
Culture War Roundup for the week of May 6, 2024

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.


The Bailey is "I hear about [extensive compliance] from my friends in literally every other industry ever. They still seem capable of operating."

This is a true statement about the world, not an outrageous claim, newfriend. You may be thinking that those words mean something other than what those words mean. What are you thinking they mean?

My own consistent position is that this regulation is a small advance that is inconsequential by itself but proceeds in a direction that is ultimately incompatible with innovation and that assenting to it is a slippery slope.

Great! We can surely then have a reasoned discussion about the nature of slippery slope arguments, trying to understand when they hold, to what extent they hold, and whether the premises required for them to have force are present here. I have never objected to the concept of slippery slope arguments, but it does need something behind it, otherwise it leaves us vulnerable to just any crazy extrapolation of anything in any domain. We probably wouldn't respond to, "Gay marriage is a slippery slope to marrying dogs!" with, "H-yup. All slippery slope arguments are perfectly valid and correct in all conclusions."

This is a true statement about the world

It's a true statement about your opinion. I disagree with your assessment of what "being capable of operating" entails, as we have gone over already.

it does need something behind it

it certainly does!

All it needs formally is demonstration that the slope is slippery. Which we can discuss in this case, but I don't really see the argument against given we have dozens of examples in this very specific field, and in other fields of engineering, of the complexity of regulation increasing to smothering levels from previously small demands. Automobiles, airplanes, even dishwashers, you can take your pick of examples.

Will you then disagree that government regulation is a slippery slope? And on what ground will you do so?

I disagree with your assessment of what "being capable of operating" entails, as we have gone over already.

We discussed shale fracking. Now SpaceX, Ozempic, Matt Levine gives tons of examples of financial innovation, we're damn close to self-driving cars, but the hol' up is the tech, not the regulation. The list goes on and on. I do not see any more content in your comment that is anywhere near suitable to claim that we can simply declare this "gone over already". If anything, you just dropped it, because your position didn't go anywhere.

Let's make sure we're on the same page here, so that we are at least confident that we're both actually really ready to engage the slippery slope question honestly, without leaving room for a retreat in this direction. Are other industries capable of operating with some amount of regulation? Not, "Is there a general sense of a regulation-innovation tradeoff?" We agree that there is. The straightforward statement that many other industries are capable of operating with some amount of regulation. Are you going to stick with the position that this is an outlandish Bailey? Or is it simply a true fact about the world, and we can shift the discussion toward slippery slopes?

Let's take a look at those survivors then.

Shale fracking

Illegal in Europe at large.

SpaceX

Currently being sued for not respecting the contradictions between ITAR and the CRA.

Ozempic

Took three years to change the label of a drug that would never have been approved if they had to label it from scratch.

Finance

Most financial innovation is currently happening outside of regulation.

Self-driving cars

Technically very hard indeed, but I'm willing to bet they'll also become very hard legally once they start inevitably running people over.

On the whole, it seems hard to argue that these innovations are examples of regulation being compatible with or fostering innovation. They rather seem to exist despite it.

I'm willing to have the charity to shake on "there a general sense of a regulation-innovation tradeoff". This is true. The more regulation, the less innovation as a general rule, with some exceptions.

As for the second part of the argument, you haven't produced any reasoning as to why regulation isn't a slippery slope while I can point to the development of essentially any technology since 1940 to affirm it. From the dishwasher to the machine gun.

You seem ready to argue elsewhere in this thread that the very idea of the slope being slippery is ridiculous and unfounded and here you're dodging. I think that is bad faith and that you've done nothing but project objections to your antagonism onto those that criticize it here. That isn't just unconvincing rhetoric, it's a waste of our time.

So instead let's actually do something productive and establish your position definitively: what is your positive theory of the interaction of regulation and innovation, does it have any limiting principle and how does it maintain the innovation cycle and competition in the face of the interests that inevitably act on it?

you haven't produced any reasoning as to why regulation isn't a slippery slope while I can point to the development of essentially any technology since 1940 to affirm it.

I don't actually see how your argument here is supposed to function. Can you spell it out for me?

You seem ready to argue elsewhere in this thread that the very idea of the slope being slippery is ridiculous and unfounded

Nope; literally never did that. Please don't waste our time strawmanning me.

what is your positive theory of the interaction of regulation and innovation, does it have any limiting principle and how does it maintain the innovation cycle and competition in the face of the interests that inevitably act on it?

I think there is often a general sense of a regulation-innovation tradeoff. It happens in different ways in different places, and it's often area specific, many times in ways that you might not expect. It's a really tough problem, so I'm generally in favor of fewer regulations, especially when they're not pretty decently well-tied to a specific, serious problem. I think that a lot of the time, you can maintain the innovation cycle and competition by being careful and hopefully as light-touch as possible with regulation. Some examples would be that if (and this is a big if, because I would actually disagree with the ends) you want to reduce carbon emissions from powerplants or noxious emissions from tailpipes, it's better to do things like set output targets and let the innovation cycle and competition figure out how to solve the problem rather than mandate specific technological solutions that must be adopted for the rest of time, no questions asked. Of course, this is an easy example, and many situations can pose more difficult problems; I'm probably not going to have the answer to them all off the top of my head.

This requirement seems mostly focused on some of the most egregious practices, and it appears that they at least try to leave open the possibility that people can come to the table with innovative solutions to accomplish the "aspirational text" (as gattsuru put it), even if it wasn't a solution that they specifically identified. It may be possible that we have some other big breakthroughs in the field of network security that make some of these line items look ridiculous in hindsight, which is why I would also say that a grossly under-resourced effort across regulation regimes is hunting for precisely any items that may have been deprecated, so they can be promptly chopped. I lament that this is not done well enough, and it's likely one of the major contributors to the general sense of a regulation-innovation tradeoff.

I reject the concept that as soon as epsilon regulation of an industry is put into place, it necessarily and logically follows that there is a slippery slope that results in innovation dying. I think you need at least some argument further. It's easy to just 'declare' bankruptcy a slippery slope, but we know that many end up not.

I reject the concept that as soon as epsilon regulation of an industry is put into place, it necessarily and logically follows that there is a slippery slope that results in innovation dying. I think you need at least some argument further. It's easy to just 'declare' bankruptcy a slippery slope, but we know that many end up not.

Nobody is arguing that "the moment any regulation is in place, it is inevitable that we will slide all the way down the slippery slope of increasing regulation and all innovation in that industry will die". The argument is, instead, that adding a regulation increases the chance that we will slide down that slippery slope. That chance may be worth it, if the step is small and the benefit of the regulation is large, but in the case of the entirety of ETSI EN 303 645 (not just section 5.1 in isolation), I don't think that's the case, and I certainly don't think it's a slam-dunk that it's worth the cost.

Section 5.1, "You are not allowed to use a default password on a network interface as the sole means of authorization for the administrative functions of an IoT device", if well-implemented, is probably such a high-benefit low-risk regulation.

Section 5.4.1, "sensitive security parameters in persistent storage shall be stored securely by the device," seems a bit more likely to be a costly provision, and IMO one that misunderstands how hardware security works (there is no such thing as robust security against an attacker with physical access).

They double down on the idea that manufacturers can make something robust to physical access in section 5.4.2, "where a hard-coded unique per device identity is used in a device for security purposes, it shall be implemented in such a way that it resists tampering by means such as physical, electrical or software."

And then there's perplexing stuff like 5.6.4 "where a debug interface is physically accessible, it shall be disabled in software." Does this mean if you sell a color-changing light bulb, and the bulb has a USB-C port, you're not allowed to expose logs across the network and instead have to expose them only over the USB-C port? I would guess not, but I'd also guess that if I was in the UK the legal team at my company would be very unhappy if I just went with my guess without consulting them.

And that's really the crux of the issue, introducing regulation like this means that companies now have to make a choice between exposing themselves to legal risks, making dumb development decisions based on the most conservative possible interpretation of the law, or involve the legal department way more frequently for development decisions.
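As an added illustration of the section 5.1 point discussed in this exchange (example code, not something posted by anyone in the thread): the failure mode the clause targets is a factory credential shared across every unit and reachable over the network. The audit below takes a constructed fleet of device records and flags units that share a password, use a well-known default, or (an assumed weak scheme the thread does not mention) derive the password from the serial number or MAC address printed on the label. It also shows a per-device credential drawn from the OS CSPRNG, which is what a unique-per-device password looks like in practice. All device records and the small default list are constructed for this example.

```python
"""Audit a device fleet's provisioned admin credentials for the failure mode
ETSI EN 303 645 section 5.1 targets: a shared (default) password as the only
thing standing between the network and the admin interface.

Every device record below is constructed for this example."""
import secrets
from collections import Counter

# Small constructed list of widely shipped defaults; a real audit uses a larger one.
KNOWN_DEFAULTS = {"admin", "password", "12345678", "root", ""}


def provision_password(nbytes: int = 16) -> str:
    """Per-device credential from the OS CSPRNG, independent of any identifier."""
    return secrets.token_urlsafe(nbytes)


def derived_from_identifier(password: str, device: dict) -> bool:
    """Assumed weak scheme (not from the thread): password built from the serial
    number or the MAC address, both of which are visible on the label or on the wire."""
    mac_hex = device["mac"].replace(":", "").lower()
    candidates = {device["serial"].lower(), mac_hex, mac_hex[-6:]}
    return any(c and c in password.lower() for c in candidates)


def audit_credentials(devices: list) -> dict:
    """Return device ids grouped by finding; a device may appear under several."""
    counts = Counter(d["admin_password"] for d in devices)
    findings = {"shared": set(), "known_default": set(), "derived": set()}
    for d in devices:
        pw = d["admin_password"]
        if counts[pw] > 1:                      # same credential on more than one unit
            findings["shared"].add(d["id"])
        if pw in KNOWN_DEFAULTS:                # guessable without touching the device
            findings["known_default"].add(d["id"])
        if derived_from_identifier(pw, d):      # recoverable from the label / the wire
            findings["derived"].add(d["id"])
    return findings


# Constructed sample fleet: two units share a factory default, one uses a
# MAC-derived password, and two were provisioned with unique random values.
SAMPLE_FLEET = [
    {"id": "bulb-001", "serial": "SN0001", "mac": "aa:bb:cc:00:11:22", "admin_password": "admin"},
    {"id": "bulb-002", "serial": "SN0002", "mac": "aa:bb:cc:00:11:23", "admin_password": "admin"},
    {"id": "bulb-003", "serial": "SN0003", "mac": "aa:bb:cc:00:11:24", "admin_password": "Wifi-001124"},
    {"id": "bulb-004", "serial": "SN0004", "mac": "aa:bb:cc:00:11:25", "admin_password": provision_password()},
    {"id": "bulb-005", "serial": "SN0005", "mac": "aa:bb:cc:00:11:26", "admin_password": provision_password()},
]

if __name__ == "__main__":
    for finding, ids in audit_credentials(SAMPLE_FLEET).items():
        print(f"{finding}: {sorted(ids)}")
```

The "shared" check is the one that corresponds most directly to the clause as quoted; the other two are the extra checks a practitioner would normally run alongside it, since a password that is unique on paper but derivable from the MAC address gives the same practical result as a shared default.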

Nobody is arguing

I present to you: nobody.

The argument is, instead, that adding a regulation increases the chance that we will slide down that slippery slope.

This is a vastly better argument, but one that wouldn't allow us to then simply reject any continued discussion, just because we've 'declared' slippery slope and observed that we're epsilon on it. For example, one might ask about the underlying reason for why it increases the chance that we will slide down it? The answer could take many forms, which may be more or less convincing for whether it does, indeed, increase the chance. See here for some examples, and feel free to click through for any specific sub-topics.

Section 5.4.1, "sensitive security parameters in persistent storage shall be stored securely by the device," seems a bit more likely to be a costly provision, and IMO one that misunderstands how hardware security works (there is no such thing as robust security against an attacker with physical access).

IMO, it shows that you misunderstand how these things work. They're not saying "secure against a nation state decapping your chip". They actually refer to ways that persistent storage can be generally regarded as secure, even if you can imagine an extreme case. To be honest, this is a clear sign that you've drunk the tech press kool aid and are pretty out in whacko land from where most serious tech experts are on this issue. Like, they literally tell you what standards are acceptable; it doesn't make any sense to concoct an argument for why it's AKSHUALLY impossible to satisfy the requirement.

And then there's perplexing stuff like 5.6.4 "where a debug interface is physically accessible, it shall be disabled in software." Does this mean if you sell a color-changing light bulb, and the bulb has a USB-C port, you're not allowed to expose logs across the network and instead have to expose them only over the USB-C port?

H-what? What are you even talking about? This doesn't even make any sense. The standard problem here is that lots of devices have debug interfaces that are supposed to only be used by the manufacturer (you would know this if you read the definitions section), yet many products are getting shipped in a state where anyone can just plug in and do whatever they want to the device. This is just saying to not be a retard and shut it off if it's not meant to be used by the user.

I present to you: nobody.

... I see a lot of you arguing that The_Nybbler believes that giving an inch here is a bad idea because they think that a tiny regulation will directly kill innovation, while The_Nybbler is arguing that there's no particular reason for the regulators who introduced this legislation to stop at only implementing useful regulations that pass cost-benefit analysis, and that the other industries we see do seem to have vastly overreaching regulators, and so a naive cost-benefit analysis on a marginal regulation which does not factor in the likely-much-larger second-order effects is useless (though @The_Nybbler do correct me if I'm wrong about this, and you think introducing regulation would be bad even if the first-order effects of regulation were positive and there was some actually-credible way of ensuring that the scope of the regulation was strictly limited).

Honestly I think both of you could stand to focus a bit more on explaining your own positions and less on arguing against what you believe the other means, because as it stands it looks to me like a bunch of statements about what the other person believes, like "you argue that the first-order effects of the most defensible part of this regulation are bad, but you can't support that" / "well you want to turn software into an over-regulated morass similar to what aerospace / pharma / construction have become".

IMO, it shows that you misunderstand how these things work. They're not saying "secure against a nation state decapping your chip". They actually refer to ways that persistent storage can be generally regarded as secure, even if you can imagine an extreme case.

Quoting the examples:

Example 1: The root keys involved in authorization and access to licensed radio frequencies (e.g. LTE-m cellular access) are stored in a UICC.

Ok, fair enough, I can see why you would want to prevent users from accessing these particular secrets on the device they own (because, in a sense, they don't own this particular bit). Though I contend that the main "security" benefit of these is fear of being legally slapped around under CFAA.

Example 2: A remote controlled door-lock using a Trusted Execution Environment (TEE) to store and access the sensitive security parameters.

Seems kinda pointless. If an attacker can read the flash storage on your door lock, presumably that means they've already managed to detach the door lock from your door, and can just enter your house. And if a remote attacker has the ability to read the flash storage because they have gained the ability to execute arbitrary code, they can presumably just directly send the outputs which unlock the door without mucking about with the secrets at all.

Example 3: A wireless thermostat stores the credentials for the wireless network in a tamper protected microcontroller rather than in external flash storage.

What's the threat model we're mitigating here, such that the benefit of mitigating that threat is worth the monetary and complexity cost of requiring an extra component on e.g. every single adjustable-color light bulb sold?

H-what? What are you even talking about? This doesn't even make any sense. The standard problem here is that lots of devices have debug interfaces that are supposed to only be used by the manufacturer (you would know this if you read the definitions section), yet many products are getting shipped in a state where anyone can just plug in and do whatever they want to the device. This is just saying to not be a retard and shut it off if it's not meant to be used by the user.

On examination, I misread, and you are correct about what the document says.

That said, the correct reading then seems to be "users should not be able to debug, diagnose problems with, or repair their own devices which they have physical access to, and which they bought with their own money." That seems worse, not better. What's the threat model this is supposed to be defending against? Is this a good way of defending against this threat model?
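As an added sketch of the pattern in the standard's Example 3 quoted above (example code, not posted by anyone in the thread): Wi-Fi credentials written to external flash are readable by anyone who dumps the chip, so they are stored sealed under a key that never leaves a separate tamper-protected part. The `SecureElement` class is a software stand-in for that part, and the HMAC-SHA256 counter-mode keystream plus HMAC tag is a stdlib stand-in for the AES-GCM a real element would provide; the credential string, the `AAD` label and the attacker functions are all constructed for this example.

```python
"""Credentials sealed under a key held in a separate tamper-protected part,
so an offline dump of external flash yields only ciphertext.

SecureElement is a software stand-in for such a part; the HMAC-based cipher
is a stdlib stand-in for the AES-GCM a real element provides. Both are
assumptions of this example, not descriptions of any product."""
import hashlib
import hmac
import secrets


class SecureElement:
    """Holds the device-unique key and only exposes seal/open, never the key."""

    def __init__(self, key: bytes = b""):
        self._key = key or secrets.token_bytes(32)   # burned in at manufacture

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def seal(self, aad: bytes, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
        nonce = secrets.token_bytes(16)
        ks = self._keystream(nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self._key, aad + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, aad: bytes, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._key, aad + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("flash contents tampered with or sealed by another device")
        ks = self._keystream(nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


# Constructed Wi-Fi credential a thermostat must persist across power cycles.
WIFI_CREDENTIAL = b"ssid=HomeNet;psk=correct horse battery staple"
AAD = b"wifi-credential-v1"   # binds the blob to its slot so blobs cannot be swapped


def store_to_flash(element: SecureElement, credential: bytes) -> bytes:
    """What actually lands in the external flash chip."""
    return element.seal(AAD, credential)


def read_from_flash(element: SecureElement, flash: bytes) -> bytes:
    return element.open(AAD, flash)


def attacker_dumps_flash(flash: bytes) -> bool:
    """Offline dump of the flash chip, no element: is the credential visible?"""
    return WIFI_CREDENTIAL in flash or b"psk=" in flash


def attacker_patches_flash(element: SecureElement, flash: bytes) -> bool:
    """Flip one ciphertext byte and write it back; True if the device notices."""
    patched = bytearray(flash)
    patched[20] ^= 0x01
    try:
        element.open(AAD, bytes(patched))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    se = SecureElement()
    flash = store_to_flash(se, WIFI_CREDENTIAL)
    print("round trip ok:", read_from_flash(se, flash) == WIFI_CREDENTIAL)
    print("credential visible in dump:", attacker_dumps_flash(flash))
    print("tamper detected:", attacker_patches_flash(se, flash))
```

What this buys and what it does not: an attacker who desolders or dumps the flash, or moves it to another board, gets ciphertext that only the original element can open, and a modified blob is rejected. It does nothing against an attacker who already runs code on the device, since that code can simply ask the element to unseal; that is the scenario the comment above raises for the door lock, and the two are different threat models.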

"well you want to turn software into an over-regulated morass similar to what aerospace / pharma / construction have become".

In support of this interpretation:

https://www.themotte.org/post/995/culture-war-roundup-for-the-week/210060?context=8#context (whole thing)

https://www.themotte.org/post/995/culture-war-roundup-for-the-week/209894?context=8#context ("Maybe their little subculture will change.")

https://www.themotte.org/post/995/culture-war-roundup-for-the-week/209881?context=8#context ("coloring inside the lines")
