Interesting tool, but I'm very surprised that they allow backdating posts.
Backdating posts opens up a world of social engineering scams. You can create an account that appears to have predicted a lot of past events, sports scores, or stock prices with timestamps prior to those events occurring. The scam is to create an account that appears to have great stock advice or sports betting predictions and then charge people for it.
I believe this is possible because of how the AT Protocol works. Bluesky shows a warning[1] on these posts and displays both times, but sorts them by the backdated time.
I think the reason it works that way is because they want strong guarantees for the future portability of your skeets. It's sort of a correction for Mastodon's reliance on server admins' goodwill.
Talking of "Jon" and "Skeet", there is a fairly well known programmer called Jon Skeet. If you are a C# developer, there's a good chance he has answered your Stack Overflow question!
If you are a bit older, you'd remember the same guy fighting for Java in bloody flame wars against C and C++ on Usenet. When I first saw him as a C# devotee on Stack Overflow, I was surprised it's the same guy.
Some people got the idea it has something to do with some song because (not an actual dictionary) Urban Dictionary said so when the actual meaning is "sky tweet."
They need to come up with their own term or confirm they are OK that the name skeet is a sex act. You don't get to just pretend the term doesn't exist because you didn't listen to one of the most popular songs of that decade using an already well established term. It's also heavily used in one of the most popular comedy shows of that decade as well. The meaning is well established.
UD documents existing connotations of words and expressions. That you don't think it's an actual dictionary doesn't change the fact that those connotations exist.
"sky tweet" is also a stupid name since a tweet is already the name for a post on a very specific platform.
I'm not sure I get why "sky tweet" is a stupid name. "Tweet" was a pretty arbitrarily chosen name for a post on Twitter, but now that "tweet" is a pretty established word, it seems reasonable to use a portmanteau based on that word for a platform based on that platform.
Though in practice I think "skeet" was a bit of a fad to be provocative, and most people just call them tweets, even on Bluesky.
does anybody in this thread actually know what skeet means? i’m laughing as well at the idea of a bunch of people thinking they’re getting back at twitter by skeeting on the internet.
they could fetch the post reference on x.com with the real date, and store a zkProof of its existence, relying the verifiability-trust then to x not messing with them
Or use the Wayback Machine? You can trust its captures, courts do. Queue archiving jobs per handle, backfill from the archives after the initial archiving request has completed.
> they could fetch the post reference on x.com with the real date
Twitter posts are only available to authenticated users, and the API is really quite expensive now - that was one of the many reasons people have wanted to move off it!
nope. post here from 9/11 2001, no warning [0]. it's fine if they added a check recently to flag backdated posts, but there's no telling how many incorrectly-timed things went up before they added that ([0] is from about a year ago, fwiw). the whole early history of the platform is questionable, and it's just shoddy protocol design.
Looking at the JSON data in dev tools, it looks like there are separate `createdAt` and `indexedAt` fields, the latter of which was probably a later addition. For your—likely pre-migration—post, both are set to 9/11. On more recent posts, they're separate dates.
That post does indeed predate bluesky tracking index times, I remember seeing it before they announced that change. I believe it was motivated by other migration services becoming popular. Forward-dating was fixed even earlier, I think, since it might allow people to "pin" their posts to the top of reverse-chronological feeds.
Some of my favourite backdated posts are from the years 1776 and 1.
More specifically the reason we didn’t have an index time for that post was an architectural migration which lost our prior witness times. That was pretty early on. At this point we’d take pains to preserve those timestamps, and I’m fairly sure we will need to publish them for other folks to use at some point.
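The `createdAt` / `indexedAt` comparison discussed in the comments above, as an added example that is not part of the thread and not Bluesky's code: an indexer-side check that labels a post by comparing the author-supplied time with the time the indexer first saw it. The five-minute skew tolerance, the `witness_since` cutoff and the sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta

SKEW = timedelta(minutes=5)  # assumed tolerance for ordinary clock drift

def parse(ts):
    """Parse an ISO 8601 UTC timestamp such as 2024-11-20T10:00:00.000Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def classify(post, witness_since):
    """Return (label, sort_time) for one post as seen by an indexer.

    createdAt is whatever the author's client or PDS wrote; indexedAt is
    when this indexer first saw the record. witness_since is a hypothetical
    cutoff before which stored indexedAt values are not real witness times
    (the pre-migration case, where both fields carry the claimed date).
    """
    created = parse(post["createdAt"])
    indexed = parse(post["indexedAt"])
    if indexed < parse(witness_since):
        return "unverifiable", created   # no independent time to compare against
    if created > indexed + SKEW:
        return "forward-dated", indexed  # cannot pin itself above newer posts
    if created < indexed - SKEW:
        return "backdated", created      # keeps its claimed position, but flagged
    return "consistent", created

# Constructed sample records, not real posts.
SAMPLE = [
    {"uri": "post/a", "createdAt": "2001-09-11T12:46:00.000Z",
     "indexedAt": "2001-09-11T12:46:00.000Z"},
    {"uri": "post/b", "createdAt": "2001-09-11T12:46:00.000Z",
     "indexedAt": "2024-11-20T10:00:00.000Z"},
    {"uri": "post/c", "createdAt": "2030-01-01T00:00:00.000Z",
     "indexedAt": "2024-11-20T10:00:00.000Z"},
    {"uri": "post/d", "createdAt": "2024-11-20T10:00:00.000Z",
     "indexedAt": "2024-11-20T10:00:02.000Z"},
]
WITNESS_SINCE = "2024-01-01T00:00:00.000Z"  # constructed cutoff

def report(posts=SAMPLE, witness_since=WITNESS_SINCE):
    """Map each post URI to its label."""
    return {p["uri"]: classify(p, witness_since)[0] for p in posts}

if __name__ == "__main__":
    for uri, label in report().items():
        print(uri, label)
```

The first record shows why a stored index time alone is not enough: when both fields carry the claimed date, the indexer has nothing independent to compare against.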
You can still do that even without changing the timestamp. Back in the old days of the internet, people used to get famous by claiming they predicted all the results of the FIFA World Cup by posting every possible outcome and then deleting those where they were wrong. Then, they would publicize their account just before the final match, and people would go wild.
before this people used to send out stock predictions by mail to power of 2 people with each prediction and its opposite, eventually you get down to a person who you have always sent the correct prediction.
That was a scam used for betting. Call this phone number for your free “lock”. Half got team a, half team b. They did it twice then asked those who were winning and kept calling to pay for the next prediction.
Just realized the French lottery is only 19 068 840 combinations. You could send spam to 19 million people, each with a number saying you can predict the lottery, and if they send you 10 000 euros in BTC, you could give them the next one.
You cannot do whatever you want on someone else's hosted website. They don't allow you to delete other users and edit other people's posts because everyone agrees that would make it useless.
> You cannot do whatever you want on someone else's hosted website
The whole thing with Bluesky and decentralized protocols is no server can enforce special rules.
Sure, they could come up with something that says "our PDS will not accept backdated events", but they will not be able to stop someone else from setting up a server that does that without any issue.
Indeed, but you are not answering the question: how can you reconcile the idea that ATProto is meant to be decentralized (i.e., no single authority) and at the same time have rules that are enforced (purely by software, I'm not arguing that rules could be enforced socially) by any particular server?
You would need some form of distributed consensus mechanism, but then you either end up with some exclusive club to implement Paxos or you will need some blockchain-y solution, no?
Atproto and ActivityPub are both multi-polar governance, though AP more aggressively so (though we hope not for long as we pursue some lower-cost execution models for the appview). Consequently the realpolitik is, what's the business logic of the applications with the most users.
Bluesky consists of PDSs and a central indexing server. Bluesky themselves can say that their indexing server won't accept backdated posts, thus making all posts on the Bluesky app itself have valid dates, but others would then be able to make another version of Bluesky with the same posts that also does accept backdated posts.
ATProto is usable without Bluesky’s AppView. You just need to create another centralized indexing server of your own and have it index all PDSs. This is certainly less decentralized than other systems since there’s a barrier to entry (getting the compute power to index all PDSs), but that’s the tradeoff you make by not having server-specific namespaces like Mastodon does. They seem to also make their AppView implementation open-source, which seems to show their goodwill.
You do still get the benefits of being able to interoperate between different apps that may not know each other exist without the disadvantages of having server-specific namespaces, which is of course the point.
“A valid date” would be determined by said server (Bluesky’s or yours). You could choose to write a server that enforces consistent dates or one that does not, and the definition of a valid date would be different per AppView.
I acknowledge the other way of doing it which ActivityPub uses has some benefits as well.
ActivityPods implements ActivityPub vocabulary while using SOLID data stores. You get your identity and data, you can interact with other ActivityPub software and you do not need to rely or set up any centralized indexer.
There is no "goodwill". Bluesky's plan (from day one!) has been to create something that could have been used by Twitter to keep them as the gatekeeper of the data while removing them from any liability for custody. They know that their moat is on their expensive indexer and they will not take any measure that gives this power to end users.
One of our current projects is to create a partial sync model so that self hosted appviews can be run more cheaply. After that, it’s really just the cost of physics.
Surprised why? A culture based around systems with privileged "root" and "admins" was always going to be fundamentally hierarchical. It was an accident of history that the network layer ended up getting developed in locations with a more horizontal culture (which partly explains why our network protocols are so loose and insecure). It took a big, conscious effort (Free Software) to force open at least some elements of it.
Without strong and deliberate efforts to maintain a culture of openness and freedom, IT is a heartless cager of men.
If you are syncing data from another PDS, there is no way to verify that posts have an accurate date, unless you have some central ledger which is antithetical to allowing self-hosting and being distributed.
Correct. The trade-off here is on Bluesky you can delete or re-order your posts which you cannot do on a network with strict message ordering. Your PDS webmaster can also rewrite your messages for you if they become unhappy with your messaging.
This isn't quite true. Your PDS can't rewrite your messages: all messages are signed with a key unique to your account.
That said, the PDS is effectively also your private key custodian. Most people who aren't nerds are happy to let Bluesky PBC manage their keys. But if that's your threat model, you should absolutely move to a self-managed PDS.
The protocol also actually allows you to manage your keys differently. You could in theory have a "read-only" PDS, and generate all your posts locally using a local key (conceptually much closer to a crypto wallet.)
In that scenario, the validity of posts as originating from a known identity is extremely strong.
Yes, and what if they had a tab in the Bluesky app where you generated a keypair, registered the pubkey at your PDS and then began signing messages in the app? You could rotate keys on demand and update the PDS every time you make a new one.
I don't think it should be the primary operation, not with the scale that Bluesky has achieved. We need this in the Bluesky App so a handful of p2p weirdos can feel they are authentically using a distributed social platform without caesars and all of that.
I'll look into the registry override too, maybe I can hack something together around that.
There's ways around it... the identity mechanism supports multiple keys so you could have a backup in escrow.
But most people don't want to worry about key management at that level. Hell, I know exactly how everything works, and key management still scares me. The consequences of a mistake are huge.
Yes, that key is screwed because it's lost, stolen, at the bottom of the river, etc. But this is when you generate a new key and store that pubkey at your PDS so the Appview can find and index your new posts from your new phone. It's the same thing that happens when I reinstall Debian on my Thinkpad and upload a new ed25519 pubkey to Github so I can push again.
Your PDS webmaster has a signing key for your repo, because they for all intents and purposes are you. That's the trust structure of how PDSs are set up. If you don't trust someone else to modify your repo, don't give them your private (sub)key.
The fact it's a subkey means that you are also able to rotate the key that the PDS has access to and modify your repo back to pre-defaced state if need be.
Imagine if Github worked this way, then I wouldn't have to worry about storing my ssh keys on my local machine. Imagine the possibilities if Github could pull my repo instead of me having to go through all that darned trouble of pushing it.