Tantek Çelik

inventor, connector, writer, runner, scientist, more.

  1. Running For Re-election in the 2025 W3C Advisory Board (AB) Election

    Tantek Çelik is nominated by Mozilla Foundation.
    Nomination statement from Tantek Çelik:

    Hi, I'm Tantek Çelik and I'm running for the W3C Advisory Board (AB) to build on the momentum the AB has built with transitioning W3C to a community-led and values-driven organization. I have been participating in and contributing to W3C groups and specifications for over 25 years.

    I am Mozilla’s Advisory Committee (AC) representative and previously served on the AB for several terms, starting in 2013, with a two-year break before returning in 2020. In early years I drove the movement to shift W3C to more open licenses for specifications, and more responsiveness to the needs of open source communities and independent website publishers.

    Most recently on the AB I led the AB’s Priority Project for a W3C Vision as contributor and editor, taking it through wide review, and consensus at the AB to a vote by the AC to adopt the Vision as an official W3C Statement.

    Previously I also co-chaired the W3C Social Web Working Group that produced several widely interoperably deployed Social Web Standards. Mastodon and other open source software projects built a social network on ActivityPub and other social web specs which now require maintenance from implementation experience. As such, I have participated in the Social Web Incubator Community Group and helped draft a new charter to restart the Social Web Working Group and maintain these widely adopted specifications.

    With several members stepping down, the AB is experiencing much higher than usual turnover in this election.

    I am running for re-election to both help with continuity, on the Vision project and other efforts, and work with new and continuing Advisory Board members to build a fresh, forward-looking focus for the AB.

    I believe governance of W3C, and advising thereof, is most effectively done by those who have the experience of actively collaborating in working groups producing interoperable specifications, and especially those who directly create on the web using W3C standards. This direct connection to the actual work of the web is essential to prioritizing the purpose & scope of governance of that work.

    Beyond effective governance, the AB has played the more crucial role of a member-driven change agent for W3C. While the Board and Team focus on the operations of keeping the W3C legal entity running smoothly, the AB has been and should continue to be where Members go to both fix problems and drive forward-looking improvements in W3C to better fulfill our Vision and Mission.

    I have Mozilla's financial support to spend my time pursuing these goals, and ask for your support to build the broad consensus required to achieve them.

    I post on my personal site tantek.com. You may follow my posts there or from Mastodon: @tantek.com@tantek.com

    If you have any questions or want to chat about the W3C Advisory Board, Values, Vision, or anything else W3C related, please reach out by email: tantek at mozilla.com. Thank you for your consideration.

    Addendum: More Candidates Blogged Nomination Statements

    Several other candidates (all new candidates) have also blogged their nomination statements, on their personal websites, naturally. This is the first AB election I know of where more than one candidate blogged their nomination statement. Ordered earliest published first:

    And one more candidate blogged about why he is running:

  2. Last Friday I published my second Cybersecurity Friday post with three more key steps for cybersecurity. In summary:

    1. Different email address for each account, AKA email masking. Use or create a different email alias for each service you sign up for.
    2. Different password for each account. This is a well known security technique against credential stuffing attacks.
    3. Use a password manager to autofill. Always using a password manager to autofill your login username (or email) and password can be a very effective method of reducing the chances of being phished.

    Full post with details: https://tantek.com/2025/122/b1/more-steps-indieweb-cybersecurity

    #CyberSecurity Friday #cyber #security

    Previously: https://tantek.com/2025/055/t1/three-steps-indieweb-cybersecurity

  3. ↳ In reply to issue 12 of GitHub project “authentic-web-workshop”

    Additional suggested pre-read for workshop participants, given the primary topic of this meeting:

    * "C2PA Is Not Going To Fix Our Misinformation Problem" (https://lowentropy.net/posts/c2pa/) by Martin Thomson (@lowentropy.net @github.com/martinthomson)

    I have a conflict for most of the duration of this mini-workshop instance.

    The time of this second instance is also the same as the first, which is exceptionally unfriendly to participants in Asia and Oceania, such as the author of the above pre-read.

    If there is an intention to continue this mini-workshop series, I request rotating future event instances across times that are more friendly and accommodating across timezones in order to be more inclusive of global participants.

    Lastly, here is another suggested pre-read on a fallacy I noted in the prior mini workshop^1:
    * "Politician’s Syllogism" (https://en.wikipedia.org/wiki/Politician%27s_syllogism)

    Thank you for your attention to both of these suggested pre-reads.

    Stay skeptical, my friends.

    Tantek Çelik, Mozilla Advisory Committee Representative, Member of W3C Credible Web Community Group (https://credweb.org/)

    ^1 https://github.com/w3c/authentic-web-workshop/blob/main/minutes/2025-03-12AuthWeb.md

  4. May the Fourth be with you!

    There’s a movie discussion podcast that I discovered via my pal Tom Coates (@plasticbag.org @tomcoates@me.dm @tomcoates) when he posted their episode on the movie Gattaca^1 where they had him on as a special guest.

    Originally started in 2020 as “Dune Pod” about all things related to the then upcoming Dune movie, as they covered more and more movies of a certain kind from mostly the 1980s and 1990s, they renamed themselves “Escape Hatch”.

    For their 250th episode which they coincidentally released yesterday or today depending on your timezone, they decided to cover the classic 1980 Star Wars sequel Empire Strikes Back.

    An intelligent, nerdy, well researched, and overall entertaining discussion of what may be one of the greatest movies of all time — certainly the best Star Wars film.

    Check it out: https://www.patreon.com/posts/episode-250-back-128092542

    #DunePod #EscapeHatch #StarWars #EmpireStrikesBack #TheEmpireStrikesBack
    #MayTheFourthBeWithYou #MayTheFourth #MayThe4thBeWithYou #MayThe4th

    ^1 https://open.spotify.com/episode/6BUuNvkhqwdrZGIkKAYBya

  5. CSF_02: Entropy Is Your Friend In Security

    Deliberate use of entropy, randomness, even changing routines can provide a layer of defense for cybersecurity.

    More Steps for Cybersecurity

    Here are three more steps (in addition to Three Steps for IndieWeb Cybersecurity) that you can take to add obstacles to any would-be attackers, and further secure your online presence.

    1. Different email address for each account, AKA email masking. Use or create a different email alias for each service you sign up for. With a single email inbox, like any username at Gmail, you can often append a plus sign (+) and a brief random string. If you use your own #indieweb domain for email addresses, pick a different name at that domain for each service, with a bit of entropy like a short number. Lastly, another option is to use an email masking service — try a web search for that phrase for options to check out. Each of these works to limit or at least slow down an attacker, because even if they gain control of one email alias or account, any “forgot password” (AKA password reset or account reset, or sometimes called recovery) attempts with that same email on other services won’t work, since each service only knows about an email address unique to it.
    2. Different password for each account. This is a well known security technique against credential stuffing attacks. I.e. if someone retrieves your username and password from a data breach, or guesses them, or tricks (phishes) you into entering them for one service, they may try to “stuff” those “credentials” into other services. Using different passwords for all online services you use can thwart that attack. Note however that different passwords with the same email address will not stop an account reset attack, which is why this tip is second to email masking.
    3. Use a password manager to autofill. All modern browsers and many operating systems have built-in password managers, most of which also offer free sync services across devices. There is also third party password manager software and third party password manager services which are designed to work across devices, browsers, and operating systems. Regardless of which option you choose, always using a password manager to autofill your login username (or email) and password can be a very effective method of reducing the chances of being phished. Password managers will not autofill forms on fake phishing domains that are pretending to be a legitimate service. Password managers can also help with keeping track of unique email addresses and passwords for each service. Most will also auto-generate long and random (high entropy) passwords for you.
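The three steps above, worked through as an added example (not code from this post). It generates per-service aliases and passwords, audits a constructed account list for shared emails and reused passwords before and after, and models autofill as an exact-origin match. All function names, the sample accounts and the exact-origin rule are assumptions made for illustration; real password managers use their own matching rules.

```python
import math
import secrets
import string
from collections import defaultdict
from urllib.parse import urlsplit

TAG_CHARS = string.ascii_lowercase + string.digits
PW_CHARS = string.ascii_letters + string.digits + "-_.!#%^*"  # 70 symbols


def plus_alias(inbox, tag_len=6):
    """Step 1, single inbox: user@example.com -> user+<random tag>@example.com."""
    local, at, domain = inbox.rpartition("@")
    if not (local and at and domain):
        raise ValueError(f"not an email address: {inbox!r}")
    tag = "".join(secrets.choice(TAG_CHARS) for _ in range(tag_len))
    return f"{local}+{tag}@{domain}"


def domain_alias(service, domain):
    """Step 1, own domain: a per-service name plus a short random number."""
    return f"{service.lower()}{secrets.randbelow(9000) + 1000}@{domain}"


def new_password(length=20):
    """Step 2: return (password, entropy in bits), drawn from the OS CSPRNG."""
    pw = "".join(secrets.choice(PW_CHARS) for _ in range(length))
    return pw, length * math.log2(len(PW_CHARS))


def audit(vault):
    """Group services by email and by password; report any group larger than one.

    A shared email lets one compromised inbox reset every listed account.
    A reused password lets one leaked credential be stuffed into the others.
    Passwords themselves are never echoed in the report.
    """
    by_email, by_password = defaultdict(list), defaultdict(list)
    for entry in vault:
        by_email[entry["email"].lower()].append(entry["service"])
        by_password[entry["password"]].append(entry["service"])
    return {
        "shared_email": {e: s for e, s in by_email.items() if len(s) > 1},
        "reused_password": [s for s in by_password.values() if len(s) > 1],
    }


def harden(vault, inbox):
    """Give every entry its own alias and its own random password."""
    return [
        {**entry, "email": plus_alias(inbox), "password": new_password()[0]}
        for entry in vault
    ]


def autofill_allowed(saved_origin, page_url):
    """Step 3, simplified: fill only on the exact HTTPS origin the login was saved for."""
    saved, page = urlsplit(saved_origin), urlsplit(page_url)
    return page.scheme == "https" and (
        (saved.scheme, saved.hostname, saved.port)
        == (page.scheme, page.hostname, page.port)
    )


# Constructed sample accounts (not real): one inbox everywhere, one password reused.
SAMPLE_VAULT = [
    {"service": "forum", "origin": "https://forum.example",
     "email": "user@example.com", "password": "Tr0ub4dor&3"},
    {"service": "shop", "origin": "https://shop.example",
     "email": "user@example.com", "password": "Tr0ub4dor&3"},
    {"service": "bank", "origin": "https://bank.example",
     "email": "user@example.com", "password": "correct-horse-9"},
]

if __name__ == "__main__":
    print("before:", audit(SAMPLE_VAULT))
    print("after: ", audit(harden(SAMPLE_VAULT, "user@example.com")))
    print("alias on own domain:", domain_alias("shop", "example.com"))
    print("entropy bits for 20 chars:", round(new_password()[1], 1))
    for url in ("https://bank.example/login",
                "https://bank.example.login.invalid/login"):  # constructed lookalike
        print(url, "-> autofill" if autofill_allowed("https://bank.example", url)
              else "-> no autofill")
```
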

    I’ll close with a reminder that Perfect is the enemy of good. This post has been a draft for a while so I decided to publish it as a summary, rather than continuing to iterate on it. I’m sure others have written much longer posts. Similarly, even if you cannot take all these actions immediately everywhere, you can benefit by incrementally taking some of these steps on some accounts. Prioritize important accounts and take steps to increase their security.

    Previous post in this series: CSF_01: Three Steps for IndieWeb Cybersecurity

    Glossary

    Glossary for some terms, phrases, and further reading on each.

    credential stuffing
    https://en.wikipedia.org/wiki/Credential_stuffing
    data breach
    https://en.wikipedia.org/wiki/Data_breach
    entropy
    https://en.wikipedia.org/wiki/Entropy_(information_theory)
    password manager
    https://en.wikipedia.org/wiki/Password_manager
    phish, phished, phishes, phishing
    https://en.wikipedia.org/wiki/Phishing

    Syndicated to: IndieNews

  6. Welcome to the May 2025 edition of IndieWeb Movie Club!

    As your host for this month^1, I invite you to (re)watch the film “Tomorrowland” (https://movies.disney.com/tomorrowland), with an optional prequel book reading assignment!

    “Before Tomorrowland” (https://books.disney.com/book/before-tomorrowland/) was released about a month before the film, so it’s fine to read before watching.

    #Tomorrowland is available in various physical media formats, and via streaming on DisneyPlus^2. 130 minutes, rated PG.

    This month is the 10th anniversary of Tomorrowland’s release.

    The world was quite different in 2015.

    I had my own impressions of Tomorrowland when I first heard about it and then watched it much later (which I won’t link to yet to avoid spoilers or biasing your opinions). The film made such a strong impression on me that I held a group film viewing and discussion party in 2015!

    I’m curious how both first time viewers in 2025 and folks watching a second (or more) time think of Tomorrowland.

    If you would like to participate in this month’s IndieWeb Movie Club:
    * optional: read the prequel book
    * watch the film
    * blog a read^3 (for the book), watch^4, review^5, or even a simple note^6 post of your impressions, or some or all the above and link to this post

    If you want your post(s) to be included in the May 2025 IndieWeb Movie Club roundup, notify me with a Webmention^7 from your post, or drop a link in the IndieWeb chat discussion channel^8 and @-mention me.

    Since this is an IndieWeb community activity, please both follow the Code of Conduct^9, and also keep your post within the same rating (PG) as the movie. I may curate the roundup accordingly.

    Happy reading, watching, and dreaming!

    #TomorrowlandFilm #BeforeTomorrowland #IndieWeb #IndieWebMovieClub

    This is post 11 of #100PostsOfIndieWeb. #100Posts

    https://tantek.com/2025/077/t1/what-are-words-for-blogging
    → 🔮


    References:

    ^1 https://indieweb.org/IndieWeb_Movie_Club#2025
    ^2 https://www.disneyplus.com/en-gb/browse/entity-3355a91d-addb-4c66-91a6-136325e6ecf7
    ^3 https://indieweb.org/read
    ^4 https://indieweb.org/watch
    ^5 https://indieweb.org/review
    ^6 https://indieweb.org/note
    ^7 https://indieweb.org/Webmention
    ^8 https://indieweb.org/discuss#indieweb
    ^9 https://indieweb.org/code-of-conduct

  7. 👍 to a comment on issue 269 of GitHub project “AB-public”

  8. ↳ In reply to a comment on issue 77 of GitHub project “security-request”

    @github.com/simoneonofri wrote:

    > is there a specific reason why “safe” was used in this context and "security" in the ethical principles?

    I believe we used the term “safe” as in safety as inclusive of both privacy and security in the linked principle as you noted. Both of those (and potentially more) are aspects of user safety, which is the perspective we wanted to capture and express, the human’s perspective.

    From a copywriting and readability perspective, we tried very hard to keep those specific points as short and broadly understandable (without any jargon implications) as possible.

    Simone, if you find that answer satisfactory, please feel free to close this issue as completed. Thanks again for your diligent review and follow-up, appreciated.

  9. 👍 to a comment on issue 269 of GitHub project “AB-public”

  10. 👍 to issue 269 of GitHub project “AB-public”

  11. ❤️ to issue 269 of GitHub project “AB-public”

  12. My Garmin watch did not sync activities with the Garmin Connect iOS app upon returning home from a week of travels. It did sync my steps from the day I landed, my sleep that night, and steps the following day. It just failed to pick up my running, hiking, and other activities logged when I was abroad.

    After a little searching and filtering out obvious tips (make sure Bluetooth is on and paired), I found the key steps and fixed it.

    How to get the Garmin Connect iOS app to sync Garmin watch activities that are seemingly being ignored:

    1. unpair watch from phone (iOS Settings > Bluetooth > (i) next to watchname > "Forget This Device")
    2. hard restart watch (e.g. hold down backlight button on a fenix 7S Pro to turn it off)
    3. restart Garmin Connect app (force quit and re-open)
    4. re-pair watch to phone
    5. wait a while for all the activities to sync

    It seemed to sync hikes and walks first, then runs, roughly in reverse chronological order.

    The syncing spinner indicator in Garmin Connect took a while and prematurely completed the progress circle ○, and kept “spinning” the arrows 🔁 inside the circle for many minutes.

    Note: having some idea how software is written and handles queues etc., I highly recommend fixing any syncing problems like this before recording another activity in your watch. There is a chance that the software bug(s) that caused the syncing problem in the first place may inadvertently only pick up the latest activity and make it even harder to recover or sync the previously unsynced activities.

    I had no luck with web searching, e.g. for
    * why is Garmin ios app not syncing recent activities from my Garmin watch
    and similar queries.

    All “AI Overview” results were useless.

    Only after going to https://support.garmin.com/ and entering my watch model name and number did I somehow find this article:
    * Garmin Connect App: Device Is Paired but Not Connecting to App: https://support.garmin.com/en-US/?faq=9BcXLSQ4A22gasLarkUvH6

    While not the exact problem I was having (my watch did connect, and sync two days of steps and one night of sleep), it felt close enough to be worth reading.

    Steps 3 and 4 in the article gave the key steps to try (though I split step 4 into two parts, and in the middle only restarted my watch; there was no reason to restart my phone).

    That article linked to another article on "How Do I Restart My Garmin Device?" which I also found useful: https://support.garmin.com/en-US/?faq=A6gOR1U2zDAFqmJVdap6k6

    Hopefully by blogging this, the next person that has a similar problem (my guess is the Garmin Connect Android app works similarly) can more quickly find this solution and key steps by searching the open web.

    #Garmin #watch #GarminWatch #sportsWatch #GarminConnect #troubleShooting #GarminTroubleShooting

  13. I’m happy to announce that something I and others have worked on very hard for the past few years has been published by the W3C Advisory Board (AB) and sent to the W3C Advisory Committee (AC) for a vote to make it official:

    Vision for W3C: https://www.w3.org/TR/2025/NOTE-w3c-vision-20250402/

    Official announcement: https://www.w3.org/news/2025/proposal-to-endorse-vision-for-w3c-as-a-w3c-statement/

    If your company is a W3C Member^1, please ask your Advisory Committee Representative^2 to vote to support publication of the Vision for W3C as an official W3C Statement:

    https://www.w3.org/wbs/33280/Vision2025/ (W3C Member-only link)

    Thank you for your support.

    #W3CVision #Vision #VisionForW3C #W3C (@w3c@w3c.social) #W3CAB (@ab@w3c.social)

    ^1 https://www.w3.org/membership/list/
    ^2 https://www.w3.org/Member/ACList (W3C Member-only link)

  14. “Tell me, what are words for?” They are for blogging!

    Earlier today during an informal espresso live stream in the #indieweb cafe, Spotify was playing an auto-generated daylist, something like “romantic 80s tuesday morning”, and the 1982 song “Words”^1 by the band Missing Persons came on.

    When we heard this lyric:

    🎶 What are words for when no one listens? 🎶

    I remarked half-jokingly in response:

    Words are for blogging, whether anyone is listening, reading, or not.

    Another participant noted that blogging sometimes feels like screaming into the void.

    I noted it doesn’t matter if anyone is reading (or listening), it’s fine to blog for an audience of one, yourself, even just to have something to refer to or reference in the future.

    When I write a post it’s often directed at only a small number of people, who may be part of a larger conversation. The point of publishing it publicly is to assert a level of confidence and credibility by the act of “putting it on the permanent record” (since nearly everything blogged is promptly indexed and archived) with a permalink.

    The lyrics have some quite prescient bits, like this:

    “No one notices, I think I'll dye my hair blue
     Media overload bombarding you with action
     It’s getting near impossible to cause distraction”

    Written and sung more than forty years ago. Long before the web (or #socialWeb) was a thing.

    Rewriting the lyrics as a parody could be a fun project, e.g.:

    🎶 What are blogs for when no one reads them? 🎶

    some existing lyrics barely need any edits, like:

    “It’s like the feeling at the end of the page
     When you realize you don't know what you just read”

    perhaps an exercise for the reader for now.

    Previously: “Inbox Zero” (parody of The Fixx “Saved by Zero”^2)
    * https://tantek.com/w/InboxZero (2009-01-29 https://tantek.com/twttr/status/1160324190)


    This is post 10 of #100PostsOfIndieWeb. #100Posts

    https://tantek.com/2025/055/t1/three-steps-indieweb-cybersecurity
    https://tantek.com/2025/120/t1/indieweb-movie-club-tomorrowland


    Glossary

    blog
      https://indieweb.org/blog
    blogging
      https://indieweb.org/blogging
    permalink
      https://indieweb.org/permalink
    why blog
      https://indieweb.org/why_post


    References

    ^1 https://libre.fm/artist/Missing+Persons/track/Words (YouTube link inside)
    ^2 https://libre.fm/artist/The+Fixx/track/Saved+by+Zero (YouTube link inside)

  15. ❤️ to a comment on issue 211 of GitHub project “AB-public”

  16. ↳ In reply to bsky.app’s post

    Thanks @zeldman.com (@zeldman.bsky.social @zeldman@front-end.social @zeldman) 🙏🏻

    Appreciate your kind words, and same appreciation of your decades of dedicated work & words right back at you.

    I feel we’re all doing what we can to keep at least parts of the web a positive place to connect and collaborate. #indieweb

    These recent words of yours (tweeted 2024-11-26) struck a chord that resonated:

    “Our euphoria during the first 25 years of web design turns out to have significantly overestimated human intelligence, compassion, and decency.”

    Here’s to decades more work & words, perhaps with some acceptance of your observation, and shifting our designs to meet people where they are, enabling and encouraging them to be and do better.

  17. Something I wrote in the W3C Authentic Web Mini Workshop’s Zoom chat:


    Another implicit assumption (flaw) that is often a part of "purely technical solutions" is the neglect or ignorance (innocent naïveté) of existing technical solutions.

    A technical proposal should not be praised for what it claims to solve.

    A technical proposal must be evaluated by what marginal difference or advantage it provides over existing technologies.

    Any technical proposal that ignores prior technologies is itself doomed to be ignored by the next technical proposal.


    In addition to the slide presentations (links to come) in the mini workshop and Zoom verbal discussion which was minuted (link to come), there was a lot of very interesting discussion in the Zoom chat, which was not minuted. Sometimes such quick back & forth can help inspire summarizing of points which one had not previously written down.

    I was encouraged by a fellow workshop participant to blog this one so here it is!

    #W3C #credweb #credibleWeb #authenticWeb #technology #technical #proposal #technicalProposal #history

  18. I just participated in the first W3C Authentic Web Mini Workshop^1 hosted by the Credible Web Community Group^2 (of which I’m a longtime member) and up front I noted that our very discussion itself needed to be careful about its own credibility, extra critical of any technologies discussed or assertions made, and initially identified two flaws to avoid on a meta level, having seen them occur many times in technical or standards discussions:

    1. Politician’s Syllogism — "Something must be done about this problem. Here is something, let's do it!"

    2. Solutions Looking For Problems — "I am interested in how tech X can solve problem Y"

    After some back and forth and arguments in the Zoom chat, I observed participants questioning speakers of arguments rather than the arguments themselves, so I had to identify a third fallacy to avoid:

    3. Ad Hominem — while obvious examples are name-calling (which is usually against codes of conduct), less obvious examples (witnessed in the meeting) include questioning a speaker’s education (or lack thereof) like what they have or have not read, or would benefit from reading.

    I am blogging these here both as a reminder (should you choose to participate in such discussions), and as a resource to cite in future discussions.

    We need to all develop expertise in recognizing these logical and methodological flaws & fallacies, and call them out when we see them, especially when used against others.

    We need to promptly prune these flawed methods of discussion, so we can focus on actual productive, relevant, and yes, credible discussions.

    #W3C #credweb #credibleWeb #authenticWeb #flaw #fallacy #fallacies #logicalFallacy #logicalFallacies


    Glossary

    Ad Hominem
      attacking an attribute of the person making an argument rather than the argument itself
      https://en.wikipedia.org/wiki/Ad_hominem

    Politician's syllogism
      https://en.wikipedia.org/wiki/Politician%27s_syllogism

    Solutions Looking For Problems (related: #solutionism, #solutioneering)
      Promoting a technology that either has not identified a real problem for it to solve, or actively pitching a specific technology to any problem that seems related. Wikipedia has no page on this but has two related pages:
      * https://en.wikipedia.org/wiki/Law_of_the_instrument
      * https://en.wikipedia.org/wiki/Technological_fix
      Wikipedia does have an essay on this specific to Wikipedia:
      * https://en.wikipedia.org/wiki/Wikipedia:Solutions_looking_for_a_problem
      Stack Exchange has a thread on "solution in search of a problem":
      * https://english.stackexchange.com/questions/250320/a-word-that-means-a-solution-in-search-of-a-problem
      Forbes has an illustrative anecdote:
      * https://www.forbes.com/sites/stephanieburns/2019/05/28/solution-looking-for-a-problem/


    References

    ^1 https://www.w3.org/events/workshops/2025/authentic-web-workshop/
    ^2 https://credweb.org/ and https://www.w3.org/community/credibility/


    Previously in 2019 I participated @misinfocon.com #MisinfoCon:
    * https://tantek.com/2019/296/t1/london-misinfocon-discuss-spectrum-recency
    * https://tantek.com/2019/296/t2/misinfocon-roundtable-spectrums-misinformation

  19. Ten years ago today I coined the shorthand “js;dr” for “JavaScript required; Didn’t Read”

    * https://tantek.com/2015/069/t1/js-dr-javascript-required-dead

    in reference to (primarily content) pages that were empty (or nearly so) without scripts.

    Since then js;dr found its way into a book:

    Page 88 of “Inclusive Design Patterns” by @heydonworks.com (@heydon@front-end.social)

    [Image: Cropped photo of part of page 88 of Inclusive Design Patterns at an angle]

    and stickers!

    [Image: A hand holding about a dozen stickers with the “js;dr” in black on white text die-cut around the edges of the lettering]

    At the time I made the claim that:

    “in 10 years nothing you built today that depends on JS for the content will be available, visible, or archived anywhere on the web.”

    I’ve seen and documented many such sites, built with a hard dependency on scripting, that end up dead and unarchived. Many of these have been documented on the IndieWeb’s js;dr page:

    * https://indieweb.org/js;dr

    I have to ask though: does anyone remember building a site 10 years ago (Internet Archive citation) with a JavaScript library/framework dependency to display content, that still works today?

    E.g. using one of the popular libraries/frameworks used to build such sites back then like AngularJS (discontinued 2022), Backbone.js, Ember.js, or even React which was still quite new at the time.

    The one almost exception I found was Facebook, e.g. this Smashing Magazine post on Facebook barely renders some content and all commentary is missing, in the earliest (2019) version saved on the Internet Archive:
    * https://web.archive.org/web/20191123225253/https://www.facebook.com/smashmag/posts/10153198367332490

    You can extract the direct Facebook link if you want to try viewing it in the present.


    Regarding those libraries/frameworks themselves, I wrote:

    “All your fancy front-end-JS-required frameworks are dead to history, a mere evolutionary blip in web app development practices. Perhaps they provided interesting ephemeral prototypes, nothing more.”

    Of all those listed above, only React has grown since, likely at the expense of the others.

    However instead of fewer such libraries and frameworks today, it seems we have many more (though it feels like their average hypespan is getting shorter with each iteration).

    Since I wrote “js;dr”, the web has only become more fragile, with ever more dependencies on scripting just to display text content. The irony here is that JavaScript, like XML, has draconian parsing rules. One syntax error and the whole script is thrown out.

    This means it’s far too easy for any such JS-dependent site to break, in one or more browsers, whenever browsers change, or JavaScript changes, or both.

    You wouldn’t build a site today (or 20 years ago) that depends on fragile draconian XML parsing, so why build a site that depends on fragile draconian JavaScript parsing?


    I’ll repeat my claim from ten years ago, slightly amended, and shortened:


    In 5 years nothing you (personally, not a publicly traded company) build today that depends on JavaScript in the browser to display content will be available, visible, or archived anywhere on the web.


    There’s a lot more to unpack about what we’ve collectively lost in the past ten years of fragile scripting-dependent site-deaths, and why web developers are choosing to build more fragile websites than they did 10 or certainly 20 years ago.


    For now I’ll leave you with a few positive encouragements:


    Practice Progressive Enhancement.

    Build first and foremost with forgiving technologies, declarative technologies, and forward and backward compatible coding techniques.

    All content should be readable without scripting.

    Links, buttons, text fields, and any other interactive HTML elements should all work without scripting.

    Scripts are great for providing an enhanced user experience, or additional functionality such as offline support.

    Then make sure to test your pages and sites without scripts, to make sure they still work.


    If it's worth building on the web, it's worth building it robustly, and building it to last.
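One way to automate the "test your pages without scripts" step, as an added example (not code from this post): it reads a page's static HTML the way a client without scripting would and reports how much readable text and how many working links remain. The function name, the 20-word threshold and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Elements whose text is never shown as page content.
SKIP = {"script", "style", "template", "title"}


class NoScriptView(HTMLParser):
    """Collect the text a reader sees when no script ever runs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.skip_depth = 0        # inside script/style/template/title
        self.noscript_depth = 0    # inside <noscript> fallback text
        self.words = []            # real content
        self.noscript_words = []   # "please enable JavaScript" style notices
        self.scripts = 0
        self.links = 0             # links that work without scripting

    def handle_starttag(self, tag, attrs):
        if tag in SKIP:
            self.skip_depth += 1
            if tag == "script":
                self.scripts += 1
        elif tag == "noscript":
            self.noscript_depth += 1
        elif tag == "a" and not self.skip_depth:
            href = (dict(attrs).get("href") or "").strip()
            # href="#" and javascript: URLs only do something when a script runs.
            if href and href != "#" and not href.lower().startswith("javascript:"):
                self.links += 1

    def handle_endtag(self, tag):
        if tag in SKIP and self.skip_depth:
            self.skip_depth -= 1
        elif tag == "noscript" and self.noscript_depth:
            self.noscript_depth -= 1

    def handle_data(self, data):
        if self.skip_depth:
            return
        target = self.noscript_words if self.noscript_depth else self.words
        target.extend(data.split())


def no_script_view(html, min_words=20):
    """Summarise a page as seen without scripts; js_dr is True when content is missing."""
    view = NoScriptView()
    view.feed(html)
    view.close()
    return {
        "words": len(view.words),
        "noscript_words": len(view.noscript_words),
        "scripts": view.scripts,
        "links": view.links,
        "js_dr": len(view.words) < min_words,
    }


# Constructed sample: a script-rendered shell with no content in the markup.
SPA_SHELL = """<!doctype html><html><head><title>My Blog</title>
<script src="/static/app.js"></script></head><body>
<noscript>You need to enable JavaScript to run this app.</noscript>
<div id="root"></div></body></html>"""

# Constructed sample: content in the markup, script only as an enhancement.
ENHANCED_PAGE = """<!doctype html><html><head><title>My Blog</title></head><body>
<article><h1>Words are for blogging</h1>
<p>It is fine to blog for an audience of one, even just to have
something to refer to in the future.</p>
<a href="/posts/example">permalink</a> <a href="#" onclick="share()">share</a>
</article><script src="/static/enhance.js"></script></body></html>"""

if __name__ == "__main__":
    for name, page in (("shell", SPA_SHELL), ("enhanced", ENHANCED_PAGE)):
        print(name, no_script_view(page))
```
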

  20. Last week I published my first Cybersecurity Friday post with three key steps for indieweb cybersecurity. In summary:

    1. Email MFA/2FA. Add multi-factor authentication (sometimes called two-factor authentication) to everywhere you store or check email. Do not use phone/cell numbers.
    2. Domain Registrar MFA. Add multi-factor authentication to your domain registrar account.
    3. Web Host MFA. Same for your web host and any intermediate name servers (DNS) or content delivery network (CDN) service accounts.

    Full post: https://tantek.com/2025/052/b1/steps-indieweb-cybersecurity

    Next time: entropy is your friend in security.

    If you want my #Cybersecurity Friday posts as soon as I publish them, follow my site https://tantek.com/ directly in your reader rather than using #socialMedia or #Mastodon or some other notes-centric #fediverse client.

    You can subscribe to my site directly with an h-feed supporting #indieweb Social Reader, or if you use a classic feed reader, it can auto-discover my Atom feed from my home page.

    You can also read my article blog posts and those from other Mozillians on the Mozilla Planet:
    * https://planet.mozilla.org/
    If you look closely you might even find my not-so-secret articles-only Atom feed linked there if you prefer.


    This is post 9 of #100PostsOfIndieWeb. #100Posts #cyber #security

    https://tantek.com/2025/020/t1/seek-2024-year-in-review
    → 🔮


    Glossary

    article post
      https://indieweb.org/article
    Atom
      https://indieweb.org/Atom
    content delivery network
      https://indieweb.org/content_delivery_network
    cybersecurity
      https://en.wikipedia.org/wiki/cybersecurity
    DNS
      https://indieweb.org/DNS
    domain registrar
      https://indieweb.org/domain_registrar
    entropy
      https://en.wikipedia.org/wiki/Entropy_(information_theory)
    feed reader
      https://indieweb.org/feed_reader
    h-feed
      https://indieweb.org/h-feed
    MFA / 2FA
      https://indieweb.org/multi-factor_authentication sometimes called Two Factor Authentication or Second Factor Authentication
    mobile number for MFA
      https://indieweb.org/SMS#Criticism
    note post
      https://indieweb.org/note
    social reader
      https://indieweb.org/social_reader
    web host
      https://indieweb.org/web_hosting

  21. CSF_01: Three Steps for IndieWeb Cybersecurity

    Welcome to my first Cybersecurity Friday (CSF) post. Almost exactly one week ago I experienced (and had to fight & recover from) a cybersecurity incident. While that’s a much longer story, this post series is focused on sharing tips and incident learnings from an #indieweb-centric perspective.

    Steps for Cybersecurity

    Here are the top three steps, in order of importance, that you should take ASAP to secure your online presence.

    1. Email MFA/2FA. Add multi-factor authentication (MFA) using an actual Authenticator application to all places where you store or check email. Some services call this second factor or two factor authentication (2FA). While checking your email security settings, verify recovery settings: Do not cross-link your emails as recovery methods for each other, and do not use a mobile/cell number for recovery at all.
    2. Domain Registrar MFA. Add MFA to your Domain Registrar(s) if you have any. Optionally disable password reset emails if possible (some registrars may allow this).
    3. Web Host MFA. Add MFA to your web hosting service(s) if you have any. This includes both website hosting and any content delivery network (CDN) services you are using for your domains.

    Do not use a mobile number for MFA, nor a physical/hardware key if you travel internationally. There are very good reasons to avoid doing so. I’ll blog the reasons in another post.

    Those are my top three recommended cybersecurity steps for protecting your internet presence. That’s it for this week. These are the bare minimum steps to take. There are many more steps you can take to strengthen your personal cybersecurity. I will leave you with this for now:

    Entropy is your friend in security.

    Glossary

    Glossary for various terms, phrases, and further reading on each.

    content delivery network
    https://indieweb.org/content_delivery_network
    cybersecurity
    https://en.wikipedia.org/wiki/cybersecurity
    domain registrar
    https://indieweb.org/domain_registrar
    email recovery
    A method for recovering a service account password via the email account associated with that account. See also: https://en.wikipedia.org/wiki/Password_notification_email
    entropy
    https://en.wikipedia.org/wiki/Entropy_(information_theory)
    MFA / 2FA
    https://indieweb.org/multi-factor_authentication sometimes called Two Factor Authentication or Second Factor Authentication
    mobile number for MFA
    https://indieweb.org/SMS#Criticism
    web host
    https://indieweb.org/web_hosting

    Syndicated to: IndieNews

  22. Some solid #ResilienceStrategy advice in here:

    https://bidenwhitehouse.archives.gov/wp-content/uploads/2025/01/National-Resilience-Strategy.pdf (20 page PDF, a well-written quick read or skim)

    January 2025

    "National Resilience Strategy:
     A Vision for a More Resilient Nation"


    While explicitly a #NationalResilienceStrategy, it has a lot of sound guidance for understanding, analyzing, and developing a resilience strategy at all levels, for yourself and your home, with your neighbors and relationships, to civic resilience, and beyond.


    Here is an overview of the sections, to get an idea (if you avoid PDFs), and to help with discovery across various services:

    * The Need for Collective Action toward National Resilience
    * Defining Resilience
      * Adaptive
      * Protective
      * Collaborative
      * Fair and Just
      * Human-Centered
      * Interdependent
      * Sustainable and Durable
    * Understanding the Resilience Landscape
    * Strategic Approach to Build Attributes of a Resilient Nation
    * Throughlines of a Resilient Nation
      * Cross-system and cross-sector use of resources
      * Resilience manifests in adaptive capacity and communities
      * Layered resilience
      * Cascading reliance
      * Environmental hazards, including climate change
      * Technology innovation and digital transformation
      * Cyber infrastructure
      * Iterative continuous feedback loops
      * Supply chains
      * Robust safety nets
    * Resilience Pillars
      * Pillar I: Governance Systems
      * Pillar II: Social and Community Systems
      * Pillar III: Economic Systems
      * Pillar IV: Infrastructure Systems
    * Conclusion

    And yes the text contents of the PDF include the terms #diversity #diverse #equity #equitable #inclusivity #inclusive, in many contexts (including and beyond the ones that may come to mind).

    Related: https://tantek.com/2025/011/t1/remembering-aaronsw-twelve-years

    Previously, previously:
    * https://tantek.com/2024/336/t1/disruptions-how-to-prepare
    * https://tantek.com/2024/313/t1/reflecting-listening-thoughts

    #NationalResilience #Resilience #Strategy #Biden #BidenWhitehouse

  23. ↳ In reply to issue 27 of GitHub project “standards-positions”

    Note that since this issue was opened, the spec was adopted by the Web Apps WG, and published as a W3C Recommendation as of 2023-05-30:
    * https://www.w3.org/TR/2023/REC-web-share-20230530/

    Updated latest editor’s draft AKA
    * Specification or proposal URL: https://w3c.github.io/web-share/

    Dropping label "position:positive" until we resolve the conflicts between negative, neutral, and positive historical comments upthread, to avoid miscommunicating our position (which is semi-orthogonal to any implementation status — see individual bugs cited above for that).

  24. ↳ In reply to issue 27 of GitHub project “standards-positions”

    Re-opening this due to unresolved comments (mix of negative, neutral, positive), and substantial new information about the UI that current implementations are presenting as of 2025.

    Previously, previously, previously:
    * 2018-01-10 https://github.com/mozilla/standards-positions/issues/27#issuecomment-356793352 “harmful”
    * 2018-01-10 https://github.com/mozilla/standards-positions/issues/27#issuecomment-356784523 “pour more fuel on the centralization”
    * 2017-12-18 https://github.com/mozilla/standards-positions/issues/27#issuecomment-352661649 “lowers friction purely for content silos … bad for the web.”

    And a minor unaddressed concern from Martin:
    * 2018-11-08 https://github.com/mozilla/standards-positions/issues/27#issuecomment-437243973 “Giving sites the ability to share something else reduces the incentive to set window.location to something usable”

    Since those concerns were written (validated by screenshots at the time showing centralized content / social media silos in browser UI), it appears browsers (perhaps OS updates) no longer show such silos in browser UI for “share” (as of 2025).

    Need updated screenshots.

  25. My Seek 2024 Year in Review:

    * 141 new species observed, of those, the top three kinds:
      * 79 plants
      * 20 insects
      * 16 fungi
    * 56 challenge badges earned

    June was the month I observed the most new species in 2024, followed by March, and then July.

    Seek also gave me a graph of observations per month, and also a map of where I made my discoveries.

    Rather than posting screenshots of the Year in Review that Seek provided me in the app, I am posting the relevant content here in a post on my personal site, which I know I’ll be able to search and look up in the future.

    Seek is a delightful free (like actually free, free of tracking, free of surveillance) native mobile application for identifying species.

    Made by the iNaturalist folks (https://www.inaturalist.org/pages/seek_app), Seek works without creating an account, and is able to work completely offline to identify species out in the wild (and add them to your local collection).

    Seek awards you Species Badges when you discover a number of species of a particular grouping, as well as Challenge Badges when you complete one or more of their monthly challenges that they post.

    In some ways it’s like Pokemon Go, except based on finding and collecting observations of real living things.

    I have found it quite useful especially when traveling, and wondering is that plant (or animal) the same as one I’ve seen elsewhere, perhaps around home, or is it a slightly different species?

    I also really like the good example that Seek provides for how an app can be immediately useful without requiring extra labor (like creating an account, or logging on) on behalf of the person using it.

    Lastly, Seek is an excellent example of a truly offline capable app where nearly all of its functionality works just fine without a network connection.

    Both of these capabilities (offline first, no login wall) are what we should aspire to when we build #indieweb apps or websites for ourselves and our friends.


    This is post 8 of #100PostsOfIndieWeb. #100Posts #yearInReview #iNaturalist #SeekApp

    https://tantek.com/2025/012/t1/eight-years-webmention
    https://tantek.com/2025/055/t1/three-steps-indieweb-cybersecurity


    Glossary:

    login wall
      https://indieweb.org/login_wall
    offline first
      https://indieweb.org/offline_first

  26. 16 years ago today I wrote up and posted a proposal for a new calendar: newcal.org

    Having long been frustrated by unnecessary unevenness and other quirks of the Gregorian calendar, I designed and wrote up a more ordered, mathematically simpler, and more continuously consistent calendar.

    Building up from the atomic calendar unit of a 'day':
    * five day weeks
    * six week (30 day) months
    * two month (60 day) + a sync day bims^1
    * six bim years (minus a day for non-leap-years)

    After giving it an obvious name, “New Calendar”, and somehow getting a short speakable .org domain (newcal.org), I wrote code to do all the calendar computations and conversions.

    The simpler calendar computations made me realize I had invented something that would help solve a completely different problem I was working on: an efficient date-based storage format for my new blog.

    It’s rare that an invention, or reinvention of something inelegant, actually serves a useful purpose. This was one of those rare exceptions.

    I also taught myself and have kept practicing the use of ISO 8601 Ordinal dates^2 for my own personal calendaring, which literally gave me a new perspective of time. A much smoother and more linear progression of time across the duration of a year.

    Previously: https://tantek.com/2019/015/t1/10-years-ago-today-new-calendar

    ^1 https://tantek.com/2015/228/t3/bim-definition
    ^2 https://en.wikipedia.org/wiki/ISO_8601#Ordinal_dates

  27. 🎉 Eight years ago today, the #IndieWeb Webmention protocol was published as a W3C REC https://www.w3.org/TR/webmention/

    As a social web building block, #Webmention was designed to work with various other building blocks. Small pieces, loosely joined. Every year developers find new ways to work with Webmention, and new subtleties when combined with other building blocks.

    The primary uses of Webmention, peer-to-peer comments, likes, and other responses across web sites, have long presented an interesting challenge with the incorporation and display of external content originally from one site (the Webmention sender), on another site (the Webmention receiver).

    There are multiple considerations to keep in mind when displaying such external content.

    Two examples of external content are images (e.g. people’s icons or profile images from the author of a comment) and text (e.g. people’s names or the text of their comments).

    For external images, rather than displaying them in full fidelity, you may want to compress them into a smaller resolution for how your site displays the profile images of comment authors.

    If you accept Webmentions from arbitrary sources, there’s no telling what might show up in author images. You may want to pixelate images from unknown or novel sources into say 3x3 pixel grids of color (or grayscale) averages to make them uniquely identifiable while blurring any undesirable graphics beyond recognition.
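
    One way to compute the 3x3 grid of color averages described above, as an added example that is not code from this post or site. The function names are hypothetical, and the input is assumed to be an already-decoded RGBA pixel buffer; the 6x6 sample image is constructed.

```javascript
// Added example, not from the original post. Function names are hypothetical.
// Input is an already-decoded RGBA buffer (4 bytes per pixel, row-major, the
// layout of canvas ImageData.data); decoding the image file is out of scope.

// Reduce an image to grid x grid cells, each the average color of its region.
function pixelate(rgba, width, height, grid = 3) {
  if (!Number.isInteger(width) || !Number.isInteger(height) ||
      width < grid || height < grid) {
    throw new RangeError(`image must be at least ${grid}x${grid} pixels`);
  }
  if (rgba.length !== width * height * 4) {
    throw new RangeError("buffer length does not match width * height * 4");
  }
  const cells = [];
  for (let gy = 0; gy < grid; gy++) {
    // Integer boundaries so every row and column lands in exactly one cell,
    // even when the size is not a multiple of the grid.
    const y0 = Math.floor((gy * height) / grid);
    const y1 = Math.floor(((gy + 1) * height) / grid);
    for (let gx = 0; gx < grid; gx++) {
      const x0 = Math.floor((gx * width) / grid);
      const x1 = Math.floor(((gx + 1) * width) / grid);
      let r = 0, g = 0, b = 0;
      for (let y = y0; y < y1; y++) {
        for (let x = x0; x < x1; x++) {
          const i = (y * width + x) * 4;
          r += rgba[i];
          g += rgba[i + 1];
          b += rgba[i + 2]; // alpha (rgba[i + 3]) is ignored
        }
      }
      const n = (x1 - x0) * (y1 - y0);
      cells.push([Math.round(r / n), Math.round(g / n), Math.round(b / n)]);
    }
  }
  return cells; // row-major list of [r, g, b]
}

// Grayscale variant: one luma value per cell (Rec. 601 weights).
function toGrayscale(cells) {
  return cells.map(([r, g, b]) => Math.round(0.299 * r + 0.587 * g + 0.114 * b));
}

// CSS colors for rendering the cells, e.g. as nine small blocks.
function toCssColors(cells) {
  return cells.map(([r, g, b]) => `rgb(${r}, ${g}, ${b})`);
}

// Constructed sample: 6x6 image, left half red, right half blue.
function sampleImage() {
  const width = 6, height = 6;
  const rgba = new Uint8ClampedArray(width * height * 4);
  for (let y = 0; y < height; y++) {
    for (let x = 0; x < width; x++) {
      const i = (y * width + x) * 4;
      rgba[i] = x < 3 ? 255 : 0;
      rgba[i + 2] = x < 3 ? 0 : 255;
      rgba[i + 3] = 255;
    }
  }
  return { rgba, width, height };
}

const sample = sampleImage();
console.log(toCssColors(pixelate(sample.rgba, sample.width, sample.height)));
```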

    For external text, one thing we discovered in recent IndieWeb chat^1 is that someone’s comment (or in this case their name) can contain Unicode directional formatting characters, e.g. for displaying an Arabic or Hebrew name right-to-left. Text with such formatting characters can errantly impact the direction of adjacent text.

    Fortunately there is a CSS property, 'unicode-bidi', that can be used to directionally isolate such external text. Thus when you embed text that was parsed from a received Webmention, possibly with formatting characters, you have to wrap it in an HTML element (a span will do if you have not already wrapped it) with that CSS property. E.g.:

    <span style="unicode-bidi: isolate;">parsed text here</span>

    Though even better would be use of a generic HTML class name indicating the semantic:

    <span class="external-text">parsed text here</span>

    and then a CSS rule in your style sheet to add that property (and any others you want for external text)

    .external-text { unicode-bidi: isolate; }
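
    The wrapping step above applied at render time, as an added example that is not code from this post: it HTML-escapes the parsed text (an assumption about how the receiver builds its markup), wraps it in the external-text span, and counts directional formatting characters left unterminated so a receiver can log them. Function names are hypothetical and the sample strings are constructed.

```javascript
// Added example, not from the original post. Function names are hypothetical.

// Explicit directional formatting characters (Unicode Bidirectional Algorithm).
const EMBEDDING_OR_OVERRIDE = new Set(["\u202A", "\u202B", "\u202D", "\u202E"]); // LRE RLE LRO RLO
const ISOLATE_INITIATOR = new Set(["\u2066", "\u2067", "\u2068"]); // LRI RLI FSI
const PDF = "\u202C"; // POP DIRECTIONAL FORMATTING, ends an embedding or override
const PDI = "\u2069"; // POP DIRECTIONAL ISOLATE, ends an isolate

// Count initiators still open at the end of the string. These are the ones
// that can affect adjacent text when the string is embedded without isolation.
function unclosedBidiControls(text) {
  const stack = [];
  for (const ch of text) {
    if (EMBEDDING_OR_OVERRIDE.has(ch)) {
      stack.push("embedding");
    } else if (ISOLATE_INITIATOR.has(ch)) {
      stack.push("isolate");
    } else if (ch === PDF) {
      // PDF only closes an embedding or override at the top of the stack.
      if (stack[stack.length - 1] === "embedding") stack.pop();
    } else if (ch === PDI) {
      // PDI closes the most recent isolate and anything opened inside it.
      const i = stack.lastIndexOf("isolate");
      if (i !== -1) stack.length = i;
    }
  }
  return stack.length;
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Keep the formatting characters (a right-to-left name still displays
// correctly) and rely on the .external-text CSS rule to isolate them.
function renderExternalText(text) {
  return `<span class="external-text">${escapeHtml(text)}</span>`;
}

// Constructed sample names, as they might be parsed from a received Webmention.
const samples = [
  "\u202B\u05D3\u05E0\u05D4",       // RLE with no closing PDF
  "\u2067\u05D3\u05E0\u05D4\u2069", // RLI ... PDI, balanced
  "Ann & <b>Bob</b>",               // markup characters, no bidi controls
];
for (const name of samples) {
  console.log(unclosedBidiControls(name), renderExternalText(name));
}
```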

    Previously: https://tantek.com/2023/012/t1/six-years-webmention-w3c


    This is post 7 of #100PostsOfIndieWeb. #100Posts #socialWeb #openSocialWeb

    https://tantek.com/2025/004/t1/micro-one-onramp-open-social-web
    https://tantek.com/2025/020/t1/seek-2024-year-in-review


    Glossary

    HTML class name
      https://tantek.com/2012/353/b1/why-html-classes-css-class-selectors
    IndieWeb chat
      https://indieweb.org/discuss
    pixelate
      https://indieweb.org/pixelated
    small pieces, loosely joined
      https://www.smallpieces.com/
    Unicode directional formatting characters
      https://en.wikipedia.org/wiki/Bidirectional_text#Explicit_formatting
    unicode-bidi CSS property
      https://developer.mozilla.org/en-US/docs/Web/CSS/unicode-bidi  


    References

    ^1 https://chat.indieweb.org/dev/2025-01-05#t1736092889120900

  28. remembering losing #aaronsw twelve years ago today, and drawing connections with:

    * Lawrence Lessig’s https://lessig.tumblr.com/post/56888930628/on-the-emptiness-in-the-concept-of-neutrality
    * Ben Werdmüller’s https://werd.io/2025/building-an-open-web-that-protects-us-from-harm

    Two points of connection:

    1. Neutrality in ethical or policy matters is insufficient, empty, and cowardly. Especially when you know better, neutrality in action is not ethical, it is negligent and wrong, like a lie of omission.

    “Allyship demands more than neutrality — it demands action.” — @werd.io (@ben@werd.social)

    “… there are obviously plenty of contexts in which to be ‘neutral’ is simply to be wrong.” @lessig.org (@lessig.tumblr.com @lessig@mastodon.world @lessig)

    2. Building community for collective action is required for resilient resistance

    Aaron helped inspire and drive numerous acts of resistance against foes better funded and connected, many acts which succeeded to some degree or completely such as preventing the passage of SOPA.^1

    Similarly he built community for collective action, such as co-founding the Progressive Change Campaign Committee and the Demand Progress political advocacy group^2 which remain active to this day.


    One of the best ways to honor Aaron’s memory is to build on the good examples he set that succeeded and continue to succeed.

    The only neutrality that Aaron supported was net neutrality, prioritizing those that use the internet over those that build & serve it, a priority of constituencies strongly aligned with the W3C’s official Ethical Web Principles.^3

    If you too reject neutrality and instead embrace allyship & action, some of those actions will require resisting the status quo with the intent of changing it.

    If resistance with the goal of actual change is your primary objective (rather than recognition), build community to bring about that change, resist collectively not alone, both in the near term, and sustainably into the future.

    Still miss you Aaron.


    Previously:
    * https://tantek.com/2024/013/t1/remembering-aaronsw-eleven-years (links to prior posts)


    ^1 https://en.wikipedia.org/wiki/Aaron_Swartz#Opposition_to_the_Stop_Online_Piracy_Act_(SOPA)
    ^2 https://en.wikipedia.org/wiki/Aaron_Swartz#Progressive_Change_Campaign_Committee
    ^3 https://www.w3.org/TR/ethical-web-principles/#noharm

  29. Alan Watts wrote in “The World As Emptiness”:

    “So in the same way, the coming and going of things in the world is marvelous. They go. Where do they go? Don’t answer, because that would spoil the mystery.”

    I have to disagree with Watts here.

    Do ask and DO answer. Again and again. Embrace curiosity, explanation, understanding.

    Any mystery you can explain will reveal another mystery underneath.

    There is no spoiling the mystery, there is only the journey of one mystery after another.

    #meditationThoughts #Kula #meditation #liveMeditation #groupMeditation #AlanWatts #mystery

  30. The team @micro.blog have done it again.

    They soft-launched https://micro.one yesterday^1.

    This may be the most accessible onramp to the open social web ever.

    Cost: $1 a month. Yes you read correctly.

    This is the simplest and cheapest (where you are the customer, not the product) way to own your identity and content online^2.

    Stop posting in someone else’s garage^3.

    Time to export your Twitter, and migrate your Mastodon handle to your own home on the web.

    Of course you can bring your own domain name. Additionally:
    * blog posts, naturally, both articles and microblogging notes
    * photos
    * podcasting
    * custom themes
    * web-clients and native mobile posting clients
    * WordPress, Tumblr, Mastodon, Medium import
    More details (and alternatives) at https://micro.one/about/pricing

    And yes, it interoperates with the open #socialWeb, including:
    * #ActivityPub support, #Mastodon and #fediverse compatibility
    * #IndieAuth to sign-in to third-party apps
    * #microformats support in all built-in themes
    * #Webmention for sending and receiving replies across websites
    * #Micropub standard posting API, supporting dozens of clients
    * #Microsub standard timeline API, supporting social readers
    More #indieweb support details at https://micro.one/about/indieweb

    Did I mention the superb micro.blog (and micro.one) Community Guidelines?
    * https://help.micro.blog/t/community-guidelines/39

    Well done @manton.org and team.

    This is post 6 of #100PostsOfIndieWeb. #100Posts #ownYourIdentity #ownYourData #openSocialWeb

    https://tantek.com/2025/003/t1/lastfm-year-in-review-playback24
    https://tantek.com/2025/012/t1/eight-years-webmention


    Glossary

    IndieAuth
      https://indieweb.org/IndieAuth
    microformats
      https://microformats.org/wiki/microformats
    Micropub
      https://indieweb.org/Micropub
    Microsub
      https://indieweb.org/Microsub
    Webmention
      https://indieweb.org/Webmention

    References

    ^1 https://www.manton.org/2025/01/03/microone-was-effectively-a-softlaunch.html
    ^2 https://tantek.com/2025/001/t1/15-years-notes-my-site-first
    ^3 https://tantek.com/2023/022/t2/own-your-notes-domain-migration

  31. Yesterday https://last.fm/ (@lastfm) emailed their year in review reports, which they called #Playback24 and Last.Year.

    Kudos to them for waiting until the new year to do so, and breaking with the pattern of services prematurely posting year in review summaries.^1

    They’re also available on the web, without requiring a native mobile app to view.

    Mine is here: https://www.last.fm/user/tantekc/listening-report/year

    You can find yours (if you’re a last.fm user) by going here:
    * https://www.last.fm/user/_/listening-report/year

    The page title calls it your #YearInMusic, and the URL your #ListeningReport.

    It has many interesting elements, from various top listened lists (artist, album, track), to what percent of 2024 listens (which they call scrobbles) were new artists, albums, and tracks.

    Their “Top Tags” time chart is quite cool. Fascinating to see the differences in music listening over the seasons and the whole year.

    The report has many interactive features, so it will take me some time to figure out how to save, export, and/or republish my listening report on my personal #indieweb site.

    For now I used Firefox to save the page as an .html page to my laptop, and was quite impressed with how much of the information was available in that one file. Much more than #Spotify’s #Wrapped.

    That’s step 1. Step 2 is figuring out a good way to blog at least some of it.

    This is post 5 of #100PostsOfIndieWeb. #100Posts #LastFM #YearInReview

    https://tantek.com/2025/002/t1/indieweb-third-place-community
    https://tantek.com/2025/004/t1/micro-one-onramp-open-social-web


    Glossary:

    scrobble
      https://indieweb.org/scrobble
    year in review
      https://indieweb.org/year_in_review


    ^1 https://tantek.com/2025/001/t2/first-new-year-review-prior
