domain:reddit.com
NunoSempere
3m ago
Here is a link to coverage of this topic on Linux Weekly News: https://lwn.net/SubscriberLink/970824/8002d283c35edf86/
Incidentally one of the few publications I pay for subscribing, because coverage is generally thoughtful and informative
NunoSempere
9m ago
Our biographies sound eerily similar, I also took the IB, gave up on college, built a career partly out of programming. I tried harder in highschool though, and IT isn't quite what I do.
faul_sname
Fuck around once, find out once. Do it again, now it's science.
11m ago
I reject the concept that as soon as epsilon regulation of an industry is put into place, it necessarily and logically follows that there is a slippery slope that results in innovation dying. I think you need at least some argument further. It's easy to just 'declare' bankruptcy a slippery slope, but we know that many end up not.
Nobody is arguing that "the moment any regulation is in place, it is inevitable that we will slide all the way down the slippery slope of increasing regulation and all innovation in that industry will die". The argument is, instead, that adding a regulation increases the chance that we will slide down that slippery slope. That chance may be worth it, if the step is small and the benefit of the regulation is large, but in the case of the entirety of ETSI EN 303 645 (not just section 5.1 in isolation), I don't think that's the case, and I certainly don't think it's a slam-dunk that it's worth the cost.
Section 5.1, "You are not allowed to use a default password on an network interface as the sole means of authorization for the administrative functions of an IoT device", if well-implemented, is probably such a high-benefit low-risk regulation.
Section 5.4.1, "sensitive security parameters in persistent storage shall be stored securely by the device," seems a bit more likely to be a costly provision, and IMO one that misunderstands how hardware security works (there is no such thing as robust security against an attacker with physical access).
They double down on the idea that manufacturers can make something robust to physical access in section 5.4.2, "where a hard-coded unique per device identity is used in a device for security purposes, it shall be implemented in such a way that it resists tampering by means such as physical, electrical or software."
And then there's perplexing stuff like 5.6.4 "where a debug interface is physically accessible, it shall be disabled in software.". Does this mean if you sell a color-changing light bulb, and the bulb has a usbc port, you're not allowed to expose logs across the network and instead have to expose them only over the usbc port? I would guess not, but I'd also guess that if I was in the UK the legal team at my company would be very unhappy if I just went with my guess without consulting them.
And that's really the crux of the issue, introducing regulation like this means that companies now have to make a choice between exposing themselves to legal risks, making dumb development decisions based on the most conservative possible interpretation of the law, or involve the legal department way more frequently for development decisions.
The_Nybbler
Does not have a yacht
27m ago
So while people might have supported the ADA if it was 1% of the budget, they might start getting pissed at the program when it balloons up to 10% of the budget and a bunch of reverse lottery sob stories start showing up in the news. And suddenly instead of 10% or even 1% of the budget, you get 0% for your cause and no one trusts you with a 1% allotment cuz they will all remember the horror days of 10%.
Except that's not what happens. Your program lasts forever because it sounds good to the normies and has strong built-in constituencies. So there's no incentive NOT to do this; if you do it you win.
Felagund
29m ago
What exactly do you mean by neoliberal?
I've never seen it used in the way you're using it.
Capital_Room
rather dementor-like
42m ago
It's weird to have more than one person give you "advice" suggesting you try to become a drug dealer, right?
ArjinFerman
Tinfoil Gigachad
53m ago
Is that worth saving the nightmare of having billions of adversarial objects, likely quickly and easily controlled by the Chinese or Russians, literally everywhere on all our networks? Maybe not. But maybe so?
I'm in the curious position of not particularly caring about the Russians running botnets on your vacuum cleaner, but hating IoT with a passion, and being prepared to murder anyone that tries to sell me a toaster that connects to the Internet. What do?
SubstantialFrivolity
I'm not even supposed to be here today
53m ago
Dude it's common sense. It doesn't need to be explicitly spelled out in the rules, any more than the rules explicitly enumerate every single word you aren't allowed to use to describe fellow posters.
Capital_Room
rather dementor-like
55m ago
Still working my way through Life Worth Living. I keep finding myself pausing to note down various choice quotes. And I definitely appreciate the authors' clear disdain for Bentham.
faul_sname
Fuck around once, find out once. Do it again, now it's science.
58m ago
Excellent post!
In general I think we should be suspicious of any public program that tries to hide its costs, or launder those costs onto private actors.
Another example of this is AML/KYC regulations, which basically require banks to serve as a branch of law enforcement at their own expense. I don't think From the excellent Bits About Money post on the topic:
Money laundering is, effectively, a process crime. We criminalized it not because of the direct harms, but because it tends to make other interdiction of criminal activity more difficult.
Money laundering covers anything which obscures the link between another crime and the proceeds of that crime. This is intentionally extremely vague and expansive. The victim is, take your pick, either the state or the financial institutions the state has deputized to detect it. [...]
Much like KYC, AML policies are recursive stochastic management of crime. The state deputizes financial institutions to, in effect, change the physics of money. In particular, it wants them to situationally repudiate the fungibility of money. [...] They are required to have policies and procedures which will tend to, statistically, interdict some money laundering and (similar to how we discussed for KYC) trigger additional crimes when accessing the financial system. Particularly in U.S. practice, one sub-goal of this is maximizing the amount of assets which will be tainted by money laundering and then subject to forfeiture proceedings. [...]
And so every financial institution of any size has a Compliance department. One of their functions is having a technological system which will sift through the constant stream of transactions they produce and periodically fire “alerts.” Those alerts go to an analyst for review.
This implies floors upon floors of people who read tweet-length descriptions of financial transactions and, for some very small percentage, click a Big Red Button and begin documenting the heck out of everything. This might sound like a dystopian parody, and it is important to say specifically that this is not merely standard practice but is functionally mandatory. [...]
I think the thing that cryptocurrency enthusiasts are rightest about, which is broadly underappreciated, is that the financial system has been deputized to act as law enforcement. [...] Is this tradeoff worth it? I wish that society and policymakers more closely scrutinized the actual results obtained by AML policies. Plausibly we get sufficient value out of AML to have people attend mandatory diversity training at 1 PM, Banking the Underbanked seminar at 2 PM, and then AML training at 3 PM, while experiencing very little cognitive dissonance. But if that case can be made, then let it be made. I find the opposing case, that AML consumes vast resources and inconveniences legitimate users far out of proportion to positive impact on the legitimate interest of society in interdicting crime, to be very persuasive.
Sorry for the giant quote-post, I just think that article is very very good and also quite relevant to the topic at hand.
ControlsFreak
1hr ago
My personal way of squaring that circle is that I'm open to regulation on mass-produced end-user consumer goods, and a more freedom on anything that requires some deliberate action.
I think this is very reasonable, and these regulations pretty much go after just that. Consumer IoT devices, that are being mass-produced and just thrown onto the internet by the billions. What's worse is that they're making the same handful of mistakes over and over and over and over and over again, even though everyone and their dog knows that they can fix these things (at least the worst problems; not every problem) using even just a small number of best practices. A small number of things that every expert technologist has been screaming, "OH MY GOD PEOPLE JUST DO THIS SHIT WHY WON'T YOU DO THIS SHIT IT'S SO EASY AND WOULD PREVENT SO MANY PROBLEMS!" Things that they don't do because they don't have to. There's no law making them. They're Chinese, but their devices are being sold in the US, so fuck the US anyway. And even if they did do them, it would cost them epsilon amount of money, and they'd never be able to market it as anything to make them more money, besides, all their competitors are just churning them out as cheaply as possible without bothering, and they're not suffering for it.
There are many edge cases, and gattsuru brought up a lot of good cases that may be difficult. Things that might legitimately contribute to a regulation-innovation tradeoff. Most of them still seem kind of minor, so while they might produce some small tradeoffs, I think it's unlikely that they're going to wholesale preclude innovation. There's still going to be plenty of innovation, though there may be some edges that are unfortunately trimmed. Is that worth saving the nightmare of having billions of adversarial objects, likely quickly and easily controlled by the Chinese or Russians, literally everywhere on all our networks? Maybe not. But maybe so?
Capital_Room
rather dementor-like
1hr ago
Your argument becomes close to saying that ranking any human attribute is in bad taste, because someone ends up at the bottom, which is bullying.
It's been awhile since I was in elementary school, back in the previous century, but even that far back, the whole "self esteem" program we were subjected to pretty much endorsed something like this — you're great just the way you are, nobody is better or worse than anyone else, everybody's equally special in their own way ("which is another way of saying nobody is," to quote Dash Parr), everybody gets a participation trophy.
It's the "equity" mindset, the moral axiom that fairness demands equal outcomes for everyone; the same thinking that, when applied to identity groups, creates our "disparate impact" regime. And to many of its defenders, whether it's true, or even if it's a "noble lie," it's the only thing holding back horrific oppression. After all, you know who else once thought some people were better than others, back in mid-century Germany?
ControlsFreak
1hr ago
you haven't produced any reasoning as to why regulation isn't a slippery slope while I can point to the development of essentially any technology since 1940 to affirm it.
I don't actually see how your argument here is supposed to function. Can you spell it out for me?
You seem ready to argue elsewhere in this thread that the very idea of the slope being slippery is ridiculous and unfounded
Nope; literally never did that. Please don't waste our time strawmanning me.
what is your positive theory of the interaction of regulation and innovation, does it have any limiting principle and how does it maintain the innovation cycle and competition in the face of the interests that inevitably act on it?
I think there is often a general sense of a regulation-innovation tradeoff. It happens in different ways in different places, and it's often area specific, many times in ways that you might not expect. It's a really tough problem, so I'm generally in favor of fewer regulations, especially when they're not pretty decently well-tied to a specific, serious problem. I think that a lot of the time, you can maintain the innovation cycle and competition by being careful and hopefully as light-touch as possible with regulation. Some examples would be that if (and this is a big if, because I would actually disagree with the ends) you want to reduce carbon emissions from powerplants or noxious emissions from tailpipes, it's better to do things like set output targets and let the innovation cycle and competition figure out how to solve the problem rather than mandate specific technological solutions that must be adopted for the rest of time, no questions asked. Of course, this is an easy example, and many situations can pose more difficult problems; I'm probably not going to have the answer to them all off the top of my head.
This requirement seems mostly focused on some of the most egregious practices, and it appears that they at least try to leave open the possibility that people can come to the table with innovative solutions to accomplish the "aspirational text" (as gattsuru put it), even if it wasn't a solution that they specifically identified. It may be possible that we have some other big breakthroughs in the field of network security that make some of these line items look ridiculous in hindsight, which is why I would also say that a grossly under-resourced effort across regulation regimes is hunting for precisely any items that may have been deprecated, so they can be promptly chopped. I lament that this is not done well enough, and it's likely one of the major contributors to the general sense of a regulation-innovation tradeoff.
I reject the concept that as soon as epsilon regulation of an industry is put into place, it necessarily and logically follows that there is a slippery slope that results in innovation dying. I think you need at least some argument further. It's easy to just 'declare' bankruptcy a slippery slope, but we know that many end up not.
ArjinFerman
Tinfoil Gigachad
1hr ago
I think that would be a clear case of malicious regulation
I might end up having to do a walk of shame around here, and self-flaggelate about how I mistreated Elon, but I think that SpaceX is going to be seen as an example of "move fast and break things" being applied where it doesn't belong.
I guess "lack of regulation" isn't the right term, because there's been some bizarre political decisions in the process.
do_something
1hr ago
No need to do that. It seems relatively obvious to block someone who openly announces in reply to warning that they will not change behaviour at all.
ControlsFreak
1hr ago
I think that would be a clear case of malicious regulation, which is an entirely different class of problem. That is to say, if we were discussing something like laws about business records fraud or campaign finance, we'd talk generally about how it generates friction in business processes or has some potential to chill some amount of speech around the edges, and that would be a totally valid discussion with real tradeoffs. But I think it would be an entirely different conversation than talking specifically about Trump being maliciously prosecuted in NY; that has about jack-all to do with real tradeoffs in the space of business records fraud law or campaign finance law; it it purely about malicious actors reaching for literally any tool they can find to hit someone over the head with.
ArjinFerman
Tinfoil Gigachad
1hr ago
I don't know if I agree.
I might end up eating my words, but there's a decent chance that after a series of underwhelming Starship launches, New Glenn ends up going straight to Mars on first attempt. They both operate in the same regulatory environment, so if that happens I'd say it's down to how each company is run.
ControlsFreak
1hr ago
CMOS RAM
Fair enough. Hopefully the worst case is that this ends up not being covered, even though it should be.
5.4-2 (unique IDs)
I think I can agree that there may be tradeoffs here for some devices.
twenty sensors on a LIN line
I think these would almost certainly just be classified as "constrained devices", and they also give alternate mechanisms for valid trust relations, which I think will be what the automakers go for. They'll do the verification at a different step and say that the lack of physical or other access is what ensures that presence on the network is sufficient.
A presumption toward encrypting everything makes sense when it's free or nearly-free, but there are a lot of entire devices where it's just not that relevant. If your equipment does literally nothing but relay temperature and humidity values over ISM bands, you might want some amount of authentication to prevent spoofing, but it's really not that big a deal if someone can listen in. And there's a lot of IoT stuff that goes into that category.
There's some parts of the rules that motion around this -- 5.5-1's "Appropriateness of security controls and the use of best practice cryptography is dependent on many factors including the usage context" or the exceptions for ARP, DHCP, DNS, ICMP, and NTP in 5.5-5 -- but again that turns the requirement into aspirational text.
I think you're right that some portion of this is aspirational text, but I think it's along the lines of, "If you can just put some reason down on the table for why this should be considered aspirational text, then you're probably fine," and the only people who are at risk are the people who are doing the clearly and obviously boneheaded stuff. Like, I don't think it's going to be hard for the maker of a device that does nothing but relay temperature and humidity values over ISM bands to just say, "It's a constrained device; can't do any of that fancy stuff; pretty much no way in anyway," and we can all mostly go home happy. If we start having major corporate networks brought down by botnets of temperature monitors (uh, how?), then perhaps folks will have to figure out how to make it more than aspirational text.
In any event, thanks a bunch for really thinking through edge cases for a wide variety of really specialized and, for lack of a better term, really constrained devices.
Primaprimaprima
Bigfoot is an interdimensional being
1hr ago
I understand that that rule is supposed to be an elastic clause, and I agree on the practical necessity of having an elastic clause. But I think it's also good to minimize governing by the elastic clause as much as possible.
In this case we have identified something that is an explicit rule and can be phrased relatively unambiguously - either "don't backtalk to a mod" or "don't state your intent to violate the rules", whatever formulation you prefer - so why not just add it as an explicit rule?
(I also simply disagree that either of FNE's posts in that thread were egregiously obnoxious, although I think her first post that got the initial warning was an unambiguous violation of the rules on courtesy and low-effort posting.)
Stefferi
Chief Suomiposter
1hr ago
The smartphone map features are genuinely useful and I use them all the time to figure out what bus I need to take where, for example.
FCfromSSC
Nuclear levels of sour
1hr ago
Another way to engage with it might be, "if SpaceX fails in the future, where do we expect 'overregulation' to rank on the scale of expected causes?"
I would rank it pretty high.
FCfromSSC
Nuclear levels of sour
1hr ago
"Don't be egregiously obnoxious" covers both, I think.
No matter how careful we are, someone's going to come up with a way to be annoying, in a way that technically follows the rules. If we were to write a rule saying "don't do this thing", they would bend the rule to be as broad as possible, then complain that we're not enforcing it properly.
The goal of this community is not, however, slavish adherence to rules. It's discussion. And if this means we need to use our human judgement to make calls, then that's exactly what we will do.
There are people who think that every rule should be absolutely objective, to the point where our job could be done by a robot. I will point out that no legal system in history has ever worked this way and that if you think we can do better than the entire human race working on it for five thousand years, then I invite you to submit a proposal on how it will work.
I played, it's very much in "wait" territory imo. It has potential. I like the way you assign families to jobs, and how you can turn people's homes into artisan workshops. I also like the addition of combat to the city builder format. But I also think it's very much half baked even by early access standards. The map takes way too long to traverse, the AI has no chill, some techs seem to not work at all, and so on.
I think that if the dev can keep at it, Manor Lords is going to be great someday. But it's pretty meh at the moment.
More options
Context Copy link