Threads for Blame

  1. 3

    I’m going to write a blog post about how to reason and quantify reliability for a complex network of subsystems. I’ve seen people discussing it in comments on a few different platforms, and I think an accessible primer on the topic is needed.

    1. 5

      Some basic math for composing service reliability bc they look needed. De’Morgans law isn’t magic:

      Arbitrary probability X is ln(1-X)/ln(0.1) nines. 0.995 is NOT 2 and a half 9s it’s more like 2.3

      Assuming 2 services A and B which have independent failure modes (treat any shared infrastructure as it’s own service) and P(X) is the reliability of a system as a percentage uptime.

      Requests need both services A and B:

      P(A or B failing) =1-((1-P(A))+(1-P(B))-(1-P(A))*(1-P(B)))

      Basically: covert uptime to downtime, find the odds of either system having downtime. Then flip back to uptime. This is only so akward bc we talk about uptime, but the math focuses on downtime.

      Requests can be handled by either A or B as redundant systems:

      P(A and B failing) = 1 - (1-P(A))(1-P(B))

      = P(A)+P(B)-P(A)*P(B)

      Basically these add 9s together (almost, but not actually)

      If you want your over-arching system to have X nines, shared infrastructure is going to need to be a lot more reliable than component services or it will dominate failure modes.

      1. 31

        On a technical level it’s implemented very well.

        It is matching against a list, so unlike a general recognition AI, there’s very little chance of misidentification.

        The blocklist and matching process is split between client-side and server-side, so it can’t be easily extracted from the phone for nefarious purposes.

        Apple has spent a considerable effort to cryptographically ensure they know nothing until multiple matches are found. Phone even sends dummy traffic to obscure how many potential matches are there.

        So as far as scanning for the intended purpose, it’s a careful well thought-out design.

        I am worried about governments putting pressure on Apple to add more kinds of unwanted images to this list. The list is opaque, and for obvious reasons, it can’t be reviewed.

        1. 6

          This is an improvement over their existing policy of giving authoritarian governments access to iCloud keys for their users:

          This technology will allow Apple to expose only content that governments specifically ban rather than having to give them access to everything. We should be celebrating this for both its ability to combat child abuse and that it protects Apple’s customers from over-broad privacy invasion.

          1. 1

            This technology will allow Apple to expose only content that governments specifically ban

            Do governments always make fair and righteous decisions in when deciding what images to ban? I see this situation as disastrous for human rights because you know darn well countries like China will bully Apple into including whatever images they want in that database.

            1. 1

              But China including whatever images they want is WAY better for privacy than today when China simply has access to all of Apple’s Chinese users’ data.

              1. 1

                That’s not the case, unless you mean to say China bullying Apple into giving them a user’s decryption key? That scenario is possible with or without this system.

                1. 1

                  This has been the status-quo for the past 3.5 years:

                  China demand access to user data so many large American tech companies don’t have a significant presence there. Some American companies that are less committed to privacy comply with the conditions that China places for operating there. It’s a huge market so it’s been a great business move for Apple.

                  Having the ability to scan users’ content in device might be a way to achieve censorship without such indiscriminate access to user data.

                  1. 1

                    The article makes many speculations, but there is nothing concrete regarding the Chinese government having the kind of access you described written in it.

                    Also see this more recent article:

                    Documents reviewed by The Times do not show that the Chinese government has gained access to the data.

                    1. 3

                      Apple user data in China is not controlled by Apple, it’s controlled by GCBD, a company owned by a Chinese regional government. Instead of using standard HSMs they use a hacked up iOS system. Apple’s security chips are vulnerable to local attacks.

                      So there’s a government owned company that controls the user data which is encrypted with keys stored in an insecure system. If user data is not being accessed that’s a choice that the Chinese government is making, not a restriction on their access.

                      1. 1

                        GCBD is the Chinese company that provides apple with datacenter type services. This is not the same as “controls the user data”.

                        1. 2

                          From the New York Times article you linked:

                          U.S. law has long prohibited American companies from turning over data to Chinese law enforcement. But Apple and the Chinese government have made an unusual arrangement to get around American laws.

                          In China, Apple has ceded legal ownership of its customers’ data to Guizhou-Cloud Big Data, or GCBD, a company owned by the government of Guizhou Province, whose capital is Guiyang. Apple recently required its Chinese customers to accept new iCloud terms and conditions that list GCBD as the service provider and Apple as “an additional party.” Apple told customers the change was to “improve iCloud services in China mainland and comply with Chinese regulations.”

                          The terms and conditions included a new provision that does not appear in other countries: “Apple and GCBD will have access to all data that you store on this service” and can share that data “between each other under applicable law.”

                          So to get around US privacy laws and comply with Chinese surveillance laws a Chinese government owned company is the iCloud “service provider” (with Apple listed as an “additional party”) and per the ToS “will have access to all data that you store on this service”.

                          It was a great business decision. They’re the only major western tech company making a lot of money from the huge Chinese market. I personally wouldn’t want to work there but the people who do are doing very well.

          2. 2

            Could such a feature be “pretty easily” fooled to trigger law enforcement to someone as the article implies?

            Is it plausible to assume that they scan the cached Telegram/Whatsapp/Browser images? If so, how would it behave if someone sends you a set of known infractor images? (an evil chat bot, for example)

            1. 6

              Apple says they scan only images in the iCloud library, so images in 3rd party apps and browsers won’t be scanned, unless you save them or screenshot them to your iCloud library. Of course, Apple devices belong to Apple, not you, so Apple could later decide to scan whatever they want.

              With the current scheme, to cause someone trouble, you’d first have to have multiple banned images to send to them. I hope obtaining actual CSAM is not “pretty easy”.

              My big worry was that a plaintext blocklist on the phone could be used to generate arbitrary new matching images, but fortunately Apple’s scheme protects against this — the phone doesn’t know if images match. Therefore, you can’t easily make innocent-looking images to trick someone to save them.

              1. 3

                Of course, Apple devices belong to Apple, not you, so Apple could later decide to scan whatever they want.

                Is there a source for this information?

                1. 3

                  What’s your source for the “multiple banned images” part? Skimmed through Apple’s technical PDF descriptions a bit but didn’t find that part right away.

                  1. 4
                  2. 2

                    Apple says they scan only images in the iCloud library, so images in 3rd party apps and browsers won’t be scanned, unless you save them or screenshot them to your iCloud library.

                    I believe pictures in a lot of messaging apps are automatically uploaded to iCloud. So you could just send someone some pictures over WhatsApp, email, or whatnot. Not 100% sure of this though; I’d have to check. I disabled all the iCloud stuff because it kept nagging.

                    1. 1

                      That or you can generate adversarial images that trigger known hashes. It isn’t using cryptographic hashes, it is using perceptual hashes.

                      1. 1

                        No, you can’t, because the device doesn’t know if it has got a match.

                        1. 1

                          And you think there will be no other way to get ahold of any of the perceptual hashes that are being scanned for?

                          1. 2

                            What I’m saying is that you can’t easily abuse Apple’s implementation for this. They’ve anticipated that problem and defended against it.

                            If you get hold of some hashes or banned images from another source, that’s not Apple’s fault.

                1. 8

                  “locking down” My roommate and I are both immunocompromised and Delta variant is becoming a real scary thing in the SE U.S.

                  I’m considering writing pulp litrpg fiction to as a form of therapy.

                  1. 25

                    Cloudflair died for me during a presentation they made for students at my university in 2015. They talked about a revolutionary new secret way to “accelerate TCP connections”. They didn’t out and say it, but based on the performance graph the presenter was so proud of, the only way it could work was them deciding to ignore TCP congestion control ramp-up and bully other connections in congested networks. That was an interesting yelling match in front of a bunch of confused undergrads.

                    Cloudflair is not a “good guy”. They exist for the sole purpose of capitalizing on the destruction of a free and decentralized internet. This is only the latest action that abuses minority players in search for more control, centralization and profit.

                    1. 14

                      For me, it was the whole “if you report abuse, we send all your personal info directly to the alleged abuser with the report” debacle. (As well as immediately realizing that their core business is just centralizing the internet on themselves. Yeah, arguably AWS is the real giant eating the internet, but CF just feels scarier to me, probably because of how it targets all the little sites by giving unmetered-bandwidth caching for free.)

                      1. 2

                        For me, it was the whole “if you report abuse, we send all your personal info directly to the alleged abuser with the report” debacle.

                        I don’t see any reason to disbelieve it was a good-faith mistake. This seems like a much harder problem to solve then you’d might think at first sight. I’d say it’s almost impossible to “just get it right”.

                      2. 7

                        I can’t really find anything about Cloudflare ignoring TCP congestion, other than some stuff about optimizing it and such, which is fine.

                        And like it or not, Cloudflare does solve real issues for people.

                        1. 2

                          (edit: All of the following is wrong)

                          So, in retrospect I think this was an early implementation of TCP Cubic congestion control( Getting higher bandwidth than competition was an explicit claim of the presenter.

                          The RFC presents things as if they are universally good, but basically the result in a network dominated by older congestion control methods, is that it eager starts and converges slowly, resulting in it claiming a higher bandwidth share in similar conditions (

                          Now CUBIC is used everywhere to maintain the arms race.

                          1. 4

                            CUBIC is the default in Linux since 2006 (2.6.19), well before Cloudflare’s 2009 founding. Whatever the problems with CUBIC may or may not be, it seems a bit curious to blame Cloudflare for this.

                            1. 4

                              This is just me digging through docs this morning trying to find things much like you were. They wouldn’t talk to me about the details (unsurprising no matter how you interpret the incident.)

                              Looks like that theory is wrong. I updated my comment.

                      1. 12

                        Apologies for being pedantic, but Cloudflare is a publicly traded company so their only mission is paying the shareholders. Everything they say publicly is PR and marketing, including “working toward building a better Internet”.

                        1. 10

                          Of course. But I can attempt to publicly shame them with their own PR even though I don’t actually believe it. I’m trying to follow the best tactics I can think of for solving this specific accessibility problem, regardless of my (ambivalent) opinions about Cloudflare in general.

                          1. 1

                            I hope it works. Accessibility is always an afterthought unless the corporation is forced to support it, either via law or public shaming.

                          2. 4

                            Apologies for being pedantic, but Cloudflare is a publicly traded company so their only mission is paying the shareholders.

                            Then public shaming to threaten that bottom line is the only way to ever expect them to behave morally.

                          1. 3

                            It is posed here as “Evil”, but if you are or intend to become a Sr. SWE, this is a viable “good” thing to do. I’ve spec’d my skillset and career around it successfully. In complete self-honesty, if a problem doesn’t nerd-snipe me I am going to be mediocre at it anyways. An interesting hard problem is going to get my enthusiastic effort. Being a (successful) “troubleshooter” is often an important niche to be filled and if your current team doesn’t need one, don’t feel bad trying to find one that does.

                            1. 4

                              After driving with GPS, I have quickly degraded my natural ability to navigate. This is when I have decided to switch from an intelligent IDE to vim.

                              1. 3

                                After driving with a GPS that gets confused between left and right, I’ve lost my ability to feel confident in where I’m going. So I decided to pull out my vim setup to try and regain that confidence.

                                1. 3

                                  More seriously, I’ve found one of the easiest solution to get some of that semblance of navigation back is to configure your application/device to always point north. It makes you more aware of your absolute position and alternate routes that will take you to the same spot.

                                  I wonder what the IDE analogy is for this.

                                  1. 1

                                    Keep the high-end IDE in the toolbox, even if it isn’t your daily driver. The code generation and refactoring tools in Intelij let you perform miracles on the odd occasion they are needed. Honestly most people who use IDEs for everything don’t know how to use those tools.

                                  1. 4

                                    I’m really interested in how many thermal cycles this sort of product can take. It might be ironic if a processor essentially meant to be disposable might survive better than a silicon one.

                                    1. -1

                                      3:2 aspect ratio display? Great, I look forward to every game I own being distorted or letterbox’ed on it. I didn’t know they even made displays with that aspect ratio.

                                      1. 19

                                        People often complains about the lack of vertical space. Why would games be distorted? Only video will be problematic on this ratio.

                                        1. 16

                                          The screen was specifically what put me over the top to buy one. I’ve been dreaming about a taller aspect screen since they made everything “wide” ten years ago.

                                          1. 2

                                            I would prefer a “normal” 4:3. The pixel density of the 13.5” 2256x1504 display is too low for 2x scaling. Something like 2400x1600 should be the lowest option.

                                            1. 2

                                              Obviously it’s all subjective, but I’d say 4:3 feels “dated” while 3:2 feels “super cool”.

                                          2. 8

                                            It is a lot more pleasant for coding, reading, and writing in my experience. 3:2 is great for that and I prefer it, but I don’t play many videogames anymore.

                                            Work forced me to used a 16:9 display for a while. I use a ultra-widescreen now because that breaks into 3 reasonable panes, but 2 vertical 16:9s was ok. For me, xrandr is linux’s killer-app.

                                            1. 5

                                              3:2 is great. My old Surface Book has 3:2; I’d much rather get a few inches of vertical space for coding and reading than avoid letterboxing for movies.

                                              In my experience PC games work just fine with 3:2 as well typically.

                                              1. 4

                                                I used one of the original Chromebooks, the Chromebook Pixel, for several months in 2015 and adored the 3:2 aspect ratio for everything except media consumption. It was a little awkward for fullscreen 16:9 videos but fine for 4:3. I recognize that not much content is 4:3 anymore, though.

                                                I’m a little concerned about the pixel density of the Framework screen being too low for HiDPI but I’m unlikely to buy one anytime soon having just bought a Lenovo Flex 5 CB earlier this year for my main mobile computing device.

                                                1. 2

                                                  Yeah, I have one of those Chromebooks too. The aspect ratio is definitely the best thing about the whole machine by a long shot. If it weren’t for the glossy display I would have been tempted to use it as my daily driver (after wiping the OS of course).

                                              1. 2

                                                While I look forward to receiving mine, I think the other blog posts such as the one that paid lip service to right to repair are more on topic. This one excited me when it hit my inbox but seems off topic for this site.

                                                1. 1

                                                  I’m kinda new and I am still trying to build a solid model of “on topic for this site”. Is there a discussion or page you would recommend to that end? This is the closest I have found so far:

                                                  1. 6

                                                    imo it’s about the technical “meatiness” of the article, that is, you may learn or understand further something technical be it hardware or software outside of just the specifications of some given product.

                                                    1. 4

                                                      Its hard to explain. When people updvote it and the admins dont ban it then it is on topic. Sometimes its hard to determine this beforehand (also for experienced users). This for example as of the writing of this comment is upvoted by 35 people and only 3 think it is off-topic, so I would conclude it is on-topic. However the outcome could be way different on a very similar post.

                                                  1. 8

                                                    Choosing a random order is not a good idea, because there is a chance that both possibilities would eventually get inserted, and what would that mean?

                                                    We are just now going into the development of this very feature. And I have a feeling we have not taken this into the consideration. Thank you for saving us hours!

                                                    1. 2

                                                      haha awesome. Please share your experience with the schema that you decide on, later on when you’ve got some.

                                                      1. 2

                                                        You can use a cryptographic operation like the one described in this recent post:

                                                        Basically, there is a single row, single column model too. I don’t think it’s performance would be good for anything but pairwise friend testing. Basically any operation with the commutative property and a wide enough range to avoid collisions works. “Sort them and make them a tuple” is just an intuitive function with the commutative property that implicitly has the range needed.