1. 2

    I wonder if the FCC’s ruling on one-touch make-ready would’ve been helpful for the author. I’d imagine that it’d be far more cost effective, and a quick Google Street View tour of his area looked like there are plenty of utility poles to use.

    1. 1

      It appears that one-touch wouldn’t be available in PA.

      1. 4

        That Wikipedia article is outdated after the FCC’s announcement in August.

        In this map the blue states are ones that could make their own regulations - the white ones would fall under the new federal regulations clearing the way for OTMR, I believe.

        It’s also an interesting question if the language the FCC used would have impact on those 20 self-regulating states as well:

        > in a Declaratory Ruling, the FCC made clear that blanket state and local moratoria on telecommunications services and facilities deployment are barred by the Communications Act because they, in the language of Section 253(a), “prohibit or have the effect of prohibiting the ability of any entity to provide any interstate or intrastate telecommunications service.”

        1. 1

          Thank goodness, about time!

    1. 1

      I worry about the weight/inertia of a change process where adding `_` support within constant integers takes months of feedback and review (e.g. `const MB = 1_024 * 1_024`). At first glance, that seems like a straightforward and purely additive change so why the baggage?

      1. 4

        Because of Golang’s backwards compatibility promise it is crucial to ensure even “straightforward” changes are carefully considered. Once `_` support is landed, it will not go away.

        1. 2

          Go isn’t somebody’s weekend hobby sandbox. Hundreds of thousands of programmers write code in it, lots of tools generate code for it, millions of lives and livelihoods are affected by code written in it. There is no “at first glance” on that level. Welcome to the big leagues.

        1. 7

          This is why we still use dedicated hardware kept in locked cages inside secure datacenters.

          1. 5

            > This is why we still use dedicated hardware kept in locked cages inside secure datacenters.

            What is your threat model? What actors are you looking to protect yourself from?

            Don’t get me wrong: there’s absolutely nothing wrong with not using a cloud vendor for any number of reasons. I’m just curious what led you down to this decision.

            1. 4

              In the case I wrote about it’s primarily due to the hardware being used being pushed to its limits (about 5,000-6,000 cores in total); however the data involved is extremely sensitive in nature and so must be protected from all potential threats both electronic and physical in nature.

              1. 2

                My best guess would be physical access. With the access controlled in your own DC and encrypting the disks, plus notifications on when doors / racks open (or cameras), you at least know there is a breach.

                With VMs, there is no way to know.

                1. 1

                  Well, this automatically stops all inadvertent or intentional leaks that come from just sharing the physical machine. There’s both endless attack surface plus a ton of focus on it right now by folks developing attacks.

                  It might also reduce complexity, aka downtime, if their setup is more boring than all the wild things the cloud providers must be doing to squeeze all kinds of companies, services, and features into shared boxes and spaces meeting their many requirements.

                  The dedicated boxes also have better, more-predictable performance than shared boxes. This ties into no downtime a bit. I’ll call it maximum results with fewer surprises caused by others.

                  Just a few, potential benefits of bare metal to consider.

              1. 15

                I have a story about this.

                A while ago I was interested in getting the statistical medcouple function into Python’s statsmodels. The problem is that this function is computed via a nontrivial but clever algorithm. It was described in an obscure paper from the 1970s that was really hard to read. The implementation in statsmodels is using a slow O(n^2) algorithm, whereas better O(n log n) implementations exist.

                So I find such an implementation in R, written by the same authors of the medcouple paper. Now, R is GPLed. Statsmodels is GPL-phobic. I could have just translated the R implementation into Python, but it didn’t seem fair to me, because I really did not understand the medcouple implementation until I read and translated the R code. Since statsmodels won’t accept the GPL, they shouldn’t accept the code I wrote.

                My solution was to write the medcouple Wikipedia article in generic pseudocode (that looks suspiciously like Python). This is now the spec part of the clean-room reverse engineering process. I’m glad to see that some people have stumbled onto that page and used it to create new implementations of the algorithm. Now I’m just waiting for someone to use this page to fix statsmodels’ implementation.

                1. 1

                  Hold on - have you just told on yourself?

                  > I really didn’t understand the medcouple implementation until I read […] the R code.

                  Isn’t this effectively creating a derived work in another language based upon the original GPLed code? Shouldn’t your derived work also be GPLed?

                  1. 4

                    It should be and it is:

                    http://inversethought.com/hg/medcouple/file/default/medcouple.py

                    But I also wrote a spec, the Wikipedia article. I described the algorithm in as much detail as I could. The spec should be enough for someone else to reimplement this.

                    1. 3

                      I don’t understand your reasoning. Why do you consider your python code to be a derivative work, but you don’t consider the Wikipedia pseudo-code you wrote to be a derivative work (and therefore GPL and not Creative Commons)? If your python code is a derivative work, why does the copyright notice only have your name?

                      1. 3

                        The Wikipedia article is a description of the algorithm that I cobbled together from various sources, which I amply cited. At no point do I just grab the R code and translate it for Wikipedia. The pseudocode I wrote based on my understanding of the algorithm as described by the papers I read and cited. I did do separate “literal” translations into Python and C++, and those I do consider derivative works of the original, which is why I GPLed them.

                        As to why my copyright notices don’t mention the original copyright holders, I’m not sure if that’s necessary. Am I required to keep their names in order to satisfy my GPL obligations?

                1. 12

                  I made a long thread about this (and other properties of voting systems) a couple weeks ago

                  A very important property of voting systems is secrecy. Once you drop in your vote, nobody should be able to tell who you voted for. This includes yourself – you should not be able to prove who you voted for.

                  This protects against candidates paying for votes, as well as people forcing you to vote a certain way. Once you’re out of the polling place, you’re free to lie about who you voted for and nobody – not even someone with power in the government – can tell if you’re lying.

                  Coercion is absolutely a problem in the United States. Often families are forced to vote the way the patriarch does. Many polling places in the South will even help families get adjacent voting booths (this is bad).

                  Secret ballot is a property of voting systems that is there quite universally – most countries have it.

                  Alameda County – the county in which I was helping run a polling place – does give you ballot stubs that you can take home. These don’t have your vote on them (they do have a unique ID) but you can use them to prove you voted (e.g. if you need to prove to your employer you voted so you can justify taking the 2 hours paid leave California requires employers to give you on election day).

                    1. 2

                      Reading your thread about ID, and about secure elections (no personally identifying paper trail) made me realize it’s actually quite easy to be ineligible to vote and still vote and there is no way to track this. A certain someone keeps harping on illegal voters and I drink the Kool-Aid that this is all overblown, but now I realize that anyone with any kind of ID can just vote and we can’t track legality - we can only, after the fact, identify people who registered to vote illegally and only after systematically going through the whole voter roll and tracking down everyone and checking their citizenship. In the polling station I went to in Mass they don’t need any signature, so one can claim someone else voted in their name and so on. They took my ID, but I can’t remember if that was just because they initially couldn’t find me on the rolls, so I think you just need a name and address.

                      1. 12

                        You sign the voter roster under penalty of perjury, and if you’re voting provisionally that all gets dealt with later.

                        If you are voting for the first time they often need ID because of the HAVA act, but otherwise there is no ID requirement in many states (California too).

                        A lot of things in this country operate under trust that you’re not lying in a situation where lying is illegal. It works out.

                        There’s plenty of research showing that the threat of illegal voting is extremely low. Illegal voting is very hard to scale, and if you’d like to flip an election you’d need a lot of illegal voters. The chances of getting caught go up dramatically as you try to scale this. It’s not worth it; and very few people do it.

                        Your argument is that you can game the system. That is true, but that doesn’t mean people do game the system, and that doesn’t mean that it’s worth it to game the system.

                        OTOH a lot of people don’t have photo ID. The cons of requiring ID outweigh the pros. Disenfranchising a large segment of our poorer population is totally not worth it to catch a couple cases of voter fraud.

                        1. 3

                          Don’t want to start this discussion on lobste.rs but that makes me worry - because now there is an incentive for candidates to treat illegal voters as a voting block and cater to them, just like any other voting block. This creates a market for this. Maybe I should try and understand more from you via message.

                          I recall telling someone canvassing for votes a few years ago (local election) that I couldn’t vote because I wasn’t a citizen (at that time) and she just shrugged in a strange way. I always puzzled about that. It wasn’t “Oh, yes you can’t vote, bye.” almost a wink-wink.

                          1. 10

                            That could also be because non-citizens can still be politically active – in fact IIRC non-citizens are often over-represented amongst campaigners because that’s all they can do to affect the election.

                            I know non-citizens who have been canvassed and asked to help phone bank or whatever when they explain they’re not citizens.


                            Again, scaling a process of catering to illegal voters is hard. Every single vote you try this for is an opportunity to get caught; you can’t do it in bulk. And a wink-and-nudge isn’t enough since you still have to explain how to impersonate a different voter or whatever – most people don’t know how voting works.

                            It is totally possible for a single person to vote illegally. This process is very hard to scale without getting caught. Furthermore, it has not historically been a problem, and still isn’t.

                            Voter fraud fearmongering is typically used to enact hurdles to voting that end up disenfranchising legitimate voters.

                            1. 6

                              One of the most salient political issues in the US right now is the presence of tens of millions of illegal immigrants on US soil, and the question of what, if anything, should be done about it (anything from “national borders are inherently illegitimate” to “greatly expand the size and power of the government’s law enforcement apparatus in order to deport them all”). Many illegal immigrants have some kinds of official documentation, because not all parts of the government are the ones that check for citizenship/legal residency, and because deliberately not checking for citizenship/legal residency when interacting with government services is a politically-popular pro-immigrant position in many jurisdictions (of course, it’s also a massively unpopular position in other jurisdictions).

                              If someone’s presence in the country at all is illegal, but they are part of a group of tens of millions with similar status, know that enforcing the law (i.e. deporting them) is logistically difficult for law enforcement and very politically contentious, and in general feel like they are rightfully Americans, just without documentation, I find it very plausible that they might decide to cast a vote, and that the mechanisms to detect illegal voting wouldn’t detect them doing so. I don’t think that doing something under penalty of perjury is a significant deterrent to someone who is already subject to deportation if the parts of the government that enforce immigration law learn about it.

                              1. 6

                                > I find it very plausible that they might decide to cast a vote

                                They can’t cast a vote under their own name though, they have to be registered.

                                And as the OP mentioned it’s much easier to be caught during the registration process.

                                What they have to do is turn up at a voting place, and impersonate someone else. This is very much an actively malicious act, not a passive “I feel like I’m American, I’ll vote” act where there’s more misunderstanding than malice.

                                1. 2

                                  hah I just brought up where that happened to my great grandfather, the misunderstanding option though. He thought he had done all the proper paperwork but he had not. I don’t have the full story though he may have gotten a visa confused with citizenship or something, the world will never know.

                                  1. 2

                                    You don’t need proof of citizenship to register. I did it online.

                                    1. 4

                                      Sure, but once done it’s something they can look for and catch at any time they want. Unlike voting under someone else’s name – if not caught that day (e.g. if the person being impersonated comes in and tries to vote later), it won’t be caught at all (but this is fine because it doesn’t scale).

                                      When you register online you’ll provide an SSN or state id number, both of which can be traced to citizenship status. The state may not be interested in helping the federal government deal with illegal immigrants, and may not care about citizenship status in general, however the registrar of voters definitely will care about these things.

                                      1. 1

                                        I gave my driver’s license I think. Don’t recall if that is tied to my SSN. If registration is linked to SSN then it’s less scary because automated scans can be done re: eligibility.

                                        1. 2

                                          I’m registered in California; I registered through my state ID (you can autoregister when you apply for an ID). When you register online you either provide an ID number or SSN.

                                          When I want to access my voter settings (change vote by mail preference, check if my VBM ballot was counted, check my polling place, etc) it asks me for an ID number or SSN. Being too lazy to fish out my ID I just use my SSN, which I know. It still works, despite having registered through my state ID.

                                          This stuff can be linked if they want to, usually.

                                          And again, evidence shows that none of this is actually a problem.

                                  2. 5

                                    Yeah except all research on this issue shows that voter fraud is exceptionally rare. Some of the most recent examples were conservatives who thought voter fraud was easy with this exact mindset and got caught. My great grandfather found out he wasn’t actually a citizen when he went to vote, they told him he couldn’t because he wasn’t a citizen, and then went to Mexico and applied for proper citizenship in the US.

                                    The reality is voter fraud, intentional or accidental is actually deceptively difficult. There are actually many layers at every step of the process that end up preventing this from being a problem. Voting machine based voter fraud, that may be a real thing, and we’ll probably never know how much. Humans walking in to do voter fraud, accidental or purposeful is statistically not a thing.

                                    Even Trump’s voter fraud investigation turned up dust.

                                    1. 5

                                      > I don’t think that doing something under penalty of perjury is a significant deterrent to someone who is already subject to deportation if the parts of the government that enforce immigration law learn about it.

                                      But the threat of deportation definitely is - have you met anyone who’s undocumented? The ones I know are terrified of every interaction with law enforcement, DMVs, employers, etc. Go to any restaurant kitchen anywhere in the country, any farm anywhere in the country, and see if you can even get them to tell you their full name without knowing why you’re asking.

                                      I sense you’re not close to any of these people. You would be subjecting yourself to an immense personal risk of losing access to all personal property, friends and family, etc just by putting yourself on a voting roll when you aren’t a citizen. I would never risk losing access to my children because of my desire to vote on anything.

                                      This is outside any discussion as to what we should do about the fact that large portions of our economy depend on labor that is undocumented – but their voting power is nil.

                                      1. 4

                                        Yeah, I found that part of the argument absurd, but it seemed very subjective so I left it alone.

                                        I’ve known some illegal immigrants, all of them are very careful about this.

                                        1. 2

                                          > I sense you’re not close to any of these people.

                                          That’s painfully clear.

                                          My wife works with a community organization that serves undocumented migrants. The list of services public or private they avoid to avoid any interaction with government officials who might question their immigration status would amaze you.

                                          The thought that an organized voting fraud bloc would arise around them is positively risible.

                                          As noted in the thread, the evidence clearly shows in-person fraud is a non-issue; in reality, strict voter ID laws are the real problem, as they serve to disenfranchise the poor and those underserved by government while providing no real benefits.

                                  3. 3

                                    Way too many unsourced assertions here. And I hope I’m not the only Lobster for whom “just trust, don’t verify” rings hollow.

                                    1. 4

                                      Here’s a whole bunch of sources from a non-partisan org: https://www.brennancenter.org/analysis/debunking-voter-fraud-myth

                              1. 24

                                I think the arguments around coercion and bribery for votes are quite compelling. Any system that proves to me who I voted for can also prove to someone else who I voted for; this feels extremely risky.

                                And offering a sweepstakes as an incentive seems interesting, but doesn’t seem to drive a politically engaged populace. I guess it would force the government to ensure that adequate voting sites are available which is a net positive, but I’d rather drive people to the polls by having candidates that push policies that improve their material conditions.

                                Voting in my county works in a way that addresses your concerns: a voter makes selections on an electronic machine that prints a paper ballot. The ballot contains the names of the candidates you voted for, as well as a “Scantron” representation. Once your ballot is printed by the machine, you run it through an optical scanner that records the votes, and you then seal it in an envelope and put it in a locked box. Certifying the vote involves taking random samples from across the county and comparing the recorded optical vote against the printed paper vote. And all paper ballots are preserved for recounts/full audits.

                                In my mind, this appears to be a fairly tamper resistant system: an attacker would need to effectively change two counts - the electronic count, and the paper ballots as well. Any attack I thought of had many moving pieces.

                                1. 4

                                  The biggest attack on paper + electronic systems is to not routinely count the paper ballots. As we saw this week, it also makes it easier to restrict voting opportunities by doing a crappy job at deploying the machines.

                                  Your comments on coercion are valid and at the heart of secret voting.

                                  1. 4

                                    This is decent but a problem with such systems (and similar systems that use a VVPAT printer for the paper trail) is that this stuff isn’t obvious. Consider the latest Texas goof up, where Texas machines were switching votes and many people didn’t really think to verify before submitting. There’s a risk the machine messes up and people neglect to check the paper ballot.

                                    The system we have locally is a paper ballot you mark, which gets scanned in (scanner can detect problems and tell you, too). Scanner keeps an immediate internal tally (printed out by the end of the day), and also keeps the paper ballots in an internal receptacle. The scanner printout, the scanner’s memory bank, and the contents of the internal receptacle all get sent out to the registrar of voters at the end of the day.

                                    Marking the ballot is easy and hard to mess up (and you don’t have to check anything for machine-caused mistakes), but there’s still a paper trail.

                                    So this system is okay, but you can make it better by removing machines from the ballot-marking stage of the process entirely.

                                    1. 1

                                      Instead of offering rewards, like a lottery, we could make voting mandatory. That would help enforce adequate voting sites.

                                      I think San Francisco is getting something like the process you mention, in 2019.

                                    1. 1

                                      This starts as a listing of previous hijacks but quickly takes a turn towards General Buck Turgidson in the war room yelling about an ASN gap.

                                      I don’t see any way to achieve the proposed “access reciprocity” without dramatically increasing US regulation of the Internet, which is about the last thing I’d want to see.

                                      1. 2

                                        > I don’t see any way to achieve the proposed “access reciprocity” without dramatically increasing US regulation of the Internet, which is about the last thing I’d want to see.

                                        Serious question: you’re more comfortable with long-term route hijacking and subjecting large numbers of people here in North America to NSA-style data slurping by the Chinese government (along with the attendant industrial espionage and occasional blackmail that is its goal) than you are with fairly straightforward legislation around the presence of networking equipment owned by a foreign government’s national telecom on domestic soil?

                                        1. 1

                                          I’m entirely unconvinced this “fairly straightforward legislation” actually solves the problem. So let’s say we push it out, Verizon gets a PoP in China, and China Telecom path prepends AS701’s routes out of use. Then what? We force US networks to retaliate?

                                          > That imbalance in access allows for malicious behavior by China through China Telecom at a time and place of its choosing, while denying the same to the US and its allies.

                                          The paper doesn’t beat around the bush with what this is about, so why should we? The US government is angry that it can’t shoot back.

                                          If you want fairly straightforward legislation to prevent BGP hijacking, mandate that all tier one networks implement BGPsec. That’s some regulation I’d like to see - I’d rather see disarmament over brinkmanship.

                                        2. 2

                                          > I don’t see any way to achieve the proposed “access reciprocity” without dramatically increasing US regulation of the Internet, which is about the last thing I’d want to see.

                                          Well, the private sector’s incentives so far have been to screw people over maximally, especially ISPs (examples). As this comment shows, every major advance with wide impact on the U.S. came with government intervention. The Internet itself was a product of government-funded R&D that the private sector was doing the opposite of: digital, toll roads w/ lock-in and tons of limitations. Now, we have the ISPs snooping on our data and Tier 1-3’s refusing to do much about DDoS attacks facilitated by their inaction.

                                          So, I’m fine with a tiny bit of regulation that’s mostly result-oriented (eg net neutrality) and only prescriptive when strong evidence backs it (eg secure logins for routers vs Telnet). I pointed out here in last paragraph that ISPs could mitigate DDoS’s via regulations prescribing a few, simple things mostly using existing hardware. The big companies waste tens of millions or more on useless bullshit but can’t afford tens to hundreds of thousands to secure their modems and routers. (rolls eyes)

                                          In this longer comment, I pointed out regulation worked before for boosting INFOSEC of systems/networks and is currently boosting safety/correctness/predictability in regulated, software markets (esp aerospace and rail). As Bell pointed out, the private market rarely made anything secure on their own since it’s more profitable to minimize quality of service and/or charge people for support/upgrades of shitty products. Pretty much the entire software market is doing that. That argues convincingly against trusting private sector to do it with or without demand. That leaves government. And remember I had qualifications like results-oriented, minimal prescriptions, and so on. We don’t want another million dollar pile of paperwork and hand-waving producing insecure, certified systems like Common Criteria turned into for vast majority of certifications.

                                        1. 27

                                          Takes us back to the days when we had more trust that the NSA and other institutions were genuinely working to keep America safe. We don’t seem to have that anymore. Were they always doing creepily over-broad surveillance? Are they actually worse now than they were then? Or is it just our trust that’s changed, and they’re still mostly the good guys? Maybe all three are true, I don’t know.

                                          1. 17

                                            I mean, yes, they always were doing creepily over-broad surveillance. Many of the old allegations about them have since been confirmed by declassified documents. Long after anyone would care, of course…

                                            When there’s an alleged abuse of power, though, in general I don’t think it’s all that useful to ask, did this specific set of events happen. Instead, a much better question is: What would stop that from happening? What controls are built into the system to make those actions difficult or impossible? Very often, the answer turns out to be that people are nice and wouldn’t do that. When that’s the answer, I think there’s a problem that needs to be addressed, regardless of what can proximately be proven.

                                            1. 11

                                              The “good old days” of trusting the intelligence community were artificially extended because Watergate dominated the news cycles when COINTELPRO came out.

                                              1. 13

                                                > Were they always doing creepily over-broad surveillance?

                                                They also installed brutal dictators throughout the world.

                                                1. 2

                                                  To be fair, that’s mostly been the CIA’s wheelhouse. Different office.

                                                2. 6

                                                  > Takes us back to the days

                                                  The good old days fallacy; longing for a better time that never really existed.

                                                  1. 1

                                                    I’d strongly suggest (re-)watching “The Good American” documentary to understand the impact that 9/11 had on ethics and priorities at the NSA.

                                                  1. 36

                                                    When reading this article I wanted to echo the same thing that Daniel Steinberg basically said.

                                                    DoH is necessary because the DNS community messed up over the past two decades. Instead of privacy, hop-to-hop authentication and integrity, they picked end2end integrity protection but no privacy (DNSSEC) and wasted two decades on heaping that unbelievable amount of complexity on top of DNS. Meanwhile cleanup of basic protocol issues with DNS crawled along at glacial pace.

                                                    This is why DNSSEC will never get browser support, but DoH is getting there rapidly. It solves the right problems.

                                                    1. 4

                                                      I haven’t studied DoH or DoT enough to feel comfortable talking about the solutions, but on the requirements side, intuitively I don’t get where this all-consuming “privacy” boundary is supposed to be. Is the next step that all browsers will just ship with mandatory VPNs so nobody can see what IP address I’m talking to? (Based on history, that wouldn’t really surprise me.) So then there’s a massive invisible overlay network just for the WWW?

                                                      And by “nobody” I mean nobody who doesn’t really matter anyway, since I’d think no corporation with an extensive network, nor any country with extensive human rights problems, is going to let you use either protocol anyway (or they’ll require a MITM CA).

                                                      1. 5

                                                        The end game is all traffic is protected by a sort of ad hoc point to point VPN between endpoints. There can be traffic analysis but no content analysis.

                                                        1. 6

                                                          We’re slowly moving towards “Tor”. It seems all privacy enhancements being implemented slowly build up to something that Tor already provides for a long time…

                                                          1. 4

                                                            “Tor all the things” would be awesome.. if it could be fast

                                                            1. 2

                                                              Or what dnscurve did years ago.

                                                            2. 1

                                                              But the point of this seems to be making the “endpoint” private as well. The line between “traffic” and “content” is ever blurrier — I wouldn’t have thought DNS is “content”. If it is, then I don’t know why IP addresses aren’t “content” just as much. Is this only supposed to improve privacy for shared servers?

                                                              1. 8

                                                                I’ve never thought of the content of DNS packets as anything other than content. Every packet has a header containing addresses and some data. The data should be encrypted.

                                                                1. 1

                                                                  I don’t think the argument is that simple. ICMP and ARP packets are also headers and data, but that data surely isn’t “content”. I would have made your statement just about application UDP and TCP.

                                                                  I think of “content” as what applications exchange, and “traffic” (aka “metadata”) as what the network that connects applications needs to exchange to get them connected. Given that both DNS names and IP addresses identify endpoints, it’s not obvious to me why DNS names are more sensitive than IP addresses. The end result of a DNS lookup is that you immediately send a packet to the resulting IP address, which quite often identifies who you’re talking to just as clearly as the DNS name.

                                                                  No doubt I’m just uneducated on this — my point was I don’t understand where that line is being drawn. When I try to follow this line of reasoning I end up needing a complete layer-3 VPN (so you can’t even see the IP addresses), not just some revisions to the DNS protocol.

                                                                  1. 2

                                                                    The end result of a DNS lookup is that you immediately send a packet to the resulting IP address

                                                                    This is a very limited view of DNS.

                                                                    1. 1

                                                                      Is there another usage of DNS that’s relevant to this privacy discussion that’s going on?

                                                                      1. 3

                                                                        Most browsers do DNS prefetching, which reveals page content even for links you don’t visit.

                                                                        1. 1

                                                                          Good point! It makes me think that perhaps we should make browsers continually prefetch random websites that the users don’t visit, which would improve privacy in much the same way as the CDNs do. (Actually, I feel like that has been proposed, though I can’t find a reference.)

                                                                          iTerm had a bug in which it was making DNS requests for bits of terminal output to see if they were links it should highlight. So sometimes content does leak into DNS — by either definition.

                                                                          1. 1
                                                                        2. 1

                                                                          CNAME records, quite obviously, for one

                                                                          1. 1

                                                                            OK, obviously, but then is there something relevant to privacy that you do with CNAME records, other than simply looking up the corresponding A record and then immediately going to that IP address?

                                                                            If the argument is “ah, but the A address is for a CDN”, that thread is below…I only get “privacy” if I use a CDN of sufficient size to obscure my endpoint?

                                                                            1. 3

                                                                              OK, obviously, but then is there something relevant to privacy that you do with CNAME records, other than simply looking up the corresponding A record and then immediately going to that IP address

                                                                              I resolve some-controversial-site-in-my-country.com to CNAME blah.squarespace.com. I resolve that to A {some squarespace IP}

                                                                              Without DoH or equiv, it’s obvious to a network observer who I’m talking to. With it, it is impossible to distinguish it from thousands of other sites.

                                                                              If the argument is “ah, but the A address is for a CDN”, that thread is below…I only get “privacy” if I use a CDN of sufficient size to obscure my endpoint?

                                                                              Yes, this doesn’t fix every single privacy issue. No, that doesn’t mean it doesn’t improve the situation for a lot of things.
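
Added example, not part of the thread or any poster's code: what a passive on-path observer parses out of the plaintext CNAME lookup described in the comment above, next to the same query bytes as DoH (RFC 8484) would carry them inside TLS. The host names, the 192.0.2.10 address and the `/dns-query` path are constructed placeholders.

```python
import base64
import struct

TYPES = {1: "A", 5: "CNAME"}

def encode_name(name):
    """Encode a dotted name as length-prefixed labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid=0x1234):
    """Plaintext A query as a stub resolver would send it over UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_cname_response(name, cname, addr, txid=0x1234):
    """Constructed response: name -> CNAME cname -> A addr."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    target = encode_name(cname)
    # Answer 1: owner is a compression pointer to the question name at offset 12.
    rr1 = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(target)) + target
    # Answer 2: owner points at the CNAME target stored in answer 1's RDATA.
    target_off = 12 + len(question) + 2 + 10
    rr2 = struct.pack("!H", 0xC000 | target_off)
    rr2 += struct.pack("!HHIH", 1, 1, 300, 4) + bytes(addr)
    return header + question + rr1 + rr2

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumps, end = [], 0, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = off + 2                 # parsing resumes after first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumps += 1
            if jumps > 16:                    # malformed packets can loop forever
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def observe(msg):
    """Everything an observer learns from one unencrypted DNS message."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, seen = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _cls = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        seen.append(("Q", name, TYPES.get(qtype, str(qtype))))
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 5:
            value, _ = read_name(msg, off)
        elif rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata.hex()
        off += rdlen
        seen.append((TYPES.get(rtype, str(rtype)), owner, value))
    return seen

def doh_get_path(query, path="/dns-query"):
    """RFC 8484 GET form: same wire bytes, ID zeroed, base64url without padding.
    This string travels inside the TLS session to the resolver, so the observer
    above sees only a connection to the resolver's address on port 443."""
    zero_id = b"\x00\x00" + query[2:]
    return path + "?dns=" + base64.urlsafe_b64encode(zero_id).rstrip(b"=").decode()

if __name__ == "__main__":
    q = build_query("blog.example.org")
    r = build_cname_response("blog.example.org",
                             "tenant.hosting.example.net", (192, 0, 2, 10))
    for record in observe(q) + observe(r):
        print("cleartext:", record)
    print("inside TLS with DoH:", doh_get_path(q))
```

The subsequent connection to 192.0.2.10 is still visible either way; encrypting the lookup only removes the name, which matters when that address is shared by many sites.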

                                                                  2. 5

                                                                    IP addresses are content when they are A records to your-strange-porno-site.cx or bombmaking-101.su.

                                                                    They are metadata when they redirect to *.cloudfront.net, akamiedge.net, cdn.cloudflare.com, …, and huge swaths of the Internet are behind giant CDNs. Widespread DoH and ESNI adoption will basically mean that anyone between you and that CDN will be essentially blind to what you are accessing.

                                                                    Is this better? That’s for you to decide ;)

                                                                    1. 6

                                                                      Well, here again I don’t quite get the requirements. I’m not sure it’s a good goal to achieve “privacy” by routing everything through three giant commercial CDNs.

                                                                      1. 3

                                                                        Because three CDNs are literally the only uses of Virtual Hosting and SNI on the entire internet?

                                                                        I’d venture to say that the overwhelming majority of non-corporate, user generated content (and a large amount of smaller business sites) are not hosted at a dedicated IP. It’s all shopify equivalents and hundreds of blog and CMS hosting services.

                                                                        1. 1

                                                                          Well, the smaller the host is, the weaker the “security” becomes.

                                                                          Anyway, I was just trying to understand the requirements behind this protocol, not make a value judgment. Seems like the goal is increased obscurity for a large, but undefined and unstable, set of websites.

                                                                          If I were afraid of my website access being discovered, I personally wouldn’t rely on this mechanism for my security, without some other mechanism to guarantee the quantity and irrelevance of other websites on the same host/proxy. But others might find it useful. It seems to me like an inelegant hack that is partially effective, and I agree it’s disappointing if this is the best practical solution the internet engineering community has come up with.

                                                                          1. 2

                                                                            I have multiple subdomains on a fairly small site. Some of them are less public than others, so it would be nice to not reveal their presence.

                                                            1. -10

                                                              People’s poor financial discipline is why employers have power over you. If you have fuck you money, then you can just quit and find another job.

                                                              The fact that you can’t just quit is why employers have power because they can afford to end the relationship but you can not.

                                                              If you used your money to buy a holiday in the Caribbean then you don’t have it to buy your freedom.

                                                              1. 31

                                                                I have fuck you money. Not lots of it, but enough that I managed to bring my boss to the table and get a raise and a promotion out of it.

                                                                However, virtually none of that money was acquired by my merit: I got it by selling the house my father left for me and my two sisters. I’m a clear example of how fuck you money is, in the overwhelming majority of cases, a privilege, not the result of merit.

                                                                But there are other kinds of privilege, more subtle ones, that amount to the same. Were you able to study without having to work to provide for yourself or your family? Were your parents college educated? Did they encourage you to go to college? Do you have student loans? Do you have a safety net you can fall back to if shit goes wrong?

                                                                All of these things are essential in acquiring fuck you money. None of them are your merit. None of them are things you worked hard for. They’re all accidents of birth. A.K.A., privilege.

                                                                Is it impossible to get fuck you money without those things? Surely not. But it’s much, much harder.

                                                                So, tldr: don’t blame people for not getting through hard work something that, most people that have it, got it through accident of birth.

                                                                1. 2

                                                                  That can be valid at the beginning, getting exploited in pay the first few jobs but then it boils down to people’s negotiation skills and confidence.

                                                                  I negotiated hard my very first gig while I know people who still don’t ask for a little more when getting their 20th contract.

                                                                  That’s why I find it silly when people say that certain people are just bound to make less, if you don’t negotiate when people need your expertise then when are you going to do it? And if you don’t then who’s to blame the employer if he gives you exactly what you are seemingly ok with?

                                                                  1. 4

                                                                    This is a simplification of a very complex subject. Pay gaps, be it gender, race, social class, or whatever other line, is a complex, multi-factored issue. It can not be explained away by “if you’re getting paid less is because you deserve less”.

                                                                    This is the kind of question where, honestly, your experience is kind of irrelevant (and so is mine. You can argue that I’m contradicting myself, because I used my own case in the first comment, but in my defense, I was posing myself as a counterpoint to an idealized example of someone who acquired fuck you money through pure merit, so, I was trying to point that individual cases don’t matter in this question, generic trends do). Great, you negotiated well your first job. Good for you, but a) you’re likely overlooking your own privilege and b) you’re a single data point. For every one of you, good negotiator person, I can probably find 20 that got continually fucked over by factors beyond their control and found themselves unable to negotiate pretty much anything.

                                                                    And finally, yes, employers are almost always the part to blame, because they have more power. It’s like sexual assault. A boss can’t claim an employee consented to being fondled daily if the alternative was being fired. Employers hold the power, so it’s their responsibility to not take unfair advantage of employees. If conditions are set up in a way that creates incentives to employers to be unfair, then we need government and employee organization to step in and guarantee that employers are not dicks.

                                                                    1. 4

                                                                      Employers hold the power

                                                                      They do control the means of production and leave us to sell our labor for a wage. But the power is ours for the taking, if we decide to take it.

                                                                      1. 3

                                                                        Fair enough. My country is on the verge of electing a homophobic racist buffoon that openly supports torture and the return of a military dictatorship, though, so you can understand why I don’t place much hope in a popular uprising.

                                                                        1. 1

                                                                          Brazil?

                                                                          1. 1

                                                                            Shit, I’ll be really sad if you’re not from Brazil yourself. But yes, Brazil.

                                                                2. 17

                                                                  Spoken like someone who has never known poverty!

                                                                  Am I having poor financial discipline when all my wisdom teeth got impacted and infected simultaneously and I have to choose between keeping my hard-earned savings and not having a mouth? I have ten false teeth through no fault of my own. Should I have thrown away my ability to chew solid food to keep “my freedom” instead? I guess I could drink Soylent for the rest of my life!

                                                                  1. 2

                                                                    Yup, that’s why people don’t have fuck you money. Because of all the Caribbean holidays they buy.

                                                                    /s

                                                                  1. 63

                                                                    C-level executives and board members antagonize employees and threaten unemployment, knowing full well that they’ll never miss a meal or a mortgage payment and that their children will still have health insurance and good schools: freedom.

                                                                    Workers thinking they should organize to present common concerns to management: not freedom.

                                                                    Remember, they only call it class warfare when we fight back.

                                                                    1. 14

                                                                      Workers organizing is freedom.

                                                                      Workers being coerced to join or pay an organization is not freedom.

                                                                      This is true even when the organization itself exists to protect freedom.

                                                                      1. 23

                                                                        Workers being coerced to join or pay an organization is not freedom.

                                                                        Yes and no. My being forced to pay taxes isn’t freedom. My living in a society with roads and clean water and educated children (and my own education, which given my home life at the time wouldn’t have happened without compulsory and free education) dramatically increases my overall freedom, far more than was lost by paying taxes.

                                                                        The power imbalance between most employers and most employees is such that the vast majority of people are almost-serfs in all but name. The tech sector can sometimes forget that because of the high salaries and relatively competitive employment market…but for most people, their health and home are literally tied to the whims of someone who views them as nothing more than expendable labor. Sure they’re “free” to change jobs, but saying “you’re free to risk your children’s health!” isn’t really freedom at all.

                                                                        Correcting that power imbalance might take away some freedom, but it would add a lot more freedom on the other side of the balance sheet, IMHO.

                                                                        Universal health care and a strong social safety net is the other way to fix this, if labor unions are determined to be too problematic. That allows you the freedom to change jobs without worrying that you couldn’t pay for your child’s healthcare.

                                                                        To provide a real example: a friend of mine has a chronically ill daughter. Without health insurance he literally cannot afford to keep his daughter alive. Thanks to the repeated attempts at removal of the preexisting condition clause by the GOP recently, he runs the very real risk that he could end up with his daughter uninsured and potentially in dire straits if he were to lose his job. His employer knows this and, as the provider of his health insurance, could demand literally anything of him. If he were unemployed long enough that he could no longer pay for COBRA between employers, he’d literally be unable to keep his daughter alive. That is not freedom; that it’s not the government who holds the power is immaterial.

                                                                        (Note that his employer is awesome and doesn’t do anything bad, but that’s not true of everyone and it shouldn’t have to be…)

                                                                        1. 4

                                                                          I think you made a great case for universal healthcare – which can be argued to either side of the political fence. If you lean left, universal healthcare is a right and a true good. If you lean right, universal healthcare drives competition, flexibility and allows people to create new companies and move around more quickly.

                                                                          That said, I am not sure you made a great case for unions. Unions don’t fix the fundamental problem around healthcare in any form. You still can’t leave to a non-union shop, can’t leave to start your own company, etc without giving it up. If anything it makes it more entrenched.

                                                                          1. 5

                                                                            You seem to be fixating on a single example, not the thrust of his argument. You do realize other first world countries have universal healthcare and wayyy higher union participation than the US? There must be other things unions are useful for.

                                                                        2. 20

                                                                          The point of labour organizing is not ‘freedom’, especially not in the anglo sense of formal freedom on the marketplace, that everyone on the English-speaking internet seems to assume to be the only true and natural kind of freedom there is. It’s merely improving the conditions of labour, nothing more, nothing less.

                                                                          That said, unions can be terrible because they’re often loci of concessions, nationalism, taming, and other reactionary politics, rather than struggle.

                                                                          1. 11

                                                                            They can have issues. Most of the problems I see are caused by apathy and/or incentives at the top with problems they cause being externalities. Unions also seem to stop more problems than they create. They also counter the trend paid with political bribes to make people easy to fire without cause in as many states as possible. That’s on top of executive compensation always going up in companies that “can’t afford” good wages or benefits for production workers. These all lead me to be pro-union in general.

                                                                            1. 4

                                                                              Idk how it is in the US honestly, but that part of my comment wasn’t anti-union in general just noting that they definitely have limits in a political sense.

                                                                              However for workers they’re obviously a huge net-positive.

                                                                              1. 1

                                                                                Oh ok. That makes more sense.

                                                                            2. 3

                                                                              You make a good point. The immediate goal of a union is not freedom of its workers. I think workers unionize, though, because they desire more freedom. Limiting work hours means freedom to choose what to do with the rest of the day, for example.

                                                                              1. 3

                                                                                Yes, that’s one of the broader conceptions of freedom I was referring to:)

                                                                            3. 12

                                                                              I agree with you here. I’m all for workers being able to collectively bargain for their own interests, but not at the expense of imposing on the liberty of others.

                                                                              I don’t mind if my co-workers unionize, but I want to be able to choose my own terms of employment with my employer without having a third party interfere without my consent.

                                                                              1. 17

                                                                                I don’t mind if my co-workers unionize, but I want to be able to choose my own terms of employment with my employer without having a third party interfere without my consent.

                                                                                You can’t have your cake and eat it too: if the strength of your coworkers’ union results in your employer entering into a favorable health insurance contract with an insurer, are you really going to reject that insurance and try to negotiate your own? Even if the insurance you purchase will invariably be more expensive and will cover you less?

                                                                                1. 9

                                                                                  I don’t really care what a third party does with regards to my contractual agreement with my employer. The agreement I enter in is between myself and the company employing me.

                                                                                  In your hypothetical, I may indeed choose to cover myself. It’s hard to guess without actually having the numbers and going through a negotiation. I likely value different things at different levels than a potential union does, and would be better served negotiating based on my preferences rather than letting a group decide the terms of my contract.

                                                                                  1. 6

                                                                                    Except you would end up with a significantly less favourable contract, as you lack the negotiating leverage of the union.

                                                                                    1. 11

                                                                                      I don’t understand why you care so much about my contract. It’s up to me to decide what is favorable for me and what isn’t. I have the leverage of my own skills and experience, and that I can take a better offer from a different employer at any time.

                                                                                      1. 17

                                                                                        I don’t care about you, per se, but if everybody privileges abstract notions of freedom over concrete gains from their employment, you have a collective action problem and everybody ends up strictly worse off.

                                                                                        1. 13

                                                                                          Strictly worse off by whose definition? I’m under no moral obligation to sacrifice my own values to appease yours. If you’re worried about me not joining your union, then make your union attractive enough that I want to join it over negotiating my contract myself. Don’t force me into a contractual agreement that I never consented to.

                                                                                          1. 9

                                                                                            If you’re worried about me not joining your union, then make your union attractive enough that I want to join it over negotiating my contract myself.

                                                                                            In all likelihood, it will be attractive - but the benefits it confers will end up available to all employees, not just those in the union.

                                                                                            Now, if the choice was a strict “join the union and receive benefits which it negotiated” or “do not join the union and you are solely responsible for negotiating every part of your employment” I’d be happy, and it sounds like you would be as well.

                                                                                            Would you decline to accept any benefit - work conditions, time off, retirement, etc. - which was negotiated by your workplace’s union if you planned to not join the union? If your answer is yes, I’d applaud your consistency.

                                                                                            The problem that @jfb identifies is that most people would say “no” - they’d choose to benefit from things negotiated by a union they’re not a member of.

                                                                                            1. 6

                                                                                              Now, if the choice was a strict “join the union and receive benefits which have been established” or “do not join the union and you are solely responsible for negotiating every part of your employment” I’d be happy, and it sounds like you would be as well.

                                                                                              Yep, perfectly fine with me.

                                                                                              Would you decline to accept any benefit - work conditions, time off, retirement, etc. - which was negotiated by your workplace’s union if you planned to not join the union? If your answer is yes, I’d applaud your consistency.

                                                                                              In a contract negotiation between myself and my employer, it’s impossible for me to know what parts of their offering are influenced by the presence of the union, or to what extent they are. For example, imagine an employer that would negotiate for some sort of health insurance regardless of existence of a union. If the existence of a union changes that relationship via a change of insurer, I can’t just ignore it and keep whatever insurance plan I chose before the union came in.

                                                                                              I don’t care to take advantage of a union. I won’t take drinks from your “union members” fridge or take breaks on your union schedule and hope nobody notices. I will, however, negotiate the best deal for myself with my employer, and not handicap myself by trying to figure out what I would or would not have access to if the union didn’t exist. The union is an outside agent that I don’t have control over, and the extent that its existence benefits extend beyond its members are for the union to figure out.

                                                                                              1. 6

                                                                                                Would you decline to accept any benefit - work conditions, time off, retirement, etc. - which was negotiated by your workplace’s union if you planned to not join the union?

                                                                                                I certainly wouldn’t refuse all time off because the union gets some, but I wouldn’t automatically assume to have the same. If I get three weeks, and the new union contract gives four, then I guess I’m stuck with three.

                                                                                                But observing that the company gives four weeks off is a data point I might consider when asking for more time off. That’s not strictly a union thing, though. If I saw a non union worker getting more time off, I might want that too.

                                                                                                Is that how it works in the non union case? If you hear a coworker got a raise, do you refuse to ask for your own?

                                                                                                1. 12

                                                                                                  My wife has a saying: Good and Evil don’t exist, it’s just selflessness and selfishness.

                                                                                                  Eric is talking right around the crux of the matter, but he missed something.

                                                                                                  I’m under no moral obligation to sacrifice my own values to appease yours.

                                                                                                  Sure you are, buddy. You aren’t under any legal obligation, nor any ethical obligation. The obligation is in fact, a moral obligation.

                                                                                                  When you throw your lot in with a group, you are sacrificing some of your autonomy in exchange for the group’s strength. Due to network effects, many groups are stronger than their strongest member, but yes, sometimes a member will become weaker by joining. (I’m ignoring here the second order effects like community respect gained due to being described as selfless, etc.)

                                                                                                  EDIT: reworked the bottom, sorry.

                                                                                                  1. 7

                                                                                                    Sure you are, buddy. You aren’t under any legal obligation, nor any ethical obligation. The obligation is in fact, a moral obligation.

                                                                                                    You and I have very different moral preferences if you think it’s ok to impose your values on someone else without their consent.

                                                                                                    When you throw your lot in with a group, you are sacrificing some of your autonomy in exchange for the group’s strength.

                                                                                                    When I join a company I am entering an agreement with an employer in which I exchange my labor for (primarily monetary) compensation.

                                                                                                    Your assumption that joining a company means joining a subset of coworkers for an unspecified goal of “group strength” seems entirely arbitrary to me.

                                                                                                    1. 4

                                                                                                      Look, the simple fact is that unions allow for more favorable price fixing by Labor.

                                                                                                      The benefit should be obvious.

                                                                                                      1. 3

                                                                                                        You join the work force as a worker and that makes you a worker. There are social expectations from that and you can be aware of them well before deciding to join the workforce. There’s an unwritten social contract and in the same way by living in a nation-state you’re implicitly a citizen, by joining the workforce you’re implicitly a worker and then subject to all the moral obligations that come with it. Most of them are not protected by law, because in non-socialist states one of the goals of the legal system is to repress the worker, but nonetheless you’re held responsible by other workers. This, most of the times just boils down to “he’s such an asshole” but in other times it meant more than that, because your action was directly and undeniably hurting your peers.

                                                                                                        1. 1

                                                                                                          You and I have very different moral preferences if you think it’s ok to impose your values on someone else without their consent.

                                                                                                          Don’t worry, I’m not in a position to compel you! That would be wrong. I may only ask.

                                                                                                          1. 3

                                                                                                            But that isn’t the case we are discussing, is it? We are talking about compulsory unionization. Join the union or no job seems to be what they are referencing.

                                                                                                            1. 1

                                                                                                              Right, the closed shop. It’s a way to limit individual liberty to allow for stronger collective liberty. I’m perfectly ok with this, but there are those who have a different conception of liberty who might not be. I think it’s totally wrong, but it’s not a nonsensical way to conceptualize the relationships between people.

                                                                                            2. 1

                                                                                              But the situation of a union being part of the negotiation is not much different than the situation where just you and the employer negotiate. Typically in a non-unionised company your boss is heavily restricted in what they can offer you by company policy and HR. Unionization is the same kind of rules just optimized for other goals.

                                                                                              The notion that you are somehow more free negotiating in non-unionised jobs is - I don’t know - self-deception?

                                                                                              I started at a unionized company which gave me a 20% pay increase that my previous employer was unwilling to match (their competitive offer was 10% after telling me before I applied that they could not pay me more). Now the union negotiates for me the annual pay increases. I can also negotiate directly with my employer in the sense that my employer can put me into a more senior position which means I would get more 💰.

                                                                                              If the union contract was bad, I could still negotiate with my employer that they pay me above the union contract. But since the union contract is quite generous and above the typical competition I would have a hard time negotiating that in the same way as I have a hard time negotiating for that kind of a salary at non-unionised competitors.

                                                                                              1. 1

                                                                                                , I could still negotiate with my employer that they pay me above the union contract

                                                                                                It was my understanding this was explicitly not allowed by union agreements. This is because to have collective bargaining power and a “union contract” requires that contract to be adhered to by all union members. Can you link me to a union that says you can negotiate individually in their rules? How does that even work – so you get a floor but then can ignore the ceiling and push for whatever additional you want? Doesn’t that take a lot of the positive upside away from a contract from the employer side?

                                                                                                1. 1

                                                                                                  My union has around 16 pay levels plus some kind of individual components. If you want to earn more than the highest level you can definitely get such a non-union contract (it’s what management gets in any case).

                                                                                                  You can also negotiate for being grouped into a different category.

                                                                                                  You could also try to be hired as a contractor (this would mean that you have the biggest negotiation freedom).

                                                                                                  Anyways the question is pretty theoretical in the sense that the union contract is fairly good and on average better than what individuals with the same competency get on the free market here.

                                                                                          2. 9

                                                                                            “I don’t mind if my co-workers unionize, but I want to be able to choose my own terms of employment with my employer without having a third party interfere without my consent.”

                                                                                            In our unionized company, everyone gets the benefits and small restrictions that come with the work of the union and its members. Some people think only the union members should get benefits union negotiates. We know how badly that might end up, though. Especially fights internal to the company. We don’t push that. We do encourage people to highlight benefits union brought: ending fire-without-cause of hard workers; reducing perjury on your references; great health/dental for $25 a month; right to sleep between shifts (a bit…); paid holidays, sick leave, and vacations; fair-ish, standard pay based on position, experience, and time in company. I’m not saying it’s best terms but better than most competitors.

                                                                                            That said, I see your position. That people choose competitors to union companies for their different terms supports it a bit. :) I’ve considered letting union people get their negotiated terms while others get theirs. The first thing I ask those people is: “Do you want to work for least they can pay over minimum wage, overtime without overtime, unsafe working conditions (maybe even no bathroom), have little to no benefits, and potentially be fired without cause after years of hard work with bosses giving you no or falsified reference? And while we get the opposite?” Outside high-pay areas like highly-skilled techs, most companies are giving employees as little as they can. They get more commoditized without even being sure they’ll get a job reference for a better job. Might have to endure a lot to get it in some companies. A lot of people don’t have that opportunity.

                                                                                            Now, if you do, there’s another thing to consider. These companies that are offering you a good deal at some five to six digit wage might be pocketing multiples of that with folks in suits doing less than you getting a bigger cut or higher cut vs beneficial work ratio. They will similarly be paying lobbyists on Washington and at state levels similarly large sums to reduce what you can gain at an individual level. The unions are one of few groups lobbying for people like you. If more technical workers unionized, then there’d be more lobbying effort toward getting such individuals better deals. That sector also has the kind of money where donations and campaigns might bring some serious results in terms of expected compensation, work environment, better share of I.P. ownership or equity, paid leave (maybe maternity leave), or even better housing in high-rent areas. Again, may not interest you. I just wanted to mention people dealing with you might have been paying politicians to reduce size of those deals, your perks, or rights as a worker.

                                                                                            1. 4

                                                                                              Thanks for the thoughtful response. Your company’s union sounds like it’s doing good work, and you’ve done a good job making a case for it. I would not rule out joining a union without looking at the terms of membership, but I would also be extra wary of joining a company that had compulsory union membership.

                                                                                              I don’t have a problem with people making more money than me at the same company, regardless of their beneficial work to pay ratio (which I can’t assess anyway), or what kind of clothes they wear ;)

                                                                                              As for the lobbying question, there is a high chance I would make the ethical judgement not to join a company (or union, for that matter) based on their lobbying efforts.

                                                                                              As an aside, I appreciate your posts and comments on Lobsters in general; anything from nickpsecurity is must-read for me.

                                                                                              1. 2

                                                                                                I appreciate the kind words! I was hoping some of us could chill the thread a bit. It seems like you just prefer to have more insight into and control of job or other commitments letting other people do their thing. A union shop may or may not be right for you depending on how flexible the terms are for non-members. Glad you would consider turning down an offer if it supports corruption. Most wouldn’t.

                                                                                              2. 2

                                                                                                reducing perjury on your references

                                                                                                Are you referencing bad-references as a way of punishment? I didn’t realize that was a common enough thing to warrant protection from.

                                                                                                1. 2

                                                                                                  Many poverty or working class people I know have either experienced it or had to mitigate it with careful exits knowing it could happen. The middle class and up folks with more to lose or carry with them usually play exits safe because they know it can happen. I don’t know how often it does happen to them, though. I know there’s laws in some countries where they have to give you references without any badmouthing. Apparently, it happened enough to make laws against it over there.

                                                                                                  Not here, though. Still can get hit with the shit.

                                                                                              3. 3

                                                                                                This is slightly tangential to the direction this went in, but I’m curious. Why? Bargaining as a group is always more advantageous than doing so individually.

                                                                                                1. 6

                                                                                                  I’ve worked in a unionized industry; it’s not the utopia you make it out to be. While the average income may be higher under collective bargaining, this is done by making some people worse off than they would be under individual bargaining.

                                                                                                  There’s also a huge issue with people who really should be fired, but who aren’t because of the overhead imposed by the union. Honestly, I’d prefer to work for less remuneration than to work with underperformers. Particularly when you know those underperformers are getting paid the same amount as you. It’s completely demoralizing.

                                                                                                  1. 4

                                                                                                    “There’s also a huge issue with people who really should be fired, but who aren’t because of the overhead imposed by the union.”

                                                                                                    I don’t have any hard data, only 8 years personal experience working in a (partially) unionised white collar job.

                                                                                                    It might vary union by union or company by company but there’s patterns I noticed at management level. My union won’t protect people who do nothing: only people who work as instructed by management who are written up, suspended, or terminated by poor results of management’s plans. There are people at my company who we can’t seem to get rid of. Management uses union as excuse but I’ve seen no use of established procedures against those workers. It seems management in those areas either lets them talk their way out of it, ignores those that argue or intimidate the most, and gets hard on the more compliant workers (aka easy targets or outlets) that probably don’t deserve it.

                                                                                                    The performance metrics also suck so bad at this company and a lot of others (including non-union) where many workers artificially look like they’re not good workers. Some of these companies fail workers if they don’t achieve arbitrary expectations with no proof they matter (see Office Space) or from managers without real-world experience. If they do this to everyone or many, then the bad workers just fade into the background of what looks like a problem with everyone. A made up problem. If the requirements were sensible, then most people would meet them visibly working at a steady or fast pace (context dependent) with some barely working and some getting way ahead. The bad workers become much easier to identify, discipline, and/or eliminate with a fair baseline.

                                                                                                    I’ve talked with people in a few other industries that are unionized. They usually have examples of the above two points happening that mostly come from top-down, ignore-workers management and office politics. I still can’t be sure how much “the union” was responsible for workers being hard to get rid of if management was that inept. It’s all the more believable by how much non-union workers and books on management talk about the same failures. My theory is most managers and corporate offices suck in a lot of ways with unions countering them usually in pretty generic ways focusing on what members value most. Outside the focus areas, the rest of the dynamic becomes back and forth battles with plenty of potential inefficiencies. Companies with competent, take-care-of-workers management usually have fewer of these problems and workers don’t ask for unions. Hmm… ;)

                                                                                                    1. 6

                                                                                                      I agree. Unions are not a panacea for every issue workers may have with a company, and in fact can cause many of their own.

                                                                                                      However, the issues you mention here are also universal:

                                                                                                      While the average income may be higher under collective bargaining, this is done by making some people worse off than they would be under individual bargaining.

                                                                                                      True! But considering the current state of tech salaries, I think that’s acceptable from a macro level view. I say that as one of those that would likely see a pay decrease under a union contract – I tend to negotiate quite a bit with potential employers.

                                                                                                      There’s also a huge issue with people who really should be fired, but who aren’t because of the overhead imposed by the union.

                                                                                                      There are two parts of this argument:

                                                                                                      • Unions tend to keep around poorly performing people longer

                                                                                                      and

                                                                                                      • Unions introduce extra overhead with process into the firing process

                                                                                                      I think both are false personally, and I don’t think there’s any data to prove either, I’d love to be proven wrong! For the first, I’ve personally found the opposite – the bar to entry for IBEW-NECA was much higher than that for non-unionized electricians, and the bar for firing was extremely clear. For the second, process can add more time, but it can also reduce it by clarifying for all the bar for firing. I find in most tech companies, the standard months of bad perf -> PIP -> eventual firing process can take a long time due to trepidation on the part of all parties.

                                                                                                      1. 2

                                                                                                        I think both are false personally, and I don’t think there’s any data to prove either,

                                                                                                        I don’t have any hard data, only 8 years personal experience working in a (partially) unionised white collar job. I’d have thought it was rather logical though that unions would, in their capacity of protecting their members, make firing more difficult. Which can be a good thing, but can also be horrible for org culture and performance.

                                                                                                        The idea of a union as a quality filter is interesting, and not something I’ve come across. IME, unions will take anyone in their industry who’s willing to pay the fee.

                                                                                                        1. 2

                                                                                                          Yeah I agree largely. If only there was a set standard for unions across the board — unfortunately their independence produces wildly disparate results at the tail. For that reason I can never begrudge someone that is against a union in good faith too much, I can only make my persuasion towards unionization more effective. Thank you!

                                                                                                          1. 1

                                                                                                            Unions are typically very strict on safety, and few things are more dangerous in the workplace than an incompetent electrician.

                                                                                                            1. 3

                                                                                                              But in an office job, incompetence isn’t dangerous, it’s just useless. Perhaps that accounts for our differing points of view.

                                                                                                            2. 0

                                                                                                              I’d have thought it was rather logical though that unions would, in their capacity of protecting their members, make firing more difficult

                                                                                                              There are also reasons not to make firing harder, notably the reputational damage that would occur (and which, evidenced by you, has already occurred :) ).

                                                                                                              As others have said, unions tend to make the bar for firing very clear, which also tends to mean bureaucratic. This isn’t a bad thing; bureaucracy is what we use in place of trust when trust is hard to establish or otherwise damaged. It’s also not necessarily a slowdown, as others have pointed out.

                                                                                                              It does mean that it’s harder for a manager to fire someone at a whim, or based on a longstanding issue that’s not been written down or communicated. But that’s a good thing. At the very least, documentation helps someone who is fired know why (and therefore what to work on in the next job). At the best, starting the documentation process is enough to turn a bad employee into a productive one.

                                                                                                              It also means that it’s harder to fire someone for something that’s inconvenient to the employer, but not the fault of the employee. In some places, for example, it’s very common for union construction sites to have a position called “lift operator”. It’s been used as an example of union waste in the past – it’s just someone who sits in the elevator and presses the buttons for everyone. But that position was originally created for (and is usually still used for) union members who have had injuries or other physical problems which make it hazardous or impossible for them to do mainline construction work.

                                                                                                              In a union-free situation, that person would be fired, through no fault of their own.

                                                                                                        2. 4

                                                                                                          Bargaining as a group is always more advantageous than doing so individually.

                                                                                                          No it isn’t. I can’t be more clear than that. There are lots of cases where negotiating as an individual is a far more advantageous position. If your values differ from the group. If your skills differ from the group. If your needs are in direct conflict with the group (for example, you want a 20% raise and don’t care if it is taken from $personX because they are bad at their job). This idea that the group think is magically always what is best for you is fundamentally untrue.

                                                                                                          1. 3

                                                                                                            Since neither of us have given data yet, I guess I left myself open to be rebutted in this way. There is data showing that on average union workers make more and have better insurance and benefits in general than non-union workers, but since we haven’t applied that to the tech fields yet, I won’t bring that up as proof. Do keep in mind that for non-tech fields, all of the above is already established as true. In addition:

                                                                                                            for example, you want a 20% raise and don’t care if it is taken from $personX because they are bad at their job

                                                                                                            is not really how raises are ever allocated, and if they were, I think that company needs a union.

                                                                                                            Instead I’ll provide three opinions:

                                                                                                            • Letting yourself be lulled into believing that you have more leverage than you do is pretty common amongst workers in highly competitive fields in bull markets. In a bear market where tech isn’t as desirable, you might change your mind.
                                                                                                            • The only metric you care about in this instance is salary, however collective bargaining would provide benefits far beyond that. It’s (relatively) easy for an individual to argue for more money, not so easy to argue for better healthcare packages or other benefits. In particular, I’d note that a lot of the benefits I have in mind probably wouldn’t apply to single dudes, but would to fathers, women/mothers, or non-binary folks (not even to mention race and religion).
                                                                                                            • To attack the salary question specifically, IMO the huge disparity within and between bands because of negotiation is bad. Responsible companies should tie pretty tight salary ranges to level bands and stick to it. Anything else widens disparities in worker pay. I know that a lot of tech folks will rebut this by saying that their work deserves 300k more than their coworkers, but I think that’s probably not true in 99.99% of cases.

                                                                                                            1. 3

                                                                                                              There is data showing that on average union workers make more and have better insurance and benefits in general than non-union workers

                                                                                                              “average” and “always” are very different – but since this wasn’t the thrust of your argument, we can move on past it.

                                                                                                              is not really how raises are ever allocated

                                                                                                              This is also simply not true – I have sat in exactly such hard decision making meetings. People fired, positions collapsed to give raises to other people, whole teams let go to give budgets to other higher performing teams. You put forth this idea “this isn’t how raises are ever allocated” when it simply isn’t true. It makes it very hard to have a fair and rational discussion with you. Budgets are well – budgets and in bad times hard decisions have to be made.

                                                                                                              Letting yourself be lulled … your mind.

                                                                                                              Absolutely agree. Tech workers commonly think they are worth more than they are. I suspect the Worth despair poster is commonly applicable: https://i.imgur.com/G7yMiXu.jpg (“Just because you’re necessary doesn’t mean you’re important.”)

                                                                                                              The only metric you care about in this instance is salary

                                                                                                              No, what I care about is individual interests. Some individuals value salary very highly, others a company car, others vacation, others healthcare, others still childcare and others more disparate and interesting things. I don’t find fathers, women/mothers or non-binary folks to be any less individual than “single dudes”.

                                                                                                              Anything else widens disparities in worker pay.

                                                                                                              The silent implication here is the disparity in worker pay is a bad thing, which I don’t agree with.

                                                                                                              I know that a lot of tech folks will rebut this by saying that their work deserves 300k more than their coworkers, but I think that’s probably not true in 99.99% of cases.

                                                                                                              Sure, you say 300k to make your strawman seem obviously true – knock an order of magnitude off that number and ask if a reasonable person at the same tier believes they are worth 30k more… hell, even define how you make these “bands” – arbitrary experience in terms of years?

                                                                                                              1. 1
                                                                                                                1. You’re right that average and always are different. To be more explicit, I only care about the average. Individuals can get pay raises and better benefits for any reason at all, deserved or undeserved, union or no union.
                                                                                                                2. You’re right — what I should’ve said is this: a company that makes the decision to fire one individual purely to justify giving a raise to another is not a place I would want to work. There are a number of factors that go into hiring, firing, and salary decisions, and I believe your original example was a little too simplistic.
                                                                                                                3. In normal working conditions, these groups you described will be looking individually for the benefits they want and need. However, their bosses often don’t or won’t share in the desire for or see the value in those benefits for a variety of factors. Some of those are economic — workers and their bosses have completely different world views, especially at tech companies. Unions are a way for workers who are by and large powerless individually to fight for those shared benefits collectively.
                                                                                                                4. Disparity in worker pay is a bad thing from a social standpoint, especially in the same level. If two engineers are both seen as being at staff level, why would they make more than a difference of 50-100k in total comp? It contributes to gender and racial wage gaps for the benefit of a small set of engineers.
                                                                                                                5. I said 300k because I’ve seen it in real life. Two engineers, one male, one female, both evaluated as being senior. One got a sizable equity grant, large sign on and a 15% bonus. The other got a pittance in equity, no sign on, and a 10% bonus. In reality, the gap was much larger because of the appreciation after the initial grant. And standardized levels and bands based on data are pretty standard at most modern startups and FAANG. For an example of what I’m referring to here, Camille Fournier open sourced hers while she was at Rent the Runway as CTO: http://dresscode.renttherunway.com/blog/ladder. Those should be tied to pay bands. Bands and levels should never be tied strictly to YOE.
                                                                                                                1. 2

                                                                                                                  To be more explicit, I only care about the average.

                                                                                                                  Worth clarifying which average you mean while you’re at it (mean vs median yield quite different answers)

                                                                                                          2. 3

                                                                                                            Assuming your interests are the same as the group’s. Even when they are, priorities differ. Everybody wants more pay and more vacation, but which do you care more about? If I want to work 30 hours for 75% pay, will the union negotiated contract offer that flexibility?

                                                                                                            1. 1

                                                                                                              It’s more likely to if you are a voting member.

                                                                                                              But your employer will be more than happy to reward you for defecting, until the union is gone and they again have leverage.

                                                                                                              1. 0

                                                                                                                If you are a part of the union, you get to help decide that. :)

                                                                                                                A democratic union would take its workers’ wants and needs into mind when crafting the contract with the employer. Right now, you can probably only get those benefits by either being very lucky to find a company that supports it, by altering your lifestyle by working on contract, or by earning it after some time proving yourself. Hypothetically, a tech industry with a standardized contract for workers could extend those benefits to all companies, saving you the time of doing one of the above or opening your own business.

                                                                                                            2. 3

                                                                                                              I don’t mind if my co-workers unionize, but I want to be able to choose my own terms of employment with my employer without having a third party interfere without my consent.

                                                                                                              I’m assuming a lot by your avatar, but my guess is that you serve a lot less to gain from unionization than, for example, a woman of color. In other words, you still want to benefit from a system that rewards white males even if that means weakening an institution that would bargain for people lesser off than you.

                                                                                                              1. 0

                                                                                                                You’re assuming a lot more than you think you are.

                                                                                                                you serve a lot less to gain from unionization than, for example, a woman of color

                                                                                                                A woman of color? Which one? All of them? What color? In what way?

                                                                                                                you still want to benefit from a system that rewards white males

                                                                                                                What system? Where does it reward white males?

                                                                                                                I’m assuming a lot by your avatar

                                                                                                                I’m a minority. The company I work for is less than 5% white.

                                                                                                                1. 3

                                                                                                                  I have no desire to engage in semantic games with you, especially if it’s just going to be screenshotted to Twitter with ad hominem attacks.

                                                                                                                  Have a good day.

                                                                                                                  1. 1

                                                                                                                    Since I don’t expect you to respond to this message, I’m just posting this to clear my record.

                                                                                                                    I have not played any semantic games. All I asked you to do was concretely define your statements and back them with something other than conjecture. I can’t argue with someone who doesn’t clarify their own argument.

                                                                                                                    Ad hominem is an argumentative strategy, which I have not engaged in. I think what you want to say is that I insulted you, which is also false, unless you count “white, male Bay Area resident” as an insult.

                                                                                                              2. 2

                                                                                                                You are agreeing with something I did not say.

                                                                                                                1. 1

                                                                                                                  In most of human history, the only people who rented themselves for wages were slaves. Up until recently, wage labor was called wage slavery. It takes a certain mental gymnastics to equate ‘consensual contract with employers’ as liberty. Think about how absurd it is to rent your time, especially for creative work like programming for example.

                                                                                                                  1. 1

                                                                                                                    But at the same time, people like getting wages. They don’t know how to make society value their time, so they get an employer to do that instead.

                                                                                                                    1. 1

                                                                                                                      When a few people in society hold all the money (inequality is huge) and the only way they value the rest of society is through wages, then doesn’t it follow that wages are the only realistic way for most people to get money? It’s really the only choice they have. Since wages

                                                                                                                      a) Don’t change any power relations
                                                                                                                      b) Don’t change any ownership relations

                                                                                                                      They are an attractive vehicle for the people who hold all the cards. The alternative is people have percent ownership in where they work! That would be lovely.

                                                                                                                      1. 1

                                                                                                                        I suppose I’m less cynical. Money is just a recognition that someone else appreciated what you did, and most people have no idea how to help society, or have no will to risk their own lives to help society. Thus, we get salaried positions with benefits to make sure we are safe and able to live. Wages are just the employer saying they appreciate your contribution to whatever the employer wants to do.

                                                                                                                        1. 1

                                                                                                                          It’s a nice sentiment, but Rome wasn’t built in a day. The system we live in was built piece by piece over a period of time. There are historical reasons why things are the way they are. If you could magically wave a wand and create it anew, would you have wages? Wages are a modern concept anyway. Why not something better?

                                                                                                                          Or are you saying the system we have is ideology-free and it’s people’s human nature that governs it?

                                                                                                                          1. 1

                                                                                                                            What’s wrong with the way we have constructed work? It has created the modern world, without which we both may never have had this discussion

                                                                                                                              1. 1

                                                                                                                                So? People in general love to be miserable anyway, so I reject the notion that you can fix misery with something other than wages.

                                                                                                                                1. 1

                                                                                                                                  You believe people love to be miserable? This is simply an absurd view and allows you to justify vast harm. Did you know, for example, that wage theft (wages are stolen from workers) is the largest theft? It dwarfs thugs and criminals by a mile.

                                                                                                                                  1. 1

                                                                                                                                    And wage theft is wrong. Two people entered an agreement and one party broke it.

                                                                                                                2. 5

                                                                                                                  “Freedom” is not a useful word, here.

                                                                                                                  1. 2

                                                                                                                    And if the existence/non-existence of a union depends on whether the company can hire non-union workers, you have to decide between one kind of freedom and another.

                                                                                                                    1. 1

                                                                                                                      Yes, exactly. But how can we choose? Both have merits and consequences.

                                                                                                                1. 63

                                                                                                                  First of all, equating “points” with “value” is a big and common fallacy you should reject, but I think other people will cover that much more eloquently than I can. So, my “one thing”:

                                                                                                                  Slow down.

                                                                                                                  Plan ahead before diving in. Take the time to build infrastructure. Do research, do cost analysis, do risk assessment. Make decision tables and sketch out state charts. I’ve even started writing outlines of programs in a notebook before vimming out the code. As long as you’re thinking ahead.

                                                                                                                  This helped me far more than any other advice I heard. I don’t write code as fast as I used to, but overall I’m a much more productive developer when I move slow.

                                                                                                                  1. 29

                                                                                                                    What was one thing that made you a faster/better developer?

                                                                                                                    …working for a company (Amazon) that treated code like a liability and encouraged solving problems with the minimum amount of it - like performing surgery with the minimum number of incisions.

                                                                                                                    1. 4

                                                                                                                      treat[…] code like a liability

                                                                                                                      Preach.

                                                                                                                      @pab: Go sit down with whoever does operations for your team/org/company and watch how they work. You’ll learn why those tools written in the 70s are still on your laptop today, and how you can use them to solve some problems much faster and more reliably than other developers on your team can :)

                                                                                                                    2. 8

                                                                                                                      Velocity is a by-product of quality. And quality only comes when you think deeply about what you’re building, which requires that you escape the frenetic move fast and break things ideology.

                                                                                                                      Aim to write code that’s good enough not to return to unless requirements change. Because then you can focus deeply on the next thing at hand.

                                                                                                                      1. 3

                                                                                                                        First of all, equating “points” with “value” is a big and common fallacy you should reject

                                                                                                                        Don’t tell me—tell my manager! 😉

                                                                                                                        In all seriousness, the things you are suggesting sound like they’re outside the scope of my job role (the things you listed are normally dictated down to me). Perhaps taking on more responsibility or pushing back may unlock some knowledge?

                                                                                                                      1. 6

                                                                                                                        The proc file system is great for all kinds of stuff, like determining where a process is in reading a file:

                                                                                                                        https://gitlab.com/snippets/1757653

                                                                                                                        Super useful when you have a process reading a massive file with no indication of progress.

                                                                                                                        1. 3

                                                                                                                          cp /proc/$pid/fd/$fd /tmp/important.conf is a classic sysadmin trick that I’ve actually used precisely one time to great applause (okay, extremely moderate appreciation).
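The two /proc tricks from the comments above (read progress from the file offset, and open files that outlive their directory entry), as an added example that is not part of the thread or of the linked snippet. It reads the `pos` and `flags` fields of `/proc/<pid>/fdinfo/<fd>` on Linux; the function names and the sample fdinfo text are constructed for illustration.

```python
import os
import stat
import sys

# Constructed sample of /proc/<pid>/fdinfo/<fd> content (not from a real host).
SAMPLE_FDINFO = "pos:\t1048576\nflags:\t0100000\nmnt_id:\t29\nino:\t1234\n"


def parse_fdinfo(text):
    """Parse the 'key:<tab>value' lines of an fdinfo file into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def access_mode(flags_octal):
    """Decode the access mode from the octal 'flags' field (low two bits on Linux)."""
    return {0: "r", 1: "w", 2: "rw"}.get(int(flags_octal, 8) & 0o3, "?")


def fd_progress(pid, fd):
    """Return offset, size and percent done for one descriptor of a process."""
    link = f"/proc/{pid}/fd/{fd}"
    target = os.readlink(link)
    with open(f"/proc/{pid}/fdinfo/{fd}") as fh:
        info = parse_fdinfo(fh.read())
    # stat() through the /proc link reaches the open file itself, so it still
    # works after the path was unlinked (the reason the cp trick works).
    st = os.stat(link)
    regular = stat.S_ISREG(st.st_mode)
    pos = int(info["pos"])
    size = st.st_size if regular else None
    return {
        "fd": int(fd),
        "target": target,
        "mode": access_mode(info["flags"]),
        "pos": pos,
        "size": size,
        "percent": round(100.0 * pos / size, 1) if size else None,
        # A regular file with no remaining links is open but deleted.
        "deleted": regular and (st.st_nlink == 0 or target.endswith(" (deleted)")),
    }


def list_fds(pid):
    """Collect fd_progress() for every descriptor we are allowed to inspect."""
    rows = []
    for name in sorted(os.listdir(f"/proc/{pid}/fd"), key=int):
        try:
            rows.append(fd_progress(pid, name))
        except OSError:
            continue  # descriptor closed in the meantime, or permission denied
    return rows


if __name__ == "__main__":
    # Usage: python3 fdprogress.py <pid>   (defaults to this process)
    pid = sys.argv[1] if len(sys.argv) > 1 else os.getpid()
    for row in list_fds(pid):
        pct = "-" if row["percent"] is None else f"{row['percent']}%"
        flag = " [deleted]" if row["deleted"] else ""
        print(f"{row['fd']:>4} {row['mode']:<2} {row['pos']:>12} {pct:>7} {row['target']}{flag}")
```

Inspecting another user's process needs the same privileges as the `cp` trick: the same UID or root.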

                                                                                                                          1. 1

                                                                                                                            I recently found that one could actually see all the fd’s a process is using, and now I am seeing this; it’s so cool. I read a lot about “use strace, use ptrace”; when do you actually use these? I work on small C projects and don’t really know when I should be using them.

                                                                                                                            1. 2

                                                                                                                              A few times recently I’ve wanted to know why a process wasn’t working properly. Looking at my bash history, I have run strace startx and strace openssl s_client -host rout.nz -port 443. If I remember correctly, I wanted to see the log output from startx which wasn’t being written to disk properly, and I wanted to see where openssl was looking for certificates.

                                                                                                                              Both times I’m pretty sure I ran strace then grepped for things like open(, read(3 and write(3. There are probably better ways of doing this, but they worked for me both times.

                                                                                                                            1. 6

                                                                                                                              A little more convincing: if you correlate with just “fifa”, the peaks do align. (And there are “fifa” spikes in the last week of June that are 10x bigger, and don’t align with “web” anything). Good reminder as to what’s really popular outside our expanding tech bubble.

                                                                                                                              1. 4

                                                                                                                                Wow, it’s the kind of thing that puts our little web development bubble into perspective. Just searches for a single web app are enough to swamp the numbers for “web app” in general :|

                                                                                                                                1. 3

                                                                                                                                  Why does FIFA popularity increase every September?

                                                                                                                                  1. 8

                                                                                                                                    Like most sports franchise games, a new iteration is released annually, and in FIFA’s case it is released around September: typically $59.99 gets you minor gameplay and graphics updates, maybe a new gameplay mode nobody really cares about, and (most importantly) you get new player and team adjustments.

                                                                                                                                    Why is it released in September? Players are free to move from club to club during transfer windows which are only open twice per season — and the leagues most people play and follow (England, Spain, most European leagues) close mid to late August. So this gives the developer time to handle any late transfers and set the rosters before release time.

                                                                                                                                    Whether or not this is why “web app” spikes I’m not sure. But that’s why FIFA spikes in September.

                                                                                                                                    1. 2

                                                                                                                                      Ah, thanks for explaining! I didn’t know that.

                                                                                                                                  2. 1

                                                                                                                                    Wow, I think that’s it!

                                                                                                                                  1. 9

                                                                                                                                    Current job (small team):

                                                                                                                                    • Commit and push changes
                                                                                                                                    • Concourse CI picks those changes up and
                                                                                                                                      1. if they’re not tagged, it runs the unit tests and stops
                                                                                                                                      2. if they’re tagged, it runs the unit tests and continues
                                                                                                                                    • It builds docker images and pushes them to ECR
                                                                                                                                    • It deploys those images to ECS in the staging environment
                                                                                                                                    • We monitor the changes in staging (metrics are scraped by Prometheus w/ graphing from Grafana)
                                                                                                                                    • If everything looks good in staging we push a button in Concourse to send the images to ECS in the prod environment

                                                                                                                                    Concourse build pipeline definition, tasks and scripts are defined in the repo and infra is managed with Terraform (which Concourse runs). It took me about three days to set everything up and it has been running smoothly ever since (~6 months).

                                                                                                                                    To roll back, we just re-run older deployment jobs.

                                                                                                                                    We don’t have a dedicated QA team. Everyone tests their own changes or asks someone else on the team for help and we have an extensive unit test suite.

                                                                                                                                    Side projects (just me):

                                                                                                                                    • ./scripts/deploy runs tests and deploys either to GAE or Heroku and that’s it.
                                                                                                                                    1. 1

                                                                                                                                      Same, but Jenkins and Datadog. It just works.

                                                                                                                                      1. 2

                                                                                                                                        Oh, using the tags to decide whether to deploy or not is a niiiice idea, I’ll steal it.

                                                                                                                                    1. 2

                                                                                                                                      Quote from Wikipedia:

                                                                                                                                      An enumeration is a complete, ordered listing of all the items in a collection.

                                                                                                                                      Could someone enlighten me on this? What the article describes doesn’t seem like a “complete listing”.

                                                                                                                                      1. 3

                                                                                                                                        To enumerate can also mean “to build a list” which is closer to this usage, but I’d agree it was used imprecisely.

                                                                                                                                        I’d prefer calling this a username oracle attack!

                                                                                                                                        1. 4

                                                                                                                                          A couple decades late I think. Guess and check attacks have been called enumeration for quite a while.

                                                                                                                                          1. 2

                                                                                                                                            it’s never too late to ~~tilt at windmills~~ encourage precise speech!

                                                                                                                                            Legitimately though - good to know this is common parlance in the security community.

                                                                                                                                          2. 2

                                                                                                                                            Given enough time (possibly heat death of the universe scales) this method could create a full enumeration.

                                                                                                                                          3. 1

                                                                                                                                            It could be seen as a complete listing, if the “collection of usernames” isn’t interpreted to be the collection of all usernames the server has, but rather all usernames the attacker cares about.

                                                                                                                                          1. 3

                                                                                                                                            Trivia related to computer graphics + early Linux: Bruce Perens was the leader of Debian for a while, and also worked at Pixar for 12 years.

                                                                                                                                            I assume that Pixar was an early adopter of Linux, because otherwise they would have to pay commercial OS licensing fees for the hundreds / thousands of machines they used to render movies.

                                                                                                                                            Although I read Ed Catmull’s recent book and I don’t think he mentioned Linux? That book did mention the NYIT graphics lab.

                                                                                                                                            https://en.wikipedia.org/wiki/Bruce_Perens

                                                                                                                                            https://en.wikipedia.org/wiki/New_York_Institute_of_Technology_Computer_Graphics_Lab

                                                                                                                                            1. 2

                                                                                                                                              I vaguely recall some news around 2003 (I think it was) about Pixar switching from Sun to Intel hardware, and porting RenderMan.

                                                                                                                                              1. 1

                                                                                                                                                Sun? I know they bought a ton of SGI Octanes for Toy Story.

                                                                                                                                                1. 3

                                                                                                                                                  found this: https://www.cnet.com/news/pixar-switches-from-sun-to-intel/
                                                                                                                                                  May have been what I was recalling.

                                                                                                                                                  Maybe they used SGI before that?

                                                                                                                                                  1. 1

                                                                                                                                                    Cool! I didn’t know that.

                                                                                                                                                    You are probably right - buying SGI in the 2000s isn’t likely a smart move ;)

                                                                                                                                                  2. 2

                                                                                                                                                    This story said they used SGI for desktops and Suns for rendering.

                                                                                                                                                    Also for @trousers.

                                                                                                                                                    1. 2

                                                                                                                                                      This story said they used SGI for desktops and Suns for rendering.

                                                                                                                                                      Also for @trousers.

                                                                                                                                                      They used Suns for trousers? Sparc64 pants? A novel usecase for sure. ;)

                                                                                                                                                      I kid, I kid. Thanks for the link. :)

                                                                                                                                                      1. 3

                                                                                                                                                        They were rendering them in the movie. Had to get accurate lighting, ruffling, and so on. Geek producing it spent so much on the hardware they couldnt afford all the actors. Show got cancelled.

                                                                                                                                                        Many investors now suspect the Trouser Tour documentary was a ruse devised so the producer could play with a bunch of SGI and Sun boxes. Stay tuned for updates.

                                                                                                                                              1. 6

                                                                                                                                                Like with voting, this is a scenario where adding technology, esp Internet-enabled, is just a bad idea. The less tech (and potential attacks) the better. The best ways to do espionage were those in the Cold War with people, drops, and ways of hiding stuff in other stuff. If distance is a problem, then burst radio was the best way to do it. There’s still spies being caught in the U.S. using radio. It’s probably a safe route for Chinese spies if the NSA and its wireless partners still haven’t clamped down on it domestically.

                                                                                                                                                Additionally, they could just put the files encrypted in online storage from a random, hot spot. Then, send a coded version of the link via the shortwave, hidden message in mail, or drop.

                                                                                                                                                1. 5

                                                                                                                                                  I couldn’t help but compare this to the Russian(?) operatives who were communicating via coded comments on a particular Britney Spears instagram post.

                                                                                                                                                  1. 4

                                                                                                                                                    This reminded me of the number stations, broadcast on short wave. Its reasonable for any civilian to have a radio and the broadcasts can be encoded with any book freely available from a library.

                                                                                                                                                    When it comes to keeping hidden, low tech is best tech.

                                                                                                                                                    1. 4

                                                                                                                                                      the broadcasts can be encoded with any book freely available from a library

                                                                                                                                                      Running key ciphers are bad tradecraft, use one time pads ;)

                                                                                                                                                    2. 2

                                                                                                                                                      Internet monitoring has gotten terrifyingly powerful - although it’s worth noting that the article doesn’t say that the Chinese found the communication channel, only that they escalated their access a lot once they’d found the channel in the first place - but radio monitoring has also advanced, with cheap and powerful software-/FPGA-defined radio and very powerful post-processing. How sure are you that radio is a good option?

                                                                                                                                                      1. 2

                                                                                                                                                        @c12 has the right idea. There’s both burst transmission and number stations being used by spies in the US. Goes back to Cold War at least. Watching the prosecutions, we rarely see anyone get caught with that method described despite NSA operating the largest array of SIGINT collection in existence. That means they’re letting spies they know about continue to operate (eg poisoned intel) or they can’t find them.

                                                                                                                                                        I’m thinking it’s the latter. If it’s analog radio, they also can’t remotely hack it like they might try with a cellphone or computer.

                                                                                                                                                    1. 10

                                                                                                                                                      It’s all about the threat model, right?

                                                                                                                                                      If you’re worried about the NSA intercepting your DNS traffic, we don’t have any good solution today - I’m guessing that the only real difference between ISP DNS and DNS over Tor (if you’d be crazy enough to use it) is hiding in a big crowd and hiding in a very tiny, heavily watched crowd… your traffic will be monitored either way. I’m really hoping for this “Russian alternate DNS” that’s heavily be-FUDded to launch and allow some level of encrypted access for non-Russian citizens, as I think NickP’s antagonistic jurisdiction model is the only real chance we have.

                                                                                                                                                      If you’re worried about leaking data to big businesses, Cloudflare has a ton of it anyway as they host so many endpoints. But being able to pull them out of the loop sure would be an improvement.

                                                                                                                                                      This definitely solves the script kiddie in the coffee shop attack though, which seems to be the only traffic interception risk we can seem to get meaningful traction against, so hey - that’s a win.

                                                                                                                                                      1. 5

                                                                                                                                                        Seems to be some kind of viewport issue on iOS / Safari: text on the left and right is clipped off:

                                                                                                                                                        https://imgur.com/a/kl9P6PG

                                                                                                                                                        1. 4

                                                                                                                                                          I have the same issue on mobile chrome.

                                                                                                                                                          1. 1