1.  

    Awesome post. For those curious, the field of Immunity-Aware Programming tries to address some of this problems.

    1. 8

      If you’re interested in learning Prolog, the SWI Prolog folk are hosting a free online class!

      1.  

        Appreciate the tip! People could probably start with that class with books like I submitted being a supplement.

      1.  

        The math tag goes on this, right?

        1.  

          Id say so.

        1.  

          The HN thread I got this from had some interesting comments, too. The author is in it as “triska.”

            1. 13

              “Truly immutable timestamps could be useful”

              As with most stuff, there’s already a standard for that. One company, Surety, even puts the hash of their timestamp ledger (hash chains) in the New York Times to create a paper trail. I’m sure the decentralized checking part could be scaled horizontally a bit without much change in protocol or energy usage. The individual operations are still simple enough to do on chips that are a few bucks each.

              1. 7

                there’s already a standard for that. One company…

                The big feature that Bitcoin and other blockchains bring to the table is decentralization. If you can rely on a company for stewardship of your ledger, then by all means use a permissioned database like Surety does.

                On the trusted timestamping page you linked, if you skip to the decentralized section, you can see it immediately starts talking about Bitcoin.

                I’m not sure how much Surety’s service costs, but piggybacking on the Bitcoin or Ethereum blockchains is likely far cheaper. Here is a tutorial on how to store a message as an Ethereum contract. The cost is variable with the string length, but in this case only cost about $0.20. It works by deploying a solidity contract that is just a couple string variables. The output is observable on etherscan.

                1. 4

                  In my model, several foundations in different countries run by different people would agree on a protocol. It would store stuff in SQLite, FoundationDB, or something similarly fast/resilient. A web or app server with plenty of cache would give snapshots of the ledgers. They’d charge a fixed price for bandwidth and storage which could go up as the tech improves.

                  This setup for something small like hashes with a niche audience could run on $5/mo VM’s. Even dedicated servers, 5-way redundancy with years of compute, storage, and bandwidth would be just over a $1,000 a month. The components theyd use are so vanilla the admins could be part-time. How much does Ethereum or Bitcoin cost in comparison?

                  1. 4

                    Check it out, this message cost $0.80. Zero sysadmin effort on my part due to leveraging a preexisting system. Also, the message won’t vanish if I stop paying VPS bills.

                    If you’re a large corporation that wants to timestamp thousands or millions of messages, the centralized approach could very well be cheaper. For me, verifying maybe a handful of messages per year, it’s way easier to piggyback on a large blockchain project.

                    1. 4

                      That’s a decent point. If you’re just externalizing and aimjng for low cost, you can post the messages in threads of diverse forums, Pastebin, etc. I used to do that with hashes on blogs. Never cost a cent.

                      1. 3

                        verifying maybe a handful of messages per year

                        What’s your actual usecase for this? I struggle to see viable usecases for the blockchain beyond speculation so it’s interesting to hear what people consider are valid usecases for it.

                        1. 2

                          I should have worded that differently… I don’t timestamp messages all that often. What I meant to convey is that $1000/mo is definitely overkill for anyone with intermittent needs.

                          Pastebin and forum posts are fine, but centralized. If Pastebin ever goes down, or starts manipulating old posts, then the integrity of your verification is compromised. Embedding the message in Ethereum’s blockchain is a much stronger guarantee of permanence and immutability.

                          What sorts of blog posts need such tamper-proofing? Anything dealing with warrant canaries, reverse engineering, or low-level firmware might deserve it.

                          1.  

                            I should have worded that differently… I don’t timestamp messages all that often. What I meant to convey is that $1000/mo is definitely overkill for anyone with intermittent need

                            The $1,000/mo is for the hardware and bandwidth to run the alternative to a blockchain. In the blockchain, you’re a user that pays for a tiny portion that you use. In the alternative, you’d similarly pay for a tiny portion that you use. Maybe a membership fee that covers general cost of operations with you paying the usage parts at cost. I gave the examples of $5 VM’s to illustrate the difference between whatever Bitcoin is doing for mining or transactions. I imagine it takes a bit more hardware than $5/mo.

                            The other article today said companies were paying $10,000 a unit for what supports this system. My hypothesis was getting orders of magnitude better performance with a year of usage at the same price with five-way checking. Adding actors that don’t trust each other just adds small amounts to the system without dragging down the speed of its main DB’s. Whereas, the folks buying the ASIC’s are spending tens of millions to support almost nothing in terms of transactions. The traditional tech is so cheap that I was using blogs to do my version of it. They didn’t even notice. That’s the difference between crypto-currency tech and traditional tech w/ decentralized checking.

                            1.  

                              Pastebin and forum posts are fine, but centralized. If Pastebin ever goes down, or starts manipulating old posts, then the integrity of your verification is compromised. Embedding the message in Ethereum’s blockchain is a much stronger guarantee of permanence and immutability.

                              It doesn’t solve the permanence problem, but just signing text is sufficient to address tampering, which doesn’t use a lot of electricity. So is being permanent the selling point? There is also ipfs which doesn’t require PoW but is decentralized, would that + signing be sufficient for your needs?

                              Basically, I’m still struggling to figure out what the blockchain does that makes the excessive energy usage worthwhile. Maybe I’m just being narrow minded, but I still only really see financial speculation as the primary motivator, so if that becomes unviable, why would anyone continue to run a bitcoin node (and there goes the permanence?)

                            2. 1

                              Yeah, you’d really need to know the use case to try to use it as justification for the Bitcoin blockchain and all its baggage. As the full quote from the linked article says:

                              Truly immutable timestamps could be useful — assuming anyone finds a timestamp use case so important that it warrants a country-sized percentage of the world’s electricity consumption.

                              1. 2

                                Ah, sure. Immutable timestamps are a fun way to piggyback on the existing Bitcoin and Ethereum blockchains, but timestamping by itself is not a justification for those coins existing.

                      2. 3

                        plenty of hype here too: https://guardtime.com/ for example

                        1. 3

                          Oh Lord… they gotten bitten by the bug. No surprise, though, since it’s a fad with momentum and lots of money. I expect any company that can do a blockchain product to build one just to make money off it. Given their prior work, there’s little reason to think they actually needed a blockchain vs hash chains with distributed checking and/or HSM’s. Just cashing in. ;)

                          Btw, do check out that Functional-Relational slide deck I submitted. It shows the Out of the Tar Pit solution is essentially what the new, GUI frameworks are doing. It was just years ahead. So, maybe some practical uses for some version of their model.

                          1. 5

                            Guardtime’s KSI Blockchain is probably my favourite blockchain hype. The product was first released in 2007 and they only branded it “blockchain” a few years ago … for marketing reasons.

                            I have a post about it here. In one of their white papers, they literally redefine “blockchain” to mean containing a Merkle tree:

                            Unlike traditional approaches that depend on asymmetric key cryptography, KSI uses only hash-function cryptography, allowing verification to rely only on the security of hash-functions and the availability of the history of cryptologically linked root hashes (the blockchain).

                            I hear cryptocurrency people touting Estonia’s BLOCKCHAIN REVOLUTION as great news for Blockchain, and even great news for cryptocurrency. It’s not even a blockchain.

                            I mean, I have no reason to think there’s anything wrong with it. I’m sure it does its job just fine. But goodness me, it’s the greatest marketing success “blockchain” the buzzword ever saw.

                            1. 4

                              If anything, it was a great way to show we didnt need a blockchain when our older concepts were working fine. They might benefit by using the buzzword. Yet, such misleading usage just reinforces the phenomenon where the BS spreads further.

                              Im not even sure it’s reversible at any level given these fads usually either level off or implode with the name and reputation damage permanently attached to whatever the name touched. AI Winter, expert systems, and Common LISP are some of best examples.

                              1. 1

                                There’s probably a post I need to write on this topic: basically, we’re going to see a resurgence in the popularity of linked lists with hashes, and they’re going to be branded “blockchain(tm)”. There are a few non-bogus projects along these lines, but it’s not so great actually and in all cases they should have just used a frickin database.

                                Likely case, we get mostly-working systems that have an eternally painful “blockchain(tm)” implementation at the core that can’t easily be replaced by something sane.

                        2. 2

                          I had no idea about surety or even the ability to do that — thanks!

                          1. 3

                            Sure thing! Trusted timestamping is actually one of my goto examples for hash-chain-using tech that predates blockchain craze. What timestamping-on-blockchain folks hope to achieve is what such companies have been doing reliably and efficiently for years now. Better to just invest in and improve on efficient models that already work.

                          2. 2

                            The standard isn’t the hard part, the trust is.

                            How much money would it take to bribe the Surety employee who has the fewest scruples? That’s about the ceiling for which you can bet on their authentication service.

                            1. 4

                              The thing I push is centralized, standard ledgers with decentralized checking. For Surety done that way, it would take you bribing all the checkers. Alternatively, the HSM’s can mitigate some of the insider risk.

                          1. 3

                            I’m always curious about the intended audience with these types of posts. The posts typically paint a straw man picture that there are people unwilling to change the operating model to be more efficient given the option, which is absurd. Should we abandon bitcoin? Is that the thesis here?

                            Clearly the non technical people would probably not know PoW is inefficient but they also have little to no control over the dominance of bitcoin and the way it works. There are strong economic incentives for actors supporting the current structure to keep supporting it as is and the blog post does not address this problem at all.

                            1. 7

                              The cryptocurrency posts themselves paint a strawman that we cant do anything better than corrupt, for-profit, centralized tech unless we switch over to blockchains. That’s a lie with many counterexamples. Bitcoin itself also has huge hype and drawbacks in practice.

                              The author is highlighting that hype and drawbacks. He’s also highlighting a social phenomenon where many proponents try to talk like bad things are good things to downplay them. I’d straight up call that fraud since they’re trying to get people’s money.

                              1. 5

                                I understand that you have a strong opinion on the subject but you’re essentially calling anyone who has an interest in decentralized systems a fraudster. I think it’s disingenuous to say “people who have interests different from my own are by definition fraudsters”.

                                Decentralized, trustless systems have important applications. Bitcoin was created as a response to the banks being involved in widespread fraud. Calling Bitcoin users frauds seems to miss the point in the largest way possible.

                                1. 2

                                  “ Bitcoin was created as a response to the banks being involved in widespread fraud.”

                                  So were credit unions and non-profits in response to earlier fraud. I don’t see a lot of them involved in things like 2008 crises. I thought even Bitcoin had a non-profit/foundation controlling or supporting it.

                                  He’s also highlighting a social phenomenon where many proponents try to talk like bad things are good things to downplay them. I’d straight up call that fraud since they’re trying to get people’s money.

                                  That was the key circumstance that I brought up fraud on. The need to use as much energy as Ireland to avoid unscupulous parties screwing up a few transactions a second is one such implication. It’s a total lie since the regular, banking system prevents or catches lots of stuff like that on a daily basis. From there, I pointed out in another comment that a system using regular databases and protocols with distributed checking might take a $5 VPS or one server per participant. Those don’t take the energy of Ireland, insanely-slow transactions, or crypto magic.

                                  That the very-smart proponents of Bitcoin don’t investigate such options or tell their potential investors of such alternatives with their risk/reward tradeoffs means they’re more like zealots or con artists. I mean, most people might trust such alternatives since they’re using the regular financial system. They might love solutions that knock out all the real problems they’ve dealt with efficiently plus make plenty of headway on the more rare or hypothetical risks many cryptocurrency proponents worry about all night.

                                  Save the best for last. If it’s Bitcoin, they might also want to know it’s primarily a volatile, financial instrument used for speculation instead of a stable currency they can depend on as its proponents are selling it. I know people who are day trading these things right now riding the hype waves profitably while the adopters driving them and sustaining the systems aren’t getting the much better thing people probably promised them. Many of them have also lost money they wouldn’t have lost storing currency in traditional, financial system. Looks like fraud to me.

                                  1.  

                                    The need to use as much energy as Ireland to avoid unscupulous parties screwing up a few transactions a second is one such implication. It’s a total lie since the regular, banking system prevents or catches lots of stuff like that on a daily basis. From there, I pointed out in another comment that a system using regular databases and protocols with distributed checking might take a $5 VPS or one server per participant. Those don’t take the energy of Ireland, insanely-slow transactions, or crypto magic.

                                    It sounds like you might endorse the notion that PayPal is more effective than Bitcoin. PayPal supports more transactions per second, catches a lot of fraud, supports chargebacks when fraud does happen, and doesn’t require proof-of-work – it all runs safely on PayPal’s verified servers. This is all true, and for many people PayPal is fine enough.

                                    However, the centralized nature of PayPal does have some problems. There’s always the risk of getting your account frozen, which has happened to countless people. Minecraft made too much money in 2010. Wikileaks pissed off powerful entities in 2012. Google has over 600,000 results for “paypal accounts frozen”. I hear that PayPal freezes lots of crowdfunding efforts in particular.

                                    What it comes down to is trust. If you can trust the corporate entity PayPal to expedite your transactions and send you on your way, then the status quo is fine. But if you have a problem with PayPal, or PayPal has a problem with you, then you need to find an alternative.

                                    You can see the same problem on a larger scale with the SWIFT network. Nearly every international interbank transfer takes place on SWIFT, and it works fine as long as everyone trusts each other. But if you find yourself on the wrong end of US sanctions, suddenly your banking system comes to a screeching halt. Russia, China, and Iran are all too aware of this problem and are trying to build alternatives. Russia is working on SFPS and China is building CIPS. They’re also both stockpiling gold; another asset that won’t freeze you out at a moment’s notice.

                                    Bitcoin never freezes anyone out of their funds. If you have the private key, you control the bitcoin wallet, period. It’s math, not bureaucracy.

                                    1.  

                                      “This is all true, and for many people PayPal is fine enough.” “However, the centralized nature of PayPal does have some problems”

                                      You’re almost there. The centralized solution like PayPal works really well except in well-known failure modes. SWIFT is another good example I bring up myself in these discussions as better than Bitcoin so far. There’s centralized companies, esp credit unions or nonprofits, that aren’t doing all the shady stuff PayPal does. That’s by design. There’s cooperatives leaner than Swift, too. So, the logical, first thing to explore is how to mix those protections with centralized companies like PayPal. If we do decentralized, the first thing to explore should be proven tech for centralized case with distributed checking maybe at a granularity of participating organization like with banks and SWIFT. So, so, so much more efficient to do that.

                                      Instead, cryptocurrency proponents paint a false dilemma between for-profit, greedy banks vs distributed, energy-sucking, blockchain system. It’s misleading given all the designs in between. Not to mention they seem to only focus on what for-profit, scumbag banks do instead of what centralized organizations designed for public benefit can do. A little weird to sidestep the whole concept of nonprofit, consumer-focused banks or companies, eh? It’s like they want a specific solution ahead of time looking for justifications for it instead of exploring the vast solution space trying to find what works best for most peoples’ goals.

                                      “Bitcoin never freezes anyone out of their funds. If you have the private key, you control the bitcoin wallet, period. It’s math, not bureaucracy.”

                                      You’re telling me Bitcoin ledgers, exchanges, and/or hardware can’t be blocked or made a felony in a country. I doubt that. Hell, the mining situation makes it look more like a traditional oligopoly. I can’t remember if they’re all in China or not. That would be even worse given it would be an oligopoly whose companies are under control of one government that’s not about libertarianism and greater good. There’s currently more diverse control and subversion difficulty in traditional, banking system right now if not doing business with banks that are scumbags. I’d avoid any of them on the bailout list to start with.

                                      1.  

                                        Good points all around. On second thought, what you’re describing sounds less like PayPal and more like Ripple.

                                        In May 2011, [the creators of Ripple] began developing a digital currency system in which transactions were verified by consensus among members of the network, rather than by the mining process used by bitcoin, which relies on blockchain ledgers. This new version of the Ripple system was therefore designed to eliminate bitcoin’s reliance on centralized exchanges, use less electricity than bitcoin, and perform transactions much more quickly than bitcoin.

                                        It’s targeting the interbank/SWIFT space, and purports to “do for payments what SMTP did for email”.

                              2. 7

                                there are people unwilling to change the operating model to be more efficient given the option, which is absurd

                                There are absolutely lots of these people unwilling to change the operating model to be more efficient given the option. This is why I looked for claims from reasonably noteworthy bitcoiners and not random nobodies - though the random nobodies use the same arguments, and quote the noteworthy arguments - and linked and quoted them at length to make it clear that this is not straw but actual arguments they make in real life. This is all real. I’m not sure how I could make that clearer.

                              1. 4

                                Ok, it’s time to stop developing software, get some Verilog books, and go after them coins. That’s what we need to do people. :)

                                On a serious note, one thing the author didn’t mention that might reduce barrier to entry are structured ASIC’s. They use a bit more energy, they’re a bit slower, and have much lower cost to develop/deploy. The main company doing it is eASIC with their Nextreme’s. I remember their 90nm option had prototyping of fifty to sixty grand for a pile of chips at one point. Get it working on an FPGA designed for a conversion. Then, see if they can put it on a Nextreme.

                                1. 2

                                  It’s an interesting situation. Essentially China is extracting wealth from the world with this lock on asic production (Bitmain) and cheap hydro.

                                  1. 3

                                    It’s not China, but people of influence in China who are extracting money from China (which has currency controls).

                                    The electricity is cheap because the ‘right’ people are being paid off (ever wondered how electronics ordered on Amazon, that comes from China, has zero postage?)

                                1. 1

                                  These were single-CPU machines with 500-700MHz, 64-bit MIPS processors. SGI had unique graphics and memory architecture that maximized performance while minimizing bottlenecks. You can skip to here to see how well it handles load with such a weak processor.

                                  1. 4

                                    Indeed, major cryptocurrencies like Bitcoin and Ethereum have maintained their security quite well — better, arguably, than any other digital asset/payment system in history …

                                    That’s a hell of a claim.

                                    1. 2

                                      Yeah, the MULTOS-based solutions seem to be fairing quite well. Mondex did, too, on its software and protocol assurance. The weakness was storing the value on a card with limits on tamper-resistance. There’s cryptocurrency “wallets” essentially doing the same thing with less security put into their software stacks. A few HSM’s and smartcards are also doing better on the hardware side for tamper-resistance. That different banks use different ones to check transactions within and between banks adds security through diversity.

                                      I think the claim is well-refuted between the stronger implementations of prior work and fewer known compromises.

                                    1. 3

                                      For the past few days/weeks, I’ve been piecing together a theory. We like to solve problems, but that only creates new problems. In other words, solution is just another way to spell tomorrow’s problem. Two very nice examples for my evidence bucket here.

                                      1.  
                                        1. 1

                                          “We like to solve problems, but that only creates new problems. “

                                          Not true even though it looks good on the surface. Maybe true but not as much as it seems. I’m not sure. The counter I have in mind is there’s at least two ways to solve problems:

                                          1. Use a solution that worked for something similar whose justifications/assumptions also fit the current context pretty well. Modify it carefully introducing just enough additions to get the job done.

                                          2. Use a novel idea whose potential drawbacks aren’t well-understood instead. This creates new problems at a much faster rate. The new problems can also be catastrophic.

                                          The cryptocurrency people are doing No 2 when doing No 1 makes more sense. This is also true for many crowds in tech aside from cryptocurrencies. Also, No 1 always makes more sense by default.

                                        1. 6

                                          Since I’m graduated, I have loads of free time now before starting my new job in a few weeks :)

                                          As an exercise to learn D, I’ve been working on reimplementing MPD in D (https://github.com/charles-l/mop). I am really liking it so far - I feel far more secure in the correctness of my code than with C or C++, and the compile-time code generation is the most flexible I’ve seen for a systems-level language.

                                          I’m writing some bindings for the Zumo 32u4 robot for microscheme (https://github.com/charles-l/zumo-32u4-ms), and hoping to get most of the sensors working this week.

                                          Also, I’ve been messing around with J, hoping to learn it well enough to use it sort of as a desktop calculator on steriods for writing throwaway scripts. I wrote a Kalman filter with J last week, and will probably write an Extended Kalman filter or something similar this week.

                                          I’ll probably also work a bit more on my graphics engine (https://github.com/charles-l/ugg) and possibly a new language project.

                                          1. 3

                                            All of that sounds really cool. :) On desktop calculator, anyone interested in calculators mixed with programming should check out Frink. It’s a neat, little project.

                                            1. 2

                                              Neat - I’ll definitely check out Frink if only because its unit conversion is really nice :)

                                              1. 1

                                                That’s the main reason I kept it. I was thinking having common units in mainstream languages would be a good idea. Frink would be a reference if I ever tried to add it to my own.

                                                1. 2

                                                  Here are a few other languages with support for units of measure:
                                                  F#
                                                  Swift

                                          1. 7

                                            Going meta: this is a great use of the story description to add context, thank you.

                                            1. 2

                                              Thank you! Ive tried hard to find ways to use but not abuse it.

                                            1. 11

                                              overreaching Code of Conducts.

                                              The author realizes that you don’t have to follow the code of conduct to use the software? Also 80% of the items on the freebsd code of conduct are illegal. the four that stick out to me that aren’t are these.

                                              Comments that reinforce systemic oppression related to gender, gender identity and expression, sexual orientation, disability, mental illness, neurodiversity, physical appearance, body size, age, race, or religion.

                                              Unwelcome comments regarding a person’s lifestyle choices and practices, including those related to food, health, parenting, drugs, and employment.

                                              Deliberate misgendering.

                                              Deliberate use of “dead” or rejected names.

                                              Author basically feels that if the developers can’t get intimately involved with another developer’s personal life without consent then the author does not want to use the software. Frankly it seems like you could just create a code of conduct with the line “Thinking code of conducts are bad” and you’d filter out everyone who apparently wants to get in your grill.

                                              The other rules are okayish but would rule out basically everything if applied strictly.

                                              1. 11

                                                Also 80% of the items on the freebsd code of conduct are illegal.

                                                Code’s of conduct don’t have anything to do with law, though. An organization can block your participation in it for any reason they see fit. There are restrictions for businesses and employers, but they don’t apply to open source projects.

                                                1. 17

                                                  Right and if you don’t agree with those reasons you don’t have to contribute or you can create your own organization. I was saying 80% of them are illegal to do as an individual. Sexual harassment? Stalking? Threatening? A lot of the CoC is basically just “We won’t enable your criminal behavior and allow you to use the organization as a way to find targets”. The 4 here are basically, “Don’t purposely be an asshole to other members, here are four ways of being an asshole that are explicitly not allowed.”. If you think Open Source means “I get to be a dick to other people and get away with it because it’s not a job” then you’re honestly doing more harm than good and should do something else with your life.

                                                  1. 6

                                                    Oh sorry, I misunderstood what you mean by illegal. I thought you were saying much of the CoC was illegal.

                                                    1. 14

                                                      The 4 here are basically, “Don’t purposely be an asshole to other members, here are four ways of being an asshole that are explicitly not allowed.”.

                                                      That kind of playing with definitions is one of reasons I fight broad Codes of Conduct. It’s not how they play out. Instead, those promoting or enforcing will be specific groups of people having specific, political views on everything from words to identity to societal structures, expecting the entire world to comply with those views, and punishing anyone in their immediate setting who doesn’t using whatever methods are available. Those methods range from shaming to exclusion to removing their ability to pay bills.

                                                      To me, that sounds like being assholes that shove their politics down others’ throats telling them to get lost if they don’t like it. Even more so when I see plenty of people be civil without going that far in mischaracterizing or banning other groups’ means of expressing themselves. Then, a person supporting such politics shows up saying it’s just about not being an asshole. People reading that get a different impression than “no political disagreement or differences are allowed in this list of categories whose reach increases whenever we say.” I don’t expect more honesty from most promoters about the goals since subterfuge and “end justifies the means” is the norm in that group.

                                                      1. 12

                                                        What about it shoves politics? I would think all the points I mentioned are basically apolitical. There’s no rule against “political disagreement” within the CoC. You can be super hard line conservative and still follow these rules. I’m specifically talking about the FreeBSD CoC.

                                                        1. 7

                                                          It’s not really based on “politics”, but on basic respect. If you’re a conservative who is respectful of people’s preferred names and doesn’t shit all over people because of their lifestyles, you won’t have a problem. If you’re a liberal or Leftist who is super racist, anti-Semitic (hello, tankies) or constantly judges poor people overly harshly (of which there are many), you will have one.

                                                          That said, if you feel that trans people asserting that we should be called by the names we choose for ourselves is somehow a political act, then yes, the purpose of the CoC is to “shove politics down your throat”.

                                                          1. 2

                                                            if you feel that trans people asserting that we should be called by the names we choose for ourselves is somehow a political act

                                                            Isn’t it? I have no problem with calling you as you like, really.

                                                            And I’d like it would be the common ground of our international culture.

                                                            But it is Politics. I’d argue that it’s the best expression of politics at all, as it establish a kind environment where we can confront on.

                                                            On the other hand, “keep the discourse on topic or you will be banned” should be a pretty good CoC, everywhere.

                                                            Now, if we can go off-topic, and you tell on a public space (say IRC or a mailing list) you do something I consider bad, you are engadging a discourse. You can’t say “I like eating people, cannibalism improve my health” and than invoke the CoC if anyone object.

                                                            People should understanding that speaking in public implies a will to listen.
                                                            More exactly, speaking implies a will to challenge own opinions, putting them at stake in the conversation.

                                                            If you don’t want to listen any objection, if you don’t want to change your mind, why speak in the first place?
                                                            Are you doing propaganda? Marketing? If so, you are the problem, not who engage with you.

                                                            Also, if we can go off-topic, and you tell you like to hurt your children, I’ll comment on that, whatever the CoC. After the denounce obviously, with all the reference I can get to find you (including your email, ip, os, whatever I can get through my technical knowledge and tools).

                                                            So in general, the CoC is a political tool. It could be used for good or evil.

                                                            But it doesn’t fix the lack of a democratic culture of dialoge in a community.

                                                          2. 1

                                                            Without a CoC you are at the mercy of the hidden political views of the project owners. Their decisions to ban start looking arbitrary. Either way, you deal with political views. Wouldn’t you prefer to know what they are before engaging? Worst would be spending a lot of your time on a project only to find out you get banned because you said something that was in disagreement with the owners of the project.

                                                      2. 14

                                                        They are too broad (e.g. large swaths of the population would violate it by with their daily interactions), which puts selective enforcement at charge. If its selective enforcement, then its just an power instrument with the rule makers at the power end, even if the contents of the CoC are all well-meaned and good in their intentions.

                                                        Its not directly about the contents of the CoC, its about taking peoples moral autonomy.

                                                        1. 12

                                                          I think it’s reasonable to treat open source work within an organization with the same level of respect and dignity that you would expect from a job. You could get fired at a job for nearly every one of these. Using dead names even, if an employee asks you to stop and you don’t and they file a complaint against HR, HR might decide that you’re creating a hostile work environment for basically no reason. Most people don’t get fired for misconduct, so I’m going to actually say that you can’t possibly be right about that claim.

                                                          Keep in mind that the responses are

                                                          A private reprimand from the working group to the individual(s) involved.

                                                          A public reprimand.

                                                          An imposed vacation from FreeBSD Project controlled spaces (e.g. asking someone to “take a week off” from a mailing list or IRC).

                                                          A permanent or temporary ban from some or all FreeBSD Project controlled spaces (events, meetings, mailing lists, IRC, etc.)

                                                          A request for a public or private apology.

                                                          A request to engage in mediation and/or an accountability plan.

                                                          These aren’t that extreme. Sure you can be banned but that can happen in any OSS project where they can say “We won’t accept pull requests from dirt bags like you.”. In this case the things you can do wrong are at least actually laid out so that you know what behaviors to avoid and which ones to follow.

                                                          1. 16

                                                            Still, the CoC assumes moral authority over me, which is an no-go for freedom lovers and hackers like me. That people like you don’t exercise their own moral autonomy and fail to understand that others do (with different results) is the reason why CoC create unnecessary controversy and drama.

                                                            And yes, the FreeBSD CoC makes me feel violated in my moral autonomy, and yes, the FreeBSD CoC embodies political views i do not share.

                                                            1. 9

                                                              A CoC has no moral authority and frankly morality isn’t even a real thing. It’s merely a set of rules that people who work together have agreed to follow while working together. You don’t have to work with them and you don’t have to use their software, but since you wanted to be on record disagreeing, I wanted to be on record agreeing with CoC and why I feel the way I do.

                                                              1. 4

                                                                Again, this is a strong pro-CoC statement. If they are successful in excluding people like you, they are working as intended.

                                                                1. 10

                                                                  I was hoping to keep things civil. Perhaps there’s a more generous way you could phrase this?

                                                                  1. 5

                                                                    Not really, given that the author has emphatically stated their disagreement with either the values motivating the rules, or the rules themselves. Regardless, such a person is a real risk to the health of the community, and it’s nice that there’s such an effective repellent.

                                                                    1. 18

                                                                      I’m honest about not being a feminist. I consider the concept of gender harmful (from an philosophical standpoint), but people like you seem seem convinced that not sharing your point on that makes me an bad person.

                                                                      But thanks for determining i’m a hazard to community, it surely helped me to recognize the superiority of your standpoint.

                                                                      1. 7

                                                                        By “considering the concept of gender harmful” you are willfully ignorant to the way that society works and by effect you are a part of the problem creating inequality and fostering an environment where harassment and hate crimes can thrive.

                                                                        You don’t get to invent your own reality and pretend this one doesn’t exist.

                                                                        1. 16

                                                                          Yeah also you can consider gender harmful without refusing to respect how other people would like to be referred to. For example I will now out of respect for your disdain for the concept of gender refer to you strictly in non-gendered nouns. Notice how I disagreed with your viewpoint but didn’t invalidate your identity.

                                                                        2. 1

                                                                          I don’t care about your honesty. I don’t care to have you recognize the superiority of my viewpoint; I know nothing I can say will sway you. I care to prevent you from contaminating the spaces I care about.

                                                                          1. 22

                                                                            You’ve and @liwakura have both explained well how you differ fundamentally, and I appreciate that. This comment is pulling that discussion into a dark place, please don’t continue on this theme casting someone as an unredeemable danger who must be eradicated. Lobsters is not good at being “Tinder, but for finding a nemesis”.

                                                                          2. 2

                                                                            You don’t fight the concept of gender by standing on the sidelines watching those that do have the concept of gender dominate half the population. Just because you believe there isn’t gender, doesn’t mean people who consider themselves women aren’t getting the short end of the stick in our society.

                                                                          3. 3

                                                                            thanks, that’s much clearer. :)

                                                                    2. 6

                                                                      You could get fired at a job for nearly every one of these.

                                                                      Depends on the job. Many employers won’t punish people who have political differences. Especially in Mid-South where we’re quite a diverse bunch of liberals, conservatives, white, black, latino, etc. The rule is that we either avoid those topics entirely to keep things civil or you better be able to take the kind of discussion you were dishing out. Essentially, we recognize those claiming disagreement is “offensive” to just be silencing their opposition. They’re trying to attack and control the other person. People still try that but don’t get far.

                                                                      So, in such a truly, inclusive environment, people will be saying things that bother others since there’s conflict on a deep level. My relatives and I have worked in many such places. They’ll have heated arguments sometimes. It almost always ends up “agree to disagree” with them making up for it being nice to each other later. Sometimes people figure out who each other are underneath, permanently dislike each other, work together just enough to get the job done, and avoid one another otherwise.

                                                                      People almost never quit over this sort of thing. It’s also not what most gripe about. Those griping or quitting over assholes bring up people who folks in every group agree are assholes. We wouldn’t need a CoC to deal with them. Just decent managers or owners that respond to employee complaints. If managers or owners aren’t decent, then no policies or CoC’s are going to make the work environment better.

                                                                      1. 13

                                                                        I really don’t understand how you got this from the CoC mentioned. There is no rule in the CoC that you must conform politically. I would be very shocked to hear that the entire FreeBSD team is not conservative. The rule is merely that you treat other people with dignity. I live in the south and every single one of my workplaces would fit this CoC save for maybe the rules around transgendered folks. Frankly even when I was a deeply religious and hardline conservative I would have no trouble following these rules. I never treated anyone less than human because they had different views than me. Furthermore that “rule” you gave is a kind of CoC and CoC’s matter once the size of the organization grows. Its very easy to fall into a tyranny of structurelessness as an organization gets larger. This is because nobody can agree on what is right or wrong or what the response should be to a problem. By having a CoC you can agree as an org what actions are against the group and what a good response looks like. If you don’t have any response strategy mob mentality kicks in and things can escalate to threats and violence. After all if someone is a huge asshole and nobody is doing anything about it it would seem natural to find a way to make them stop.

                                                                        Frankly there’s nothing in this CoC that has any bias against conservatives whatsoever. Nothing in the CoC says you have to be a liberal, and it specifically protects people from false claims. Your micro-CoC actually fails to protect individuals from false claims.

                                                                        Publication of non-harassing private communication without consent.

                                                                        Publication of non-harassing private communication with consent but in a way that intentionally misrepresents the communication (e.g., removes context that changes the meaning).

                                                                        Knowingly making harmful false claims about a person.

                                                                        1. 11

                                                                          Depends on the job. Many employers won’t punish people who have political differences.

                                                                          This is such a disingenuous frame shift of the issue that it invalidates everything else about your argument. Being respectful is not political. Enforcing consent in interactions is not political. Being gay or tolerant of same is not political. Asserting that any effort to shift culture away from the status quo is an out-of-bounds “political” act is a cowardly way to attempt to silence those that you disagree with. You are personally guilty, to an incredibly advanced degree, of every evil thing you claim to be against.

                                                                          “Politics” is the process by which humans come to consensus for shared interests. Shitting on the less powerful and providing moral or intellectual cover for those that seek to do the same is not politics; it’s craven thuggery disguised as keeping things peaceful.

                                                                          1. 1

                                                                            Politics is whatever action affects the polis, and by extension any group of humans.

                                                                            Thus being respectful is political.
                                                                            Enforcing consent in interactions is political.
                                                                            Being tolerant of anything is political.

                                                                            In Italy we have the same kind of differences that @nickpsecurity describes, and we are used to joke about our differences a lot. And we debate harshly about many things, but usually these debates grow our relations.

                                                                            As an example, I had a girlfriend that was a deeply religious Catholic when I was atheist (and rather angry at Church). And we talked a lot about religion and politics back then, without that affecting negatively the relation.

                                                                            One of the best engineer I worked with voted for the worst political party we had in Italy for decades. I had the opposite view. We debated a lot. We debated so much about politics that when we had to design a framework together to under a huge pressure, we keep debating with the same style. And after 10 years in production, the framework still rocks the customers are satisfied and we can’t find anything remotely on par with it around.
                                                                            Why? Because we were used to listen deeply and respectfully the other’s opinion.

                                                                            1. 2

                                                                              I grant that being tolerant is political, and so it follows that everything is political. Which means that my point is still relevant: it’s disingenuous to dismiss concerns about behavior as “political”, as though that made it irrelevant.

                                                                              In Italy, you are allowed to have those debates because the stakes are much lower: you’re less likely to die from poverty, your livelihood is less contingent upon social approval, etc.

                                                                              In the United States, it’s not like that. If you lose your job, you could die. If you are systematically excluded from high-paying industries, like digital technology, your quality of life massively suffers in comparison to those who are welcomed by that industry. All policies must be considered in the context of an entrenched and reactionary old guard that dominates all other effects. Any overt attempt to improve the lives of the marginalized is treated as a threat to the old order, and rightfully so. The stakes are literally life and death.

                                                                              Mr. P. Security doesn’t work in the the industry, and largely speaks from a position of willful ignorance about these issues.

                                                                              1. 1

                                                                                In Italy, you are allowed to have those debates because the stakes are much lower

                                                                                I do not know United States enough for a comparison, but sadly we have poverty here too. Our livelihood is not based on social approval, but it’s often strongly based on social relationships.

                                                                                We just know we are all on the same boat.

                                                                                So I don’t know if we are free to talk because we have lower stakes, or we have lower stakes because we are free to talk.

                                                                                In any case, an international project should not be ruled according to the issues of a single country.

                                                                                1. 1

                                                                                  In any case, an international project should not be ruled according to the issues of a single country.

                                                                                  I don’t understand what this is in reference to, or what it could possibly mean in terms of what kind of governance structure or details. I was pointing out that there are cultural differences that make it easier or harder for people who are forced together to have disagreements about their values, or be able to set aside those differences in order to do something together.

                                                                          2. 10

                                                                            The CoC is about civility, not politics. And I can’t believe you don’t know that. So what is your purpose? Are you standing up for the right to humiliate people or be rude to them? That’s a principle for you?

                                                                            1. 0

                                                                              Just decent managers or owners that respond to employee complaints…

                                                                              Poor employees, at the mercy of their benevolent dictators.

                                                                          3. 3

                                                                            Wait, you believe without a CoC, owners of a project have less power? An owner of a project already has views of what kind of behavior they think is good and what they think is bad. If they don’t write it down in CoC, you are still at their mercy, but now you have to guess what the hell they are thinking.

                                                                            I’m not sure how a CoC increases any power they already have. You still don’t have moral agency because we live in a society where there are owners and non-owners. There is still a power differential. If you want democratic rule, then you need to fight against ownership by paper.

                                                                            1. 2

                                                                              Even without a CoC the project owners selectively enforce hidden rules. I’m not sure how making the rules hidden is better than making them explicit.

                                                                          1. 1

                                                                            The fact that they’re already using continuous operations gives me an project idea for whoever wants to one-up it. They could build it as a dedicated, analog computer. The game doesn’t have a lot of functions or value range either. Should make it easier. It will then run this in real time on real values using hardly any circuitry or watts. Could even be turned into a toy appliance if combined with a screen. Something to look at like the old, lava lamps.

                                                                            1. 3

                                                                              An analog electronic computer can model small (whole!) numbers of continuous variables and relations between them, but I’ve never seen one that can actually model a continuous space of variable points. For that we’d use real chemistry: the most famous are the B-Z reactions, but the generic term is reaction-diffusion system. Of course, the chemicals are made up of discrete molecules, but their motion is continuous at least down to the Planck length!

                                                                              This Python thing isn’t properly continuous either, of course: it’s using floating point numbers for the values, and a numpy mrange for a 2D cell grid. The neighborhoods are circular discs which cover a relatively high number of cells, thereby approximating a continuous space. It’s a little ironic, because Conway explicitly described Life as a discretization of a differential equation system.

                                                                              If you think this stuff is cool, check out some of the work on “artificial chemistry” systems composed of discrete particles which move and interact in a continuous space. My personal favorite examples are from Sayama’s “swarm chemistry” experiments, but I haven’t really kept up with the field.

                                                                              1. 2

                                                                                Great video. They take on an organic look reminiscent of cells combining and dividing.

                                                                              1. 12

                                                                                When people tell me to stop using the only cryptosystem in existence that has ever - per the Snowden leaks - successfully resisted the attentions of the NSA, I get suspicious, even hostile. It’s triply frustrating when, at the end of the linked rant, they actually recognize that PGP isn’t the problem:

                                                                                It also bears noting that many of the issues above could, in principle at least, be addressed within the confines of the OpenPGP format. Indeed, if you view ‘PGP’ to mean nothing more than the OpenPGP transport, a lot of the above seems easy to fix — with the exception of forward secrecy, which really does seem hard to add without some serious hacks. But in practice, this is rarely all that people mean when they implement ‘PGP’.

                                                                                There is a lot wrong with the GPG implementation and a lot more wrong with how mail clients integrate it. Why would someone who recognises that PGP is a matter of identity for many of its users go out of their way to express their very genuine criticisms as an attack on PGP? If half the effort that went into pushing Signal was put into a good implementation of OpenPGP following cryptographic best practices (which GPG is painfully unwilling to be), we’d have something that would make everyone better off. Instead these people make it weirdly specific about Signal, forcing me to choose between “PGP” and a partially-closed-source centralised system, a choice that’s only ever going to go one way.

                                                                                1. 9

                                                                                  I am deeply concerned about the push towards Signal. I am not a cryptographer, so all I can do is trust other people that the crypto is sound, but as we all know, the problems with crypto systems are rarely in the crypto layers.

                                                                                  On one hand we know that PGP works, on the other hand we have had two game over vulnerabilities in Signal THIS WEEK. And the last Signal problem was very similar to the one in “not-really-PGP” in that the Signal app passed untrusted HTML to the browser engine.

                                                                                  If I were a government trying to subvert secure communications, investing in Signal and tarnishing PGP is what I would try to do. What better strategy than to push everyone towards closed systems where you can’t even see the binaries, and that are not under the user’s control. The exact same devices with GPS and under constant surveilance.

                                                                                  My mobile phone might have much better security mechanisms in theory, but I will never know for sure because neither I, nor anyone else can really check. In the meantime we know for sure what a privacy disaster these mobile phones are. We also know for sure the the various leaks that government implant malware on mobile devices, and we know that both manufacturers and carriers can install software, or updates, on devices without user consent.

                                                                                  Whatever the PGP replacement might be, moving to the closed systems that are completely unauditable and not under the user’s control is not the solution. I am not surprised that some people advocate for this option. What I find totally insane is that a good majority of the tech world finds this position sensible. Just find any Hacker News thread and you will see that any criticism towards Signal is downvoted to oblivion, while the voices of “experts” preach PGP hysteria.

                                                                                  PGP will never be used by ordinary people. It’s too clunky for that. But it’s used by some people very successfully, and if you try to dissuade this small, but very important group of people to move towards your “solution”, I can only suspect foul play. Signal does not compete with PGP. It’s a phone chat app. As Signal does not compete with PGP, why do you have to spend all this insane ammount of effort to convince an insignificant amount of people to drop PGP for Signal?

                                                                                  1. 4

                                                                                    I can’t for the life of me imagine why a CIA-covert-psyops-agency funded walled garden service would want to push people away from open standards to their walled garden service.

                                                                                    Don’t get me wrong, Signal does a lot of the right things but a lot of claims are made about it implying it’s as open as PGP, which it isn’t.

                                                                                    1. 2

                                                                                      What makes Signal a closed system?

                                                                                      https://github.com/signalapp

                                                                                      1. 12

                                                                                        Not Signal, iOS and Android, and all the secret operating systems that run underneath.

                                                                                        As for Signal itself, moxie forced F-Droid to take down Signal, because he didn’t want other people to compile Signal. He said he wanted people only to use his binaries, which even if you are ok with in principle, on Android it mandates the use of the Google Play Store. If this is not a dick move, I don’t know what is.

                                                                                        1. 3

                                                                                          I’m with you on Android and especially iOS being problematic. That being said, Signal has been available without Google Play Services for a while now. See also the download page; I couldn’t find it linked anywhere on the site but it is there.

                                                                                          However, we investigated this for PRISM Break, and it turns out that there’s a single Google binary embedded in the APK I just linked to. Which is unfortunate. See this GitHub comment.

                                                                                          1. 2

                                                                                            because he didn’t want other people to compile Signal. He said he wanted people only to use his binaries

                                                                                            Ehm… he chose the wrong license in this case.

                                                                                      2. 4

                                                                                        As I understand it, the case against PGP is not with PGP in and of itself (the cryptography is good), but the ecosystem. That is, the toolchain in which one uses it. Because it is advocated for use in email and securing email, it is argued, is nigh on impossible, then it is irresponsible to recommend using PGP encrypted email for general consumption, especially for journalists.

                                                                                        That is, while it is possible to use PGP via email effectively, it is incredibly difficult and error-prone. These are not qualities one wants in a secure system and thus, it should be avoided.

                                                                                        1. 4

                                                                                          But the cryptographyisn’t good. His case in the blog post is intentionally besides all of the crypto badness.example: the standard doesn’t allow any other hash function than sha1, which has been proven broken. The protocol itself disallows flexibility here to avoid ambiguity and that means there is no way to change it significantly without breaking compatibility.

                                                                                          And so far, it seems, people wanted compatibility (or switched to something else, like Signal)

                                                                                        2. 4

                                                                                          Until this better implementation appears, an abstract recommendation for PGP is a concrete recommendation for GPG.

                                                                                          Imagine if half the effort spent saying PGP is just fine went into making PGP just fine.

                                                                                          1. 2

                                                                                            I guess that’s an invitation to push https://autocrypt.org/

                                                                                          2. 3

                                                                                            When people tell me to stop using the only cryptosystem in existence that has ever - per the Snowden leaks - successfully resisted the attentions of the NSA, I get suspicious, even hostile.

                                                                                            Without wanting to sound rude, this is discussed in the article:

                                                                                            The fact of the matter is that OpenPGP is not really a cryptography project. That is, it’s not held together by cryptography. It’s held together by backwards-compatibility and (increasingly) a kind of an obsession with the idea of PGP as an end in and of itself, rather than as a means to actually make end-users more secure.

                                                                                            OpenPGP might have resisted the NSA, but that’s not a unique property. Every modern encryption tool or standard has to do that or it is considered broken.

                                                                                            I think most people unless they are heavily involved in security research don’t know how encrytion/auth/integrity protection are layered. There are a lot of layers in what people just want to call “encryption”. OpenPGP uses the same standard crypto building blocks as everything else and unfortunately putting those lower level primitives together is fiendishly difficult. Life also went on since OpenPGP was created meaning that those building blocks and how to put them together changed in the last few decades, cryptographers learned a lot.

                                                                                            One of the most important things that cryptographers learned is that the entire ecosystem / the system as a whole counts. Even Snowden was talking about this when he said that the NSA just attacks the endpoints, where most of the attack surface is. So while the cryptography bits in the core of the OpenPGP standard are safe, if dated, that’s not the point. Reasonable people can’t really use PGP safely because we would have to have a library that implements the dated OpenPGP standard in a modern way, clients that interface with that modern library in a safe and thought-through way and users that know enough about the system to satisfy it’s safety requirements (which are large for OpenPGP)

                                                                                            Part of that is attitude, most of the existing projects for implementing the standard just don’t seem to take a security-first stance. Who is really looking towards providing a secure overall experience to users under OpenPGP? Certainly not the projects bickering where to attribute blame.

                                                                                            I think people kept contrasting this with Signal because Signal gets a lot of things right in contrast. The protocol is modern and it’s not impossibly demanding on users (ratcheting key rotation, anyone?), there is no security blame game between Signal the desktop app vs signal the mobile app vs the protocol when a security vulnerability happens, OWS just fixes it with little drama. Of course Signal-the-app has downsides too, like the centralization, however that seems like a reasonable choice. I’d rather have a clean protocol operating through a central server that most people can use than an unuseable (from the pov of most users) standard/protocol. We’re not there yet where we can have all of decentralization, security and ease of use.

                                                                                            1. 2

                                                                                              OpenPGP might have resisted the NSA, but that’s not a unique property. Every modern encryption tool or standard has to do that or it is considered broken.

                                                                                              One assumes the NSA has backdoors in iOS, Google Play Services, and the binary builds of Signal (and any other major closed-source crypto tool, at least those distributed from the US) - there’s no countermeasure and virtually no downside, so why wouldn’t they?

                                                                                              there is no security blame game between Signal the desktop app vs signal the mobile app vs the protocol when a security vulnerability happens, OWS just fixes it with little drama.

                                                                                              Not really the response I’ve seen to their recent desktop-only vulnerability, though I do agree with you in principle.

                                                                                              1. 3

                                                                                                Signal Android has been reproducible for over two years now. What I don’t know is whether anyone has independently verified that it can be reproduced. I also don’t know whether the “remaining work” in that post was ever addressed.

                                                                                                1. 2

                                                                                                  The process of verifying a build can be done through a Docker image containing an Android build environment that we’ve published.

                                                                                                  Doesn’t such process assume trust on who created the image (and on who created each of layers it was based on)?

                                                                                                  A genuine question, as I see the convenience of Docker and how it could lead to more verifications, but on the other hand it create a single point of failure easier to attack.

                                                                                                  1. 1

                                                                                                    That question of trust is the reason why, if you’re forced to use Docker, build every layer for yourself from the most trustworthy sources. It isn’t even hard.

                                                                                            2. 1

                                                                                              the only cryptosystem in existence that has ever - per the Snowden leaks - successfully resisted the attentions of the NSA

                                                                                              I’m pretty ignorant on this matter, but do you have any link to share?

                                                                                              There is a lot wrong with the GPG implementation

                                                                                              Actually, I’d like to read the opinion of GPG developers here, too.

                                                                                              Everyone makes mistakes, but I’m pretty curious about the technical allegations: it seems like they did not considered the issue to be fixed in their own code.

                                                                                              This might have pretty good security reasons.

                                                                                              1. 3

                                                                                                To start with, you can’t trust the closed-source providers since the NSA and GHCQ are throwing $200+ million at both finding 0-days and paying them to put backdoors in. Covered here. From there, you have to assess open-source solutions. There’s a lot of ways to do that. However, the NSA sort of did it for us in slides where GPG and Truecrypt were worst things for them to run into. Snowden said GPG works, too. He’d know given he had access to everything they had that worked and didn’t. He used GPG and Truecrypt. NSA had to either ignore those people or forward them to TAO for targeted attack on browser, OS, hardware, etc. The targeted attack group only has so much personnel and time. So, this is a huge increase in security.

                                                                                                I always say that what stops NSA should be good enough to stop the majority of black hats. So, keep using and improving what is a known-good approach. I further limit risk by just GPG-encrypting text or zip files that I send/receive over untrusted transports using strong algorithms. I exchange the keys manually. That means I’m down to trusting the implementation of just a few commands. Securing GPG in my use-case would mean stripping out anything I don’t need (most of GPG) followed by hardening the remaining code manually or through automated means. It’s a much smaller problem than clean-slate, GUI-using, encrypted sharing of various media. Zip can encode anything. Give the files boring names, too. Untrusted, email provider is Swiss in case that buys anything on any type of attacker.

                                                                                                Far as the leaks, I had a really-hard time getting you the NSA slides. Searching with specific terms in either DuckDuckGo or Google used to take me right to them. They don’t anymore. I’ve had to fight with them narrowing terms down with quotes trying to find any Snowden slides, much less the good ones. I’m getting Naked Security, FramaSoft, pharma spam, etc even on p 2 and 3 but not Snowden slides past a few, recurring ones. Even mandating the Guardian in terms often didn’t produce more than one, Guardian link. Really weird that both engines’ algorithms are suppressing all the important stuff despite really-focused searches. Although I’m not going conspiracy hat yet, the relative-inaccuracy of Google’s results compared to about any other search I’ve done over past year for both historical and current material is a bit worrying. Usually excellent accuracy.

                                                                                                NSA Facts is still up if you want the big picture about their spying activities. Ok, after spending an hour, I’m going to have to settle for giving you this presentation calling TAILS or Truecrypt catastrophic loss of intelligence. TAILS was probably temporary but the TrueCrypt derivatives are worth investing effort in. Anyone else have a link to the GPG slide(s)? @4ad? I’m going to try to dig it all up out of old browser or Schneier conversations in near future. Need at least those slides so people knows what was NSA-proof at the time.

                                                                                                1. 2

                                                                                                  Why would TAILS be temporary? If anything this era of cheap devices makes it more practical than ever.

                                                                                                  1. 3

                                                                                                    It was secure at the time since either mass collection or TAO teams couldnt hack it. Hacking it requires one or more vulnerabilities in the software it runs. The TAILS software includes complex software such as Linux and a browser with history of vulnerabilities. We should assume that was temporary and/or would disappear if usage went up enough to budget more attacks its way.

                                                                                                    1. 2

                                                                                                      I’d still trust it more than TrueCrypt just due to being open-source.

                                                                                                      What would it take to make an adequate replacement for TAILS? I’m guessing some kind of unikernel? Are there any efforts in that direction?

                                                                                                      1. 1

                                                                                                        Well, you have to look at the various methods of attack to assess this:

                                                                                                        1. Mass surveillance attempting to read traffic through protocol weaknesses with or without a MITM. They keep finding these in Tor.

                                                                                                        2. Attacks on the implementation of Tor, the browser, or other apps. These are plentiful since it’s mostly written in non-memory safe way. Also, having no covert, channel analysis on components processing secrets means there’s probably plenty of side channels. There’s also increasingly new attacks on hardware with a network-oriented one even being published.

                                                                                                        3. Attacks on the repo or otherwise MITMing the binaries. I don’t think most people are checking for that. The few that do would make attackers cautious about being discovered. A deniable way to see who is who might be a bitflip or two that would cause the security check to fail. Put it in random, non-critical spots to make it look like an accident during transport. Whoever re-downloads doesn’t get hit with the actual attack.

                                                                                                        So, the OS and apps have to be secure with some containment mechanisms for any failures. The protocol has to work. These must be checked against any subversions in the repo or during transport. All this together in a LiveCD. I think it’s doable minus the anonymity protocol working which I don’t trust. So, I’ve usually recommended dedicated computers bought with cash (esp netbooks), WiFi’s, cantennas, getting used to human patterns in those areas, and spots with minimal camera coverage. You can add Tor on top of it but NSA focuses on that traffic. They probably don’t pay attention to average person on WiFi using generic sites over HTTPS.

                                                                                                        1. 1

                                                                                                          Sure. My question was more: does a live CD project with that kind of aim exist? @josuah mentioned heads which at least avoids the regression of bringing in systemd, but doesn’t really improve over classic tails in terms of not relying on linux or a browser.

                                                                                                          1. 2

                                                                                                            An old one named Anonym.OS was an OpenBSD-based, Live CD. That would’ve been better on code injection front at least. I don’t know of any current offerings. I just assume they’ll be compromised.

                                                                                                        2. 1

                                                                                                          I think it is the reason why https://heads.dyne.org/ have been made: Replacing the complex software stack with a simpler one with aim to avoid security risks.

                                                                                                          1. 1

                                                                                                            Hmm. That’s a small start, but still running Linux (and with a non-mainstream patchset even), I don’t think it answers the core criticism.

                                                                                                    2. 2

                                                                                                      Thanks for this great answer.

                                                                                                      Really weird that both engines’ algorithms are suppressing all the important stuff despite really-focused searches.

                                                                                                      If you can share a few of your search terms I guess that a few friends would find them pretty interesting, with their research.

                                                                                                      For sure this teach us a valuable lesson. The web is not a reliable medium for free speech.

                                                                                                      From now on, I will download from the internet interesting documents about such topics and donate them (with other more neutral dvds) to small public libraries around the Europe.

                                                                                                      I guess that slowly, people will go back to librarians if search engines don’t search carefully enough anymore.

                                                                                                      1. 2

                                                                                                        It was variations, with and without quotes, on terms I saw in the early reports. They included GPG, PGP, Truecrypt, Guard, Documents, Leaked, Snowden, and catastrophic. I at least found that one report that mentions it in combination with other things. I also found, but didn’t post, a PGP intercept that was highly-classified but said they couldn’t decrypt it. Finally, Snowden kept maintaining good encryption worked with GPG being one he used personally.

                                                                                                        So, we have what we need to know. From there, just need to make the programs we know work more usable and memory safe.

                                                                                                1. 2

                                                                                                  How much traffic on average does each Netty node process? Kind of interesting that you can get the kind of performance you need out of a JVM app, but I suppose the secret is scale, not individual node throughput.

                                                                                                  1. 2

                                                                                                    The way we run it isn’t necessarily indicative of how performant the OSS core version is. We’ve added a ton of stuff to it like hashing, encryption, decryption, auth, metrics, geo etc. that makes us heavily CPU-bound. In terms of performance on the JVM, Netty is really good. They go to great lengths to limit the creation of garbage and use native bindings to optimize moving byte buffers around.

                                                                                                    Generally you are correct though, it’s not about individual nodes, it’s about fleet size. We tend to favor running more, smaller nodes than few large ones. This lessens the impact of any single node failing and allows us to do incremental rollouts to test new features (i.e. canary testing).

                                                                                                    1. 3

                                                                                                      Very cool, thanks!

                                                                                                      Always makes me laugh when I hear hipsters bemoaning the death of Java, they get so incredulous when you mention that it’s still running everywhere doing mission critical work and shows no signs of slowing up anytime soon.

                                                                                                      1. 2

                                                                                                        The local, grocery chain just upgraded to touch screens from their DOS-looking stuff. The menu’s have little coffee icons on top of a weird UI. Gotta be a Java app with its non-native GUI. Most of the jobs out in my area similarly are asking for C# or Java. Stuff is everywhere.

                                                                                                        1. 3

                                                                                                          Gotta be a Java app with its non-native GUI

                                                                                                          I am always baffled by these comments. We are living in a world where almost everything is a web-app (chat, email, documents, wikis, sales processes whatnot) and they all look totally different. Nobody seems to care there.

                                                                                                          1. 2

                                                                                                            On desktop, we should do better, expected better, and we used to be better. But I guess Swing begets Electron in the end…

                                                                                                  1. 4

                                                                                                    My first sysadmin job ever started out by hauling these beasts into our store room so they could be sent off for scrap, as all the developers were getting PCs running Franz Lisp insted.

                                                                                                    Kinda makes me sad that all of this is still proprietary as hell. Would love to see them do a ‘hobbyist license’ like DEC -> HP do with VMS so people who want to could play with it legally.

                                                                                                    There was a VMWare appliance floating around the warez sites a while back, but I’ve reached a point in my life where stealing software isn’t something I’m particularly wild about.

                                                                                                    Genera’s “You have crashed to firmware” message is still my all time favorite OS crash error: “You are lost in a maze of twisty little passages, all alike” or similar :)

                                                                                                    1. 3

                                                                                                      There are some articles floating around on getting Genera or OpenGenera to run on Linux. This article was the last one I saw. I did just find this one. There’s also a Youtube video but it was pretty long with a lot of steps. Just skimmed it to see the author had Genera running. Lot of steps, though, so can’t say how much value it has.

                                                                                                      Always seemed like Genera could use a pre-packaged and mostly-set-up VM. There’s at least Movitz now if anyone wants a modern, building block.

                                                                                                      1. 1

                                                                                                        That is exactly the pirate distro I was referring to. It’s actually OpenGenera running on Alpha Linux.

                                                                                                    1. 10

                                                                                                      (Warning: not an embedded guy but read embedded articles. I could be really wrong here.)

                                                                                                      “This big push is causing a vacuum in which companies can’t find enough embedded software engineers. Instead of training new engineers, they are starting to rely on application developers, who have experience with Windows applications or mobile devices, to develop their real-time embedded software.”

                                                                                                      I don’t know. I was looking at the surveys that Jack Ganssle posts. They seem to indicate that the current embedded developers are expected to just pick up these new skills like they did everything else. They also indicate they are picking up these skills since using C with a USB library or something on Windows/Linux isn’t nearly as hard as low-level C and assembly stuff on custom I/O they’ve been doing. I’m sure there’s many companies that are either new not knowing how to find talent or established wanting to go cheap either of whom may hire non-embedded people trying to get them to do embedded-style work with big, expensive platforms.

                                                                                                      I think author is still overselling the draught of engineers given all the products coming out constantly indicate there’s enough to make them. Plus, many features the engineers will need are being turned into 3rd party solutions you can plug in followed by some integration work. That will help a little.

                                                                                                      “developers used “simple” 8-bit or 16-bit architectures that a developer could master over the course of several months during a development cycle. Over the past several years, many teams have moved to more complex 32-bit architectures.”

                                                                                                      The developers used 8-16 bit architectures for low cost, sometimes pennies or a few bucks a chip. They used them for simplicity/reliability. Embedded people tell me some of the ISA’s are easy enough for even assembly coding stuff to be productive on kinds of systems they’re used in. Others tell me the proprietary compilers can suck so bad they have to look at assembly of their C anyway to spot problems. Also, stuff like WCET analysis. The 8-16-bitters also often come with better I/O options or something per some engineers’ statements. The 32-bit cores are increasing in number displacing some 8-16 bit MCU’s market share, though. This is happening.

                                                                                                      However, a huge chunk of embedded industry is cost sensitive. There will be for quite a while a market for 8-bitters that can add several dollars to tens of dollars of profit per unit to a company’s line. There will always be a need to program them. If anything, I’m banking on RISC-V (32-bit MCU) or J2 (SuperH) style designs with no royalties being those most likely to kill most of the market in conjunction with ARM’s MCU’s. They’re tiny, cheap, and might replace the MIPS or ARM chips in portfolios of main MCU vendors. More likely supplement. This would especially be true if more were putting the 32-bit MCU’s on cutting-edge nodes to make the processor, ROM, and RAM’s cheap as 8-bitters. We’re already seeing some of that. The final advantage on that note of 8-16 bitters is they can be cheap on old process nodes that are also cheap to develop SOC’s on, do analog better, and do RF well enough. As in, 8-16-bit market uses that to create huge variety of SoC-based solutions customized to the market’s needs since the NRE isn’t as high as 28-45nm that 32-bits might need to target. They’ve been doing that a long time.

                                                                                                      Note to embedded or hardware people: feel free to correct anything I’m getting wrong. I’ve just been reading up on the industry a lot to understand it better for promoting open or secure hardware.

                                                                                                      1. 3

                                                                                                        nit: s/draught/drought

                                                                                                        1. 2

                                                                                                          Was just about to post the same thing. I don’t normally do typo corrections, but that one really confused me. :)

                                                                                                        2. 2

                                                                                                          Yup. Jack Gannsle is always a good read. I highly recommend anyone interested in embedded systems subscribing to his Embedded Muse news letter.

                                                                                                          Whether the Open Cores will beat ARM? Hmm. Arm has such a strangle hold on the industry it’s hard to see it happen…. on the other hand Arm has this vast pile of legacy cruft inside it now, so I don’t know what the longer term will be. (Don’t like your endianess, toggle that bit and you have another, want a hardware implemented java byte code, well there is something sort of like that available, …..)

                                                                                                          Compilers? It’s hard to beat gcc, and that is no accident. A couple of years ago Arm committed to make gcc as performant as their own compiler. Why? Because the larger software ecosystem around gcc sold more Arms.

                                                                                                          However, a huge chunk of embedded industry is cost sensitive.

                                                                                                          We will always be pushed to make things faster, cheaper, mechanically smaller, longer battery life,….. If read some of what Gannsle has being writing about the ultra-low power stuff, it’s crazy.

                                                                                                          Conversely we’re also always being push for more functionality, everybody walks around with a smartphone in their pocket.

                                                                                                          The base expectation these days a smartphone size / UI/ functionality / price / battery life ….. which is all incredibly hard to achieve if you aren’t shipping at least a 100000 units…

                                                                                                          So while universities crank out developers who understand machine vision, machine learning, and many other cutting-edge research areas, the question we might want to be asking is, “Where are we going to get the next generation of embedded software engineers?”

                                                                                                          Same place we always did. The older generation were a rag tag collection of h/w engineers, software guys, old time mainframers, whoever was always ready to learn more, and more, and more…

                                                                                                          1. 1

                                                                                                            This week’s Embedded Muse addresses this exact article. Jack seems to agree with my position that the article way overstates things. He says the field will be mixed between the kinds we have now and those very far from the hardware. He makes this point:

                                                                                                            “Digi-Key current lists 72,000 distinct part numbers for MCUs. 64,000 of those have under 1MB of program memory. 30,000 have 32KB of program memory or less. The demand for small amounts of intelligent electronics, programmed at a low level, is overwhelming. I don’t see that changing for a very long time, if ever.”

                                                                                                            The architecture, cost, etc might change. There will still be tiny MCU’s/CPU’s for those wanting lowest watts or cost. And they’ll need special types of engineers to program them. :)

                                                                                                            1. 1

                                                                                                              Thanks for the inside view. Other thing about Jack is he’s also a nice guy. Always responds to emails about embedded topics or the newsletter, too.