
IMHO the second answer does not hold water. If you end up in a situation where you are tortured, they will torture you until you say how to add the backdoor.


His point is that he can't backdoor it: you can read the code before you install it. I'd go further, and say that this is true of anything end-to-end encrypted, open-source or not, because it's not 2002 anymore and reversing ordinary client software is table stakes. (I'd still rather run something open source, ceteris paribus).


Feeding the paranoia above is that cperciva would verifiably be the smartest person in the room. A canny torturer would respond to this bringing in djb as the primary instrument of torture. "First one to break or weaken scrypt or 8-round salsa20 gains their freedom". The loser is forced to give talks at AWS marketing conferences for the rest of their natural


> A canny torturer

A canny torturer would read the Smart People on a public forum red-teaming cperciva's mind.


Not being able to "backdoor it" (presuming this means "exploit a backdoor the torturer presumes you have already put into it") does not prevent you from getting tortured to backdoor it.

All it does is, should that occur, prevent you from giving the torturer what they want to end the torture.

OTOH, convincing the torturer by, among other means, public statements in advance that you have failed to consider this and believe that not having that ability prevents torture, and that for this reason you do not have it, might prevent torture. But that's a big gamble on potential future torturers believing your public statements of motivation.


Tarsnap is software you compile and install yourself. He literally can't backdoor existing installations of it.


Exploitable but obscured backdoors in software distributed in a form that is compiled and installed by downstream users are not impossible, though sufficient auditing may make them improbable.


He probably should have said that if it's what he meant. In his answer he implies that he could in fact back door it but chooses not to because of the liability.


Reversing ordinary client software is table stakes, sure. I'm not so sure about reversing client software which has a deliberately hidden backdoor. (You can hide a backdoor in source code too, of course, but I think it's easier to hide one in a binary because you could e.g. ensure that a buffer overflow overwrites cryptographic keys, where a C compiler would have the freedom to change the memory layout.)


We can just disagree here for now, since we agree directionally, and I think people should use Tarsnap.


I could be coerced into adding a back door in future versions of Tarsnap, yes.

But I can't be coerced into adding a backdoor into past versions of Tarsnap, because I don't have a time machine.


We are presently in the future's past.

That is to say, it's entirely possible that you were already tortured and the backdoor is already there by using the same logic - no time machine needed

As already said, unfortunately the only safety would be reading the code.


Coerce you into sending something like "All users must upgrade to client version xyz because of a backdoor discovered by the NSA in the encryption used in older clients. I'm not allowed to tell you what it is, however, rest assured, the latest versions do not have this vulnerability." (but do have a backdoor that I've been tortured into adding).

And then wait for a scheduled backup with the backdoored client.

Though XZ says that's impossible, so I won't lose sleep over that scenario.


I am confident that if I sent a message like that, the top application security and cryptography experts in the world would collectively descend on the Tarsnap source code to figure out what changed.


Colin, have you thought about decreasing storage pricing? It hasn't been reviewed for ~10 years and Tarsnap costs are currently very prohibitive... :(


Agreed.

Honestly, I really wish the Tarsnap server was open source. I imagine it has not been released as such because that would probably hurt the business a lot, especially given that the costs per GB are currently approximately 50 times more than I would pay for simple object storage on B2.

I built our company's first backup solution on Tarsnap, but when I projected out what deploying that to our entire fleet would cost, I rebuilt on Restic. We currently pay something like $250/mo for our backups, as opposed to the approximately $12,500/mo they would cost on Tarsnap.


Colin, if you've ever hoped to compete with your own software and providing support to people running your whole stack so they can avoid paying you anything, you should give some serious thought to open-sourcing the whole thing.


Yeah I get it, if one wants to make money off one's software, one shouldn't give it away for free, right? I'm just highlighting why I do not recommend Tarsnap professionally. It's great if you're going to be storing under 1 TB of total backups. Otherwise, you're paying 50x as much as you need to. Back when it was released, the alternatives were not as good. Today, restic seems to work just as well (and yes, I've done restores, both as a test and under real data loss circumstances) and supports object storage natively.

By the way, I absolutely love spiped. It beats the pants off stunnel in both stability and performance. Maybe Colin should close-source that and start charging $0.25/GB for traffic that flows through there too? :P


Consider that Colin's target customers might be paying for things other than raw storage, that most products are poorly marketed with cost-plus pricing, and that trying to make everybody happy is usually a bad plan. Make something that some people love, not something that everybody likes.

He's been doing this long enough, I'm not even prepared to dunk on him for picodollar pricing anymore.


This is exactly what someone who had a time machine would want us to think ;)


It could be designed so that doing so would generate some alarm to other people. For example, the backdoor does not exist and has to be developed, so the attacker has to keep them hostage for some period of time, and loved ones may report a missing person. The software might then have to be signed with a key that generates an alert to the whole engineering team, so that someone else in the company may investigate the unauthorized release as a cyberattack. Perhaps the release signing key is physically stored in the office (e.g. a Yubikey), which also requires the attacker to perform a heist in the office.

Surely some three-letter organization could probably pull that off, but it adds the risk that the operation could be leaked.


> Surely some three-letter organization could probably pull that off, but it adds the risk that the operation could be leaked.

This is basically a point I've made in a few of my talks about security and cryptography: The point of cryptography isn't to guarantee that your data is safe; it's to raise the cost of an attack to the point where a potential attacker decides not to attack. In particular, there's usually a human involved somewhere (sending or receiving information, or both) and humans are squishy and fragile; but torturing people attracts far more adverse attention than torturing data.


No, he won't, because there is no back door. Or yes, because his torturer-contractor thinks there is. Either way, the last part of your sentence doesn't hold water.


Or, you know, hire ANOTHER software engineer to add the backdoor. Probably cheaper and less hassle and less illegal.

In either case, you'd have to fool the internet army, who are watching the source code of projects such as this like a hawk.


What is GOGI?


I don't usually see it shortened that way, but:

https://en.wikipedia.org/wiki/Garbage_in,_garbage_out


That's because the traditional model didn't have a loop connecting the garbage output back to input.


Think “cybernetic GIGO.”


garbage out -> garbage in


It looks nice and refreshingly light.


The page loads a webfont (Jetbrains Mono) with 4 different weights, for a total payload of 725KB. Looking light and being light are 2 different things.


The problem is mostly with how fonts are packaged, because even if you serve WOFF and WOFF2 in addition to fallbacks like TTF, then the font will most likely include a whole bunch of symbols that you won’t actually display.

A way around this would be to split the font into multiple subsets based on unicode-range, like how Google Fonts do it: https://fonts.googleapis.com/css2?family=Open+Sans&display=s...

Sadly, I never quite figured out how to do it for arbitrary fonts easily, so for example I still serve comparatively large PT Sans, PT Serif and PT Mono fonts just because I like how they look. Maybe some day I’ll figure it out and will be able to automate converting all of the fonts I want.

Here’s something silly: you could probably put GNU Unifont on some page, the OpenType version of which is like 5 MB alone: https://unifoundry.com/unifont/

All that said, the JetBrains Mono font is a pleasure to look at on the site, as long as I’m not on a limited data cap.
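The subsetting approach described above (one file per unicode-range, so the browser fetches only the subsets a page actually uses) can be driven by a small script that scans the page text and decides which subsets are needed. The following is an added example, not code from the thread or from Google Fonts; the subset boundaries are a simplified approximation of the Google Fonts ones, and the font URLs are placeholders.

```javascript
// Added example: pick the unicode-range subsets a page's text needs and emit
// one @font-face rule per subset. Ranges are an approximation of the subsets
// Google Fonts serves (assumed, simplified); font URLs are placeholders.
const SUBSETS = {
  latin: [[0x0000, 0x00ff], [0x2000, 0x206f], [0x20ac, 0x20ac], [0xfeff, 0xfeff], [0xfffd, 0xfffd]],
  "latin-ext": [[0x0100, 0x024f], [0x1e00, 0x1eff], [0x20a0, 0x20cf]],
  greek: [[0x0370, 0x03ff]],
  cyrillic: [[0x0400, 0x045f], [0x0490, 0x0491], [0x2116, 0x2116]],
};

// Name of the subset covering a code point, or null if no subset covers it
// (the browser would then fall back to the next font in the stack).
function subsetOf(codePoint) {
  for (const [name, ranges] of Object.entries(SUBSETS)) {
    if (ranges.some(([lo, hi]) => codePoint >= lo && codePoint <= hi)) return name;
  }
  return null;
}

// Scan text by code point (not UTF-16 unit) and report which subsets it uses
// and which code points no subset covers.
function neededSubsets(text) {
  const needed = new Set();
  const uncovered = new Set();
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    const s = subsetOf(cp);
    if (s) needed.add(s);
    else uncovered.add(cp);
  }
  return {
    subsets: [...needed].sort(),
    uncovered: [...uncovered].sort((a, b) => a - b),
  };
}

// Format ranges in CSS unicode-range syntax, e.g. "U+0000-00FF, U+20AC".
function unicodeRange(ranges) {
  const hex = (n) => n.toString(16).toUpperCase().padStart(4, "0");
  return ranges
    .map(([lo, hi]) => (lo === hi ? `U+${hex(lo)}` : `U+${hex(lo)}-${hex(hi)}`))
    .join(", ");
}

// One @font-face block per subset; all share the family name so the browser
// picks the file whose unicode-range matches the glyph it has to draw.
function fontFaceCss(family, subsets, urlFor) {
  return subsets
    .map((s) =>
      [
        "@font-face {",
        `  font-family: "${family}";`,
        `  src: url("${urlFor(s)}") format("woff2");`,
        `  unicode-range: ${unicodeRange(SUBSETS[s])};`,
        "  font-display: swap;",
        "}",
      ].join("\n"),
    )
    .join("\n\n");
}

// Usage on a constructed sample page text (placeholder URLs):
const sample = "Hello, Мир! Καλημέρα";
const { subsets, uncovered } = neededSubsets(sample);
console.log(subsets, uncovered);
console.log(fontFaceCss("JetBrains Mono", subsets, (s) => `/fonts/jbmono-${s}.woff2`));
```

The generated CSS is what you would ship alongside the per-subset WOFF2 files; the `uncovered` list tells you which characters would fall through to the system fallback font, which is the check to run before deciding that a subset can be dropped.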


Or he could have just used "font-family: monospace;" and let the user's system font stack render it.


Sure, except:

  - those fonts will have different sizes (not guaranteed to be metrically compatible), which would make working with UI harder
  - sometimes the built in fonts look pretty unpleasant (Courier New, anyone?)
  - it will look different on every OS, which in most cases will also complicate testing and hurt branding (in actual projects)

I think the world would be a better place instead, if all of the OS makers got together and were like: "Okay, everyone needs fonts, let's just take the 20 most popular serif, sans serif and monospaced fonts with open licenses and include them in our OS default font stack, so they can be used in all the sites, without costing humanity PB of data transfer because we couldn't be bothered to include like 100 MB of additional content in our OSes."

Instead, nobody cares and the only options we have are to either use the crappy web safe fonts, or waste bandwidth to make websites look better. Luckily, if you prefer the former approach, then you can untick "Allow pages to choose their own fonts, instead of your selections above" in Firefox options or the equivalent in other browsers.


Absolutely. People like to lie in this way: skeleton loaders, make-up, etc.




Extra annoying given that any fixed size font will have the same column alignments. Might as well use the user’s built in fixed font.


I don’t remember which book I got the idea from, but the idea is to work in different modes. When you work as a programmer, there are no deadlines, etc. So sometimes you have to put on a different hat, e.g. the CEO hat. It took several months to work out, but the overall result is reasonably good.


I think you have misread the quote here. The emphasis is on taking responsibility, IMHO. Your proposal to “divide and conquer” is still an estimation process.


I like how this article is still relevant after 12 years. It gave me some ideas why I have some problems working with my colleague (also a senior-level engineer).


Militarism and imperialism are not about wars only.




Confused about what point you're attempting to make here?

Political conflict with a trade partner obviously leads to reduced trade, no matter the parties involved. What part of that statement are you taking issue with?


> Looks like militarism and imperialism are not compatible at that crazy new 21st century world

Your faux confusion isn't really impressing anyone. Is the US, the most militarist and imperialist nation in the world by far at the moment, "compatible" with the "crazy new 21st century world"?

I've also yet to see any practical examples of Chinese militarism or imperialism. I keep hearing that it's going to start happening any day now, but then it never does. What I do see is the hegemon (the US) trying to take down a rising superpower via economic warfare, and by creating instability in the region - a typical behavior of a militarist and imperialist nation.





Hong Kong. Or the many "shadow CCP police" instances in other sovereign nations.

Or did you just conveniently ignore those? Just because they don't wear uniforms and march in lines doesn't mean there isn't power projection going on.


It's not faux. I'm genuinely asking what about the original comment you disagreed with. It didn't really have anything to do with what you're talking about, so I'm wondering what connection you're trying to make.

Do you think political conflict makes trade better, and are using the US as an example? It doesn't seem like you're disagreeing with the original premise, but rather just aggressively responding with a tangent.


You've pointed out what the US is doing. That's good, but you're clearly biased, so let me tell you two things that China is doing that are contributing to that instability you've mentioned: claims in the South China Sea that no country would accept if it was done to them, and a major naval build-up.

You need two to tango and both the US and China are dancing right now. Anyone only blaming one side needs to stop for a second, take off their US- or China-tinted glasses, and look again at the problem.


> You need two to tango [...]

> Anyone only blaming one side need to stop for a second [...]

When it comes to military coercion (wars, threats), and imperialism, it only takes one bad actor to cause problems.

When there are two sides, or three, it just means more actors willing to push around everyone else.

Albeit, they amplify each other. Their respective needs to dominate encourage each others' aggressive tendencies. And it is much easier to justify/ignore/repeat misbehaviors when there are other aggressors to point at.


The point I was trying to make (probably did a bad job of it) is that there is more than one bad actor in the Pacific and the person I replied to only blames one side.

Sure, the US has their bases there (many since WW2), but we can't blame the US alone when we also have China making threats and claims that scare the heck out of other countries. The US doesn't need to move a finger to have Taiwan or Philippines on their side... these countries know what they're up against and will, for obvious reasons, want to have a "big guy" on their side.

In a few years China will not only have US bases around them, but also a handful of countries that won't side with them on anything. And that's how the next version of the "Pacific NATO" will be created... the US will of course take advantage of it, but it could not exist without a China that makes overreaching claims, threats, and their huge military.


> it could not exist without a China that makes overreaching claims, threats, and their huge military.

Good point.

Year after year, China was outpacing the world economically in numbers and strategic position.

Their future appeared to have no ceiling.

But they self-sabotaged by reverting from quietly accumulating strength to loudly showcasing strength via consolidation & provocation.

Despite no pressing need, they amplified military risk, economic & technological friction, undermined trust & provoked intense global resistance. The strategic value they destroyed is immense:

Poof! The presumed “Century of China” looks very different now. More like another Cold War.


Take a look at a map of US bases around China and then try to find any Chinese bases near the US, and you’ll understand who’s “militarist” and who isn’t.


That's evidence of having more allies than China, not evidence of being more militaristic than China.


US: Has a gazillion military bases around the world and encircling China.

Commenter: "That's totally not evidence of being more militaristic, US just has more friends"

You just contradicted yourself. Having more military bases IS being militaristic.


So you're telling me that North Korea is an extremely non militaristic nation of peace, simply because it has no foreign bases?

Your metric is flawed.


> you're telling me that North Korea is an extremely non militaristic nation of peace, simply because it has no foreign bases?

No.

They're not saying that. You're making an illogical argument.

The mere fact you made three edits tells us that you know your "logic" just isn't.


Bases in the Philippines as a result of invading on the back of falsely accusing the Spanish of sinking the Maine .. "allies".

Bases in Japan as a result of levelling all the major cities and using two atomic weapons .. "allies".

Call it what you like, the US has a habit of beachheading bases across the globe and never leaving.


No, you're attacking a different straw-man argument. These are not the same question:

1. Is America today more militaristic than the PRC?

2. Has America been successfully militaristic in prior generations including ones which are now dead?

Each requires different evidence, answering one does not answer the other.


1. Yes.

2. Yes.

America has been sabre rattling about the South China Sea for two decades now, a sea named after China that China has sailed through for some 4,000 years.

Is it any wonder that China builds out a navy to defend waters off its own shores that America has crossed an ocean to patrol?

I'm not particularly anti-US, just an observer of the world and history in general. Post WWII the US has been number one and it wants to keep that crown despite China advancing faster than any other nation for the past decades.


Historically the South China Sea was named that in English because the British just sort of considered everything along the coast "China." This included Thailand (then Siam) and Taiwan (then Formosa). After Vietnam fell into separate kingdoms in 1533 France and Spain claimed ownership of a huge chunk of the waters for quite a long time until the Japanese imperialist era started in 1868. Chinese assertion of ownership came about after negotiations in 1953 when France said Vietnam had no claim on anything offshore and wouldn't let the Japanese return the Spratly Islands to Vietnam (then French Indochina) and insisted Japan hand the islands over to the French directly.

The language used to describe and name things is vastly more powerful than people give it credit for. Just because the British were lazy in their administration and named it after something else nearby doesn't mean that the entire sea belongs to the current Chinese state.


> Is it any wonder that China builds out a navy to defend waters off its own shores

"Off its own shores"!? Is that what the kids are calling it these days? [0]

As an "observer of the world", I suggest checking exactly how much and how far the PRC has been claiming exclusive ownership over waters that are closer to their neighbors' shores. (Neighbors with their own ancestors who probably did even more sailing.)

[0] https://en.m.wikipedia.org/wiki/Nine-dash_line


I found a map from a deleted Reddit account with a lot of replies about how there aren't any US-controlled bases near China. It even had one in China. I'd like a link to an accurate map since I couldn't find one.

From the list I can see on Wikipedia, all of the nearby bases are in Korea and Japan.

More useful might be a map of US forces near China, not caring about who owns the base. And some comparable maps from the last 50 years to see how it's changed over time.


Most bases have been there since before you were born (probably) and before China was a rising power.

In any case, my point is that you only attribute fault to one side, when you have the other side making claims and starting to flex in front of smaller countries. Let's cut the BS here, that is not China playing nice and promoting stability.

It also doesn't take much to understand that the smaller, way less powerful countries that feel threatened will try to find allies. Who's the other big guy in the Pacific? Of course they want the US to be near them and on their side in case shit hits the fan.

This reminds me of Russia, which invaded Ukraine to keep it under their control, but then is surprised to learn that their actions made Ukrainians dislike them even more and are shocked that other countries that could rushed to join NATO. People like you of course blame the US alone, missing the fact that NATO would crumble (as was already happening) if Russia didn't make weekly threats about nuking European cities or actually invade their neighbours.




> repeatedly threatens to take Taiwan by force

See, the problem with this is that he never did threaten that. It's CIA propaganda. Indeed such a threat would make zero sense even logically, since from the standpoint of China (and the US State Department) Taiwan _is_ China.


The US's official public position on the One China Policy is a diplomatic front for the benefit of US relations with the PRC. The US maintains diplomatic relations with Taiwan through the American Institute in Taiwan, an organization owned by the US government and staffed by members of the state department.


https://asia.nikkei.com/Politics/China-s-party-congress/Xi-v...

Xi Jinping opened the Chinese Communist Party's twice-a-decade National Congress on Sunday by pledging to never renounce using force to take control of Taiwan

https://www.aljazeera.com/news/2024/4/10/chinas-xi-says-outs...

Chinese President Xi Jinping has met former Taiwanese President Ma Ying-jeou and said that outside influence cannot stop the “family” reunion between Beijing and Taipei....Beijing views the self-ruled island as a province that must be reunited with mainland China, and it has not ruled out using force to assert its claims to Taiwan.

https://www.reuters.com/world/asia-pacific/china-calls-taiwa...

China's "reunification" with Taiwan is inevitable, President Xi Jinping said in his New Year's address on Sunday, striking a stronger tone than he did last year

https://www.nbcnews.com/news/china/xi-warned-biden-summit-be...

Chinese President Xi Jinping bluntly told President Joe Biden during their recent summit in San Francisco that Beijing will reunify Taiwan with mainland China but that the timing has not yet been decided


I don’t see anything in any of this that contradicts my claim, although I can see how you were misled by the wording. “Never renouncing the use of force” is not the same thing as “threatening to use force”. Put bluntly, all China has to do to reunify with Taiwan peacefully is grow its economy and wait for another decade for the bottom to fall out here in the US. And yes, it is inevitable that they will reunify, and almost certain that it’ll happen without bloodshed unless the US makes them believe unrealistic things about an island right next to an industrial colossus 60x the size being able to somehow “beat China” militarily with or without our “help”. I pray to god Taiwan doesn’t believe this because it’ll be utterly and completely destroyed otherwise. Shit the US couldn’t even beat the Taliban or Houthis. What makes anyone believe that it can even pose a significant threat on the other side of the world?


The idea of reunification is less popular than it's ever been in Taiwan since Taiwan's National Chengchi University started polling in the late 1990s. What you don't seem to understand is that unification is most supported among the older generations in Taiwan. With time, Taiwan will only become less open to the idea of reunification as the older generations die off. Currently less than 10% support the idea, down from nearly 20% two decades ago. You've likely never met a Taiwanese if you believe the Taiwanese population is open to the idea.

The US has also never engaged with the Houthis, except to protect marine shipping. There was never an attempt to "defeat" them by the US.


Yes, I'm aware US propaganda can be effective. I'm talking about the post-US future, where China is the top dog. They're heading there.


This is more of what I'm talking about. It's evident you've never talked with a Taiwanese. The younger generations of Taiwanese don't oppose the idea of reunification because they don't like China, due to this idea of US propaganda you have, but because they don't feel Chinese, due to living independent from the PRC for their entire lives. Have you ever asked yourself why they would care to entertain the idea of "reunification" to a country they had never been a part of?


Who is saying the US is the most imperialist and the most militarist country? They do have the highest military budget, I’ll give you that. What else?


Approximately 1 million victims (mostly civilian) just in this century, with trillions spent on wars. Multiple continuous wars since WW2. Iraq (2x), Afghanistan, Libya, Syria, Yugoslavia, Korea, Cuba, Vietnam, Grenada, Panama, Somalia, Haiti. Multiple proxy wars on top of that. Need I continue?


Oh, I don’t debate that the US has done quite a bit of imperialism and horrible things.

I’m talking about today though.


Umm.. merrily bombing the Middle East? There are occupation bases in Syria merrily looting oil. And selling $20 billion in weapons to bomb the Middle East even more. Americans seem to have blinkers the size of titanosaurs and an "I cannot see it" attitude when it comes to their military.


Merrily is a slightly biased way of putting it I would say, but ok, it does happen, one can dispute why.

Looting oil in Syria, I didn’t know this, do you have a source?

Now, we are comparing, right, so let’s list what china is doing, shall we?

Invading multiple neighbouring countries? Check. (Isn’t that the definition of imperialism?) Exterminating populations considered hostile? Check. And I’m not even talking about Africa, where “colonialism” wouldn’t necessarily be an exaggeration.

I do think that, today, China is the most imperialist.

The US is far from a model, mind you and Europe also did significantly more horrible things in the past, but I’m talking about today.


> Invading multiple neighbouring countries

Which nations has China "invaded" recently? Kindly elaborate. Please note that the U.S. has occupation bases in both Iraq and Syria presently. U.S. military and intelligence has directly and indirectly killed more tens of thousands of civilians within the last decade in the Middle East. (I won't even go into the Syrian war sponsorship since whatever Obama did is "old news" to Americans now.)

Looting of oil - there are several sources. But if you don't believe them - find a Syrian on telegram and ask him.

https://thecradle.co/articles/the-other-occupation-us-forces... https://thecradle.co/articles-id/21826

It was reasonably well reported that Delta Crescent Energy extracts oil from occupied Syrian oil fields, of course passed off as propaganda about helping the Kurds in the U.S. media.

https://www.politico.com/news/2020/08/03/delta-crescent-ener...

> Exterminating populations considered hostile?

Hello, Yemen? The full sanctions block and complete intelligence analysis, weapons and targeting given to PMCs and "allied" forces causing the deaths of tens of thousands of people? This was an extraordinary extermination of the civilian population that got black-holed in the U.S. media. Of course any time the population resisted, they got bombed, even weddings.

https://www.hrw.org/news/2020/09/21/us-war-crimes-yemen-stop...

China's imperialism is orders of magnitude lower than the U.S. It's like comparing a ravaging T-Rex with a stubborn mouse.

PS: The U.S. has now merrily resumed bombing Yemen again since the last few months. Yes, I use the word "merrily" because executives of the American military sector are happy about this. Utterly no bias there, just point-blank honesty.


speaking of “blinkers the size of titanosaurs” as you put it, I don’t understand how you possibly cannot know this very long list:

https://en.wikipedia.org/wiki/Territorial_disputes_of_the_Pe...

And again, I’m not saying the US are not imperialists, and they were the most imperialist for a very long while, but I really think China beat them. They still have fewer means for their imperialist ambitions, but their ambitions are by far bigger than those of the US nowadays.

In the end the conversation is a bit ridiculous; they are both very much imperialists, and it also depends on how you measure it. Russia is, from a political point of view, probably even more imperialist; they just have fewer means. The ratio of means/ambitions of China is what puts them at the top of this very sad list for me.

I didn’t know about the syria oil fields, I can’t even say I’m surprised though.


Please do not conflate territorial disputes with "invasion". When has China started bombing their neighbors, or any other nation for that matter? At least their territorial disputes are with the nations neighbouring them and not nations across the world.


Well, you can call it invasion or not, it’s definitely very imperialistic.


Well, the recent US claim of national ownership of the Arctic seabed and Bering Sea in contravention of long-established conventions of UNCLOS is even more imperialistic. But, hey, it's OK when Americans do it.

https://www.bloomberg.com/news/articles/2023-12-22/us-claims...

https://www.idsa.in/idsacomments/Assessing-US-Extended-Conti...


The countries you keep invading are not your key economic partners.


IMHO the article defines perfectionism as doing both things you have mentioned too early. E.g. you do a prototype and, instead of showing that to stakeholders, you clean it up, cover it with tests, etc.


It depends on the country or region that was part of the Soviet Union.


Good point. I guess I was implicitly thinking Moscow-area, but if you know what the answer might be for the Lietuvos Tarybų Socialistinė Respublika, now I'm curious about that, too...


I was born in 1982, so it is like 7 years of the Soviet Union, the majority of which I don’t remember. I think your question can be looked at in two ways:

* what cheap food people made instead of pizza? I think in Lithuania it is anything with meat and potato. On some occasions meat and dough (kibin might be a more interesting case). My mother actually made pizza, but it is not pizza in the traditional sense, as it was made with carrots and green peas.

* what cheap street food was eaten instead of pizza. I have no idea here, as I don’t remember street food at all. I remember we bought kvass in the street.


ačiū!


There is a site for that: https://www.caniemail.com/ . I don’t use it, even though I work on email marketing software, but I guess it might be useful sometimes.

