-
LibertarianLlama
edited
3 days ago
|
link
| on:
Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed
I don’t really think that you should be allowed to ask the users the sign a new EULA for security patches. You fucked up. People are being damaged by your fuck up and you should not use that as leverage to make the users do what you want so they can stop your fuck up from damaging them further.
Patches only count if they come with the same EULA as the original hardware/software/product.
-
Sure - you’re welcome to refuse the EULA and take your processor back to the retailer, claiming it is faulty. When they refuse, file a claim in court.
Freedom!
-
This suggestion reminds me of the historical floating point division bug. See https://en.m.wikipedia.org/wiki/Pentium_FDIV_bug
There was a debate about the mishandling by Intel. Also, there was debate over “real-world impact,” estimates were all over the charts.
Here, it seems that the impact is SO big, that almost any user of the chip can demonstrate significant performance loss. This might become even bigger than the FDIV bug.
-
They are being sued by over 30 groups (find “Litigation related to Security Vulnerabilities”). It already is.
As of February 15, 2018, 30 customer class action lawsuits and two securities class action lawsuits have been filed. The customer class action plaintiffs, who purport to represent various classes of end users of our products, generally claim to have been harmed by Intel’s actions and/or omissions in connection with the security vulnerabilities and assert a variety of common law and statutory claims seeking monetary damages and equitable relief. The securities class action plaintiffs, who purport to represent classes of acquirers of Intel stock between July 27, 2017 and January 4, 2018, generally allege that Intel and certain officers violated securities laws by making statements about Intel’s products and internal controls that were revealed to be false or misleading by the disclosure of the security vulnerabilities […]
As for replacing defective processors, I’d be shocked. They can handwave enough away with their microcode updates because the source is not publicly auditable.
-
The defense could try to get the people who are discovering these vulnerabilities in on the process to review the fixes. They’d probably have to do it under some kind of NDA which itself might be negotiable given a court is involved. Otherwise, someone who is not actively doing CPU breaks but did before can look at it. If it’s crap, they can say so citing independent evidence of why. If it’s not, they can say that, too. Best case is they even have an exploit for it to go with their claim.
-
-
-
-
I don’t really think that you should be allowed to ask the users the sign a new EULA for security patches.
A variation of this argument goes that security issues should be backported or patched without also including new features. It is not a new or resolved issue.
Patches only count if they come with the same EULA as the original hardware/software/product.
What is different here is that this microcode update also requires operating system patches and possibly firmware updates. Further not everyone considers the performance trade-off worth it: there are a class of users for whom this is not a security issue. Aggravating matters, there are OEMs that must be involved in order to patch or explicitly fail to patch this issue. Intel had to coordinate all of this, under embargo.
-
This reminds me of HP issuing a “security” update for printers that actually caused the printer to reject any third-party ink. Disgusting.
-
-
It’s worth thinking on more broadly since it’s the second-largest driver of insecurity. Demand being the first.
The easiest example is mobile phones. The revenue stream almost entirely comes from sales of new phones. So, they want to put their value proposition and efforts into the newest phones. They also want to keep costs as low as they can legally get away with. Securing older phones, even patching them, is an extra expense or just activity that doesn’t drive new phone sales. It might even slow them. So, they stop doing security updates on phones fairly quickly as extra incentive for people to buy new phones which helps CEO’s hit their goalposts in sales.
The earliest form I know of was software companies intentionally making broken software when they could spend a little more to make it better. Although I thought CTO’s were being suckers, Roger Schell (co-founder of INFOSEC) found out otherwise when meeting a diverse array of them under Black Forrest Group. When he evangelized high-assurance systems, the CTO’s told him they believed they’d never be able to buy them from the private sector even though they were interested in them. They elaborated that they believed computer manufacturers and software suppliers were intentionally keeping quality low to force them to buy support and future product releases. Put/leave bugs in on purpose now, get paid again later to take them out, and force new features in for lock-in.
They hit the nail on the head. Biggest examples being IBM, Microsoft, and Oracle. Companies are keeping defects in products in every unregulated sub-field of IT to this day. It should be default assumption with default mitigation being open API’s and data formats so one can switch vendors if encountering a malicious one.
EDIT: Come to think of it, the hosting industry does the same stuff. The sites, VPS’s, and dedi’s cost money to operate in a highly-competitive space. Assuming they aren’t loss-leaders, I bet profitability on the $5-10 VM’s might get down to nickles or quarters rather than dollars. There’s been products on market touting strong security like LynxSecure with Linux VM’s. The last time I saw price of separation kernels w/ networking and filesystems it was maybe $50,000. Some supplier might take that a year per organization just to get more business. They all heavily promote the stuff. Yet, almost all hosts use KVM or Xen. Aside from features, I bet the fact that they’re free with commoditized support and training factors into that a lot. Every dollar in initial profit you make on your VM’s or servers can further feed into the business’s growth or workers’ pay. Most hosts won’t pay even a few grand for a VMM with open solutions available, much less $50,000. They’ll also trade features against security like management advantages and ecosystem of popular solutions. I’m not saying any of this is bad choices given how demand side works: just that the business model incentivizes against security-focused solutions that currently exist.
-
-
-
-
-
-
On your figure “Detailed architectural design of an entry level HFT system” the signal generation system is not linked to your order system. Is that an oversight (it is connected in your figure “Simplified diagram of an entry level HFT architecture”)?
How do you sort or filter your signals in to orders, particularly when the signals conflict? Where in this model are your actual positions stored an reconciled to the signals produced by your model?
-
Thanks for your questions. A: “the signal generation system is not linked to your order system.” R: I use a database table to register the signals
A: “How do you sort or filter your signals in to orders, particularly when the signals conflict?” R: I’m only using a signal generation table per asset to avoid conflicts between signals
A: “Where in this model are your actual positions stored an reconciled to the signals produced by your model?” R: The orders executed and opened come through the Websocket and are stored in tables on the database. The order execution service has the logic to reconcile it with the signals within a set of hardcoded boundaries
I accept any tips, =)
-
I’m going to conflate compliance and risk management. Compliance, for instance, is making sure you don’t put both a bid and an ask for the same equity at the same time (a so-called self-trade). Risk management, for instance, is making sure you don’t honor two buy signals that would expose you to more risk than you want (The buy signals are firing because of industry-wide news and the stock price changes are correlated).
Not every order is legal to put out to market, and not every signal is worth the risk you’re exposed to. Your order system, or your model, or another component need to do the work of making your signals risk-adjusted (consistent) and your orders (desired position) operationally possible.
Thank you for writing this up, and good luck.
-
-
-
-
I’m not sure I agree with Theo on this one. I don’t think it makes sense to always disable SMT. Single-tenant configurations that don’t locally execute remotely-fetched resources (for example, a browser) would be fine to keep SMT enabled. For example, a physical server (so, no multi-tenant virtualization) that only acts as a VPN server should be fine with SMT enabled.
-
In a perfect world, yes.
But since these vulnerabilities allow memory reads from other threads (including kernel threads) running on the other hyperthread of a core, it means that this escalates a code execution vulnerability (even in a limited, sandboxed environment) to kernel (or just other userspace process) memory reads, which could be a springboard in a more serious exploit chain.
SMT can still be safely used in some scenarios, like multiple threads of the same process if no isolation exists between those threads anyway, or when executing multithreaded code in the same sandbox, perhaps.
-
It is demonstrably true that there are workloads that benefit from Hyperthreading. I agree that we also see a subset of these use cases where the performance trade-off from disabling this feature is being contrasted with a security issue that is not directly exploitable.
I think the OpenBSD team, and others, have made a compelling case for not only preventing directly exploitable security issues but also that proactively fixing security issues can prevent exploits that require a chain or series of exploits, information leaks, or crashes.
While you can construct scenarios where this single exploit doesn’t apply, being vulnerable to it means that it can be composed or combined with other vulnerabilities where it may turn out to be necessary even when it’s not sufficient to successfully attack.
-
I think the OpenBSD team, and others, have made a compelling case for not only preventing directly exploitable security issues but also that proactively fixing security issues can prevent exploits that require a chain or series of exploits, information leaks, or crashes.
Of course. Both HardenedBSD and OpenBSD are doing wonderful work in this regard. I didn’t mean to convey that OpenBSD’s work was without merit or meaningless.
Instead, what I meant to convey is: with proper risk analysis and management, users can and should be able to decide for themselves whether to disable SMT.
While you can construct scenarios where this single exploit doesn’t apply, being vulnerable to it means that it can be composed or combined with other vulnerabilities where it may turn out to be necessary even when it’s not sufficient to successfully attack.
Sure. But at that point, local code execution is gained. It’s already game over at that point.
-
-
Basically, in light of these vulnerabilities, SMT is a risk whenever the system might be running untrusted code. The reality of today’s computing environment is that you’re almost always running unprivileged but untrusted code to some degree or another. Web browsers and multi-tenant VMs are the most obvious examples. The systems in the world which run only “trusted” code are few and far between. Some examples that I can think of are:
- HPC/research clusters with specialized applications in which nearly all code is written in-house
- Certain Enterprise appliances like storage servers that don’t allow running non-vendor-provided code
- Small general-purpose systems with all of their hardware dedicated to one specific task, like my backup server at home
And even these aren’t necessarily 100% safe because there might be a remote exploit of some kind that then allows an attacker to run some unprivileged code which can then abuse SMT for privilege elevation and then you have a rooted appliance. In which case, the only truly secure box with SMT enabled is an air-gapped one.
The only good news here is that these kinds of exploits seems to be quite difficult to actually pull off but as The Bearded One says, attackers only get better over time and attacks only get easier.
-
Through this discussion, my thoughts on the matter have changed somewhat. I still think that SMT should be supported, but disabled by default. After proper risk analysis and management are performed, users should decide whether to opt in to SMT.
there might be a remote exploit of some kind that then allows an attacker to run some unprivileged code
I view it as: if the attacker has gained reliable remote code execution, it’s already game over. SMT doesn’t matter anymore.
-
-
You’ve described your reporting structure, but not whether you’re responsible for staff or budget. Are you reporting on behalf of a team? Working solo but possibly cross-functionally? Advice is going to differ depending not only on who you’re reporting to but on what you’re reporting about.
That said, simple as the following advice is, not everyone does it:
- Show up on time.
- Do what you say.
- Finish what you start.
- Say ‘please’ and ‘thank you.’
Congratulations on your new job.
-
alynpost
edited
2 days ago
|
link
| on:
The Codeless Code - Fables & Koans for the Software Engineer
I had a manager pleasantly surprise me in a meeting when, due to free association, someone made reference to Ozymandias. This manager not only recited the poem from memory but it was a rousing performance.
-
I’m getting a 404 from this (and nothing in cache)
-
-
decision by the University of Minnesota to charge licensing fees for the use of their protocol
I would like to see an elaboration of this part. Wasn’t it always an open standard? If not, when it became an open standard? How do you even license a protocol if protocols are not subject to copyright? Or were they?
Also, there is no way to access gopher servers from the most popular web browsers without resorting to HTTP. I had Overbite working with Firefox and definitely enjoyed browsing the gopherspace with it, but now you can as well use floodgap.org directly without any plugins since with extension API for TCP connections broken, OverbiteWX simply redirects to it.
-
Here is an archived email on the matter, from 1993. University of Minnesota Gopher software licensing policy:
First, in the case of gopher servers run by higher education or non-profit organizations offering information freely accessible to the Internet, there is no change. No fees. They just continue to use Gopher like they have always done. If you fall under this category, please stop and think about it. Nothing’s changed.
In the case where gopher servers are being used internally by commercial entities we think a license fee is right. We don’t know what amount of a fee is reasonable: so YOU have to tell us and we need to negotiate on a case by case basis. What is loose change for a large corporation may be prohibitive for a small business. We’d like some kind of sliding scale.
The paragraph just above these two did not age well:
Remember when UNIX was given away free? How many of you are using UNIX now? It is licensed.
-
Oh well, so it’s about the original Gopher software, not the protocol. The post is misleading then. To be fair I’m surprised to learn that the original software was not open source.
The usenet post reads like a “Killing your product with bad marketing strategy HOWTO”. Not many proprietary software vendors think they are entitled to a sales commission from simply using your software!
-
-
Re: “We don’t know what amount of a fee is reasonable: so YOU have to tell us and we need to negotiate on a case by case basis.”
Oh hell no! That’s the same “call us for a quote” stuff all kinds of rip-offs start with. They say they’re doing it for nice reasons. It’s just inherently going to lead to discriminatory pricing for some customers. So, I push for clear, up-front pricing for at least common cases.
Re article. I enjoyed the article. I was confused by Lobsters saying “authored by alynpost” but article said Paul Scott. What’s that mean?
-
Re article. I enjoyed the article. I was confused by Lobsters saying “authored by alynpost” but article said Paul Scott. What’s that mean?
Paul is my technical writer and also helps us during maintenance windows when we need extra hands. He’s put together most of the high-quality wiki pages we’ve got.
On an unrelated and humorous note, he’s capable of holding a 3U server full of hard drives over his head, which we accidentally learned when removing one and having the rails on one side get stuck. He sat there stoically focusing on his breathing while I scrambled to clear the jam. The plan up to that point was that we’d derack it together, one person to a side.
I asked Paul to write this article and acted as his editor. I didn’t feel it appropriate to not click the authored by tab, as it’s easier to explain it was written by a group than suggest I was only involved as a submitter.
Is that clear as to what happened and does it answer your question?
-
I thought it might mean a group thing. I figured Id just ask instead of guess. Yeah, that answered it and entertainingly so. He sounds great guy to have around. Thanks.
-
-
-
-
-
tedu
3 days ago
|
link
| on:
Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed
UPDATE: Intel has resolved their microcode licensing issue which I complained about in this blog post. The new license text is here.
-
Here the ‘new’ license text: https://01.org/mcu-path-license-2018
Here the license text prior to the 2018-08 microcode drop: https://tracker.debian.org/media/packages/i/intel-microcode/copyright-3.20180703.2
They’re identical.
-
-
No mention of Pelican? Meh.
-
-
My blog runs on Pelican. So far it’s been a good experience. The greatest selling point for me was support for per-category (though not per-tag) Atom feeds. It’s a regrettably rare feature, but if you plan to ever add yourself to blog aggregators, or simply give readers an option to filter out the kind of stuff they are not interested in, it’s really nice to have.
-
Yes. A good thing about Pelican, among others is that it doesn’t require a gazillion dependencies and just works.
I also recommends https://github.com/spanezz/staticsite because it doesn’t force a filesystem layout or HTML contents or markdown formats on you. Contrarily to other generators, you can use it to improve an existing “handmade” website without having to start from scratch.
-
-
-
-
ssl
3 days ago
|
link
| on:
Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed
NB: debian developers have noted that they have troubles repackaging the code into the distribution due to the new EULA included https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906158#14
-
From your link:
Intel has been made aware of the issue and pestered by just about everyone, and should get it straightened up soon.
This issue circulated through a Slack channel I’m on last week and we had the presence of mind to at least collectively ask Red Hat to bring the issue up with Intel for us. Nevertheless I consider “pestered by just about everyone” to be an accurate description.
-
-
feld
3 days ago
|
link
| on:
Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed
It occurs to me that if you do not have the right to benchmark then you do not have the right to test that the product works as advertised. This cannot be legal.
-
This license forbids systems integrators from publishing benchmarks related to this microcode. Presumably because Intel reserves that right to themselves. If you are not a systems integrator it doesn’t apply to you. If you are a systems integrator not only can you benchmark, clause 4 makes it clear you are under no obligation to share those results, even with Intel.
-
-
Shamar
3 days ago
|
link
| on:
Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed
Well, what if a researcher do all these things anyway?
When they publish the results, their licence ends. So what?
Also, no state could allow the installation of such microcode on its hardware exactly because of this clausole.
-
This license, whether on purpose or accident (see my other comment in this thread for elaboration), is granted to and focuses on OEMs :
- PURPOSE. You seek to obtain, and Intel desires to provide You, under the terms of this Agreement, Software solely for Your efforts to develop and distribute products integrating Intel hardware and Intel software. […]
If you are a systems integrator, there is more than this license agreement binding you and Intel together. If you are not a systems integrator, this license isn’t about you, making the bolded assertion in the article false by being too broad:
Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license.
Intel made either a mistake or policy change related to their systems integrators. We will all get our benchmarks.
-
-
alynpost
3 days ago
|
link
| on:
Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed
This is the license equivalent of a bug regression. If you need a microcode update, do you get it from Intel? Your OEM (BIOS and motherboard) manufacturer? Operating system vendor? Intel would prefer microcode updates be loaded from the BIOS. They support doing so from an operating system.
Earlier this year, one of the microcode updates for Spectre/Meltdown got packaged by Red Hat, who later reverted it and added the following message:
The latest microcode_ctl and linux-firmware packages from Red Hat do not include resolutions to the CVE-2017-5715 (variant 2) exploit. Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot.
The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd. Customers are advised to contact their silicon vendor to get the latest microcode for their particular processor.
The license Intel granted earlier this month is clearly more targeted toward OEMs embedding microcode updates in their BIOS. Red Hat noticed the license change and reached out to Intel on the matter. I suspect that other OS vendors did the same. You can see the exasperation and coordination problems present before this microcode update, however.
I think Intel is still learning how to coordinate and release microcode updates when those updates also require software patches and may need hardware-specific handling by a subset of their OEMs. All under embargo. Here they tried solving part of that problem with a license change and caught OS vendors (and open source projects) out.
-
Since 2016 I’ve been in the support rotation for my company, prgmr.com. Interacting with and helping my customers has been one of the most pleasurable parts of my work. In the three years I’ve been here, my appreciation and respect for this community has kept me coming back to learn from and with all of you. I’m looking forward helping you continue to enjoy the time you spend here.
Thank you @pushcx for your tireless effort.
-
The last time I deployed a runner I used beanstalkd along with this Python binding. This tool doesn’t use scheduling, outside of it’s ability to restart / reorder jobs.
It is quite basic but it did the bit I needed: I had a threaded work queue that would sometimes need to fork. Rather than dealing with forking from inside a worker in a work pool, I would the send the job to beanstalk and fork from the runner instead.
-
Which company is it so we can avoid the same fate?
-
If you’re going to name a company asking people to avoid them you have to make a case as to why. Otherwise you’re naming and shaming. Unless you can show your complaint has merit it’s equally likely that the fate we’re trying to avoid is working with you, not your customer.
Asking for names without additional, event substantial detail about this conflict is incitement to mudslinging. If you want to avoid this “same fate” we need to better understand what it is.
-
Fair points! I read this bit and it seemed enough to be validate the question:
A company we have been working with has a big debt with us and with other freelancers from all around the globe. They have not answered for months and I have helped them hire other devs that won’t probably be paid. My biggest issue is that they don’t answer and I think that is a really bad attitude to have during this type of situations.
I’m more charitable in assuming the company is at fault than the contractors, though Lord knows I’ve seen contractors drop the ball (and hard).
That said, part of the reason we have problems in this industry is that the people doing the work are hesitant to mention issues that could impact others–it’s basically an issue of informed consent.
Naming and shaming is not as big a problem for big companies as it is for people or small contractors…there was a time where everybody knew for example that Arthur Anderson consulting were bozos on projects and ending up on projects with Androids was a recipe for a headache, and yet they kept getting contracts.
If we want things to get better, we have to look out for each other.
-
Highlighting questions raised by the statement from @unbalancedparentheses you quoted:
A company we have been working with has a big debt
How much, and how overdue? For full transparency, what is the total contract size and length, and what other contracts have been signed with this client that you could similarly report on?
and with other freelancers from all around the globe
For each of these cases there may be relevant, material facts that make each event a unique circumstance. We’ve got a group (other freelancers) that can be enumerated, not lumped together like a cluster of NPCs.
They have not answered for months
When did it start, what communication mediums were used, and what is the entire dated set of communication that demonstrates your complaint is being ignored?
I have helped them hire other devs that won’t probably be paid.
If this is relevant, and it certainly has not been shown to be irrelevant, it both can be enumerated (at least counted!) and includes speculation: we know neither who they are nor even whether they have or will be paid. It’s the quality of window dressing.
None of these statements are going to survive a test of membership in to the “problems in this industry” set you allude to. I doubt anyone would disagree with “want[ing] things to get better,” but picking sides in a potential, possible, we’re not even sure if meritorious civil complaint is putting the cart before the horse: We can decide on the facts, and we can measure, mitigate, and minimize risk without having to consult a counterparty.
There is not enough information here to know what we can improve.
-
Again, very good questions, and if @unbalancedparentheses can answer them that’d be awesome.
picking sides in a potential, possible, we’re not even sure if meritorious civil complaint is putting the cart before the horse:
Just to be clear: I’m not looking to pick sides in a conflict I don’t have a direct personal stake in here. I do do consulting and contracting work on occasion, and a datapoint of “so-and-so was complained about” is still useful.
Like, let’s Pascal’s wager this, assigning values of good (+1), neutral (0), and bad (-1). Assuming that they’re either in the wrong (W) or not (R), that we know if they’re in the wrong (K) or not (I), and that we know their name (N) or not (A):
- WKN: We don’t do business with them, or we do business and hedge our bets since it’s a problem. Neutral.
- WKA: We may accidentally do business with them and get burned. Bad.
- WIN: We may do business with them and get burned. Neutral.
- WIA: We may accidentally do business with them and get burned. Bad.
- RKN: We may do business with them and maybe even get a chance at a dropped ball. Good.
- RKA: We may accidentally do business with them and not get burned. Good.
- RIN: We don’t do business with them, or we do business and hedge our bets since it’s a problem. Neutral.
- RIA: We may accidentally do business with them and not get burned. Good.
Partitioning by knowledge of name, we see +1 versus 0 when we don’t know it. The outcomes seem strictly better when the company is named.
EDIT:
For completeness’ sake, outcomes by if they’re actually in the wrong or not have a -2 vs. +3, and by if we know they’re in the wrong or not a +1 vs. 0.
-
Just to be clear: I’m not looking to pick sides in a conflict I don’t have a direct personal stake in here.
That was a poor assumption on my part, thank you for correcting it.
For the wrong (W) case you are not performing full accounting, and therefor externalizing a cost: their unjustly damaged reputation (or conversely your reputation should you be shown to have lied).
-
From my point of view your answer would make sense if I would have given the name of the company. I did not. For the same reason there are a few things I can’t answer until I get some information from my attorney.
Instead of discussing the validity of my reclaim, let’s rephrase my question: Let’s suppose that a happy customer with whom you are working for stopped paying. After not getting the promised payments for a few months, What would you do? What have you done in the past? What would you do if you know that other people had the same problem? Would you tell about your problem to the new hires you helped interview? Would you tell the community about this so that nobody else has the same issue?
I am not saying that the questions you have asked are useless. However I can assure you that my case is pretty simple. We don’t need to go off at a tangent. I want to know and learn about what you have done with non paying customers.
-
After not getting the promised payments for a few months, What would you do?
The minimum necessary effort:
I would offer to submit a revised invoice with new “discount” line item (somewhere in the 10-25% range, but whatever you think will work. Anything you can recover is better than zero: 50% was reported here as a successful resolution in an unrelated dispute.) and contingent on payment consider the matter settled. I really do mean settled: be happy with that outcome, even when asked about this client (reporting on this event) in the future.
I’d then focus on systematically eliminating any errors I had made that brought me to that condition, but I would not bother this client with that effort. It’s your work, not theirs.
The good-faith, maximum effort short of litigation:
-
Write but do not yet publish a blog post or other long-form statement describing the event in as much detail as possible. Do not cherry-pick, do not avoid facts that make you look bad / incompetent / wrong, do not hide any detail that could possibly weaken the completeness of your testimony. Every shred of evidence: Who, what, when, where, why, how. The truth, the whole truth, and nothing but the truth. Make a calculable claim as to what you have lost based on the evidence (e.g., invoices, timesheets, contracts) presented in your testimony.
-
If other people or organizations are also involved, ask for the same from them -or- ask them to sign (i.e., attach their name to) your statement. Ignore them if you get neither: Bandwagoning doesn’t help your case. Don’t bother employees in contract disputes. (“Would you tell about your problem to the new hires you helped interview?”) it is by definition not their problem. Don’t conflate their contracts with yours.
-
Send your not-yet-published, factual, fully-informed, material testimony to the CFO of the organization you have a contract with. Offer to settle the matter via payment of the calculable claim you are making, post-discount. Alternatively, in lieu of payment, offer to include any statement they would care to make: you will include it in full along with publishing your own testimony. State also that if they have a superior resolution to either of your proposed outcomes you will do that instead. If the matter is not resolved via payment of what you are owed, publish on whatever deadline you have set for yourself and given them. Be happy with either (any) outcome, even when asked about this client in the future. You will have said all you need to say on the matter.
I frankly cannot imagine having to resort the later approach, but you have asked after it.
-
-
-
-
-
-
-
Litigate the hell out of them. Other than that good luck! I would not tell right now anyone as you may be bounded in litigation to not disclose anything, common law is different that the rest of the world.
-
-
For 1099 contract work, non-payment for time invoiced is one of the two largest financial risks you have to take. The other being exposure to a bidding process as part of getting a contract in the first place. In both cases you have tools available to minimize risk. NetD terms in the case of non-payment of invoices. (@gkop in this thread goes in to detail on how to use this tool.)
Would you tell the community so that other devs don’t have to go through the same problem?
It is clear by your post you are considering this option. I would recommend you be prepared to be fully transparent should you decide to do this: A complete timeline sufficient for falsification, not merely justification. Here you’ve given us an attorney’s quote (15k USD), but not quantified your outstanding AR nor your lifetime revenue from this customer. Further, you’ve made an accusation that could be interpreted as a smear (“I think that is a really bad attitude to have during this type of situation.”) when you’re capable of making a material complaint: You’ve invoiced a company for work performed and that invoice is now overdue.
Have you filled a legal complaint against a company before?
In 2017 I had an incident with one of my vendors that was criminal in nature. Before contacting them about it I performed the full discovery process, reconstructing a timeline of the event and falsifying every possible alternative explanation we thought of. I then provided all of this documentation along with my statement demonstrating what I had done to conclude a criminal act had occurred. Within 2 business days I had had a productive conversation with the relevant C-suite officer which resulted in a manifest, positive policy change. In that call I stated that any and all possible resolutions, from them as a vendor and me as a customer, were on the table. Over the following weeks we systematically worked through every possible mitigation and I am confident an event of this nature will not happen to us again. This vendor also answered every question that I could not answer from my own discovery process. There was no need to file a legal complaint–In fact it would have been counter-productive.
In 2014 I had a vendor call reporting an unpaid invoice. The work on the invoice had been performed before I was responsible for the department / team / group in question. I got statements from both the vendor and my own manager. Given the challenge of reconstructing what work had been performed and the nature of the complaint if any, I verified that the invoice did represent existentially possible work (i.e., it was not prima facae fraudulent). I asked them to submit a revised invoice for the same work at a discount, and then made sure it was paid that week. That was a better outcome for both of us than dealing with a legal complaint.
If you’re going to go to the trouble of filing a legal complaint, exhaust all other options. You’ll need the paperwork you collect in exhausting those options to be successful with your complaint anyhow. This is doubly true if you’re going to make a public statement on the matter.
Have you used a debt collection agency?
I have no experience here.
I’m sorry to hear you’re dealing with this.
-
Perhaps this is a reasonable place to open a discussion about why lobste.rs doesn’t have a politics tag. The way technology is built and used is political; it’s hard to entertain arguments against that. I have deep empathy with the point of view that technology is a craft and an engineering discipline and there is a whole set of discussions and a space to be made for talking about technology in as non political a way as possible, which is what lobste.rs currently does, and I do kind of like it like that.
However the reason I think it’s important to bring political discourse into this space is because you lobste.rs are making politics decisions when you choose your job, choose the work you do and make critical technological and political decisions as part of your work which affect All Your Relationships*; this is an intelligent, considerate and engaged community and I see much more harm than good in choosing to hide from that fact, though I will say again I have a huge respect for and enjoyment of this space as a non-political one.
So I suppose I’d like to pose the question, given that the tagging system allows any user to filter out posts they are not interested in, what does the lobste.rs community have to lose by opening itself to some political discussion? Is there a feeling that it will somehow pose a risk to this community? Is there a fear that a certain type of user will be attracted, that a certain type of behaviour will be allowed/promoted by this which will have a negative impact throughout the whole site?
I don’t want to promote the idea that lobste.rs should be a political space, I want to check in with everyone here that we are all ok that it isn’t and have properly checked in with what our fears and rationalisations are about that choice.
** The ‘All Your Relationships’ idea comes from the talk in this link which suggests the idea that all technologists are touching a huge network of people and that in some way you have a real relationship with many many people, e.g. all the people that worked to manufacture the phone in your pocket.
-
Short answer
what does the lobste.rs community have to lose by opening itself to some political discussion?
see
Long answerthis is an intelligent, considerate and engaged community
Tag usage
First, a note on tags: every tag we add is an explicit endorsement that that sort of content is acceptable and encouraged on the site–the omission of a tag is a hint that maybe that content would be better served elsewhere.
If we were to include a
politicstag, we’d in effect be saying “Okay, the distribution of topics appropriate for Lobsters now includes politics. This is valid to bring up in all conversations, because at worst it’s merely mislabeled and mistagged.” So, we’re then stuck with more politics in everyday use in the site.Availability elsewhere
Simply put, politics are better covered elsewhere:
- Daily Kos
- Breitbart
- Jacobin
- Reason
- Hacker News
- 4chan /news/ and 4chan /pol/
- NPR news
- Infowars
- Christian Science Monitor
It’s not like our fellow crustaceans can’t find something to slate their thirst for politics elsewhere–not only that, but they have dozens if not hundreds of sites to choose from to match their political requirements.
By contrast, Lobsters itself is a rare gem (if I may say so myself) in that it is relatively pure technical discussion, a refuge from a world of blathering bullshit and ponderous pandering.
Politics is the boardkiller
I’ve explored elsewhere how political submissions can be used to farm karma at the expense of discussion. The key things to note about political articles:
- They rarely have any technical content, as the point of politics is not education but subjugation
- They tend to cover topics that everybody has opinions about but few have expertise in
- They usually talk about things over which none of the discussion participants actually have any control, so you get a lot of yelling back and forth without any action
- There is a gigantic industry devoted to crafting the most divisive articles possible
We probably share this board with a few tankies. We probably share this board with a few Nazis. We have folks here that don’t recognize a standard arrangement of genders or possibly even human identities. We have folks that are from the US, from the UK, from the rest of the world. We even have a few Windows users.
And we all get along (mostly) because we aren’t constantly pitted against each other in pointless tribal ideological posturing and signaling. We all get to respect each other as practitioners of technology instead of representatives of some other out-group.
Why would we want to risk sacrificing that?
EDIT:
I’ll point out that 4chan has created at least 2 containment boards for politics (the equivalent of your proposed tag), and not only has that failed it’s only fostered some of the most corrosive drivel on the internet.
-
-
-
Fixed the chat link; should’ve been to
/chatnot/, sorry about that.Discussion filters back into meta threads. We’re generally just shooting the breeze or kicking ideas around, it’s not very serious because it’s so transient and has only a fraction of the community on it. The only important thing I can think of that’s come out of it was this comment (though it’s been a long couple days for me so maybe I’m forgetting something).
-
-
-
Perhaps this is a reasonable place to open a discussion about why lobste.rs doesn’t have a politics tag.
We don’t have a politics tag, in part and sufficiently, because the topic is too broad for a contributor to have a meaningful understanding of the topics and discussion that would fall under it. For folk that can make meaningful, informed, truthful, and constructive contributions in an on-topic matter, there is the law tag.
We’re a community of practitioners. The practice of politics is law. Practitioners of law, whether legislators, lawyers, judges, or any of the various roles in courts and the extant legal system are welcome here. Along with the technical discussions these practitioners engage in.
However the reason I think it’s important to bring political discourse into this space is because you…
This is called entryism: “…an organisation or state encourages its members or supporters to join another, usually larger, organisation in an attempt to expand influence and expand their ideas and program.”
Here you providing a totalizing reason (“All Your Relationships”) as to why a new tag should be added. Tags are deflationary, not inflationary. They identify areas where a subset of our readers and contributors can expect detailed, operational, consistent, and where possible even scientific discourse. And that further they can measure their own understanding of the topic because it has clear and defined boundaries.
Politics is off-topic here because it lacks parsimony. In order to create space for technical topics we do not discriminate on the basis of people, groups, or fields of endeavor. Folk are here to talk about and work on their own and their field’s issues in sufficient technical detail to coordinate with their peers. Ideology, politics, propaganda, framing, and other fictionalisms are an impediment to dealing with the technical and material nature of our work and world.
The chattering class has plenty of places on the Internet to proselytize. This isn’t one of them.
-
“Perhaps this is a reasonable place to open a discussion about why lobste.rs doesn’t have a politics tag.”
We did. The were a large number of people in support of or against politics or tags. No clear winner. Further, most that support it want to be able to talk about it on any article to push their political views. Of them, some want many views to be discussed as part of the political process and others want all opponents censored and/or ejected. For different reasons, both need political comments available on every thread. There’s some others but that’s the major groups based on what they said or did.
Im in the group that’s for banning most politics or limiting it to politically-focused threads tagged as such. Like I said, the prior discussions got nowhere for my side. So, I discourage even talking about it to avoid polluting more threads. We can just do a yearly meta or something to assess if the community’s preferences have changed. That’s assuming @pushcx would go with the popular vote to begin with. His own convictions might lead him to do something different.
Who knows except to say we’re better off not talking about banning politics or a new tag more than once a year since it’s wasted bandwidth that also often causes headaches for our moderators when fights break out.
-
-
I can’t find the ones about tags past the comments we just made. Search engine isn’t that good. The political arguments have mostly been scattered among many threads. No links to take you right to what you want. Sorry. The fact that I don’t have one readily available might be a good reason to do another one as a tag suggestion. Then, you’ll probably see people’s views real quickly. ;)
-
-
-
[Comment removed by author]
-
This talk is only tangentially about climate change, as one globally significant effect that technology has and a great example of how to think about the result of technological work.
‘politics’ is about how groups of people take action together, (in anything other than the most rudimentary ways). So climate change science is different from, but will inform climate change politics, which will be the process of figuring out as a group of people how to collectively respond to the information we understand from climate change science.
to bring this back to my original point, I’m suggesting that the lobste.rs community can have a positive benefit on politics (therefore directly influencing e.g. climate change) through technology by discussion, and therefore should consider carefully the choice to not do that.
-
You benefit politics by interacting with branches of government, bribes to politicians paid through lobbyists, court action, and last (in effectiveness for time invested) getting a huge pile of voters to push their officials for a specific thing. You can’t do any of that though a tiny, slow-moving, tech forum. We were neither setup for mass action or government interventions nor mostly capable of it. So, doing the people-oriented parts of reform on Lobsters is mostly waste.
Now, Lobsters can help on the legal or technical side by creating the alternatives along with cost-benefit analyses. Then, get folks to share and describe it in places that get lots of attention. Some can even be a business that becomes a Barnacl.es submission after succeeding financially and on mission as a nonprofit or public-benefit corporation. Lobsters has more talent for producing and reviewing the tech than many places. That’s what we should focus on, submit, and talk about here. As we already do. :)
-
-
-
IRC and I are the same age. It’s been 16 years of using IRC for me by now, and I’m still to see any real alternatives really take off. XMPP sadly died. Matrix is promising, but most people seem to still use it as an IRC bridge.
Matrix makes quite a fine IRC bridge though. Better mobile support, lets you see a list of when you were pinged, and image hosting. These days it has almost every feature I need to switch from telegram but the client is still too awkward to use.
Slack. ;)
The largest slack server I’m on has 70 people. That’s 1/4 of the number of nicks in #lobsters, half of whom are regular participants. Our channel is only the ~150th largest channel on Freenode. There are some significantly larger channels.
I don’t know what the largest Slack channel is (there surely must be some much larger than the largest one I’m on), but I don’t really see Slack going after that kind of audience. Slack feels to me like a meeting or conference room, whereas IRC feels like an auditorium or a stadium. It has tooling and social conventions to accommodate large, public audiences. I haven’t seen that replicated on other chat platforms.
Slack has been undeniably successful and has taken users from IRC in being so. I think it accomplished this through market segmentation, though, and isn’t trying to solve some of the scale problems IRC has solved.
When Slack kicked Reactiflux off the platform for having too many members, they had 7,500 members. Currently, Reactiflux on Discord has 35,000 members. At least one estimate puts freenode at ~88,000 users.
There are some enormous Discord “servers” (which is a total misnomer – they aren’t dedicated servers afaik, but it’s a word that resonates with gamers); maybe Discord would be a better spiritual successor from a scale perspective. I’m not sure what the biggest Discord is, but the biggest streamer I could think of (Ninja) has 40K people in his Discord, 8K of which are signed in right now (on a weekday during a workday/schoolday). These big-name streamers have big fan communities that use Discord a lot like I’ve always used IRC: partially for asking for help, but mostly for dumb jokes :)
I was just addressing the “alternatives take off” part. I agree they might be targeting different segment. I also think they did better job focusing on UX. The next alternative that addresses the segment you’re describing should similarly focus on good UX. Maybe charge for hosted versions or something to pay for developers to keep it a polished product, too. Users hate buggy software when their prior software worked well. They’ll switch back if they can.