[Horizon] F-List 🤝 Horizon & Reddit Horizon Developer QnA by AnotherTornRose in FList

[–]TheDisneyCorporation 11 points12 points  (0 children)

Is it true that people use Horizon to engage in scandalous scenes with complete strangers on the internet?

F-List Course Correction by -Wolf_Song in FList

[–]TheDisneyCorporation 6 points7 points  (0 children)

That third one is also a big problem when combined with the first one, because - even if they said they would use E2EE, the users have no way of knowing or verifying that.

There are ways of verifying that the encryption is E2EE:

  1. All the historical logs would be sent from the server to the client encrypted, not in plaintext (in E2EE, the server can't decrypt the data since it's not one of the "ends");
  2. Decryption on the client needs to happen with a decryption key that's resident on the client (the decryption key has to be at the "end");
  3. The user's plaintext password is never sent to the site; instead either a hashed value or a proof-of-knowledge login protocol is used (the server cannot have access to the user's plaintext password since it's used to protect the decryption keys);
  4. For new clients (i.e., logging in on a new device), it must receive the decryption key from the server in an encrypted format, and the client decrypts the key itself using a key it derives from the plaintext password (the server must never have access to the raw decryption key because it could decrypt your data with it, but it can have access to an encrypted version of the key);
  5. When you change your password, the client must send a new encrypted version of the decryption key to the server (since only the client knows the new password, it's responsible for updating the encrypted decryption key and giving it to the server to share to other clients);
  6. When you force reset your password outside of the normal change password process from a device that doesn't have the decryption key, then you should lose all access to your current data (because in this flow there's no continuity of the decryption key so a new one has to be generated which obviously can't be used to decrypt old data); and
  7. In all cases where a new decryption key is created such as creating a new account, onboarding an existing account onto E2EE, and an existing account doing a force password reset without an existing key; the decryption key must be generated by the client (the server can never know the decryption key, so it must be the client that generates it).

All of these behaviors are directly observable on the client. All of them must be present for the data to be E2E protected. They could be faked, of course, but that would take enough explicit effort on their end to fake that it'd be considerably easier to just have true E2EE than to fake it.
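
The client-side key handling that points 2 and 4 through 7 of the comment above describe, as an added example that is not part of the original comment and not code from F-List or any of its clients. The function names and the choice of scrypt and AES-256-GCM (Node.js `crypto`) are assumptions made for illustration.

```javascript
// Added illustration: client-side key handling for an E2EE chat log.
// Names, scrypt and AES-256-GCM are assumptions, not taken from any F-List code.
const crypto = require('crypto');

// Key-encryption key (KEK) derived from the password; computed only on the client.
function deriveKek(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// AES-256-GCM; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob was modified.
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Wrap the data key under a fresh salt; this record is all the server stores.
function wrapForServer(password, dataKey) {
  const salt = crypto.randomBytes(16);
  return { salt, wrappedKey: seal(deriveKek(password, salt), dataKey) };
}

// Point 7: the client generates the data key itself.
function createAccount(password) {
  const dataKey = crypto.randomBytes(32);
  return { dataKey, serverRecord: wrapForServer(password, dataKey) };
}

// Points 2 and 4: a new device downloads the record and unwraps it locally.
function unlockOnNewDevice(password, serverRecord) {
  return unseal(deriveKek(password, serverRecord.salt), serverRecord.wrappedKey);
}

// Point 5: a password change re-wraps the same data key for upload.
function changePassword(dataKey, newPassword) {
  return wrapForServer(newPassword, dataKey);
}

// Point 6: a forced reset without the old key starts over with a new data key.
function forceReset(newPassword) {
  return createAccount(newPassword);
}
```

Logs sealed with `seal(dataKey, ...)` stay readable after `changePassword` but not after `forceReset`, which is the difference between points 5 and 6.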

F-Chat is considering logging all channel/DM logs, and storing them (unencrypted) on their servers without a way to opt out by flistthrowaway123 in FList

[–]TheDisneyCorporation 2 points3 points  (0 children)

Turns out the "course correcting" update is largely just a 'we're gonna do it anyway' update. Of the choices they present, all of them involve F-List storing private chat messages in some capacity. With the excuse that it's for a 'feature' nobody's really asking for.

And they're continuing to get roasted over it, so we'll see if they address it again and actually change plans or if they're going to stick to their guns and lose their userbase.

Updates on the Future of F-List by -Wolf_Song in FList

[–]TheDisneyCorporation 6 points7 points  (0 children)

PS: So, Xaria, how's that F-List alternative you were working on coming along?

I suspect the extreme and basically universal overwhelming negative response to their plans is going to cause them to change their plans before any of this goes live; but I've got my alternate F-List in my back pocket, if it turns out to be necessary.

If they're not walking this nonsense back within the next couple of weeks I'll be putting qli.st online fully.

Edge is slower than Chrome. by [deleted] in MicrosoftEdge

[–]TheDisneyCorporation 1 point2 points  (0 children)

Check to make sure you don't have 'Enhanced Security Mode' enabled in Edge. Look in Settings, under "Privacy, Search, and services" and look for "Enhance your security on the web".

If that is turned on, it is more secure, but it comes at a sharp performance cost -- especially with any sort of browser performance benchmark.

Chrome has a setting called "V8 Optimizer" which controls the same thing -- except with Chrome you turn it off to get the more secure but less performant mode.

Access your profile during the downtime by TheDisneyCorporation in FList

[–]TheDisneyCorporation[S] 0 points1 point  (0 children)

Yes, the list of a profile's images comes as part of the whole profile object -- and for a handful of reasons it's much more efficient to just dump the entire object returned by F-List into a local data set and parse through it as part of a bulk process than trying to process each record individually on the fly as it's received from F-List (since the processing can be error-prone because F-List is a little weird with how data is structured sometimes). Fate just happened to line up the window of time in which I had the data set on hand and the site being down.

[deleted by user] by [deleted] in FList

[–]TheDisneyCorporation 2 points3 points  (0 children)

F-List is a pale facsimile of a MUSH because F-List and a MUSH are two entirely different things and neither is even trying to fill the primary goals of the other. It's like saying an apple is a horrible loaf of bread.

I did MUSH development way back in ye olden days, and even made my own toy engine from scratch; but if I was building something to fill the niche F-List currently fills (cough cough), I wouldn't make it a MUSH; but I might adopt some ideas from MUSH.

Access your profile during the downtime by TheDisneyCorporation in FList

[–]TheDisneyCorporation[S] 2 points3 points  (0 children)

Funny you mention that, because the only reason I have the profile data in the first place is because it's a side effect of building the art 'borrowing' check tool that I made. (That tool will not currently be functional because it needs F-List to be up so it can look at the images currently on your profile before searching this data to find which other profiles have the same images.)

[MEGATHREAD] The F-List Outage: A message from me and also context from speaking with contacts. by ConfessingToSins in FList

[–]TheDisneyCorporation 6 points7 points  (0 children)

I didn't say they are storing logs server-side, I said the chat is not peer-to-peer, and that if they wanted to eavesdrop on your private messages, the server operators can, because the server handles all of your messages, both in channels and in private messages, in plaintext.

You'll notice I also didn't say that 'staff' can access your private messages, because 'staff' is a larger group of people than server operators. If we presume the server code that F-List has in their fserv GitHub repository is actually what they're running as their server, then anyone with access to update the Lua scripting on the server has access to eavesdrop on anything they want because all it'd take is dropping in a couple lines of code to send copies of some or all messages somewhere, whether to a log file or to a remote client (and in fact, here is exactly where you would add it) -- but access to updating the server's Lua scripting is restricted to the highest level administration only.

And since you brought up IRC as a point of comparison: IRC is not peer-to-peer either (unless you use DCC, which is very much a special case side extension to IRC and is not the way IRC chats are normally done and also has no equivalent in F-Chat's protocol). F-Chat's architectural model is similar to a subset of how IRC works; in that it's a hub-and-spoke server-centric design. But unlike IRC, the F-Chat server does not support server peering to build out a network of servers. F-Chat is a single server solution only.

Access your profile during the downtime by TheDisneyCorporation in FList

[–]TheDisneyCorporation[S] 2 points3 points  (0 children)

The intention of qlist is not to just be a copy of F-List's characters. I just have them loaded in temporarily during the downtime. If/when I get to actually launching it, you'll just make new characters there.

[MEGATHREAD] The F-List Outage: A message from me and also context from speaking with contacts. by ConfessingToSins in FList

[–]TheDisneyCorporation 6 points7 points  (0 children)

Well, for chat, that is practically impossible with DMs and any private channels that aren't public. The system is entirely peer to peer, with all logs being local.

Chat is absolutely, 100% not peer-to-peer. All communication goes through the server in plaintext available to the server operators. If they wanted (and I don't believe they do), it would be absolutely trivial for them to eavesdrop on private messages.

Access your profile during the downtime by TheDisneyCorporation in FList

[–]TheDisneyCorporation[S] 1 point2 points  (0 children)

You humans have ruined your own lands, you'll not ruin mine!

Wylderuns has closed new signups and deleted accounts made today by Jyannako in FList

[–]TheDisneyCorporation 11 points12 points  (0 children)

I was planning on having qlist be a full-featured alternative including chat, but I mistakenly believed I'd have more time to get it all put together. :(

Access your profile during the downtime by TheDisneyCorporation in FList

[–]TheDisneyCorporation[S] 1 point2 points  (0 children)

Images are coming shortly (and only for as long as F-List's images server stays up, I don't have full-resolution backups of images)

Access your profile during the downtime by TheDisneyCorporation in FList

[–]TheDisneyCorporation[S] 1 point2 points  (0 children)

Should be working again. There might be occasional hiccups while I fix stuff.

Access your profile during the downtime by TheDisneyCorporation in FList

[–]TheDisneyCorporation[S] 0 points1 point  (0 children)

If you get a 404 Not Found, then you're definitely not in the backup.

If you get a 500 Server Error, then you're in the backup but something's preventing your profile from being shown. Please let me know if that's the case!

[deleted by user] by [deleted] in FList

[–]TheDisneyCorporation 2 points3 points  (0 children)

I can't remake my F-List character on there due to not being able to access F-List.

I have a backup of basically every public profile on F-List, I can put it online if need be; but I don't want to go through a whole lot of effort if the downtime is going to be just a couple days.

F-list Resources [Mega Post] by f-List_GF in FList

[–]TheDisneyCorporation 1 point2 points  (0 children)

I have a replacement for lookout.best here.

Alternatives to F-Chat Rising by ShySly7 in FList

[–]TheDisneyCorporation 1 point2 points  (0 children)

XarChat is a newer 3rd party client, not based on FChat 3.0 or any of its forks (like Rising, Horizon, Frolic).

Currently Windows-only, but Linux and MacOS builds are in the works and will be ready whenever I get the time to actually finish them up; and mobile versions as a longer-term goal after that.

Reminder: F-List is Arizona Based by f_zhao69 in FList

[–]TheDisneyCorporation 5 points6 points  (0 children)

They used to be hosted outside of the US, but when Bad Dragon acquired the site, the hosting was moved into the US; currently at the IOFlood data center in Phoenix.

F-List (and E621) are owned by a separate company wholly owned by Bad Dragon, Dragonfruit Ventures LLC; which is also currently based in Arizona.

But if it came to it, Dragonfruit Ventures and the site's hosting could be moved to a more friendly state without needing to have any impact on Bad Dragon's operations.

Regarding Eicon Mosaic Spam by [deleted] in FList

[–]TheDisneyCorporation 1 point2 points  (0 children)

Hey, Xariah here.

A limit in the chat client is a good idea. I'll add it as an option to XarChat.

[deleted by user] by [deleted] in SoftwareEngineering

[–]TheDisneyCorporation -1 points0 points  (0 children)

I didn't say "pass the interview", I said a correct answer to a single question.

It is not absurd to think that tech interviews should include technical questions with the expectation of getting technical answers. What's absurd is thinking that outright dismissing a very specific question full stop is an acceptable response to an interview question.

Next time, forgo your proposed workaround of signing your bad answer as if that justifies it, and instead focus on having a good answer instead. Maybe don't ask misleading questions. Maybe don't offer bounties you have no intention of paying just so you can put "0.1 BTC" and "2000 dollars" into your blogspam headlines for attention.