A sweet hack, and full marks for humor in the FAQ.[1]
Q: Is it secure?
A: Security is not binary.
Q: OK, how secure is it?
A: It seems like you just asked that question.
Q: No, the first question was if it's secure, the second question was how secure is it.
A: Well now that wasn't even a question at all. Tell you what, if you find an unreported security vulnerability I'll buy you a beer.
Personally I find this really unsettling for non-technical users. Almost asshole-ish. It's funny to us...but seriously providing a real answer after all that would even be sufficient. Not just answering with a "yes", but with a little blurb on how it is secure.
Oh, so when someone doesn't lie to you it's unsettling?
The only way to know if something is secure is when it's adopted en masse and you see if it really was secure or not. You could read the WinXP pamphlet on security back when it was released and it had endless bullet points about how secure it was. It was probably the least secure software in the history of computing based on actual attacks after the fact.
Security isn't something you provide an answer to unless you're selling snake oil. Luckily, it seems most people prefer buying snake oil and are happy to eat up a vendor telling them how secure an utterly untested product is.
Security theory is not something you can understand as a non-technical user anyway.
I think one should start by explaining what "a layer 3 virtual network that uses public keys instead of IP addresses" would mean, or what a network is depending on what non-technical means.
If one doesn't immediately understand what this means, they should stay away. The intended audience is clearly people who have some grounding in networking.
Q: What do you mean "No"?
A: We believe we have done a good job in securing it.
Q: So did you do a good job?
A: We hope so!
Q: You "hope so", what sort of answer is that?
A: Trust us. It's secure. We are not hackers. We don't want to steal your data. We did not put in any back doors. We audited the code ourselves. There are not any kernel level hacks, root kits, or otherwise. This has been tested against a variety of anti-virus scanners and none of them flagged anything. We're very good. Please please trust us?
The last answer could be even better if it included an actual list of things that have been checked against:
What testing methodology did you use, what form of vulnerability or classes of errors does it prevent (valgrind, ...)? Has the code been formally verified?
What are the attack scenarios that you have considered? What are those you don't prevent (physical access, system compromise, user compromise)?
:-) The slight tone of sarcasm was there if you were looking for it.
Ultimately it comes down to "Trust us". Unless you are well versed in computer security, anything other than what I wrote, is meaningless. Even the rootkit stuff I put there is above the head of the average computer user (we're probably talking the 98th percentile and above that would understand what a rootkit is).
Probably talking the 99.99th percentile for what's above.
> Personally I find this really unsettling for non-technical users.
There is of course the counter argument, that if you're non-technical, you probably shouldn't be trying to implement a cryptographic layer-3 network for any reason other than "the lols".
That just means we move the bar a little further. We write an answer for programmers who know next to nothing about cryptography and security measures.
I’m not part of the Snow project, but I have the impression it’s still pretty experimental. If so, it’s probably better for non-technical users to remain unsettled about it for a while yet.
It's easy to say that this happens all the time, urge folks to call the cops, let them deal with it, and otherwise don't make a big deal.
So here's the thing: people have been calling the cops; the cops are ill-equipped to deal with this. The inherent structure of police agencies in the U.S. is oriented around physical communities and jurisdictions. More than 5/6 of the sworn officers are below the federal level, thus not easily able to pursue investigations across state lines.[1] But it's easier to push this conveniently to being a problem for the cops than it is to think and choose to act.
You could instead:
* lobby your congressperson and senators to start a federal reporting program.
* develop a set of tools that helps narrow the source of these threats, along with a toolkit of self-serve legal forms to demand IP information so victims can submit full evidence to police
* support EFF and others who are helping fight this
* stop blaming the victim
mholt, you ask how Astrocyte's is part of Jesse's problem. Here's how:
* Astrocyte is assuming that none of this has already been done.
* Astrocyte is refusing to do some research and learn about the current state of affairs before minimizing the concerns of people actually experiencing the problem.
* Astrocyte is demanding that victims prove they've met Astrocyte's standards before those victims are supposed to raise broad-based concerns publicly.
* Astrocyte is writing this off as an isolated thing despite it clearly being more than that.
* Astrocyte is doing so publicly while implicitly urging others to do the same.
Astrocyte is choosing to push this problem away and say it's not as big, as wide, as common, or as horrific as it is. That's Astrocyte's choice. People are responsible for their own choices.
There are no social problems so large that we can't fix them once we develop the will to do so. We don't develop the will until we admit that these problems are tractable.
Completely agree that this is a fixable problem that we must resolve before some "responsible" institution comes along and trades our freedom on the internet for security.
I do think that there is an interesting twist for humanity though as we try to move into a virtual space. Much of the social norms that are hard wired into people to allow us to get along involve actual facial and other cues only accessible in person. It will likely take some training and some time to figure out how to deal with each other remotely. There is a lot of work in psychology looking at things like "social identity theory" that people have applied to internet interactions (with some colorful summaries [1]).
I do think that many folks will be surprised in the future to find that the internet isn't quite as anonymous as they think. There are only 7 billion or so of us and Google and others could process everything we've ever written in an afternoon. Certainly a lot of folks have been surprised to find that their emails aren't very secure and can hang around for a long time. If you wouldn't say something to somebody in person then it usually isn't a good idea to say it online as well with possible exceptions for concern for your own personal safety when constructively criticizing the powerful.
Thanks for the link, chuckcode. Skimmed a bit and added to the "read before bedtime" pile.
There's a lot of interestingness around anonymity vs. pseudonymity. From what I've read and experienced, it comes down to how much you value a particular identity in a particular context; from there, it's all about framing incentives around the identity that you value. Violentacrez didn't value the online persona enough that online incentives mattered; when he was outed by a journalist, he valued the real life incentives enough to stop the online behavior.
I'm happy it hasn't impinged on your work life, and I hope it never does. And there's still folks being hurt by a malevolent minority in and around our industry.
When does that majority of incredibly decent human beings, both men and women, start to care enough that they refuse to accept this any longer?
"Bullying remains a big problem, according to the study data. About 76% of violent crimes that occurred at school were not reported to police, which is consistent with the findings that from 2006 to 2010, crimes against youth age 12 to 17 were more likely to go unreported than crimes against persons in other age categories."
Now, here's my question for you, mholt (and others), meant in a kind but very direct tone: why should someone need to prove that reporting more of these crimes is justifiable? Why quibble with that question versus addressing the question of, "is there a wrong being done and can I help stop it?"
There is a wrong being done. You can help stop it.
I'm not a particular follower of Randi's and still couldn't help but see the Vivek stuff going on. I wouldn't have labeled it harassment; what I saw was a loud and unrelenting public call for accountability. I don't believe she threatened, doxxed, or otherwise harassed him. Do you know differently?
What I would call harassment is that Randi was doxxed as well as swatted, seemingly by the same sort of folks involved in this situation. She seems to have decided to aggressively stand up for her rights and the rights of others.
I'm sure that makes many uncomfortable, some so much so that they create new profiles in social media to comment on it without risking their reputation. Which is fair, though you have to ask yourself why.
Fair, and we can disagree. I'll say that I'm not a fan of urging people to die in fires.
However, it's noteworthy that her review made several clear statements, some opinion and some fact, in her own name. She didn't resort to ad hominem attacks, nor doxxing, nor swatting. And evidently 370 of 1218 people found it useful in some way.
Also noteworthy that Stop the Goodreads Bullies isn't a balanced, objective news source. Their coverage makes clear that SJW is a pejorative term that equates to bullying[1]; that they're happy to damn with innuendo rather than fact[2] and they're seemingly okay with pulling quotes out of context[3]. The only mention of Vox Day, who has participated in the same bullying review activity[4], is in the article you shared. Ergo, I'd tend to say they're not unbiased.
Still, they're not making lewd suggestions or threatening people's lives, so I'm glad they're out there working to represent their opinions directly.
As I mentioned, I'm not a particular follower of hers; I guess I should have mentioned I'm also not her apologist.
Sorry I can't answer your question. I don't know what she was doing in that tweet; you provided no context. It's clear you believe you have the answer, though, and that you care enough to create a throwaway account; pull up a four year old tweet; and present in a discussion that really isn't about Randi. Seems like she's important to you.
> You can't do anything to stop trolls online [...]
So painfully wrong. There are many things you can do, including not giving up and walking off. You just have to decide you've had enough and are willing to do hard work.
Speak out, even when it's not in your own best interest.
Support people who are targeted.
And, last but not least, don't pick pedantic points to argue while losing sight of the main issue: it absolutely stinks to be a woman in tech.
I am not trolling I am just being a realist here. I recognize that it totally sucks, and it does seem to be harder for women in certain arenas because they are targeted by trolls more heavily. That being said, this comment is wishy-washy feel good fluff, and doesn't address the real issue.
If I was being harassed online how would I employ these tactics? These are just cliche motivational phrases.
> not giving up and walking off
> had enough and are willing to do hard work
> Speak out, even when it's not in your own best interest
None of these would do anything to prevent harassment.
It's disingenuous to switch from your original context in which you, a bystander, urge listeners to believe that this is an unsolvable problem, to the context of the victim, which you aren't.
If you, the bystander, decide to take a stand rather than write this off as too hard a problem to solve, you help the victim by giving them support, and you help future victims by decreasing, however slightly, the chance that harassers will continue to believe that their behavior is tolerable.
If you, the bystander, are willing to spend time on one person who doesn't yet understand but who may be willing to think, and then to move from thought to action, your efforts gain leverage and that minuscule probability decrease becomes larger.
If you, the bystander, continue to do this, even without being a victim yourself; if you do this in places your voice can be heard; if you do this even when you gain no personal benefit, you hopefully influence the people around you to at least think deeper, and from there, to act in some way that fits with their conscience. And in doing so, you give the victims hope for a day when this isn't their norm.
It's not a clogged sink. It's also not an intractable problem.
I have been thinking about this more and more lately. It is a security problem, not a social one.
> So let's fix it.
I posted a thread earlier today trying to solicit advice about solving this and posted some of my own advice. I realized that there is a lot that can be done but I was focusing on the attacker. This is much more about defense than it is about offense.
> This is much more about defense than it is about offense.
What you seem to mean by this is "I don't believe we can prevent threats from being sent".
Harassment is also a cultural issue. A vast amount of people live among a circle of friends who believe that sending things like death threats in anonymous emails is something that can be done light-heartedly. It's what transpires when people downplay the situation by saying "They can't be serious" or to "Just ignore them".
You mix up the need to stop an offender in action, with the need to remove the situations in which someone becomes an offender. Changing this "acceptable threat" culture is the offense you describe as less relevant, but it's key to a long-term change.
Thank you for thinking about this. It's a very worthy topic for thought. If you'd care to link the thread you mention, I'm sure others would like to help.
Yup. I agree with Hilary and Diego. Optimizing for the clickability of the ad is shortsighted. Yahoo is an advertising company.
Optimizing for revenue via delivering valuable clicks to your ad buyers seems more a right choice. That speaks of good placement and excellent targeting (better CTR) combined with an overall good experience (to attract/keep users in the first place).