Isn't that why we're all here on this site though?
How To Convince Me That 2 + 2 = 3 seems relevant.
The problem from that perspective isn't that guesswho's arguing; it's that he's awful at it. It's bad enough when posters provide weakmen of their enemies. No one's going to change minds by providing weakmen of the position they claim to be defending.
Very much appreciate the additional takeaways.
Rolling out your own compression is much less evil: there is certainly some potential for arbitrary code execution vulnerabilities, but not more than with handling any other file parsing.
Yeah, that's fair. There are some esoteric failure modes -- how do you handle large files, what level of recoverability do you want to handle, how do you avoid being the next zlib -- but for good-enough lossless compression you can get away with some surprisingly naive approaches, without the cryptography-specific failure mode where it can look like it's working fine but be vulnerable in ways you can't even imagine.
Data point: As some casual linux user, I recognize the xz file extension.
Huh, I stand corrected. I've seen it occasionally, but more often for Docker than anything else -- a lot of environments still use .gz almost everywhere.
On the plus side, the fact that the attackers stayed in userspace instead of having /usr/bin/sshd load some kernel module seems to indicate that a stealthy compromise of the kernel is hard? Yay for NSA's SELinux?
There is that on the plus side. I'm not hugely optimistic people would be as easily able to discover those sort of attacks, but then again, there's a lot more eyes on the kernel and a lot more emphasis on finding weird or unexpected behaviors in it.
I for one do not want to scream at them because I consider them to be a sock puppet of some unknown agency. I am kind of gleeful that some agency burned through this identity they put a lot of work into propping up.
Yeah, that's probably the more Correct response.
What does that involve, if not covered by a traditional Christian family who had very strict understandings and very overt rules about not just social roles but also biological expectations (ie, it is your duty to marry and pump out 2-4 children)?
I may not understand what you mean by "raised as female", then.
I can see that as a more general concern, but I'm not sure how much it applies to cases like this. Lasse, as far as I can tell from the outside, seems a very competent developer, just one with less than maximal interest for this project; I'm not sure what level of yelling at him would have avoided this. Jia Tan has managed the amazing feat of getting pretty much every FOSS dev of every political alignment to want to yell at it, and I doubt it's on his top ten list of concerns right now.
Indeed, there's an argument that the pressure campaign against Lasse to promote Jia Tan was downstream of FOSS tolerance of that sort of thing (though in turn, the attackers probably would have just picked different pressure had it not been around).
There's a problem in that people are aging out, from Stallman to Linus to Lasse, and few if any have anyone to step into their shoes, even at far more trivial projects, leaving them to either be vulnerable. But that's a lot broader and scarier.
FOSS and The XZ Problem
A critical vulnerability (CVE-2024-3094) was discovered in the XZ Utils library on March 29th, 2024. This severe flaw allows attackers to remotely execute arbitrary code on affected systems, earning it the highest possible score (10) on both the CVSS 3.1 and CVSS 4.0 scoring systems due to its immediate impact and wide scope.
The exploit would allow remote code execution as root in a wide majority of systemd-based Linux (and Mac OSX, thanks homebrew!) machines. There's some reasonable complaints that some CVE ratings are prone to inflation, but this has absolutely earned a 10/10, would not recommend. Thankfully, this was caught before the full exploit made it to many fixed release Linux distros, and most rolling-release distros either would not have updated so quickly or would not yet be vulnerable (and, presumably, will be updating to fixed versions of XZ quickly), with the exception of a handful of rarely-used Debian options. Uh, for the stuff that's been caught so far.
Summary and FAQ, for the more technically minded reader, the NIST CVE is here, background of initial discovery here.
Ok, most of us who'd care remember Heartbleed. What's different here?
In this case, the exploit was near-certainly introduced intentionally by a co-maintainer of the library XZ Utils, by smuggling code into a binary test file, months apart from adding calls to execute that test file from live environments, and then working to hide any evidence. The combination of complexity in the attack (requiring fairly deep knowledge of a wide variety of Linux internals) and bizarreness of exploit steps (his FOSS history is sprinkled with replacing safe functions with their unsafe precursors, or adding loose periods in cmake files) leaves nearly zero chance that this is unintentional, and the guy has since disappeared. He was boosted into co-maintainership only recently, and only after the original maintainer was pressured to pick him up by a strangely large barrage of very picky users. The author even pushed to have these updates shoved into Fedora early.
Most mainstream technical advisories aren't outright calling this a nation-state actor, but The Grugq is pretty willing to describe whoever did it as an 'intelligence agency', whether government or private, and with cause. Both the amount of effort and time put into this attack is vast, and the scope of vulnerability it produced extreme -- though this might be the 'cope' answer, since an individual or small-private-group running this level of complex attack is even more disturbing. It's paranoid to start wondering how much of the discussion aimed at encouraging XZ's maintainer to take on the bad actor here as a co-maintainer, but as people are having more and more trouble finding evidence of their existence since, it might not be paranoid enough.
There's a lot of potential takeaways:
- The Many Eyes theory of software development worked. This was an incredibly subtle attack that few developers would have been able to catch, by an adversary willing to put years into developing trust and sneaking exploit in piecemeal.
- Except it was caught because a Microsoft (Postgres!) developer, without looking at the code, noticed a performance impact. Shit.
- This attack heavily exploited access through the FOSS community: the author was able to join sight-unseen through a year of purely digital communications, and the 'business decision' of co-maintainership came through a lot of pressure from randos or anons.
- Except that's something that can happen in corporate or government environments, too. There are places where every prospective employee gets a full background check and a free prostate exam, but they're the outlier even for dotmil spheres. Many employers are having trouble verifying that prospective recruits can even code, and most tech companies openly welcome recent immigrants or international workers that would be hard to investigate at best. Maybe they would have recognized that the guy with a stereotypical Indian name didn't talk like a native Indian, but I wouldn't bet on even that. And then there's just the stupid stuff that doesn't have to involve employees at all.
- The attack space is big, and probably bigger than it needs to be. The old school of thought was that you'd only 'really' need to do a serious security audit of services actually being exposed, and perhaps some specialty stuff like firewall software, but people are going to be spending months looking for weird calls in any software run in privileged modes. One of many ~~boneheaded~~ controversial bits of systemd was the increased reliance on outside libraries compared to precursors like SysV Init. While some people do pass tar.xz around, XZ's main use in systemd seems to be related to loading replacement keys or VMs, and it's not quite clear exactly why that's something that needs to be baked into systemd directly.
- But a compression library seems, just after cryptographic libraries, a reasonable thing to not roll your own, and even if this particular use for this particular library might have been avoidable, you're probably not going to be able to trim that much out, and you might not even be able to trim this.
- There's a lot of this that seems like the chickens coming home to roost for bad practices in FOSS development: random test binary blobs ending up on user systems, build systems that either fail-silently on hard-to-notice errors or spam so much random text no one looks at it, building from tarballs, so on.
- But getting rid of bad or lazy dev practices seems one of those things that's just not gonna happen.
- The attacker was able to get a lot of trust so quickly because a significant part of modern digital infrastructure depended on a library no one cared about. The various requests for XZ updates and co-maintainer permissions look so bizarre because in a library that does one small thing very well, it's quite possible only attackers cared. 7Zip is everywhere in the Windows world, but even a lot of IT people don't know who makes it (Igor Patlov?).
- But there's a lot of these dependencies, and it's not clear that level of trust was necessary -- quite a lot of maintainers wouldn't have caught this sort of indirect attack, and no small part of the exploit depended on behavior introduced to libraries that were 'well'-maintained. Detecting novel attacks at all is a messy field at best, and this sort of distributed attack might not be possible to detect at the library level even in theory.
- And there's far more varied attack spaces available than just waiting for a lead dev to burn out. I'm a big fan of pointing out how much cash Google is willing to throw around for a more visible sort of ownage of Mozilla and the Raspberry Pi Foundation, but the full breadth of the FOSS world runs on a shoestring budget for how much of the world depends on it working and working well. In theory, reputation is supposed to cover the gap, and a dev with a great GitHub commit history can name their price. In practice, the previous maintainer of XZ was working on XZ for Java, and you haven't heard of Lasse Collin (and may not even recognize xz as a file extension!).
- ((For culture war bonus points, I can think of a way to excise original maintainers so hard that their co-maintainers have their employment threatened.))
- There's been calls for some sort of big-business-sponsored security audits, and as annoying as the politics of that get, there's a not-unreasonable point that they should really want to do that. This particular exploit had some code to stop it from running on Google servers (maybe to slow recognition?), but there's a ton of big businesses that would have been in deep shit had it not been recognized. "If everyone's responsible, no one is", but neither the SEC nor ransomware devs care if you're responsible.
- But the punchline to Google's funding of various FOSS (or not-quite-F-or-O, like RaspberryPi) groups is that even the best-funded groups aren't doing that hot, for even the most trivial problem. Canonical is one of the better-funded groups, and it's gotten them into a variety of places (default for WSL!) and they can't bother to maintain manual review for new Snaps despite years of hilariously bad malware.
- But it's not clear that it's reasonable or possible to actually audit the critical stuff; it's easier to write code than to seriously audit it, and we're not just a little shy on audit capabilities, but orders of magnitude too low.
- It's unlikely this is the first time something like this has happened. TheGrugq is professionally paranoid and notes that this looks like bad luck, and that strikes me more as cautious than pessimistic.
Does anyone know how accurate these studies are
I mean, they are social science, so we're not starting off at a great point to begin with.
The Cameron & Cameron (2017) piece you link is primarily a defense of their Homosexual Parents paper from 1996, but that consisted of sending out surveys during the 1980s, starting with a 1983 survey sent to 9k adults (4340 responses) in LA, DC, Omaha, Denver, and Louisville, and a 1984 survey in Dallas going to 10k adults (5182 responses). In those surveys, the closest question to "same-sex parents" was if "one of [respondent's] parents was a homosexual"... which "was not asked in the 5-city study".
Being charitable to the level of naivety and assuming that the weird procedural changes were totally just meant to better serve the data, it's hard to think of worse ways to establish this question. Even outside of the lizardman constant problems or the tiny sample size, this isn't the same question, especially during that day and age, and there's no way to separate 'are children raised by same-sex parents more likely to be victims of sexual abuse' from 'are children sexually abused by their parents more likely to know their parent's orientation', esp given that the paper never gives base rates or overall rates.
The Sullins paper is pointing toward his 2015 work, most relevantly "The Unexpected Harm of Same-sex Marriage: A Critical Appraisal, Replication and Re-analysis of Wainright and Patterson’s Studies of Adolescents with Same-sex Parents", which does have the section "Over two-thirds (71% SE 30) of the children with same-sex married parents who had ever had sexual intercourse reported that they had been forced to have sex against their will at some point" and perhaps more shockingly that 38% of all respondents, not just those who had sexual intercourse, if they'd been forced to give or receive sexual touch or intercourse from a parent or caregiver.
There's some weirdness here, not all of which is from Sullins -- while he excludes almost half of what Wainright called lesbian parents on the basis of male adults in the household, the original survey gatherers made some bizarre decisions where the same survey segment was used only to ask males if they had raped someone and only to ask females if they had been raped -- but the combination makes the numbers less useful. Sullins is implying-without-stating that female children are being molested by lesbian parents in this sample by staggering numbers, but it's far from clear that's what actually was asked in the question. Yet at the same time, unmarried parents have zero odds?
((There's also a GRIM failure; 37.8% doesn't come as a reasonable division for any of the combinations I can provide as possible counts for total same-sex couples. Might just be a rounding error if it's the 17 'real' lesbian couples, around 40% of which identified as married, but then it's an N=3.))
Especially given the other assumptions (esp that men should only be asked if they forced someone into sex, and women only if they were forced), I'm curious if this reflects a number of victims of familial sexual abuse in one family environment then having sole custody and/or being adopted by lesbians later, but there's not data for it, just a story.
((Separately, he also wrote in 2015 "Emotional Problems among Children with Same-Sex Parents", and that's at least procedurally not-crazy: pull in NHIS surveys for sexual relationships, look at reported emotional problems and some developmental disabilities, and saw larger values (generally 2x). There's a bunch of interesting modeling, but a lot of it points to gay parents having more emotional problems themselves, and adopted kids having more emotional problems and developmental disabilities (and gay parents being more likely to adopt). But it's not really relevant here.))
should this be dispositive evidence against allowing same-sex couples to adopt?
I think you need some data with more than double-digit total same-sex couples or non-trivial number bad actors, for starters, and then some more serious effort to isolate molestation within the same-sex couple (or adoption).
Yes.
At the trivial level, code with strong or moderate typing is far less likely to introduce a pretty wide variety of fairly annoying bugs. You can theoretically hire coders who aren't going to make that sort of mistake, but then you have to hire coders who don't make that class of mistake, and they have to put time and focus into it. Compile time can be the difference between iterating in seconds or minutes (or in one miserable case, tens of minutes). If you need portability (whether Windows to Linux, or x86 to ARM to Mac Silicon), some languages are much more frustrating than others.
At the less obvious, the availability of good and strong debuggers matters less for desktop (where the span is more Firefox Inspector Mode to Visual Studio) than embedded or microcontroller worlds (where the low end might be 'you get nothing, good day sir!'), but for applications requiring multithreading or complex performance or memory management, the higher end still matters. There's a tradeoff between succinctness and clarity of code, as evidenced by Java vs Kotlin vs Scala.
While you might consider them extremes of the "special requirements", some languages handle certain matters and frameworks better than others. MVVM makes a lot more sense in Java or C# than JavaScript, and may make sense for a common project type. Many things interfacing with hardware or certain databases may only have library support for a handful of languages, especially in industrial automation world -- at best you're going to end up writing a shim, at worst you may just be stuck. Some languages have really clever tricks justifying their use for certain specialty purposes (Matlab and matrix arithmetic) but are absolutely obnoxious otherwise. ((Some, like VC++, introduce weird user-environment-specific errors that can drastically increase your support costs and reduce user-friendliness, thank you msvr###.dll errors.)) For many internal-use tools, having something that you can build-and-leave-for-a-decade can push you away from languages with a history of breaking changes.
For smaller businesses, you go to war with the army you have, and I say that as someone who's written more than a fair share of internal-use C#, Java, and Python code.
I don't think they're the only part of business success: the road is paved with the skulls of LLCs that had great software but struggled on the business side, or just bad luck. And there's definitely a coding fandom that endlessly chases the Next Best Thing, either to (charitably) keep themselves sharp or (less charitably) keep their resume up to date, in preference to mastering one language well, or building lasting projects, or just getting tasks done. You can definitely end up bike-shedding. But it's a mistake to not consider it seriously and in depth.
I'm going to say that a female child raised as female knows she's a girl. A female child raised as female declaring she is really a boy? I'm waiting to see on that one.
There's not exactly a shortage of trans men who can point to an upbringing and environment that required and enforced pretty strict gender norms for behavior. To the level of 'not allowed to wear pants' sorta thing.
The steelman is that a lot of trans people are really obviously trans before they transition even socially (and sometimes even before they realize it themselves), and whether aware or not, a lot of these regulations can still impact them (or, less charitably, be reported as/forced into impacting them, a la Floridian teachers making news releases).
The ironman is that, while there's a lot of controversy about where and when the Correct minimum age for specific types of transition in minors is even among the broader LGBT movement, setting that as 18 for hormonal transition is a very far outlier, and that's been that way for a while. I'll point to Venus Envy as an example of early-2000s media covering transition of late high schoolers (and much of the exploration of the theme is focused on the contrast between Zoe going through conventional processes, and Larson as the problems of gray market self-administration), and that being completely unnoteworthy among readers.
That's not hugely honest to describe as kids, but it's not exactly dishonest, either.
The problem is that there's a genuine paradox, where the overwhelming majority of trans people can look back and honestly say it would have been better, easier, more complete, less traumatic, so on, if they'd realized and started transition just slightly earlier, and gotten just that small amount of more support. And then Zeno stumbles in like a drunken fool.
I don't know.
I'd like to believe that it merely proved people like Dan Savage would be tolerated and feted, rather than undermine and weaken their movements, and that in a counterfactual world where everyone instead focused on honest debate and open engagement, Obergefell would still have happened, perhaps with a bunch of references to South Park's Big Gay Al. In this world, though, we got that sorta stuff, and Savage bullying a bunch of teenagers as part of his anti-bullying campaign was just the most on-the-nose bit, rather than the worst or even highest profile.
And there is a large portion of the progressive movement that believes that sort of behavior was a large portion of why they won, and it's not obvious that they're wrong. Putting massive social, career, and legal costs to opposing gay marriage genuinely blew apart a lot of anti-gay marriage movements; breaking any opposition to favored goals as homophobia worked; leaking donation records and sending newscasters to individual randos' homes increased the cost of doing those things.
One observation he makes that I hadn't seen in other reporting on campus protests, is that college admissions select for people who are "really good at looking really good," which includes strategic political posturing.
This seems woefully optimistic to me, not least in the assumption that people would abandon these positions were they made less than maximally appealing. There's no small amount of the people leading this charge who headily predate modern college admissions being driven by "looking really good" -- up to and including professors and administrators.
I think the more plausible argument why this has gone so hard so fast is that the conventions against doing so were proven wrong. Until the mid-00s, there was an argument -- a credible and serious argument -- that the Progressive movement had to win by persuading people, not just as a matter of principle but principle and pragmatics. That one defeats one's enemies by making them your friends. But by 2012 making Bad People Afraid worked, by 2014 and the aftermath of the ACA, it had already become respectability politics; by 2015, the answer was yes, you could get everything you wanted by stigmatizing and shunning and silencing those opposed to you hard enough, and some turgid prose on top, too. All the people worried about pushback or the pendulum shifting or whatever metaphor you want were wrong, and I say that as someone who plead at length with exactly that argument in the belief my neck was on the line.
It's a genuinely harsh paradox, and harsher still for those of us who haven't let the New Respectability hollow us out like skin suits, but it doesn't stop existing just because you ignore it.
I'm curious what the PR and legal discussions leading to this "ban" were, and what may result from it.
Search term you're looking for is the Leonard Law, passed in 1992. Not sure by how much; the California legis lookup only goes to 1992. Stanford did try the our ban is our free speech thing, but courts rejected it. The 2007 Amendment was passed with pretty clear margins, though Yee (better known for his other work) being involved doesn't encourage.
This search was also during Waco (aka funding) season.
That being said, I don't think the law is as ambiguous as you're making it out to be.
I don't think his particular case is ambiguous: I agree that Malinowski was likely violating the law ("almost no chance that he'd have been able to avoid a lengthy federal sentence"). My moral problem is more a question of what compliance would look like.
(Abramski is more complicated: it's unquestioned that he was reselling the gun, but the law about buying and selling doesn't ban resale, only "engaging in the business", which he wasn't doing. Hence why he got hit with paperwork violations that aren't even parts of paperwork listed in the statute, but rather ATF regs.)
The exact requirements for a private FFL are a mess, but there's a lot of ways it can be ludicrously impractical. Becoming an FFL means the ATF can inspect your entire listed address with little or no notice at least once a year. While less often an issue in Little Rock than other jurisdictions, FFLs must comply with all local business regs just to receive a license; this can require massive investments or even where it doesn't just turn into a catch-22 or punitive FFL-specific fees. Moving is annoying and in recent years leaves you pretty much at the whims of the ATF's schedule. Some IOTs or jurisdictions can require enough additional security as to make casual sellers cost-negative. Gotta keep (and show you can keep) form 4473s for twenty years, every i dotted and t crossed. Even the sort of zoning stuff no one actually enforces has to be met and understood and complied with. Apartment or rental FFLs have to show that they'll be in compliance with all the boilerplate contract crap meant to keep people from running a leather tannery in a basement.
Most critically, the ATF requires FFLs be engaged not just in resale, but in business. If you can't present a decent business plan during the interview, the ATF won't issue an FFL; if you're not making a decent number of sales, the ATF can pull an FFL. There's limited alternative sales (mostly consulting), but if you go with them you've got other problems. Officially, you only have to list two hours a week as your 'open hours' for inspection and business, but outside of FFL 03s (C&Rs), you're likely to get your IOT to tell you to try again until you've got at least one 'open' day (usually 5+ hours). That's likely wildly impractical for an airport manager, who must also be available at no notice to handle everything from a major air disaster to a fuel spill to a burst water pipe to a busted runway light.
((This isn't helped by overt abuse of FFLs by the ATF: there are some limited statutory protections about having too many inspections in too short a time period, searching material unrelated to the business, or taking pictures of FFL records during inspections absent evidence of wrongdoing, but these solely exist on paper. There's literally no recourse if the ATF flips the law the bird.))
That's the point; the whole set of regulations and harassment exists to discourage small or marginal FFLs, or people becoming an FFL for personal use (which is itself a felony!). That's the state of regulations right now, and there's no wiggle room from a view of the courts.
But from a moral one... I don't advocate noncompliance with such unreasonable laws. I'm hard-pressed to see it as morally wrong, though, rather than just a horribly bad idea.
I think part of the reason why the law remains vague is that gun control is such a toxic issue right now that any change of the law is difficult to accomplish. For the gun rights people any clarification short of a total repeal of the FFL requirement is going to be seen as an unreasonable imposition, and for the gun control people anything short of eliminating private sales entirely is going to be seen as a useless half-measure. So there's no political will to do this.
For gun rights people, there's a lot for whom the FFL system is, in many ways, the room temperature -- at most, you get some problems at extremes, but even among gunnies, there's just not the interest for its core. The problem's more that any of the even remotely plausible compromises look a lot like just one more bite at the cake.
I'm not sure if it's intentional, but I'd point that your particular proposal is all take and no give. Every private firearm sale must now have a paperwork and ID requirement, or involve an FFL, and a fairly low limit to private sales is now in place, and... what, we're supposed to be happy that we're 'absolutely sure' that four guns in two years wouldn't be against the law, at least until the feds change it again?
Add in that there's a wide gap between such minimal sales and the scope required for it to make business sense to jump through all the hoops for an FFL. For a fermi estimate, if we assume 300 USD profit per gun and 150 guns, Malinowski would have made less than 15k USD/year.
One thing I always like to point out: almanac.
In my opinion, I believe Malinowski was technically legally in the right despite the high volume of sales. There is no indication he was attempting to profit from selling to criminals/gangs etc. Many people collect firearms and enjoy buying and selling them as others would spend hundreds of thousands of dollars on motorcycles or pokemon cards. There is no law in Arkansas against purchasing a handgun and deciding you don't like it for whatever reason and selling it to your neighbor the next day.
Legally in the right is kinda unrelated to those questions; the federal law isn't about selling to Bad People, but selling as a business or buying on 'behalf' of another person. See Abramski v. United States for a case where buying one gun for resale to another person (his uncle) who could legally buy or own the firearm had he bought the gun himself, and received five years of probation (technically, two such sentences running concurrently).
(The affidavit claims one of the guns was found in possession of a Norteno gang member, but search affidavits claim bullshit regularly, and it's not clear how many steps happened between Malinowski's sale and that point, since the Nortenos are mostly a California thing.)
Under current law, there's almost no chance that he'd have been able to avoid a lengthy federal sentence. There's not a statute written down saying you can't buy and resell in a day or a week as a private individual, but the law is whatever the ATF wants it to be, until and unless a court slaps them down. The line between private sales from a personal collection and acting as a business is vague and basically defined only in whatever sense the ATF wants it to mean, but there's been far more marginal cases convicted.
He might have been trying to start a legal confrontation, but I'm... somewhat skeptical for aviation reasons -- very few people who deal with the FAA regularly would start shit by going straight to 11, and those who do would have had a lawyer on retainer, heavily tied into paperwork somewhere, and ready to give a statement. As an alternative explanation, there was (and remains to a smaller extent) a lot of non-coastal people who use firearms as a store of value, and quite a lot of them aren't familiar with the law or the extent that it's been tightened recently.
Morally... more complicated. Whatever the original status of the GCA1968, the ATF and federal government have since joined together to make the FFL system as unavailable as possible to small businesses or hobbyist resellers, starting with the Clinton-era crackdown on kitchen-table FFLs (with a few exceptions). Abramski would have struggled to operate as an FFL had he wanted to, and the harassment aimed at small FFLs makes the moral arguments rough.
Yeah, that's fair.
Others I'd add:
- Rationalist, an adherent (or some style of critic) of the philosophy established on LessWrong, originally focused on trying to develop a more accurate model of what is true through understanding available information and avoiding the various pitfalls newly being recognized by 1990s-2005-era social psychology. Not... very typically that rational, and very much not philosophical rationalism.
- Ratsphere, rationalist diaspora. A reader or commenter from LessWrong that started moving to other social media, typically in 2010-2014, or those adjacent to them, or adjacent to those adjacent to them. See here or here.
- Postrat or post-rationalist, someone that rejects the rationalist movement's interest in what is true as impossible, and instead prioritizes what is useful to believe. Usually part of the (twitter) rationalist diaspora. See example here.
- Tpot, usually lower-cased. 'That part of twitter', a mostly coastal techie group, some overlap with ratsphere. Largely an endonym. Example here.
- Litany of Tarski, a poem saying to want to know and believe things that are true, usually with the connotation that the true thing is depressing or unpleasant. See here.
- Conflict Theory and Mistake Theory, where Conflict Theory is the model that disagreements reflect two sides naturally opposed to each other who at best are negotiating over the division of spoils, while Mistake Theory is the model that each side disagrees about a question and could be persuaded. See example here or here. Quokka is largely a criticism of or self-identifier for mistake theorists and... I think we're at the point where there's not enough pure mistake theorists to have anything similar going the other way for conflict theorists.
I've also seen a lot of people call others in the ratsphere quokkas to justify their own being a prick, but I dunno if that's just seeing the meme earlier (naraburns points to the zerohplovecraft origin as a prototype of someone calling everyone else quokkas) or different focuses.
You're not the only one that has to pull out a dictionary at times, here, and I say that with the recognition that no one else has or likely would want to use if-by-whiskey.
I would also specify that it's gone well outside of communities focused on gender relationships, especially blackpill (see also here, here, here), but also whitepill (see also here) and more rarely bluepill (see also here).
Clearpill doesn't actually seem popular here (the only older ref is from a Moldbug piece?) or much of anywhere.
Pink, I don't think I've seen here, and it's not very common even in spheres that are about AMAB people being briar patched into dressing as women.
There is dogpill, as ChrisPrattAlphaRaptr points out, and grillpill, but those are probably at the point where it's a generic suffix.
EtherShout’s ban/account deletion means Contexts that include one of his posts will not load properly. Presumably other accounts in similar straits will do the same. Contrast https://www.themotte.org/post/788/culture-war-roundup-for-the-week/170478 or https://www.themotte.org/post/788/culture-war-roundup-for-the-week/170478?context=1#context
I’ve reported it in the Motte dev discord, but I dunno if anyone’s had a chance to look into it in depth, and the relevant code was pretty opaque at a first glance.
2009 was a long time ago, I was basically a kid...
I can point exactly where I was, online, in 2009: the writing was already on the wall, and it went exactly where I expected it would.
There were better places online, if you looked for them -- this was still before some of the weirder specialty forums got chased out, and I have some fond memories of early therianthropy spheres -- but it was already a long way from the highlights of the early Eternal September era, or especially usenet era. The Scylla and Charybdis of SomethingAwful and corporate monoculture were well and present then.
New York Times v. Sullivan only requires that the evidence of actual malice (a legal term that's not satisfied by hating someone) or reckless disregard for the truth be present for public figures or public officials (and later cases require this for any damages other than 'actual damages'). ((The courts have also recognized a limited public figure and involuntary limited public figure doctrine, though it's far from clear the former applies and the latter condition may well be extinct.))
Private citizens still have a really high bar to reach on a wide variety of other prongs. If you were bringing a left-aligned lawsuit in the northeast against a particularly hated enemy, maybe, but as bad as the Fifth Circuit has gotten, it's not gotten that bad.
Or someone posted the crazy story about the trains in Poland
Here.
Tech companies have a clear profit motive to force you to buy their software, same way that John Deere has a clear profit motive to stop you from repairing their tractors when they can charge you 800$ to plug in a wire themselves. They're not afraid of you shitposting about your waifu LLMs on reddit, they want you to buy the latest and shittier version of Windows, Now With More Advertisements And Less Functionality. It's the Suits, not the HR and DEI consultants.
I think it's worse in the sense that there's a million different excuses. There are legitimate security issues. iOS has, as a philosophical position that it has held for over a decade and through the death of its leader, been against porn on the iOS store.
((Of course, the same people allow web browsers to submit OS-level notifications or can't stop the simplest malware, so fuck em.))
Interest in freedom is fundamentally the interest of a minority of one.
Witnessed is a little important, here; I'm not as sure as TheGrugq that this isn't the first try at this, if only because no one's found (and reported) a historical example yet, but I'm still very far from confident it is the first. And it did get really close: I've got an Arch laptop that has one part of the payload.
That's... not entirely clear. Visible-source seems to have helped track down the whole story, as did the development discussions that happened in public (though what about e-mail/discord?), but the initial discovery seems like it was entirely separate from any source-diving, and a lot of the attack never had its source available until people began decompiling it.
Yeah, that part is encouraging; I've definitely seen places (not just in code! aviation!) where people look at circumstances like this and consider it a sign there was enough redundancy, rather than enough redundancy for this time. I think it's tempting to focus a little too much on the mechanical aspects, but that's more a streetlamp effect than a philosophical decision.