Yes, I regularly remove stories that seek customer service via public shaming. I don’t want Lobsters used to whip up a mob in an outrage and direct them at targets. It always feels righteous at first and becomes an awful tool for abuse.
I don’t think it’s right to call this a post seeking customer service. It’s a post calling attention to a policy change made by Automattic that immediately affected the privacy of all Tumblr users, and all Wordpress.com users. Users of those platforms have to revoke the consent that Automattic assumed it had - wrongly, in the view of OP. Is that outwith the scope of Lobsters?
tumblr & WordPress posts were already being scraped by AI companies, just like the rest of the public Internet, and users had no control over it.
Automattic just gave control to users, allowing them to increase privacy. The opt-in nature means there is no change in behavior unless the user chooses to take action, which seems reasonable to me.
It is explicitly opt-out, not opt-in. The original post rightly flagged this as a problem of the platform assuming user consent.
Content scraping is already happening, yes, but as SoapDog said below, Automattic is directly profiting from this sale of data, and that data originally dumped by Tumblr included private and deleted posts, not just public ones. It’s unclear whether this was given to OpenAI.
As far as I am aware, it is “opt out” and not “opt in” and that is quite different. Also, the posts being scrapped by AI companies harvesting the Web is already a problem, but then the problem is with the AI companies. Automattic PROFITTING from users content by packaging it and selling it without consent is even worse and makes it their problem.
The opt-in nature means there is no change in behavior
What opt-in nature are you referring to? The post is complaining about Automattic creating a new default: selling your data directly to AI companies, without compensating you, unless you explicitly opt out. Sure, for most sites, AI scrapers could do that anyway just by ignoring your robots.txt, as always. But there doesn’t seem to be any opt-in facet to this change that I can see.
There is no change in behavior by default: your data was scraped by AI companies before, and it still is. The change is that you are now allowed to opt out. That sounds positive to me.
Before, only your public data was being scraped by AI companies. I believe that public data will continue to be scraped by AI companies regardless of whether you use automattic’s opt-out mechanism. It’s public, after all.
Now, automattic is offering those AI companies more of your data. And they will share that by default unless you opt out.
If all of the data you share with automattic is public, it seems like no change to me.
If some of the data you share with automattic is not public, it sounds like a significant downgrade to need to opt out.
Grabbed the link from the moderation queue to see what the fuss was about.
The post was not asking for customer service, but instead the change in said service was the catalyst for discussing a broader issue in Customer-Generated content and policy surrounding it.
For those wondering, a summary of the article: “Opt-out isn’t a good model when it comes to handling scrapers and similar, and in continuing to legitimize this behavior, companies that engage in this are eroding the discussion around the consent of a company’s handling of customer data. Automattic has decided to engage in this behavior, and I happen to pay Automattic to host my blog, but the issue is far greater and I felt the need to speak on it.”
This is voicing displeasure with a policy change and UX dark-patterns that enable technical actions which are not always in the better interests of users/customers/etc. This is not “uwu automattic locked me out of my tumblr for women offering plumbing supplies they suck go beat on their door”, it’s a discussion on “just how much leeway does a company have on the data that they store for a customer and when is it better to ask permission rather than require explicit disapproval?”
Why might companies make a policy change like this?
What engineering can we do to better allow for consent in a profit-seeking context?
Is there a fundamental mismatch between what users say they want, what users actually use, and what a reasonable implementation of consent looks like?
What are past examples, going back years, of violating (or manufacturing, to use an old phrase) consent by these companies? Is it truly just a recent thing?
The blogpost doesn’t really do any of those things, and certainly not at a level beyond the most simple, knee-jerk, and facile.
I am unaware of lobste.rs enforcing such criteria in the past or having a general rule against “screeds”. There’s even a rant tag. And plenty of “simple, knee-jerk and facile” posts show up here and don’t get removed.
So I think you will need to find a better argument against the post in question.
My argument there is not with the submission (though I complain about that elsewhere), but with the comment I’m replying to: the comment is claiming that the post is a discussion, I claim the post is merely a screed–and not a particularly good one at that–and give some examples of what would elevate it.
By the way, the rant tag also has some effects that hint that it isn’t the preferred content here:
(from rant description) Hotness modifier -0.25 (lowers a story’s rank). Tag is not permitted on stories submitted by new users.
Some good rants make it through of course.
And plenty of “simple, knee-jerk and facile” posts show up here and don’t get removed.
The article in question seems very relevant and educational to the Lobste.rs community given the tech industry’s poor understanding of consent and widespread abusive practices around user data.
As far as I know, based on logic and personal experience, the tech industry understands consent quite well. Decisions to make things opt-out are not accidental. It’s a business decision made in consultation with legal, based on a desired outcome. There’s no technical question, and I doubt this is a surprising situation to anyone involved in implementing an opt-out like this.
IMO you provide an excellent example. You are confusing “do I have consent?” with “is it legal?”.
Their users consented to use of their data for providing blogging services. Selling that data to a 3rd party for other, unrelated reasons is unethical because the user did not know about this possible use when they signed up for the service. It’s unethical to automatically opt them in.
You are confusing “do I have consent?” with “is it legal?”.
I don’t think he was. From what I’m reading, he was politely saying that those tech businesses deliberately ignore consent, and instead just look at money and law. Cynicism, not incompetence.
Now if I were asked to implement that kind of opt-out dark pattern, I would definitely consider answering “sorry, find someone else”. I could afford it right now.
I totally get that. I trust that is exactly the discussion that business had with legal (and corporate comms and marketing and government affairs). And the only technical option you have in this situation is to find another job. So while this is a completely valid and necessary topic, it doesn’t seem (to me) like Lobsters is the right place for it.
I agree. There’s no technical difficulty in making something “opt-in” instead of “opt-out”, and a discussion of why opt-in is better isn’t technical and isn’t going to make me a better programmer.
If, hypothetically, some open-source project announced tomorrow – Thursday – that as the Next Chapter of their Exciting Open Source Journey they’re switching to BSL or another “source available” license in order to better monetize the project, and
If, hypothetically, I were to write and publish a blog post the following day – Friday – talking about the philosophy and ethics of Free Software and Open Source and condemning such switches, and calling on people to vote with their wallets by ceasing use of such a project, then
Would you remove that post from lobste.rs?
I ask because so far as I can tell, such a post would not differ in form or aims from the removed post under discussion, yet posts which couch “customer service complaints” or “business news” in even the thinnest possible framing of being about FLOSS licensing and licensing ethics don’t seem to get removed the way this one did. Heck, sometimes just the pure “business news” of a license change announcement is left up as apparently on-topic.
And to register a personal opinion, I think the post being discussed here was more on-topic for lobste.rs – if viewed through the lens of “pertains to computing” – than licensing slapfight threads typically are. I also think the post being discussed here was on-topic for lobste.rs and should not have been removed.
You’re right that your article isn’t seeking customer service, but I do think that the second part of @pushcx’ comment - “I don’t want Lobsters used to whip up a mob in an outrage and direct them at targets” - is a valid choice. It’s not the choice you made for your (excellent!) blog, but I don’t think @pushcx is making an invalid choice for Lobsters.
I’d already read your article via Mastodon, and liked it - and while I agree your article is not a request for customer service, I do think one could reasonably call it advocacy.
I do hope that you’ll continue to find value in Lobsters regardless of the outcome of this thread; I’ve enjoyed reading your comments here (as well as your blog), and I wish you the very best.
I am curious to know what you think of my analogy to posts about companies doing license changes, which to me are largely indistinguishable in form from the removed post under discussion here, but somehow are still allowed (despite being “business news” and not “pertaining to computing” and often being used to “whip up a mob” and “direct them at targets”).
It might be relevant that changes to blogging platforms affect authors more broadly, while license changes affect developers in particular. Lobsters caters to both to a degree, but more to the latter than the former.
Automattic is a store of data, they also have the details for those that are affected by the decisions done (and directly inform the users). All users are implicitly at the mercy of any changes in ToS, and must respond / care / etc within a reasonable amount of time.
A codebase’s only transaction with users is when those users acquire the code, at that time they can check the license and decide how they feel about it. They only need to check the license when acquiring the code, no other time. There is no mechanism to convey this information to the users otherwise. And it does not apply within a reasonable amount of time either.
There’s also a privacy tag here for use and abuse of one’s data – not even necessarily one’s confidential data. See, for example, threads about people leaving GitHub to avoid having their code used for things like Copilot.
So I still don’t see a meaningful difference between the post being discussed here, and many things which have gone un-removed in the past.
(First: I really appreciated your post. I was a bit out of the loop because of other things eating my attention lately, and your post did a great job of both catching me up on things I’d seen on fedi but hadn’t carefully read yet, and contextualizing the underlying consent issues. Thank you for writing that.)
It clearly wasn’t seeking customer service, but if the mod message had said “lobste.rs is not your torch and pitchfork outlet” instead, I’m not sure I’d have batted an eye. And the two messages are really mostly equivalent, IMO.
I have no power here; I simply like this place and enjoy many of the discussions that can be had here. But I don’t really feel that this site is a good place to discuss your (IMO excellent) post. It could draw a good discussion here, but it could also (more likely, IMO) draw a really terrible one. The only reason I wish it got left up on the page is because I really feel the points you made need a signal boost in the industry.
But I’m pretty sure that I’d have needed to hit “hide” on the comments to avoid being drawn into a flame war.
Thanks for all you write. I always learn something when I read it.
While I agree with the moderation decision, I was wondering if you would be open to rewording the mod messages in a more compassionate manner? I think they are a little abrasive, and the wording might be the reason why folks are getting upset.
Additionally, while all of the moderation actions are transparent, I think the guidelines for posting are difficult to find. They are buried under “tags and topicality” on the About page, mixed in with information about how the tagging and ranking system works. The orange site has a clear set of guidelines that one can find linked on the bottom of the site.
Thanks, this is all really good points. The About page started as a post about technical features and it really wasn’t clear what was happening in that section after years of edits. I’ve lifted the topicality info up to a top-level section titled Guidelines and expanded it with sections on the site climate (where I’ve tried to capture the site’s vibe in positive terms rather than a list of “do not”s), this topic of brigading, and self-promo. I took this language from the mod log, hatted comments/DMs, and meta threads, and I’ll need to do a comprehensive review of those at some point to flesh things out. I hope folks will suggest things I’ve missed or could’ve explained better; I’m particularly not satisfied that I had to handwave a bit about where to draw a line on brigading and would like to do better than this slightly “know it when I see it”.
I’ll try to echo this less frustrated language in future mod messages, or otherwise make those clearer and more actionable. Thanks for the criticism.
@pushcx does almost all the moderation, there’s a lot of it, and the aggregate result is good, and that’s why we’re all here.
If there’s any discussion to be had, I’d suggest it’s what features should be implemented to allow the community to in some way vote for reconsideration.
And then maybe someone who wants to could implement it. I definitely don’t feel like this is something that needs to change.
I appreciate the vote of confidence, but that’s a little reductive. I have previously made mistakes and am not perfect now, so meta discussions are useful. If it’s useful for this one, here’s a list of all stories removed like this one (not pasted inline for length).
On the topic of reconsideration, people have messaged me or occasionally started meta threads. The second query on that gist lists all undeleted stories.
If there’s any discussion to be had, I’d suggest it’s what features should be implemented to allow the community to in some way vote for reconsideration.
I’m not in creative mode today, so I’ll just point out: HN has a [vouch] feature for things other users flagkill. Maybe there’s some inspiration to be found there?
I don’t think so - have you seen the state of that place? “Lobsters is focused pretty narrowly on computing.” works great. Keeping the focus specifically on technology and it’s application to engineering problems, with minor wiggle room, is a factor with strong influence on the quality of submissions on this site.
Yes and whilst the comment sections do tend towards the abhorrent on occasion, HN is much more useful to me than Lobsters because it has a wider range of topics posted on any given day. As a software developer, I am (and should be!) interested in business ethics, the politics of software, etc. and a place which has those links is going to get more of my time, even if I had to wade carefully.
It’s nice that the Internet is large enough that someone like you, who benefits more from a broad range of topics, and someone else who benefits from a narrow focus on computing both have sites that fulfill their particular needs, without needing to force either side to conform to the other’s mileau.
Mmm… while I overall enjoy lobsters, I’ve grown fairly annoyed with the content policy (or lack of a clearly defined one) and many of the moderation decisions. This has been a point of frustration for years for me, and is why I don’t end up participating more.
In essence the KEM construct can be used with any asymmetric algorithm, however depending on the properties of the asymmetric algorithm the way to implement the KEM might differ (in order to have it secure).
However, I wonder if the “BetterKEM” construct is universal and can be used with all (existing) asymmetric algorithms?
(This what follows is not a critique of the article, but of the standards and general research in this field.)
The issue that annoys me with applied cryptography in general is that most cryptographers focus too much on efficiency, and thus most “standardized” constructs are quite “bizarre” and hard to understand the “why?”. However, perhaps more problematic, is that these constructs aren’t portable between different algorithms; what works in one context is completely broken in the other.
For example, RSA-KEM (the standard one) doesn’t seem to translate to Kyber-KEM. However (and I say “if” because I can’t assess this myself), if the “BetterKEM” you’ve highlighted would apply to Kyber, then why don’t cryptographers just choose to standardize that? It would simpler for everybody involved.
Then, if one needs to employ multiple asymmetric algorithms (say RSA or X25519 with Kyber), then have each of its KEMs do the binding to their public keys, and hash the concatenations of the results (i.e. hybrid-r2 = hash(X25519-KEM-r2 || Kyber-KEM-r2); indeed it’s wasteful in terms of CPU cycles but it’s so much simpler to implement and most importantly test and verify.
BTW, @soatok, I closely follow your blog because most of your articles tackle cryptographic problems from a practical applied point of view. Thanks for writing these articles!
However, I wonder if the “BetterKEM” construct is universal and can be used with all (existing) asymmetric algorithms?
For example, RSA-KEM (the standard one) doesn’t seem to translate to Kyber-KEM. However (and I say “if” because I can’t assess this myself), if the “BetterKEM” you’ve highlighted would apply to Kyber, then why don’t cryptographers just choose to standardize that? It would simpler for everybody involved.
The reason has less to do with cryptographers and more to do with standards organizations (with a few practical arguments).
Most cryptography that any of us uses in our day-to-day is transport-layer; i.e., TLS, Quic, SSH.
TLS 1.3+ (which is where PQ crypto is going to land) uses full transcript hashing in its KDF. Adding more context to the underlying primitive is, from this perspective, a duplication of effort.
The ongoing debate on the CFRG touches on this stuff, although it is admittedly a bit hard to follow.
What it doesn’t touch on: NIST and the IETF are so heavily over-indexed on the TLS use-case that they basically ignored the possibility of non-interactive key exchanges for the immediate future. Fortunately, ML-KEM can be used with static public keys.
If this oversight was corrected, it’s probable that they would prioritize differently.
Most cryptography that any of us uses in our day-to-day is transport-layer; i.e., TLS, Quic, SSH.
Indeed, but most of us also use (directly or behind the scenes) encryption, password managers, backup systems, etc. all of which do resort to “at-rest-encryption”, and because we are lacking actual best practices, we end up with broken and compromised systems.
For example NaCl / libsodium is one of the few libraries that actually try to provide developers with useful and safe constructs. (Unfortunately these two libraries only cover a limited set of use-cases, and sometimes they are either too low-level or too high-level for certain use-cases.)
TLS 1.3+ (which is where PQ crypto is going to land) uses full transcript hashing in its KDF. Adding more context to the underlying primitive is, from this perspective, a duplication of effort.
Perhaps. But, if they would have used some generally available building blocks (say something that OpenSSL / LibreSSL / libsodium / etc. provides out-of-the-box as ready-to-use constructs), then perhaps we wouldn’t have so many broken TLS implementations…
If I could put things from another perspective: at the moment cryptography is where computer-science was before general-purpose programming languages were introduced – we only have assembler (our low-level raw cryptographic primitives) and each application (our protocols) is custom built one-instruction-after-another for a particular use-case; there are no reusable libraries in sight (i.e. higher-level cryptographic building-blocks).
Indeed. I have some projects I’m exploring with my current employer to help bridge the gap between low-level building blocks and higher-level reusable components, but it will be a while before anything gets released (and when it does, it probably won’t be associated with my fursona).
This is exactly the article I needed when reading “How to Hold KEMs.” I had thought due to the title, the previous submission would be more like this one and quickly was in over my head. This type of “build an intuition” material is very much appreciated by me, as it always seems cryptography assumes a pretty high level understanding of the maths behind it already. Even the, “You can’t possibly get this wrong.” style APIs still feel foreign, and are often are used wrong just due to an incorrect intuition about what is at play.
Possible typo in OversimplifiedKEM.encaps method, I’m assuming it should be return kdf(c)?
Fundamentally a lot of cryptography is very simple when you get the intuition, but when super-precise mathematical jargon gets interspersed it can be hard to gain the intuition.
Of course that jargon is important for cryptographers to convey precise notions to one another, but not great for lay-people
It would be nice to have a simpler explanation on “how to hold KEMs”, because I was able to follow only the first 25% of the article, until the “Binding properties” section, where I think I hit my knowledge limit on the subject.
(Or, if the article was not intended for general public, at least a small warning from the author would have been good.) :)
Does your post intend to imply that KEMs exist primarily as a mechanism to avoid key-padding in RSA? (I just want to make sure I’m reading it correctly). Lazyweb but the context of both posts that I didn’t understand is the relevance to post-quantum cryptography. How do KEMs fit in with that?
I feel like you can grasp ~60% of the article by simply skipping the exact details. But it would definitely be nice to have a higher level explanation of what to expect and keep in mind if you ever hear something along the lines of “we protect our stuff with KEM against post-quantum attacks”.
In essence the “KEM” construct isn’t that “magical”, it’s just a way to wrap some symmetric secret for long term storage. It is usually used with asymmetric cryptography, but I guess it can be implemented also with symmetric primitives.
However, and the topic that the article was trying to tackle, in order for these KEM constructs to be secure, they must have certain properties. (This was the part I wanted to get a more simpler explanation.)
With regard to post-quantum usage of KEMs – please note I’m not a cryptographer thus take my words more as “wishful thinking” – I personally don’t worry that much about the PQ doom… (It does certainly extract some good chunk money from the economy at the moment.)
My household is doing the holiday thing, of course, but my work for that is already done. So I’m just going to eat good food, enjoy good company, and log off the Internet for a while.
If I get bored, I’m probably going to mess with JavaScript for a neat idea I had recently, but it can wait.
Is there any particular reason why PASETO hasn’t taken off? I just see a lot of cargo cult programmers banging on about JWTs when the issues have been well publicized for a while now.
Last year, when the OpenSSL CVE came across my work inbox, I had a protracted debate about the practicality of exploiting RSA padding oracles through timing attacks. I pointed to the literature that was available at the time, which fell short a little bit, but was able to extrapolate and say, “We should stop supporting this stupid padding mode where possible”.
Being able to simply say “Oh yeah, this is vulnerable to the Marvin attack” would have saved me a lot of time.
Job-hunting while dealing with work responsibilities.
I was told two weeks ago that I have 30 days to either agree to move to Seattle (from southwest FL) or I’m out of a job. Top-down draconian mandate from the CEO.
What kind of thing are you looking for? I am going to be hiring in a few months and was planning on reaching out to you at some point to see if you had bandwidth for some consulting.
tbh it just sounds to me like you don’t have any work responsibilities to deal with anymore. Even if you stopped most of your work right now, it would likely take longer than 30 days for the wheels of bureaucracy to oust you…
Don’t listen to me unless you want though, I’m just a sheepadoodle on the interwebs.
You’re probably right, but the cryptography community is still somewhat small and I’m cautious about burning bridges. Shirking responsibilities will negatively impact people I respect, so I’m not going to do that prematurely.
Totally fair point man! Everyone’s situation is unique. I wish you good luck on the job hunt. Wish I could help give you inroads but I am very far removed from your community haha
In rustc it has remained unbeaten for years. I’ve also used it for making color histograms, and haven’t found anything better. It’s obviously biased, and too simple to work, and yet it does work!
I am working out, I am taking the right food additives that doctors recommend (I have acid reflux + small gastric problems), I am doing my best to sleep well (if I don’t do my cardio 2-3 days then I can’t sleep well and wake up early due to shortness of breath so skipping cardio is basically shortening my lifespan), I reduce phone usage, I try to take walks with my wife, etc.
But learning to cook and eat well has been my nemesis for years. I just hate the kitchen and that’s that. I gathered some advice like vacuuming ingredients for cooking (like seasoned meat that you just gotta put in the oven or in the pan) but I can’t even bring myself to do that – nor my wife can.
But this weekend I’ll just try to get some fish and season some meat and vacuum them and see if it’s really “that easy” as many YouTube videos claim. :(
May I offer a tentative suggestion of looking into slow cooked meals. They are often brutally simple, chop vege, chop meat (sometimes), put in a pot with a spice and a herb, cup of water, put on low and leave for five hours. Return to glorious hearty meal. Budget Bytes have some nice recipes.
Lowering the complexity is often a good way to start lowering your hate of the kitchen. :)
I had the same kind of suggestion as parent but with a pressure cooker if you don’t want to let it cook on slow. Also do not hesitate to grab a few cookbook or check some blog as https://www.seriouseats.com/ as a no-wanting to make a choice (select a random three recipes, that’s your grocery list and meal-plan for the week).
Thank you. We bought CrockPot some months ago, tried it 3 times and despaired – the meals were very well-cooked and melting in the mouth but somehow the taste sucked. Likely it was the seasoning.
We suck at cooking and we really should change that. :(
We really need some easy wins to get motivated. Otherwise we lose hope and stop fighting.
Thanks for the advice, it’s a valuable one. We absolutely should revisit the CrockPot.
A close friend of mine has been taking a GLP-1 agonist for about half a year now, with impressive results, they are down ~12% in body weight, which appears to be mostly from burning fat.
The main effect is that they now feel full after finishing maybe one third of their normal food portion, and get incredibly nauseous if they eat fatty/sugary foods. They had to switch to eating leaner food and more vegetables because they can’t eat anything else without getting nauseous.
Thanks a lot for the reference! Didn’t know and sounds very promising.
Do you have any links to online shops where the pills can be bought? I will go ask around in my local pharmacies but my country is pretty backwards and slow so might need to order them online.
My friend uses https://my-bmi.co.uk/ in the UK, which is an online pharmacy, but I think they only serve the UK, which can be described as backwards and slow, but I assume you mean some other country, so probably of no help to you.
Last weekend, I was in Atlanta for a furry convention. Going from sedentary for months to walking around for several hours in fursuit was a challenge that I only just feel like I’ve recovered from.
My plans for the weekend are, therefore, to keep the momentum going. (Though probably not involving a fursuit; my neighbors might be weirded out by that.)
You too? I’ve been trying to be less of a lazy nerd sitting all day. My standing desk has helped a lot and I try to walk to the drugstore whenever I need something from there. Keep at it!
Yes, I regularly remove stories that seek customer service via public shaming. I don’t want Lobsters used to whip up a mob in an outrage and direct them at targets. It always feels righteous at first and becomes an awful tool for abuse.
I don’t think it’s right to call this a post seeking customer service. It’s a post calling attention to a policy change made by Automattic that immediately affected the privacy of all Tumblr users, and all Wordpress.com users. Users of those platforms have to revoke the consent that Automattic assumed it had - wrongly, in the view of OP. Is that outwith the scope of Lobsters?
tumblr & WordPress posts were already being scraped by AI companies, just like the rest of the public Internet, and users had no control over it.
Automattic just gave control to users, allowing them to increase privacy. The opt-in nature means there is no change in behavior unless the user chooses to take action, which seems reasonable to me.
It is explicitly opt-out, not opt-in. The original post rightly flagged this as a problem of the platform assuming user consent. Content scraping is already happening, yes, but as SoapDog said below, Automattic is directly profiting from this sale of data, and that data originally dumped by Tumblr included private and deleted posts, not just public ones. It’s unclear whether this was given to OpenAI.
As far as I am aware, it is “opt out” and not “opt in” and that is quite different. Also, the posts being scrapped by AI companies harvesting the Web is already a problem, but then the problem is with the AI companies. Automattic PROFITTING from users content by packaging it and selling it without consent is even worse and makes it their problem.
What opt-in nature are you referring to? The post is complaining about Automattic creating a new default: selling your data directly to AI companies, without compensating you, unless you explicitly opt out. Sure, for most sites, AI scrapers could do that anyway just by ignoring your robots.txt, as always. But there doesn’t seem to be any opt-in facet to this change that I can see.
Naturally, for public posts, even if users choose to opt-out, their stuff still gets scraped unless they also pay-wall or login-wall the material. But it sounds like automattic is selling more than that unless you proactively opt out.
So I don’t see how Automattic is increasing control or privacy so far… can you elaborate more?
Sorry, that was a typo; I meant opt-out.
There is no change in behavior by default: your data was scraped by AI companies before, and it still is. The change is that you are now allowed to opt out. That sounds positive to me.
Before, only your public data was being scraped by AI companies. I believe that public data will continue to be scraped by AI companies regardless of whether you use automattic’s opt-out mechanism. It’s public, after all.
Now, automattic is offering those AI companies more of your data. And they will share that by default unless you opt out.
If all of the data you share with automattic is public, it seems like no change to me.
If some of the data you share with automattic is not public, it sounds like a significant downgrade to need to opt out.
tumblr in particular doesn’t really have non-public content (unless there’s some option I’ve never discovered in the 12 years I’ve been using it.)
Grabbed the link from the moderation queue to see what the fuss was about.
The post was not asking for customer service, but instead the change in said service was the catalyst for discussing a broader issue in Customer-Generated content and policy surrounding it.
For those wondering, a summary of the article: “Opt-out isn’t a good model when it comes to handling scrapers and similar, and in continuing to legitimize this behavior, companies that engage in this are eroding the discussion around the consent of a company’s handling of customer data. Automattic has decided to engage in this behavior, and I happen to pay Automattic to host my blog, but the issue is far greater and I felt the need to speak on it.”
This is voicing displeasure with a policy change and UX dark-patterns that enable technical actions which are not always in the better interests of users/customers/etc. This is not “uwu automattic locked me out of my tumblr for women offering plumbing supplies they suck go beat on their door”, it’s a discussion on “just how much leeway does a company have on the data that they store for a customer and when is it better to ask permission rather than require explicit disapproval?”
It’s a screed, not a discussion.
A discussion would include things like:
The blogpost doesn’t really do any of those things, and certainly not at a level beyond the most simple, knee-jerk, and facile.
I am unaware of lobste.rs enforcing such criteria in the past or having a general rule against “screeds”. There’s even a
ranttag. And plenty of “simple, knee-jerk and facile” posts show up here and don’t get removed.So I think you will need to find a better argument against the post in question.
Your reading of my comment is incorrect.
My argument there is not with the submission (though I complain about that elsewhere), but with the comment I’m replying to: the comment is claiming that the post is a discussion, I claim the post is merely a screed–and not a particularly good one at that–and give some examples of what would elevate it.
By the way, the
ranttag also has some effects that hint that it isn’t the preferred content here:Some good rants make it through of course.
As do some bad ones.
The article in question seems very relevant and educational to the Lobste.rs community given the tech industry’s poor understanding of consent and widespread abusive practices around user data.
As far as I know, based on logic and personal experience, the tech industry understands consent quite well. Decisions to make things opt-out are not accidental. It’s a business decision made in consultation with legal, based on a desired outcome. There’s no technical question, and I doubt this is a surprising situation to anyone involved in implementing an opt-out like this.
IMO you provide an excellent example. You are confusing “do I have consent?” with “is it legal?”.
Their users consented to use of their data for providing blogging services. Selling that data to a 3rd party for other, unrelated reasons is unethical because the user did not know about this possible use when they signed up for the service. It’s unethical to automatically opt them in.
I don’t think he was. From what I’m reading, he was politely saying that those tech businesses deliberately ignore consent, and instead just look at money and law. Cynicism, not incompetence.
Now if I were asked to implement that kind of opt-out dark pattern, I would definitely consider answering “sorry, find someone else”. I could afford it right now.
I totally get that. I trust that is exactly the discussion that business had with legal (and corporate comms and marketing and government affairs). And the only technical option you have in this situation is to find another job. So while this is a completely valid and necessary topic, it doesn’t seem (to me) like Lobsters is the right place for it.
I agree. There’s no technical difficulty in making something “opt-in” instead of “opt-out”, and a discussion of why opt-in is better isn’t technical and isn’t going to make me a better programmer.
As I write this, it’s Wednesday in my time zone.
If, hypothetically, some open-source project announced tomorrow – Thursday – that as the Next Chapter of their Exciting Open Source Journey they’re switching to BSL or another “source available” license in order to better monetize the project, and
If, hypothetically, I were to write and publish a blog post the following day – Friday – talking about the philosophy and ethics of Free Software and Open Source and condemning such switches, and calling on people to vote with their wallets by ceasing use of such a project, then
Would you remove that post from lobste.rs?
I ask because so far as I can tell, such a post would not differ in form or aims from the removed post under discussion, yet posts which couch “customer service complaints” or “business news” in even the thinnest possible framing of being about FLOSS licensing and licensing ethics don’t seem to get removed the way this one did. Heck, sometimes just the pure “business news” of a license change announcement is left up as apparently on-topic.
And to register a personal opinion, I think the post being discussed here was more on-topic for lobste.rs – if viewed through the lens of “pertains to computing” – than licensing slapfight threads typically are. I also think the post being discussed here was on-topic for lobste.rs and should not have been removed.
There is nothing about this seeking “customer service”, Peter.
You’re right that your article isn’t seeking customer service, but I do think that the second part of @pushcx’ comment - “I don’t want Lobsters used to whip up a mob in an outrage and direct them at targets” - is a valid choice. It’s not the choice you made for your (excellent!) blog, but I don’t think @pushcx is making an invalid choice for Lobsters.
I’d already read your article via Mastodon, and liked it - and while I agree your article is not a request for customer service, I do think one could reasonably call it advocacy.
I do hope that you’ll continue to find value in Lobsters regardless of the outcome of this thread; I’ve enjoyed reading your comments here (as well as your blog), and I wish you the very best.
I am curious to know what you think of my analogy to posts about companies doing license changes, which to me are largely indistinguishable in form from the removed post under discussion here, but somehow are still allowed (despite being “business news” and not “pertaining to computing” and often being used to “whip up a mob” and “direct them at targets”).
It might be relevant that changes to blogging platforms affect authors more broadly, while license changes affect developers in particular. Lobsters caters to both to a degree, but more to the latter than the former.
Automattic is a store of data, they also have the details for those that are affected by the decisions done (and directly inform the users). All users are implicitly at the mercy of any changes in ToS, and must respond / care / etc within a reasonable amount of time.
A codebase’s only transaction with users is when those users acquire the code, at that time they can check the license and decide how they feel about it. They only need to check the license when acquiring the code, no other time. There is no mechanism to convey this information to the users otherwise. And it does not apply within a reasonable amount of time either.
I think they are very distinguishable.
There’s also a
privacytag here for use and abuse of one’s data – not even necessarily one’s confidential data. See, for example, threads about people leaving GitHub to avoid having their code used for things like Copilot.So I still don’t see a meaningful difference between the post being discussed here, and many things which have gone un-removed in the past.
(First: I really appreciated your post. I was a bit out of the loop because of other things eating my attention lately, and your post did a great job of both catching me up on things I’d seen on fedi but hadn’t carefully read yet, and contextualizing the underlying consent issues. Thank you for writing that.)
It clearly wasn’t seeking customer service, but if the mod message had said “lobste.rs is not your torch and pitchfork outlet” instead, I’m not sure I’d have batted an eye. And the two messages are really mostly equivalent, IMO.
I have no power here; I simply like this place and enjoy many of the discussions that can be had here. But I don’t really feel that this site is a good place to discuss your (IMO excellent) post. It could draw a good discussion here, but it could also (more likely, IMO) draw a really terrible one. The only reason I wish it got left up on the page is because I really feel the points you made need a signal boost in the industry.
But I’m pretty sure that I’d have needed to hit “hide” on the comments to avoid being drawn into a flame war.
Thanks for all you write. I always learn something when I read it.
I believe you, but note it’s indistinguishable from that. Someone could write that article or post it here with a different motive.
While I agree with the moderation decision, I was wondering if you would be open to rewording the mod messages in a more compassionate manner? I think they are a little abrasive, and the wording might be the reason why folks are getting upset.
Additionally, while all of the moderation actions are transparent, I think the guidelines for posting are difficult to find. They are buried under “tags and topicality” on the About page, mixed in with information about how the tagging and ranking system works. The orange site has a clear set of guidelines that one can find linked on the bottom of the site.
Thanks, this is all really good points. The About page started as a post about technical features and it really wasn’t clear what was happening in that section after years of edits. I’ve lifted the topicality info up to a top-level section titled Guidelines and expanded it with sections on the site climate (where I’ve tried to capture the site’s vibe in positive terms rather than a list of “do not”s), this topic of brigading, and self-promo. I took this language from the mod log, hatted comments/DMs, and meta threads, and I’ll need to do a comprehensive review of those at some point to flesh things out. I hope folks will suggest things I’ve missed or could’ve explained better; I’m particularly not satisfied that I had to handwave a bit about where to draw a line on brigading and would like to do better than this slightly “know it when I see it”.
I’ll try to echo this less frustrated language in future mod messages, or otherwise make those clearer and more actionable. Thanks for the criticism.
I am grateful that Lobsters is not an “outrage-driven” news site.
@pushcx does almost all the moderation, there’s a lot of it, and the aggregate result is good, and that’s why we’re all here.
If there’s any discussion to be had, I’d suggest it’s what features should be implemented to allow the community to in some way vote for reconsideration.
And then maybe someone who wants to could implement it. I definitely don’t feel like this is something that needs to change.
I appreciate the vote of confidence, but that’s a little reductive. I have previously made mistakes and am not perfect now, so meta discussions are useful. If it’s useful for this one, here’s a list of all stories removed like this one (not pasted inline for length).
On the topic of reconsideration, people have messaged me or occasionally started meta threads. The second query on that gist lists all undeleted stories.
I’m not in creative mode today, so I’ll just point out: HN has a [vouch] feature for things other users flagkill. Maybe there’s some inspiration to be found there?
I don’t think so - have you seen the state of that place? “Lobsters is focused pretty narrowly on computing.” works great. Keeping the focus specifically on technology and it’s application to engineering problems, with minor wiggle room, is a factor with strong influence on the quality of submissions on this site.
Yes and whilst the comment sections do tend towards the abhorrent on occasion, HN is much more useful to me than Lobsters because it has a wider range of topics posted on any given day. As a software developer, I am (and should be!) interested in business ethics, the politics of software, etc. and a place which has those links is going to get more of my time, even if I had to wade carefully.
It’s nice that the Internet is large enough that someone like you, who benefits more from a broad range of topics, and someone else who benefits from a narrow focus on computing both have sites that fulfill their particular needs, without needing to force either side to conform to the other’s mileau.
Mmm… while I overall enjoy lobsters, I’ve grown fairly annoyed with the content policy (or lack of a clearly defined one) and many of the moderation decisions. This has been a point of frustration for years for me, and is why I don’t end up participating more.
In essence the KEM construct can be used with any asymmetric algorithm, however depending on the properties of the asymmetric algorithm the way to implement the KEM might differ (in order to have it secure).
However, I wonder if the “BetterKEM” construct is universal and can be used with all (existing) asymmetric algorithms?
(This what follows is not a critique of the article, but of the standards and general research in this field.)
The issue that annoys me with applied cryptography in general is that most cryptographers focus too much on efficiency, and thus most “standardized” constructs are quite “bizarre” and hard to understand the “why?”. However, perhaps more problematic, is that these constructs aren’t portable between different algorithms; what works in one context is completely broken in the other.
For example, RSA-KEM (the standard one) doesn’t seem to translate to Kyber-KEM. However (and I say “if” because I can’t assess this myself), if the “BetterKEM” you’ve highlighted would apply to Kyber, then why don’t cryptographers just choose to standardize that? It would simpler for everybody involved.
Then, if one needs to employ multiple asymmetric algorithms (say RSA or X25519 with Kyber), then have each of its KEMs do the binding to their public keys, and hash the concatenations of the results (i.e.
hybrid-r2 = hash(X25519-KEM-r2 || Kyber-KEM-r2); indeed it’s wasteful in terms of CPU cycles but it’s so much simpler to implement and most importantly test and verify.BTW, @soatok, I closely follow your blog because most of your articles tackle cryptographic problems from a practical applied point of view. Thanks for writing these articles!
The reason has less to do with cryptographers and more to do with standards organizations (with a few practical arguments).
Most cryptography that any of us uses in our day-to-day is transport-layer; i.e., TLS, Quic, SSH.
TLS 1.3+ (which is where PQ crypto is going to land) uses full transcript hashing in its KDF. Adding more context to the underlying primitive is, from this perspective, a duplication of effort.
The ongoing debate on the CFRG touches on this stuff, although it is admittedly a bit hard to follow.
What it doesn’t touch on: NIST and the IETF are so heavily over-indexed on the TLS use-case that they basically ignored the possibility of non-interactive key exchanges for the immediate future. Fortunately, ML-KEM can be used with static public keys.
If this oversight was corrected, it’s probable that they would prioritize differently.
Indeed, but most of us also use (directly or behind the scenes) encryption, password managers, backup systems, etc. all of which do resort to “at-rest-encryption”, and because we are lacking actual best practices, we end up with broken and compromised systems.
For example NaCl /
libsodiumis one of the few libraries that actually try to provide developers with useful and safe constructs. (Unfortunately these two libraries only cover a limited set of use-cases, and sometimes they are either too low-level or too high-level for certain use-cases.)Perhaps. But, if they would have used some generally available building blocks (say something that OpenSSL / LibreSSL /
libsodium/ etc. provides out-of-the-box as ready-to-use constructs), then perhaps we wouldn’t have so many broken TLS implementations…If I could put things from another perspective: at the moment cryptography is where computer-science was before general-purpose programming languages were introduced – we only have assembler (our low-level raw cryptographic primitives) and each application (our protocols) is custom built one-instruction-after-another for a particular use-case; there are no reusable libraries in sight (i.e. higher-level cryptographic building-blocks).
Indeed. I have some projects I’m exploring with my current employer to help bridge the gap between low-level building blocks and higher-level reusable components, but it will be a while before anything gets released (and when it does, it probably won’t be associated with my fursona).
I’m on Firefox Android with uBlock and I’m getting the no adblocker detected message anyway.
Known issue, no known fix
https://github.com/stefanbohacek/detect-missing-adblocker/issues/19
This is exactly the article I needed when reading “How to Hold KEMs.” I had thought due to the title, the previous submission would be more like this one and quickly was in over my head. This type of “build an intuition” material is very much appreciated by me, as it always seems cryptography assumes a pretty high level understanding of the maths behind it already. Even the, “You can’t possibly get this wrong.” style APIs still feel foreign, and are often are used wrong just due to an incorrect intuition about what is at play.
Possible typo in
OversimplifiedKEM.encapsmethod, I’m assuming it should bereturn kdf(c)?Fundamentally a lot of cryptography is very simple when you get the intuition, but when super-precise mathematical jargon gets interspersed it can be hard to gain the intuition.
Of course that jargon is important for cryptographers to convey precise notions to one another, but not great for lay-people
Nope, but it should include both
candkdf(r). :)I’ve updated the post to fix the pseudocode.
The
encapsmethod needed to returncandkdf(r)and the post is now fixed.It would be nice to have a simpler explanation on “how to hold KEMs”, because I was able to follow only the first 25% of the article, until the “Binding properties” section, where I think I hit my knowledge limit on the subject.
(Or, if the article was not intended for general public, at least a small warning from the author would have been good.) :)
This may be a better introduction for the general public: https://soatok.blog/2024/02/26/kem-trails-understanding-key-encapsulation-mechanisms/
Thanks for the article! (I have a question about it, but I’ll ask it on the other Lobsters thread about the article.)
Does your post intend to imply that KEMs exist primarily as a mechanism to avoid key-padding in RSA? (I just want to make sure I’m reading it correctly). Lazyweb but the context of both posts that I didn’t understand is the relevance to post-quantum cryptography. How do KEMs fit in with that?
No.
Asymmetric Encryption -> KEM is a specific kind of transform.
The goal isn’t primarily to avoid padding, it’s just the bridge you cross to get to KEM from RSA.
I feel like you can grasp ~60% of the article by simply skipping the exact details. But it would definitely be nice to have a higher level explanation of what to expect and keep in mind if you ever hear something along the lines of “we protect our stuff with KEM against post-quantum attacks”.
In essence the “KEM” construct isn’t that “magical”, it’s just a way to wrap some symmetric secret for long term storage. It is usually used with asymmetric cryptography, but I guess it can be implemented also with symmetric primitives.
However, and the topic that the article was trying to tackle, in order for these KEM constructs to be secure, they must have certain properties. (This was the part I wanted to get a more simpler explanation.)
With regard to post-quantum usage of KEMs – please note I’m not a cryptographer thus take my words more as “wishful thinking” – I personally don’t worry that much about the PQ doom… (It does certainly extract some good chunk money from the economy at the moment.)
Absolutely nothing.
My household is doing the holiday thing, of course, but my work for that is already done. So I’m just going to eat good food, enjoy good company, and log off the Internet for a while.
If I get bored, I’m probably going to mess with JavaScript for a neat idea I had recently, but it can wait.
I’m going to play the Super Mario RPG remake because I loved the original.
Re: JWTs
You want PASETO.
You may want it but you aren’t getting it from any of the places that force you to go and dig into JWT stuff.
Don’t use those then? I can only imagine the blessed life one would lead that can make these decisions and have a working alternative.
Is there any particular reason why PASETO hasn’t taken off? I just see a lot of cargo cult programmers banging on about JWTs when the issues have been well publicized for a while now.
JWT got first mover advantage and it’s already tied into auth libraries, etc. Plus it has JSON in the name :)
What @zie said.
Also the IETF likes to stonewall things that compete with their incumbent designs.
JOSE has the JOSE-WG in IETF. Their response to JWT insecurity is “let’s publish a best practices RFC”.
This reminds me of another attempt to help people build an intuition for cryptography, published in 2015:
https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded
Kind of neat how different people independently fall into the same approach.
Woah I am amazed by this! We grouped things the same way, have mostly the same sections and even covered most items in the same order!
FYI – ZeroTier v1.x does not use a Noise-based protocol yet but we have one built and in the queue for future versions:
https://github.com/zerotier/zssp
Thanks, I’ll make a correction
Enjoying the end of my funemployment, as I start a new job next week.
Eating good food, spending time with friends, playing video games.
It sounds like you’ve been doing better recently than the last month or two; good to hear it.
I’m really glad this attack has a name now.
Last year, when the OpenSSL CVE came across my work inbox, I had a protracted debate about the practicality of exploiting RSA padding oracles through timing attacks. I pointed to the literature that was available at the time, which fell short a little bit, but was able to extrapolate and say, “We should stop supporting this stupid padding mode where possible”.
Being able to simply say “Oh yeah, this is vulnerable to the Marvin attack” would have saved me a lot of time.
“Vulnerable to a variant of the Bleichenbacher attack” was insufficient?
They dug in and questioned if a timing leak was a real variant.
First week of funemployment. (Starting a new job in October.)
Going to relax a bit then work on some side projects.
If I were a betting man…
Recovering from COVID. Be careful folks, it’s still around!
I hope you find your weekend restful and your recovery swift
Job-hunting while dealing with work responsibilities.
I was told two weeks ago that I have 30 days to either agree to move to Seattle (from southwest FL) or I’m out of a job. Top-down draconian mandate from the CEO.
That sucks, and frankly is terribly short-sighted. Hope you can find something without having to jump through too many hoops.
What kind of thing are you looking for? I am going to be hiring in a few months and was planning on reaching out to you at some point to see if you had bandwidth for some consulting.
tbh it just sounds to me like you don’t have any work responsibilities to deal with anymore. Even if you stopped most of your work right now, it would likely take longer than 30 days for the wheels of bureaucracy to oust you…
Don’t listen to me unless you want though, I’m just a sheepadoodle on the interwebs.
You’re probably right, but the cryptography community is still somewhat small and I’m cautious about burning bridges. Shirking responsibilities will negatively impact people I respect, so I’m not going to do that prematurely.
Totally fair point man! Everyone’s situation is unique. I wish you good luck on the job hunt. Wish I could help give you inroads but I am very far removed from your community haha
For simple data, especially integers, there’s a remarkable “fxhash” function that’s just a multiplication by a magic constant: https://github.com/rust-lang/rustc-hash/blob/master/src/lib.rs#L67
In rustc it has remained unbeaten for years. I’ve also used it for making color histograms, and haven’t found anything better. It’s obviously biased, and too simple to work, and yet it does work!
So the actual hash is
Not “just” a multiplication :)This is of course in the classic style of FNV (mentioned in the source).
I’m a bit surprised the seed is 0, since all-zero data of any length (a common situation) will hash to the same value.
Your first line is wrong - it’s a roll left, not a shift left!
Ah, you’re right. I was wondering why it wasn’t part of the multiplication…
Seems like incorporating the length into the hash would help?
That’s a desirable result for some situations.
If you don’t want it you could seed it with some constant random number (maybe the multiplication constant?).
Or some reasonable padding scheme
Reminds me of this super simple u64 random number generator (LCG) https://nuclear.llnl.gov/CNP/rng/rngman/node4.html
Will do my try #67 (probably) to change diet.
I am working out, I am taking the right food additives that doctors recommend (I have acid reflux + small gastric problems), I am doing my best to sleep well (if I don’t do my cardio 2-3 days then I can’t sleep well and wake up early due to shortness of breath so skipping cardio is basically shortening my lifespan), I reduce phone usage, I try to take walks with my wife, etc.
But learning to cook and eat well has been my nemesis for years. I just hate the kitchen and that’s that. I gathered some advice like vacuuming ingredients for cooking (like seasoned meat that you just gotta put in the oven or in the pan) but I can’t even bring myself to do that – nor my wife can.
But this weekend I’ll just try to get some fish and season some meat and vacuum them and see if it’s really “that easy” as many YouTube videos claim. :(
May I offer a tentative suggestion of looking into slow cooked meals. They are often brutally simple, chop vege, chop meat (sometimes), put in a pot with a spice and a herb, cup of water, put on low and leave for five hours. Return to glorious hearty meal. Budget Bytes have some nice recipes.
Lowering the complexity is often a good way to start lowering your hate of the kitchen. :)
I had the same kind of suggestion as parent but with a pressure cooker if you don’t want to let it cook on slow. Also do not hesitate to grab a few cookbook or check some blog as https://www.seriouseats.com/ as a no-wanting to make a choice (select a random three recipes, that’s your grocery list and meal-plan for the week).
Thank you. We bought CrockPot some months ago, tried it 3 times and despaired – the meals were very well-cooked and melting in the mouth but somehow the taste sucked. Likely it was the seasoning.
We suck at cooking and we really should change that. :(
We really need some easy wins to get motivated. Otherwise we lose hope and stop fighting.
Thanks for the advice, it’s a valuable one. We absolutely should revisit the CrockPot.
I don’t season food going into a crock pot much. Often I will use some wine as a liquid, so that seasons it a bit I guess.
Ranch packets are wonderful for pot roasts
Add pepperochini too
If you are trying to lose weight, consider getting a GLP-1 agonist prescription, see https://worksinprogress.co/issue/the-future-of-weight-loss for a very hyped up summary of recent developments and https://en.m.wikipedia.org/wiki/Semaglutide for a neutral take.
A close friend of mine has been taking a GLP-1 agonist for about half a year now, with impressive results, they are down ~12% in body weight, which appears to be mostly from burning fat.
The main effect is that they now feel full after finishing maybe one third of their normal food portion, and get incredibly nauseous if they eat fatty/sugary foods. They had to switch to eating leaner food and more vegetables because they can’t eat anything else without getting nauseous.
Thanks a lot for the reference! Didn’t know and sounds very promising.
Do you have any links to online shops where the pills can be bought? I will go ask around in my local pharmacies but my country is pretty backwards and slow so might need to order them online.
My friend uses https://my-bmi.co.uk/ in the UK, which is an online pharmacy, but I think they only serve the UK, which can be described as backwards and slow, but I assume you mean some other country, so probably of no help to you.
Last weekend, I was in Atlanta for a furry convention. Going from sedentary for months to walking around for several hours in fursuit was a challenge that I only just feel like I’ve recovered from.
My plans for the weekend are, therefore, to keep the momentum going. (Though probably not involving a fursuit; my neighbors might be weirded out by that.)
You too? I’ve been trying to be less of a lazy nerd sitting all day. My standing desk has helped a lot and I try to walk to the drugstore whenever I need something from there. Keep at it!