
bank.

Once --- and only once --- I was enticed by a site that doesn't need it to
"enable JS for a _better experience_ ", and immediately disabled it again when
I was bombarded with ads and other distracting, irritating shit (selecting
text causes a popup, elements animating around while I'm trying to focus,
etc.)

------
mensetmanusman
vprza.com strikes again

~~~
km3r
what is that domain? can't seem to find any useful info about it.

------
dilandau
Stallman was right. Holy shit.

------
mschuster91
GDPR says hello. Even something as easy as Google's recaptcha is impossible to
implement GDPR-compliant according to many German authorities, so I highly
doubt that _this_ kind of invasive tracking is in any way legal.

Why can't they just use something like a proof-of-work mechanism to combat
spam?

~~~
callalex
I agree that this is gross, but I do want to add some subtlety to the
discussion. Reddit is trying to combat a different kind of activity than
traditional spray-n-pray “buy our pills” spam. It is a large and influential
enough forum that corporate and nation-state actors try to manipulate the tone
and content of conversation with both words and votes. None of that is
necessarily a volume-based issue, which is what proof-of-work is effective
against.

~~~
toomuchtodo
Reddit could require users associate a mobile number with their account and
use an SMS to validate. Zelle (the payment network) performs fraud validation
using your mobile number as a signal, for example (using a Google Voice,
Twilio, or similar virtual number will cause onboarding to fail).

~~~
AnthonyMouse
A prepaid SIM card is $5.

There are also now services that do this for you so you don't even have to buy
the SIM card yourself. They add some new phone numbers every day and publish
the numbers along with every SMS they receive on a public site with ads on it.
The "higher end" ones give you your own personal throwaway phone number but
then you have to pay the $5.

This means sites should immediately stop using this verification method
because it obviously isn't going to stop adversaries with even trivial
resources, and the security implications of encouraging vulnerable populations
to use random sites like that is hugely bad.

SMS verification is also ridiculous to begin with because phone numbers get
recycled quickly and users should neither lose their account just because
their phone number changed nor have some stranger enabled to steal it.

~~~
toomuchtodo
This is a poor argument against a mechanism which clearly has both a cost and
time component against an attacker. Of course you're not going to subvert
attackers with enormous resources, but you will slow down most of them and it
is cheap to implement (both upfront and for ongoing SMS costs).

~~~
AnthonyMouse
What cost and time component? They go to a website like this (this is not an
endorsement, the security of doing this is terrible):

[https://receive-smss.com/](https://receive-smss.com/)

It costs zero dollars and takes the same amount of time as the SMS
verification would on a regular phone. If the sign-up site is continuously
vigilant enough to find and prohibit every number on every one of these sites
(not so cheap to implement) then there are sites that give you immediate
access to a non-published number for $5. Even this is not "enormous resources"
by any means.

But the even bigger implementation cost is that there are many people who
don't have a personal cell phone number to receive SMS, and you're either
disenfranchising them or pushing them to use sites like that which obviously
allow anybody to see the verification codes sent to the phone number which is
now associated with their account.

> A significant amount of online properties use SMS for 2FA and authentication

Using SMS for optional 2FA is a mediocre security practice but is mostly
harmless (because people can opt out; though it still makes it possible to
lose your account if you use it, your number changes and then the site
requires you to authenticate with it).

Using it for mandatory 2FA has the problems discussed.

But I also want to point out that actual major sites exist that use SMS as the
sole and mandatory authentication factor, and they are very powerfully
incompetent.

------
stonogo
I find the current title ("Reddit's website uses DRM for fingerprinting") to
be fascinating. Is there more to Reddit than a website? The headline just
sounds like "wrestler's body grapples and pins opponent" to me.

~~~
Mindwipe
They have native first party applications for iOS and Android now.

