confidentcrescent

0 followers follows 0 users joined 2022 September 05 03:38:01 UTC

No bio...

User ID: 423

‎

Freedom of speech has been poisoned and we need to reframe it

confidentcrescent 14d ago

Your browser has probably run a hundred little arbitrary Javascript programs so far today, and the worst they could have done would have been to churn your CPU until you closed a tab, because anything more serious is sufficiently restricted. Crooks sending you links to rnicrosoft.com still depend on you typing in your credentials or downloading and running something heinous afterward, even though the second you click a link like that they get to send your computer arbitrary programs that it will immediately run.

Firefox released a patch to fix a sandbox escape* just a few days ago. Properly sandboxing a program has not been solved; it is an active problem that consumes a lot of developer time and current solutions likely still have many holes to be found.

Crooks mostly rely on users downloading and running scripts because it's easy and it works. Writing exploits against browsers isn't worth the effort when you can socially engineer people and get the same results.

Most sandboxing is also bad for performance. Javascript on a random webpage generally doesn't need to perform well but a recommendation algorithm will.

Practically speaking, you just do what any automated test suite does: you define "infinite" to be 5 minutes, or 5 seconds, or however much you expect you can spare per run at most, and if the algorithm isn't done by then it gets killed anyway.

Any cut-off aggressive enough to meaningfully restrict denial-of-service attacks would make algorithm-writing functionally impossible for the majority of users and probably also prevent most of the possible algorithms people would like to write.

* I can't see the bug report but based on the reported severity this appears to be a between-page sandbox escape rather than fully leaving the browser.

Context

Freedom of speech has been poisoned and we need to reframe it

confidentcrescent 15d ago

Technologically it's perfectly possible to let every user write their own algorithm

I think the technical hurdles to this are a lot higher than you expect. I'd like to see someone make a shot at doing it anyway, but I'm confident it will come with some significant trade-offs. A basic algorithm is probably more likely.

The main problem is that you need to run this somewhere and neither of your choices are good.

Running this on company hardware brings large performance and safety risks. Safety because some guy is going to try to get you to run an infinite loop or virus. Performance because search algorithms over large datasets are computationally intensive at the best of times, and code written by random strangers is not the best of times. Solving both of these without severely limiting the ability to create an algorithm would be a miracle.

Running this on a user's computer instead raises challenges around getting the data into the user's computer to be searched. If you're looking at Twitter and want to get today's tweets from accounts you follow that could be thousands of records. Download speed limitations will ensure you will never be able to run your algorithm on more than a tiny fraction of the full site.

Context

What is this place?

Why are you called The Motte?

New post guidelines

Rules

Recommended Posts And Communities

Recommended Realtime Chats

confidentcrescent

confidentcrescent