irooster VS trualias

I just published the source code for the first app I ever built, all the way back in 2003: https://github.com/aaronbrethorst/irooster

It "turns your Mac into a $2,000 alarm clock."

I originally made it because I had endless amounts of trouble waking up for my morning classes in college, and found that the only alarm that could get me up was a subwoofer right underneath my bed. So I hooked a 2.1 speaker system up to my Mac, wrote a little app to start playing an iTunes playlist at a particular time, and ended up productizing it.

It was never a huge commercial success; I think the best I ever did with it was about $2,000 in sales one month after Apple featured it in a newsletter (different times!), but it taught me several important lessons about building a commercial software product that still guide me today.

Enjoy checking out my super janky code!

They've settled on a set of features and non-features, similar to how we do it with threat indicators. If it's error prone for threat indicators it's error prone for user tracking and vice versa.

There are reasons not to care. For instance in the threat indicator space false negatives (a threat which is not caught) doesn't cause nearly the pucker as a false positive (something which is not a threat which is flagged as one). Their calculus and minimum may be driven by somewhat different objectives, because their audience is advertisers not security practitioners.

You can still 1:1 addresses to purposes and if you see crosstalk you can draw conclusions. Their normalization is lossy; that's the point.

The cynic in me notes that given the absolute lack of originality in password choice, similar lack of entropy could be seen in 1:1 mappings and perhaps they can infer that if you're hansolo@ and they're example.com, that the email address you'd use is han.solo+example@. The cynic also says: that's on you.

But damn, I'm looking better all the time: https://github.com/m3047/trualias

If it has "artistic" or other redeeming value, go for it. Write a README or blog (or three) covering what's unique or important, or how it fits into some historical narrative. Just be clear with yourself on what you expect to get out of it, and how much work you're willing to put into feeding your pet.

I published something once which was three lines of code. It was useful; anyone could do it, but nobody did (a modem dialing script, of all things). The (often multipage) requests for releases to publish were an unexpected annoyance; I always tried to respond politely that I didn't feel it manifested the requisite originality to be a protected work, and that if they printed the email out and sent it to me with a self-addressed stamped envelope I'd sign it and send it back.

I publish https://github.com/m3047/trualias (checksummed on-the-fly email aliases) even though I consider the code far from perfect: it works, it defines a grammar (which I'm happy with), and it has (pretty comprehensive) tests for that grammar. The most important aspect in my opinion is the grammar and a working proof of concept. (To my bemusement it also has the most stars of any of my projects on GitHub, go figure.)

The phone thing has veered into outright fraud. Twitter just paid a $150,000,000 fine to the (US) FTC for letting advertisers match on telephone numbers provided for 2FA.

I am really tired of people selling my burner phone to the credit people; and no, I don't own that phone number. Prove I do.

Take my local credit union. Please. Jackasses let someone have access to my checking account. I don't bank online with them either, or I didn't, but last summer was trying to talk to them about a refi and I had to register online and they wanted a phone for 2FA. So of course instead of calling the land line, which is clearly and incontrovertibly mine, they called the burner. Several times.

Eventually I answered it with "fuck you you frauds" and they were "oooh sir, call me back on my direct line" so I tried... from my land line in the same area code, you get the idea... and their system won't route the call to their fraud department. So I ignored them for a couple of weeks.

Seriously they were so incompetent that when the actual fraudsters were probing, the first transaction was a /deposit/. When they were finally trying to clean their mess up, they /credited/ me the same amount. I'm the one who figured it out and told them well you gave me 2x their original deposit, when you really should have debited the amount in the first place.

People like that are not going to safeguard your information.

Ob relevance: I have my own reasons for not wildcarding domains and use this instead: https://github.com/m3047/trualias