Hacker News | Rygian's comments

No. It's the other battery.

Here's an idea, from a parallel universe: Cloudflare should have been forced, by law, to engage a third party neutral auditor/pentester, and fix or mitigate each finding, before being authorised to expose the CIRCL lib in public.

After that, any CVE opened by a member of the public, and subsequently confirmed by a third party neutral auditor/pentester, would result in 1) fines to Cloudflare, 2) award to the CVE opener, and 3) give grounds to Cloudflare to sue their initial auditor.

But that's just a mental experiment.


People really just go on the internet and say stuff.

Code is speech. Speech is protected (at least in the US).


Seems like you want open source software to die.

A more charitable interpretation could be "seems like you want large corporations, which have the financial means, to take security seriously and build a respectable process before publishing security solutions whatever the license".

All software is a security solution in one way or another. If open sourcing something risked massive liability no one would do it.

The license reads: 'THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"'.

If you bought a car and your dealer had you sign an EULA with that sentence in it (pertaining specifically to the security features of your car), would you feel safe to ride it at highway speeds?

If I went to a lot that had a sign at the entrance saying "Open Source Cars, feel free to open the hood and look to learn stuff. No warranty implied. Some may not function. All free to duplicate, free to take parts from, and free to take home", and then took a car from the lot and drove it home, no I would not be surprised if it fell apart before getting out of the lot.

When you purchase a car, you pay actual money, and that adds liability, so if it implodes I feel like I can at least get money back, or sue the vendor for negligence. OSS is not like that. You get something for free and there is a big sign saying "lol have fun", and it's also incredibly well known that software is all buggy and bad with like maybe 3 exceptions.

> If you bought a car and your dealer had you sign an EULA with that sentence in it (pertaining specifically to the security features of your car)

If the security features are implemented in software, like "iOS app unlock", no I would not expect it to actually be secure.

It is well known that while the pure engineering disciplines, those that make cars and planes and boats, mostly know what they're doing... the software engineering industry knows how to produce code that constantly needs updates and still manages to segfault in so much as a strong breeze, even though memory safety has been a well understood problem for longer than most developers have been alive.


> then took a car from the lot and drove it home, no I would not be surprised if it fell apart before getting out of the lot.

Congrats, the brakes failed, you caused bodily damage to an innocent bystander. Do you take full responsibility for that? I guess you do.

Now build a security solution that you sell to millions of users. Have their private data exposed to attackers because you used a third party library that was not properly audited. Do you take any responsibility, beyond the barebones "well I installed their security patches"?

> It is well known that while the pure engineering disciplines, those that make cars and planes and boats, mostly know what they're doing... the software engineering industry knows how to produce code that constantly needs updates and still manages to segfault in so much as a strong breeze, even though memory safety has been a well understood problem for longer than most developers have been alive.

We're aligned there. In a parallel universe, somehow we find a way to converge. Judging by the replies and downvotes, not on this universe.


Every used car sold outside of the major brand's certified used car programs is "As Is". So yeah, I would.

Speaking to US laws, auto manufacturers are required to fix design bugs that cause safety issues regardless of warranty or used status, at no cost to the owner. You may be familiar with the standard name for those fixes, "recalls". It's illegal to sell a vehicle with unresolved recalls, though the government deliberately avoids enforcing that as aggressively as they could.

It's a very different system from software's "NO WARRANTY OF ANY KIND".


What? We're talking about a free open source library (that I happen to use). Nobody who writes and publishes software for free should be subject to any such regulations. That's why the licenses all contain some "provided as is, no warranty" clause.

Otherwise, nobody would ever write non-commercial cryptographic libraries any longer. Why take the risk? (And good luck with finding bugs in commercial, closed source cryptographic libraries and getting them fixed...)


Taking the parallel-universe idea a bit further: for-profit actors must accept financial accountability for the open source software they engage with, whereas not-for-profit actors are exempt or even incentivised.

Build an open-source security solution as an individual? Well done you, and maybe here's a grant to be able to spend more of your free time on it, if you choose to do so.

Use an open-source security solution to sell stuff to the public and make a profit? Make sure you can vouch for the security, otherwise no profit for you.


No thanks, that would kill my one-man software business before I have even started selling a single product, and I'd also have to withdraw every open source repository I have on Github. If you want to pay 10 times more for software and make sure only large corporations sell it to you, your plan is fantastic. Otherwise, not so great.

Not sure why you choose an interpretation that goes against your interest, instead of the more advantageous one, namely that your one-man software business would be able to charge a sizeable premium if the buyer is planning to use your software in a security-sensitive operation.

Lol based on what law? They're doing nothing illegal. Insane take

What do you mean, practices from safety-critical industries applied to security? Unpossible! (end /s)

For that you need regulation that enforces it. On a global scale it is pretty difficult, since it's a country-by-country thing... If you say e.g. for customers in the US, then US Congress needs to pass legislation on that. Trend is however to install backdoors everywhere, so good luck with that.


You are exactly correct.

A web browser is technically incapable, by design, of knowing whether any piece of a website (1) is there for the purpose of having the website actually work, or for the purpose of tagging and tracking the end user. Only the website owner chooses those purposes, and only the website owner is in a position to determine (or maliciously hide) which technologies are being used for which tracking or technical purposes.

(1) Cookie laws apply to: Cookies, gif pixels, JS fingerprints, and any other technical means that can be technically exploited to track an individual


No one is expecting browsers to identify the purposes of cookies. Websites would still need to register cookies as either technically necessary or not. That part stays the same.

As far as malicious/non-compliant websites go, cookie banners don’t make that issue better or worse. They can lie just as easily with a banner. In fact this implementation makes it easier as no one needs to build those ugly banners anymore. (Devastating for the pop up industry though.)


You miss the point.

The point is: It Is Not About Cookies.

The website owner can track you in a couple dozen ways, and all of them require your consent to be lawful.

What you are saying is that websites would need to "register" transparent pixels as technically necessary or not, Javascript fingerprinting as technically necessary or not, URL query strings/fragments as technically necessary or not, etc, and then the web browser would need to detect those "registrations" and enable/disable those technical uses one by one.

Cookie banners are malicious compliance almost all the time, but really, the web browser can't do anything about it.


If I need to manage an AI as I would manage an employee's brain, I'm going to need quite a few non-technical resources to actually achieve that: time, willpower to babysit it, ability to motivate it, leverage in the form of incentives (and reprimands), to name a few.

AI sits at a weird place where it can't be analyzed as software, and it can't be managed as a person.

My current mental model is that AGI can only be achieved when a machine experiences pleasure, pain, and "bodily functions". Otherwise there's no way to manage it.


A prominent "Deny" button is mandatory by privacy law (at least in Europe). It is missing.

It's not if the state without any button click is "Deny".

Before discussing trade-offs between those two, what about prevention of crime?


How would that work? Assume that I'm willing to bribe the underclass with welfare to prevent crime (hell, assume I'm only worried about the worst types of crime)... how much bribery for how much reduction?


Flock won't prevent you from being stabbed by a homeless junkie. It might help catch the guy and prevent him from stabbing someone else (until he's released three months later).

Knowing this, wouldn't you prefer that we spend the money on crime prevention programs that "bribes" the underclass, instead of in a system that won't prevent crime at all but will rob all of us of privacy?


The single best resolution to crime is to dramatically reduce poverty.

The single best way to reduce poverty is to pay (bribe) the poor to stop having children, which ends the cycle of poverty (which is extraordinarily difficult to break and tends to trap generations). That should go hand-in-hand with free birth control, free day-after pills, free abortions, comprehensive sexual education, etc.

A large share of the bottom 1/3 in the US will never step foot outside of poverty, most of them will never hold a job on a sustained basis. Pay them to not have children, which simultaneously benefits their lives in the here and now, while preventing the mistake of bringing children into poverty. It's one of the most humane things the US could do as a society. It would very rapidly improve poverty (and reduce crime) in the US.


How about helping them out of poverty instead of subjecting them to eugenics?


Paying an entire class of people to not have children is eugenics. There is a massive line between that and increasing (free) access to reproductive services.


Barring any massive mental illness, humans are great optimizers. Crime is basically the optimal policy within environments where illegal activities with their added risk have a potential much greater reward than leading your life normally and doing things by the book.

It's not hard to inject money in the right places to either decrease the reward, or increase the risk.


>Crime is basically the optimal policy within environments where illegal activities with their added risk have a potential much greater reward than

An interesting theory. But there exists a class of criminals who commit crimes not because the tradeoffs come out with the crime ahead of the lawfulness, but because they are impulsive, malicious, bored, and apathetic. Some of them continue to commit crime even after they are well out of poverty, even when the tradeoffs have shifted in the other direction. And this isn't some tiny fraction of crime, I suspect it is the majority of it. Crime has become their culture, and no one casually gives up culture and adopts a new one. More importantly, while one single person might do that, an entire group does not do this because they reinforce each other's continuation of that culture.

This makes it difficult or impossible to inject money anywhere and have measurable results. It makes it difficult or impossible to do anything at all about it. And for that reason, I'd prefer we not pursue a trillion dollar boondoggle.


>And this isn't some tiny fraction of crime, I suspect it is the majority of it.

Nope.

Let's take the famous example of low income area gang activity. They have examples of everything from local powerful people in charge having enough money to buy nice cars, to things like famous rappers with origins in same gangs. The reason why they commit crime is because the alternative actually sucks - you have to put up with boredom, lack of money, poverty, lack of any social support, all into a system that is going to discriminate against you even if you do everything right. This is where proper money injection with adequate policing can easily fix the problem.

As for people continuing to do crime after being financially off, this is still just a matter of tradeoff still favoring the crime side. The crime that most of these people commit is stuff like illegal firearms, drugs, and/or financial fraud - i.e. stuff that is really not that relevant to society, with potentially a big payoff instead of investment. At the worst, some people get scammed. Meanwhile, the perpetrator gets usually punished financially or minimal jailing.

There are always going to be mentally unwell people who end up being serial killers, but the risk to society from those people is minuscule.


>Let's take the famous example of low income area gang activity.

That's the perfect example! Street drug dealers make less than minimum wage. Why bother with the risk of prison, death, and on top of it get paid the equivalent of $4/hour when you could go make $14/hour at a fast food job?

Because you actually like the sheer hell of what you're doing.

>you have to put up with boredom, l

And how the fuck are we supposed to solve that problem for them with welfare? You'll notice you even list that first, poverty and lack of social support come, in your mind, second to boredom. I think we're actually in agreement here on the problem, just you want to pretend that there is a solution to this problem.


> If you take one lesson from this, it’s that you can always say no.

I fully understand why this is true, but it seems to ignore any retaliative measures that the management could take against the person who says no.

With the benefit of hindsight, any such retaliation would be weaker than ending up in an orange suit. But the person has to find the guts to say "no" without that hindsight.


I would argue that you have a moral and ethical responsibility to say no when your manager asks you to do something illegal, even if it does cost you your job. The law is the law, and there is no excuse for breaking it. Your manager is certainly culpable, but if you act against the law, you are culpable as well.

The exception is if you fear literal physical violence against you or others, or are being blackmailed or something, then of course you are being coerced and have no choice. But "losing your job" does not rise to that kind of coercion, in my opinion.

Not saying it's easy, it's a horrible situation to be put in and I have huge amounts of sympathy for a person who has to experience this. No one is perfect and acts with faultless ethics at all times. But hard or not, it is your duty as a citizen not to violate the law.


I think, for most people, getting the shit beaten out of them is a preferable outcome to losing their job.

For most people, their job is the only thing standing between them and being homeless, losing their car, losing their kids, their partner, etc.

This is why having a culture that treats firing people as no big deal leads to wack ass incentives. You can make people do almost anything if you threaten their job enough.


That may be true in the US, but very far from reality in countries that have universal healthcare and a strong social safety net.


One can only conclude that the VW engineers were uniquely immoral, since they have a safety net and nonetheless committed massive scale fraud. At least in America it's coercion. In Europe, it's willful evil.


Counterpoint is that these dilemmas are NOT dilemmas of poor people struggling to feed their kids. They are dilemmas of well doing middle class who in fact, can find another job.

Seriously, we hear the "but the job, but the potential pay raise" exactly as often in a good economy from people having large salaries.

They have choice. They are choosing the fraud over ... still high salary but just not that high.


That safety net does not extend to paying the interest on your house loan.


When unemployment benefits are a large percentage of your salary and last a year plus it does


It does in some places. Firstly banks will usually let you pause or significantly reduce mortgage payments while unemployed. You then make up for it with increased payments (for a period of time) when you regain employment. There is also government help in the form of a loan to pay the interest on your mortgage while unemployed if you've been unemployed for a certain period of time (longer than the bank grace period).


The cases in the article were software engineers in the US, and at FTX. Two were engineering directors and the third was a senior engineer. If any of them didn't have plenty of emergency funds set aside, they should have seriously rethought their spending.


I know plenty of people who saved for years to get a downpayment for a house and then used all of that for just that. After that, it will take a while to replenish their emergency fund with very little margin of error. A job loss would be devastating.


My claim is that that's a bad decision, for exactly that reason. Job loss can happen for any number of reasons, often without warning. Getting a mortgage without any cushion for job loss is a huge risk.

Note also that I'm talking about highly-paid software engineers, not about people in general. Lots of people in the US make way less money than senior software engineers, and they manage to get by. Live at that level and secure your emergency funds first, and you'll be a lot more comfortable dealing with any ethical quandaries at work.


> Lots of people in the US make way less money than senior software engineers, and they manage to get by.

No, I'm pretty sure this is getting less and less true actually. Credit card debt is at an all time high. Homelessness is rising. Medical debt is crushing.


No, you’re claiming they have a spending issue, with the typical judgemental holier-than-thou undertone. My example is not that.

And I’m talking about my SWE neighbors in SV who have a desire to buy their own house just like almost everybody else. It’s just wrong to claim they have a spending issue.

They may be highly paid, but the house prices are commensurately higher too.

It is nearly impossible in the US in general to buy a house without taking on some amount of financial risk. It has nothing to do with being wasteful with money.


I mean, it's been the standard personal finance advice for decades. Step one is to set aside six months of emergency expenses. If you have an above-average income, you're capable of doing that. It's not "judgmental" to point out that this is indeed an intelligent strategy, just as advisors have been suggesting for years and years.

You yourself said that for the people you know who bought a house without that, "a job loss would be devastating." So you seem to agree with me and the personal finance advisors.

I did not say they had "a spending issue" or that they were "wasteful with money." Those were your terms just now. I simply said they should have rethought. You're turning that into some moral judgement, when all I'm saying is that it's bad strategy.


If you make say $400k a year and you buy a $2.5M house, at some level you do have a spending issue.


Indeed, any sufficiently wise man would prefer to place himself in a position of precariousness so that all his acts of crime can be attributed to the man who employs him. Only the financially careful face dilemmas. The spendthrift fears no judgment from society having forced his choice function into an identity of his employer's.


I don't think that applies to the mid to high level software engineers here


We’re not all from the US.


"losing your job", for a lot of people, is extremely effective coercion.

We are not talking about luxury here. A lot of people depend on their salary to pay rent and put food on the table. This is even more pressing if you have a family that depends on you, if you are in need of healthcare, etc.

What your post fails to recognize is that in the current system, labor is already a form of coercion. You need to work because the option is homelessness and starvation.

If you can avoid those even when unemployed, you are extremely privileged.


> If you can avoid those even when unemployed

that would be all developed countries except the united states


380k homeless in UK. 262k in Germany. 122k Australia. 650k in USA. The per capita math is left for the reader but I don't believe there is much distinction here.


You're right, the numbers are very close to recent official figures. I looked them up to calculate the per capita rates. So USA is actually better than other countries? Kind of defeats these arguments here - interesting. (By the way I’m not from the US)

Based on the latest available data (mostly 2023) and current population estimates:

* *UK:* ~56.0 per 10,000 people (1 in 178)
* *Australia:* ~45.4 per 10,000 people (1 in 220) [using 2021 census data]
* *Germany:* ~31.0 per 10,000 people (1 in 323)
* *USA:* ~19.4 per 10,000 people (1 in 515)

The per capita distinction is more significant than the raw numbers suggest.

(Note: Methodologies for counting vary by country, which can affect direct comparisons.)


Your last paragraph is doing a LOT of heavy lifting. TLDR: the US figures should be WAY higher if you expand the definition of homelessness like those other countries do.

More research shows the U.S. rate looks lower largely because it uses a narrow, one-night "Point In Time" measure that excludes many precarious living situations other countries intentionally count. If you harmonise definitions, the U.S. does not outperform high-safety-net countries; on unsheltered homelessness in particular, it fares worse.

In UK official usage, being legally homeless often includes people the state is actively accommodating; it is not limited to street homelessness like the US PIT figure. In Australia, their figures include couch surfing (staying temporarily with other households and those in “severely crowded” dwellings). In Germany, apart from again having a more expansive definition of homelessness, their figures also include ~130k Ukrainian refugees.

Just one example: the US figures should at least include >1.2 million students experiencing homelessness.


also, despite being homeless people in germany can get financial support and healthcare, which was the original point about the fear of losing your job. and losing your job in germany does not make you homeless. you'd have to get evicted from your home (but not for failing to pay rent, as you would cover that with the financial support) so the group that is being talked about in the original paragraph that fears losing their job, and the group that is homeless in germany have nothing to do with each other, because the first group does not exist. most of the homeless in germany never had a job to begin with.


So yes, the extremely privileged


privileged? sure, but extremely?

nowadays even in china everyone gets healthcare, working or not, so we are talking about almost a quarter of the world's population.


I think the risk is somewhat higher than just losing your job - you are potentially burning your whole referral network in the process (especially if you end up with your name in the press during any resulting prosecution).

For a junior engineer it may not be that hard to fly under the radar, but senior/staff level folks tend to be well known by the execs. And execs talk, they call their friends to vet future hires... burn your execs, and maybe you don't work in that town again


Probably for the best...

Like, anyone who would work with some of my previous employers, are places I wouldn't want to work anyway. It's a big wide world out there.


> Probably for the best...

Quite. One of my first gigs was at a large real-estate aggregator. The people were great but the highest levels of the company did

- A pet “adoption” site, in quotes because to my knowledge the pets weren’t real and it was a subscription service with no means of cancellation outside of a voicemail box
- A kind of Craigslist-esque site for selling home improvement services that was wildly vulnerable to XSS - I discovered that during an unannounced client demo when my own manager had said “you guys try to break it”
- We were a PHP shop from the beginning. One day, engineering gets pulled into a meeting room and told that they’ve been developing 2.0 in an office downtown, with a separate team, in ColdFusion. They fired the lead engineer on the spot and most of us left or got fired shortly thereafter. They did offer to train us in CF, but the bad blood was too thick for my taste.

All that is to say, if I ever get wind of the owner or CEO being involved anywhere that I’m working, I’ll probably be walking.


> I would argue that you have a moral and ethical responsibility to say no when your manager asks you to do something illegal, even if it does cost you your job.

When your access to food, housing, heating and healthcare for your family are dependent on your income, you may find yourself facing very difficult decisions. Most parents will risk whatever legal ramifications to care for their kids and that's inherent moral and ethical, even if the downstream outcome is not. That is because it is the socioeconomic system rather than the individual who is acting immorally.

> The law is the law, and there is no excuse for breaking it.

This is an infantile view. The law is a framework and there are lots of circumstances where breaking it is not only excusable, it's the only moral action.


> When your access to food, housing, heating and healthcare for your family are dependent on your income, you may find yourself facing very difficult decisions

This is the time when your ethics are tested. Anyone can do the right thing when they're getting paid for it.


Nah. I’ve been in the exact situation you describe and it’s pretty obvious tbh. Loss of a job is a temporary setback. Being locked up in a jail is a permanent one.


There's a nice Jordan Peterson quote:

> There was a lesson to learn from the holocaust. We're always reminded that: "Never forget, we've learned our lesson." "What was the lesson?" That's the question. The lesson is, "You're the Nazi". No-one wants to learn that; If you were there, that would have been you. You might think "Well, I'd be Oskar Schindler and I'd be rescuing the Jews." It's like, no, afraid not. You'd at least not be saying anything. And you might also be actively participating. You might also enjoy it.

Hindsight theoretical morality is very different from experience on the ground, where peer pressure, stress, uncertainty, exploding situations and fog of war come into the mix.


Seems like a better lesson would be "don't be the Nazi."

It's not like it's impossible. The Nazis arrested 800,000 Germans for active resistance activities, and several hundred thousand Germans deserted the military, many of those defecting to the Allies.

https://en.wikipedia.org/wiki/German_resistance_to_Nazism

It wasn't a huge percentage, but we don't know how many actively resisted without getting caught, or resisted in more passive ways. And that was resistance against the Nazis, who had no qualms about killing resisters. Risking or quitting your job to not only do what's right, but avoid getting in trouble with your government, isn't in the same ballpark.


The figure of German soldiers deaths has an estimation of 50% suicides.


I thought the lesson was to not base your morality and what you are willing to do on the laws, because they can change at a whim. And for the democratic politicians, don't play with fire and take problems seriously.


You might want to think about why Peterson wants you to think you’re the Nazi. What change is he trying to effect in our culture, and how does that belief support his desire? Rhetoric always aims to effect some change in the attitude of the listener, and never without some benefit of the speaker.


> You might want to think about why Peterson wants you to think ...

What's your take on that?


Not that person but my take on their take is that Peterson is greasing you up to accept more authoritarian control since he puts you in the in-group of the oppressors to ease the societal drift.

I don't necessarily agree. I think he is pointing out that people morally grandstand and the majority will not act out how they say they would.


Note that in the quote, he is, himself, moral grandstanding.


> You might want to think about why Peterson wants you to think you’re the Nazi. What change is he trying to effect in our culture, and how does that belief support his desire? Rhetoric always aims to effect some change in the attitude of the listener, and never without some benefit of the speaker.

What benefit do you think he's trying to get from it? I'm honestly trying to figure out the nefarious angle and coming up blank.

It seems to me like a very similar sentiment to that great "are we the baddies?" sketch from Mitchell and Webb. [1] I see both as an exercise in moral humility.

See the Milgram experiment, or the Asch experiment. Most people do cave to pressure from authorities and the group. Everybody believes they're the exception. Statistically, most of them are wrong.

[1] https://www.youtube.com/watch?v=ToKcmnrE5oY


We're not talking about living in a totalitarian state and breaking the law by aiding the resistance here. The cases in the article are like committing financial fraud or faking customer data. And then, yeah, I do think there is no excuse for going along with it, you have a duty as a member of society not to do such things, even if it costs you your job. It's not easy, and as I said I have enormous sympathy for a person in this position, but there is a clear right thing to do, and you have an obligation to act accordingly.


At least in the case of engineers, we're talking about highly compensated people. You should have a solid emergency fund put together within a few months of starting your career. From there, it's on you to not put yourself into an economically precarious position. People who are making multiples of the median household don't have food/shelter as an excuse.

Not that it's much of an excuse for everyone else either, but with people in the professional-managerial class it's absurd.


Globally, most software developers are not highly paid and certainly not enough to be above financial pressure.

Becoming a whistleblower or refusing unethical demands can also lead to being blacklisted, as in most industries, loyalty is valued more highly than ethics.


And the more people that buy into that, the worse it gets. That’s why this has to be fought tooth and nail from day one.


If you want to fight corruption and unethical behaviour, start with a just society that doesn't tie a person's value and well-being directly to their income. Otherwise you're fighting incentives and will never win.


You don’t get to a just society by not fighting corruption. Ask yourself not what “engineers globally” can do, but what you can do. Historically, pressure from the educated middle class has made huge impacts on culture and society.


Corruption is both a systemic and moral problem. You can’t build a just society without confronting corruption and you can’t sustain anti-corruption without reducing inequality.


To get rich at your software startup is not one of the situations where you have a moral obligation to break the law. None of these people were stealing bread from the rich to feed their children.


As a parent, I would risk destitution over going to prison every single time. I don’t even have to think about it.


Yeah, but you have to factor in the probability of the orange jumpsuit.

You're not going to be of much use to your family in jail.

It's still a difficult decision, but it's not just your job vs your morality. It's your job vs morality+potential jail.

We dish out criminal sentences precisely in order to affect the equation like this, because we know people don't always act on morality alone.


Right, saying outright that Thoreau was wrong and also that pretty much every famous person who took him to heart was wrong too is a rather strong position to take and likely very, very hard to defend.

Or, for a more obscure example, that Antigone should just have said 'yes daddy' and left it at that with the play ending somewhere in the initial conversation with Ismene.


> […] that's inherent moral and ethical, even if the downstream outcome is not. That is because it is the socioeconomic system rather than the individual who is acting immorally.

Wow. This is an incredibly dangerous way of thinking. Are any “downstream outcomes” justified as moral in such a case? How about outcomes involving people dying, e.g. due to safety or quality rules broken? People may do things like that “to feed their kids” but that does not make it ethical, especially when we actually talk about preservation of certain social status rather than real survival.


It is not moral to break the law in the furtherance of fraud. That’s the point.


But if the fraud secures the livelihood of $bignum children and they would starve without their parents committing that fraud?


I think my son would rather have me in his life than have me in jail.


> But "losing your job" does not rise to that kind of coercion, in my opinion.

It depends how many friends and family you have in the area that can host your whole family that is now homeless. It depends how much disruption you are willing to inflict on your kids definitely right now as opposed to maybe in the future.


The threat of retaliation - in the form of being fired, harassed or moved to a dead end position - is very scary to a younger engineer. But from a rational point of view it's not very strong (HOWEVER many managers or CEOs are far from rational.)

- Firing someone has large costs to the employer. You have the job because you are needed. Same for side-lining someone or not promoting them.

- Firing someone removes the final incentives against that person reporting the deed to the govt. It pushes that person toward reporting instead of softer "negotiated" steps such as continuing to argue for legal alternatives or discussing it with an intermediate rather than outright reporting. And many corporate legal or accounting people are amazing at finding alternative ways to achieve the same result in a not-illegal manner.

- A lawyer can help you much more once there is retaliation. The company might end up fighting both the fraud reporting AND the retaliation.

Just firing someone is not a great "solution" for the company.

Letting you believe that they will ... that's very powerful.

(and probably all this is caveat: in countries where retaliation is illegal enough and commonly taken to court or settled. which is not worldwide.)


This is why whistleblower laws need to be stronger (e.g. retaliation means automatic jail time even if the whistle was wrongly blown) and rewards need to be larger.


> But the person has to find the guts to say "no" without that hindsight.

Not that I would recommend a night's stay at a local lockup (2/5 stars, the beds are awful, the toilet facilities are worse, and the roommates leave much to be desired), but doing so certainly puts things in perspective going forward.


You can absolutely, most definitely always say "no". Their carrot (money) comes and goes, and their stick (also money) is not enough to be concerning.


That retaliation is in and of itself a new illegal act.


When the specs mention "27 mm roll" they certainly mean 27 cm instead.


The alien sunbathing at the beach is a nice wink.


Could the title be perhaps the inspiration for the "Self Models of Loving Grace" presentation by Joscha Bach in last year's CCC?

https://media.ccc.de/v/38c3-self-models-of-loving-grace


Good find. That's really interesting. I would guess the titles are related.

I want to also mention that with "Bachelorette" Björk seems to anticipate Large Language Models and wrote a cautionary tale about them:

“One day I found a big book buried deep in the ground. I opened it, but all the pages were blank. Then, to my surprise, it started writing itself: 'One day, I found a big book buried deep in the ground…’”

björk : bachelorette https://www.youtube.com/watch?v=JNJv-Ebi67I


> björk : bachelorette

I have loved this song since my teens and never dug into the meaning of it. It's a musical masterpiece even without understanding the text (which I didn't).


Yes, that's absolutely the allusion. Brautigan's line is a popular title for stuff, including a widely read post by Dario Amodei two months before the CCC talk you've linked:

https://www.darioamodei.com/essay/machines-of-loving-grace

And it's also the title of an Adam Curtis documentary:

https://en.wikipedia.org/wiki/All_Watched_Over_by_Machines_o...

It's a good line.


It was certainly the inspiration for the Adam Curtis mini-series of the same name.

This presentation sounds interesting. Thanks for the link.

