ControlsFreak


				

				

				
4 followers   follows 0 users  
joined 2022 October 02 23:23:48 UTC

				

User ID: 1422

I don't see what's awkward at all about the phrasing. They want people to reduce attack surface, so they say that they should not expose interfaces thoughtlessly (3). Obviously, they can thoughtfully choose to expose an interface, for precisely the reasons you present, which is why they give plenty of latitude for manufacturers to assess that they would like to expose it. It seems like manufacturers have wide latitude, too. There doesn't seem to be any real boundary on their assessment; they just have to be like, "Yeah, we thought about it."

Then, moreover, they know that there have been many high-profile instances of products shipping, having an interface exposed that is trivially-attackable, and when it's attacked, the manufacturers ignore it and just say some bullshit about how it was supposed to just be for the manufacturer for debugging purposes, so they're not responsible and not going to do anything about it. It's a bullshit thing by bad entity manufacturers who don't care. So, while they're well-aware that manufacturers sometimes want a manufacturer-only interface for perfectly fine reasons, all (4) is doing is saying, "Yeah, if that's what you're going for here, don't be an idiot; disable it before you ship it."

This is a very natural way of doing things. Honestly, I probably would have not done as good of a job if I had tried to put this set of ideas together from scratch myself.

Can you point to anything in the document which supports the interpretation that saying "We have assessed that leaving this debug interface provides user benefit because the debug interface allows the user to debug" would actually be sufficient justification?

That quote would not be correct. You have not "assessed that leaving a debug interface..." because it is not a debug interface, by the definition of "debug interface" given in the document. You have assessed that leaving that physical interface provides user benefit, because the physical interface allows the user to debug. You have determined that the physical interface in question is "part of the consumer-facing functionality". That is right there in the definition, in the document. You have made that assessment directly following the instruction given in 5.6-3, in the document.

The deliberate exaggeration of your opponent's views

Items 1 and 2 in my list are my description of my opponent's views. If you think there is an exaggeration, tell me where you think it is, specifically. I don't particularly like the constant deflections either.

Now that you have discovered that your proposal will destroy a culture (as determined by Nybbler), are you willing to pursue it?

Yes.

Ok, now we have discovered that you are willing to destroy a culture. I could act like you and claim that this means that you're willing to destroy the entire culture of tinkering, but that would feel a bit like an exaggeration, wouldn't it?

You are, again, deliberately misrepresenting his views.

Tell me, specifically, how I am misrepresenting his views. I don't particularly like the constant deflections either.

Notice that there is nothing in there about the entire culture of tinkering. I'm assuming that whatever culture it is that we're changing, it's not the entire culture of tinkering. If you/he want to press that it would require destroying the entire culture of tinkering, I'd have to learn a lot more about what proposal is deemed necessary, why it is necessary, what implications it has, etc. I really really wouldn't want to do that, so if it came down to the case where nothing can possibly work without destroying the entire culture of tinkering, I may not do it.

And you have also explicitly said that if actions that would not end all tinkering are not enough, you would end all tinkering.

This is not true. I have not said this.

My position is this:

- I believe that Nybbler's position is that any epsilon regulation would destroy a culture. I think you are coming into agreement with me that this is a reasonable description.

- I also believe that this position is totally hyperbolic. I don't actually think it's true, but it is the claim being made.

- I am not in any way claiming that regulation cannot possibly impact innovation.

Please specify which of the above you disagree with.

Turning now to the merits of your proposal. Now that you have discovered that your proposal will destroy a culture (as determined by Nybbler), are you willing to pursue it? Or is it now a no-go for you?

I don't see any documentation requirement for user interfaces. But it would seem that they are required to put on the table that they are intending for it to be a user interface. "We have assessed that this interface provides user benefits, e.g., debugging." Simple.

"default passwords must be purged from the face of the Earth, even if it means the end of all tinkering"

This is not what I have said. Not even remotely. I would be perfectly happy with actions that don't end all of tinkering. I would prefer them!

Nybbler would declare that this is, in fact, changing the culture of people who mass produce end-use consumer goods. That this is the only way, that we have to change their culture. If that is required, I am willing to do it.

We can move this to the other thread, because this was your solution. In the other thread, we can discuss whether you're willing to pursue your solution, even if it changes their culture. I am still open to arguments that your solution has too many demerits to be implemented, but I am currently on the side of being willing to do your solution, even though you have now discovered that it will, in fact, change a culture. I could be persuaded otherwise, but first let's see if you're willing to proceed with your own solution.

Yeah, I don't understand what you're offended by. All we did was check to see if your solution destroys a culture, and we discovered that your solution destroys a culture. Simple as. This is just a straightforward description of what went down.

There you have it, @ArjinFerman. You're a culture-destroyer. You just didn't know it.

I mean, I can hardly blame you, though. It was the only choice you had. Literally if you do anything, Nybbler will think that you're a culture-destroyer. There are only two options: do nothing and have billions of trivially-hackable devices with default passwords... or be a culture-destroyer. That's it. That's the dichotomy.

if the trivial solution does not work, you won't think twice about destroying the tinkerers' culture

I don't know what you mean by this. What is "the trivial solution"? I don't have any idea what you mean by it. We've been talking about the entire class of possible solutions that stop billions of devices from being trivially-hackable with default passwords. Which one is "the trivial solution"?

My complaint with you is that you're acting injured that anyone would portray your values as terminal

I am not injured in any such way. I explicitly presented the value of stopping the deluge of trivially-hackable devices with default passwords as a terminal value. You're just really off the mark.

I think your link was meant to be this. Frankly, I interpret Nybbler's silence as rejecting your proposal. We can clear this up right quick, though. Hey @The_Nybbler! Arjin says:

My personal way of squaring that circle is that I'm open to regulation on mass-produced end-user consumer goods, and more freedom on anything that requires some deliberate action.

Do you think this will destroy the culture, since anyone who wants to make mass-produced end-user consumer goods will be reduced to nothing but checking boxes? Or do you think that he can do this without destroying the culture?

My problem here is that if it doesn't work, you explicitly said you won't stop at it.

I actually explicitly said that I would consider all possible ideas, and that I was even open to the possibility that all options genuinely have too many demerits to implement. Literally in the comment you were just replying to. Please don't lie about what I've said.

I mean, just read them again, more slowly. 5.6-3 says that the company needs to at least think about leaving physical interfaces open. They can choose to do so, so long as they assess that there are benefits to the user. But their choice here is to either consider it consumer-facing or manufacturer-only. It is their choice, but they have to pick one, so they can't pretend like, "Oh, that's supposed to be manufacturer-only, so we don't have to worry about securing it," while also forgetting to turn it off before they ship.

Then, suppose you have a physical interface, is it a "debug interface" or not a "debug interface"? From the definition, it is only a "debug interface" if the manufacturer has determined that it is not part of the consumer-facing functionality. So, if they choose to make it accessible to the user (as per above, making a conscious choice about the matter), it is not a "debug interface", and 5.6-4 simply does not apply, because the device does not have a "debug interface". But if they choose to say that it's manufacturer-only, then it's a "debug interface", and they have to turn it off before they ship.

It's actually very well put together. I've seen many a regulation that is light-years more confusing.

Fair enough. California already sealed our fate years ago, and I guess this conversation has nowhere else to go.

You are still effectively saying "get rid of things that annoy me, or I'll drive a steamroller over your culture", even if you don't particularly care how those things are gotten rid of, in my opinion that's still accurately described as "my way or the highway"?

I would be perfectly happy not driving a steamroller over anyone's culture. But billions of trivially-hackable devices with default passwords is truly unacceptable. If you want to characterize any version of "we need to fix this problem (and by the way, we can do so trivially)" as being "my way or the highway", I think this is just a fully-general argument against fixing any problems ever, even the most trivial ones. Literally any time someone points out any problem that could be fixed and says, "Hey, how about we fix this," it can be characterized as "my way or the highway". Even if they're open to literally any option that you can put on the table to solve the problem, they're not prescriptive at all, and are perfectly happy considering the relative merits/demerits of each approach, and even open to the possibility that all options genuinely have too many demerits to implement. Literally any form of "let's fix this problem" is "my way or the highway" because you want to "get rid of the problem (that annoys me... and also causes billions of dollars in damage every year and is a national security threat, but I guess mostly because it annoys me)".

So look, if you can come up with any other ideas. Get rid of them, don't get rid of them. Fix the massive problems some other way, still having billions of devices with default passwords, fine. I don't care. Come up with ideas. Bring them to the table. We can debate the merits/demerits. We honestly could even conclude that there are too many demerits of all the options and choose to not do anything. But right now, what I'm being told is that the One Great Demerit that is fatal to all possible options (not "my way"; all options) is that whatever is done, it will "destroy a culture". Very little is given to support what the meat of this demerit is, other than what appears to be vague threats of slowing innovation. If that's all, then I will throw in with destroying the culture. I will throw in with doing it in the most minimal way possible, with the most reasonable regulations you can come up with, or whatever alternative solution you propose, and we will just have to live with destroying the culture.

Moreover, your refusal on grounds of it being "my way or the highway" is fully symmetric, in addition to being fully general. If, as is claimed, the only two options are "billions of trivially-hackable devices with default passwords" and "destroy a culture", then the people who are demanding that we choose the former are also demanding "my way or the highway". It's just that their way is the other way. Why aren't you rejecting their position on the grounds of it being "my way or the highway"?

You're getting tit for tat

I don't know what you mean by this.

I did, and he didn't seem to say anything in response to me, so mission accomplished?

Can you link me? I'd really appreciate seeing your way. If you truly believe his silence means that we can do it, fix the problem, and not destroy the culture, it may actually be mission accomplished.

That this is the only way, that we have to change their culture. If that is required, I am willing to do it.

Ok, in that case I'm out. If it's your way or the highway

It is not "my way or the highway". Again, if you can come up with any other way to make it so that we don't have billions of trivially-hackable shit with default passwords, sign me up. But I keep getting told this is my only option! It's not even "my way"! It's the only option! That this is a fact about the universe! Nothing to do with me at all!

EDIT: Give me "your way"! Make it an option! If you can do so in a way that won't result in Nybbler telling us that "your way" would break their culture, great! But he keeps telling me that you can't.

Ok, so "read the whole post" means "ignore the first two thirds and just read the last third". Got it. Violates Grice's maxims and makes you a bad communication entity, but got it.

However reasonable a given rule is of no consequence if it enables unreasonable rules to be made and if unreasonable rule makers necessarily outcompete reasonable rule makers.

Ok, so flesh out those "ifs". In your long post, you spoke about power rising up to take power. In this context, it would sound like what you're worried about is cashing out in terms of regulatory capture/crony capitalism. That powerful corporate interests will rise to impose unreasonable regulations to form barriers to entry. This is a totally plausible thing to happen, and perhaps we could consider some reasoning for when this is likely to happen/not happen, and how damaging it is likely to be in a particular domain. Plausibly, this has something to do with the regulations in question or the regulatory bodies in question, or something. Or is this truly just a long-form way of restating, "Once we've crossed epsilon, the worst conclusion is inevitable."

I read the whole post. You started off talking about good regulation and bad regulation, then got to some considerations of slippery slope dynamics. Is the former part just irrelevant? I was going by Grice's maxims that it did, in fact, have relevance. It seems like it is relevant to the dynamics of slippery slope dynamics. If it's not relevant, please let me know. I'd especially like to know why you don't actually think it's relevant. Do you think that it actually doesn't matter whether something is a 'good regulation' or a 'bad regulation', and that the only thing that matters is the slippery slope part, where you think that all regulations end up in the bad category? If so, it would have been nice if you said something along these lines. I was just trying to go through your considerations in a systematic fashion.

The approach I outlined earlier, which you called reasonable, was to regulate mass produced end-user consumer goods, and let people who build stuff on their, or otherwise are reasonably expected to know what they're getting into, have a large degree of freedom. There wasn't a word there about changing anyone's culture, in fact the whole approach is designed to let everyone keep their culture the way they like it.

Nybbler would declare that this is, in fact, changing the culture of people who mass produce end-use consumer goods. That this is the only way, that we have to change their culture. If that is required, I am willing to do it. If you think that we can regulate them so that they don't churn out billions of trivially-hackable devices, without changing their culture, I'm fine with that. But they keep telling me that we can't do that! That we have to change their culture! That that's the only option!

I don't think it is, but I think the things you are saying here strongly imply that trivially hackable default passwords are just an excuse for you to destroy a culture you hate.

Not at all. I love the 'tinkerer' culture. I love the innovation culture. I love the building new stuff culture. I love coding and coming up with interesting new shit, though my day job is more on the new math side and I'm having less time for coding lately. The culture that I dislike is the "we can keep pumping out trivially-hackable shit because it might be slightly boring to take the basic steps everyone knows and nobody's going to do anything about it" culture.

Fair enough. If there is literally no way to change the culture to something that doesn't have trivially-hackable default passwords on billions of devices with anything other than unreasonable regulations, if this is honestly the dichotomy that you think exists in the world, then I guess I have to throw my lot in with the unreasonable regulations folks. But if you can come up with any plausible way to change the culture enough so that we don't have a spigot of trivially-hackable devices with default passwords on them, and your method is anything other than 'unreasonable regulation', I will jump to your side immediately. Nybbler has already committed to the claim that this is a complete impossibility, that the only options are "a culture that churns out trivially-hackable devices with default passwords" and "unreasonable regulations". Do you embrace this position, that those are the only two options?

Ok, I think we've made progress. It is literally impossible for the culture to bother taking the most basic steps to make the billions of devices on our networks not trivially hackable without causing some folks like you to shut down and stop being open to new ideas. These are the stakes as you have presented them. The only question that seems to be available to the general public is what they value.

Different folks can have different values and different answers. I personally fall on the side that I think you're actually just delivering a bullshit threat that is based on a lie. That it's akin to a child swearing that they're going to hold their breath until they die unless you let them have more cookies. No better than saying, "Nice IoT development space you have there; would be a shame if something happened to it." No better than a monopolist swearing that if you let others enter the market, shoddy products will kill everyone. That it's a false dichotomy, propped up just so you can avoid even the smallest iota of boredom, purely in your own self-interest.

But whatever. My opinion on that isn't important. You've laid down the stakes. Society made its choice years ago when California gave the first checkbox. The deed is already done. The only thing left is for us to watch what happens. Does innovation actually die? Do people actually just stop thinking about new ideas, because they might have to not put a default password on their new idea? I guess we'll find out.

What part would you like me to address? You spoke of "good regulation" and "bad regulation" first, so it would make sense to start with that discussion and then see how it flows into other pieces. I'm really not sure what you're demanding of me.

Can you propose a way that we could change the culture to "do the trivial basic shit so we don't have billions of abhorrently bad products permeating all of our networks"? I'm wide open to ideas you have for how to do this without making anyone check any boxes, but it seems a little unlikely that they won't have to somehow come up with a culture that at least considers having a box for "is this thing not trivially insecure against a handful of the most basic mistakes that everyone has known about for years?"

Those are plenty interesting general characteristics, and I don't object to much. Now, perhaps attention can be turned toward applying these ideas to the regulation at hand. I spoke to some reasons why I think this document leans much more toward the "good regulation" side than the "bad regulation" side. It seems plenty open to all sorts of innovative products in the IoT space and has very little that seems likely to affect the development of new features and products, except perhaps some edge cases. Any thoughts?

Not once in there did I say anything about it becoming an over-regulated morass. You can change your culture enough to do the trivial fucking basics without becoming an over-regulated morass.

If an attacker can read the flash storage on your door lock, presumably that means they've already managed to detach the door lock from your door, and can just enter your house.

[and similar examples given as reasons to discount 5.4-1]

Sure, if there are other threats, folks should mitigate those, too. You seem to be under the impression that if this document doesn't spell out precisely every detail for how to make every aspect of a device perfectly secure from all threats, then it's completely useless. That's nonsensical. It would be silly to try to include in this type of document requirements for physically securing door locks. This is just focused on the cyber part, and it's just focused on at least doing the bones-simple basics. Put at least some roadblocks in front of script kiddies. Full "real" security is obviously harder than just the basics, and I can't imagine it would be easy or really even plausible to regulate our way to that. So, we sort of have to say, "At least do the basics," to hopefully cut out some of the worst behavior, and then we still have to hope that the unregulated part of the market even tries to deal with the other aspects.

That said, the correct reading then seems to be "users should not be able to debug, diagnose problems with, or repair their own devices which they have physical access to, and which they bought with their own money."

Not at all. They made no such normative statements. They're saying that IF the manufacturer includes a debug interface that they intend to not be a user interface, then they should shut it off. They're still completely free and clear to have any interfaces for debugging or anything else that are meant to be usable by the user. But if they're going to do that, they probably need to at least think about the fact that it's accessible, rather than just "forget" to turn it off.