Nice that they’ve found an even worse method of longform writing than twitter posts tied together.
I remember a time when “blog about it” was a pejorative dismissal applied to weird ranting. Now, I think of that phrase except I’m pleading for people to just put the sentences… into paragraphs!
"Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting."
Perhaps you should review the definition of tangential.
The medium of something is hardly tangential to the self-nature of that thing. We could go more into Kant, but why waste the time?
Not that I expect you to (re)consider anything other than the same three links your account spams anytime you see a post that you personally don’t appreciate.
Let's not argue about what 'tangential' means or what Kant said (or McLuhan for that matter). If you can suggest a better word I'm all for it.
The point is that these generic-offtopic complaints are extremely repetitive. Maybe the first 1 or 2 (or 17) times one sees them they aren't a big deal, but after that it's bad to be overrun by them like weeds. It's not that they're wrong—rather, precisely because they have a point, they tend to get upvoted, crowding out more interesting/specific conversation. That then leads to complaints about the complaints and god help us. That's why we added that rule.
It's a tradeoff between the particular (yes the annoyance exists, yes the comment is valid—I personally agree with it) vs. the general (it's even worse to see these things over and over again, especially at the top of threads). Both are valuable, but only one can prevail and the global optimum is more important. If you really feel strongly about such formats, you should take it up with the people who are choosing to publish this way. Complaining to a link aggregator is like yelling at a photograph.
Thanks for the kind words, I think! - but... three links?
Also, I protest. The number of HN posts I "personally don't appreciate" is massively greater than the number I reply to. This is an internet forum, after all; I spend my days failing to appreciate things.
Probably half the people who frequent this website, if not more, are some form of web engineer or at the very least are web-adjacent. It’s a function of UX being a core paradigm of that work that leads to such frequent reflections about a submitted link’s “finer points.”
I understand the posts are extremely repetitive, but I’ve not seen a non-regressive attempt to account for this clear and evident desire to discuss this on HN’s part. As far as I know, HN has never tried to have a different comment section for this or other “””offtopic””” discussions, it’s only ever harangued people for talking about it.
I was a roofer in my twenties, three decades ago. When you ride around with roofers, you inevitably hear “oh, that one’s a piece of shit. Oh that one’s nice. Oh, they screwed the pooch with that flashing. Oh, that pattern looks great.” It’s part of the trade to reflect on other roofs, and it comes with the territory in most trades, ime, to talk to other tradespeople about best practices.
I’ve long thought splitting the comment section into Topic and Offtopic would result in better user experience, as well as tagging posts, being able to mute other users, and a million other features forums had twenty (!) years ago. I already know how desperately HN insists upon itself, but this is my frustration with the moderation surrounding these points. Users have no customization of the experience, they want to talk about the experience, HN says no, of course not.
Trade talk about craft is indeed great but HN has tons of that on lots of things. Thousands of identical complaints on a perennial annoyance is not interesting material to read. It may be satisfying to vent or to upvote, but let's not confuse indignation with intellectual interest. That's a fundamental distinction if you want to understand HN.
There are plenty of such repetitive/indignant symptoms and one of our jobs is to dampen them so they don't crowd out the things that actually are interesting to read. If we didn't do this, HN would consist of almost nothing but sensationalism, indignation, and the few hottest topics of the moment (ChatGPT these days). It's our job not to let that happen.
Having a separate comment section for this kind of thing would be a moderation nightmare and I don't think it would add to the quality of the site—quite the opposite. I once had a conversation with a founder of a (much) larger forum than HN, who told me that creating such a section (or something recognizably like it) was the biggest mistake they ever made.
I hear you about the frustration though. It's true that HN lacks a lot of features. There are many different ways to structure an internet forum/community—many more than have ever been tried, and I feel sure that there's still plenty of room for new ones to flourish. People feel understandably frustrated when this forum doesn't match the one that they imagine and believe (perhaps correctly!) would be much more satisfying.
Maybe the other way round? Infosec has caught up with “social concerns” that, say governments would have been dealing with for centuries especially during wars.
I want to believe this is somewhat accurate given the names dropped in this... tootstorm, but then the more I read it, the more alarm bells went off. The whole thing reads like a tired, old "critique" of a strawman of a group one doesn't like, with a mix of hocus pocus nonsense on top.
The last two toots make for a particularly clear example:
> Chapman calls this "fluidity", and that's what today's infosec community seems to be in: an acceptance of the coexistence of both "nebulosity" (boundaries are fuzzy, nothing is ever cut and dried, there are no universal truths) and "pattern" (form and structure still exist, things can still be "more or less" X or Y in a certain context).
I mean... this "fluidity" is literally what the bayesian stuff is for. Probabilistic reasoning isn't in opposition to "fuzzy boundaries", it's a formalization of it. From this description, "fluidity" isn't something new or superior, it's just informal baby steps in the direction of what later became Bayesian modeling.
> the infosec community may be ahead of society at large in understanding change, nuance, and complexity. The world is filled with conflicts over boundaries and meanings.
Not if it rejects reason and starts buying into mathematical equivalent of homeopathy.
> Some want to impose rigid norms, definitions, and structures on everyone in a flailing attempt to restore certainty and order.
It's definitely not those evil rationalists, given how rationalist movement is all about handling uncertainty (with maths!), and insistence on "rigid norms, definitions and structures" is the first thing it makes you unlearn.
EDIT:
Disclaimer is in order, I suppose - I'm triply biased here, because: 1) I have positive feelings towards the LessWrong flavor of rationality movement as it was in its heyday, and its intellectual contributions; 2) I have negative feelings towards the infosec industry in general, and 3) some years ago I actually worked on an infosec product and tried to add some provably correct probabilistic reasoning capacity to it, and found it to be an uphill battle against corporate and infosec cultures.
i agree that it's a bit up its own ass but chapman is definitely worth reading on his own, and his writing is in dialogue with contemporary rationalism; his audience is also mostly rat-adjacent (typically labeled or self-identified 'post-rationalist', which also sounds pretty up its own ass, but so does 'rationalism')
Just to give concrete recommendation re: bayesianism (one kind of what he calls probabilistic rationalism), it specifically might be worth dipping into his metarationality writings here: https://metarationality.com/probabilism-applicability
Truth be told, I don't think I fully understand all of the language of the original post, being unfamiliar with the infosec community and not having time to read all the linked articles, but I do have a bit of familiarity with postmodern thought. That said, the post uses some strange vocabulary that probably has additional connotations in the space, so it's possible I'm talking in a completely different direction than OP.
>I mean... this "fluidity" is literally what the bayesian stuff is for. Probabilistic reasoning isn't in opposition to "fuzzy boundaries", it's a formalization of it. From this description, "fluidity" isn't something new or superior, it's just informal baby steps in the direction of what later became Bayesian modeling.
I might just note here, because I might be wrong, but I'm not sure this is the same thing. I believe OP is trying to describe a limitation with language and its assumption of static meaning. Consider, for instance, trying to model gender probabilistically - it doesn't quite work. If that's not to your taste, then how the distinction between the political left and right seems obvious in aggregate, but 1) transcends a fully comprehensive definition in practice, and even if you define it 2) people tend to not fall neatly into one category or another on every issue. Even political borders between states have a sort of fuzzy history. I recommend Peter Sahlins' Boundaries, which goes into the border between France and Spain, but I won't beleaguer that point. But basically trying to set probabilistic distinctions is somewhat like trying to measure a coastline - things become almost infinitely detailed the more you investigate it, and the map looks less and less like the territory.
Even if you say, modeled political affiliation w/ a statistical model and simply assigned a confidence score to a predicted affiliation, what it seems that the post is claiming is that the Infosec community seems more willing to critique the underlying definitions of, say, "left" and "right". Obviously, you could counter and say that operationally these definitions work well enough, and in practice you'd most likely be right, but the willingness to recognize that definitions are not historically or socially static is probably what's being meant by "the infosec community may be ahead of society at large in understanding change, nuance, and complexity. The world is filled with conflicts over boundaries and meanings". I'm not going to go as far as to say there's a Sausseurian or Derridean conception of language here, but if that's the case then it's a different sort of uncertainty than probablistic as well.
That said, I skimmed the linked "fluidity" post and really hated it. Maybe there's a coherent thought buried in the thesaurus soup but even then the self-aggrandizing tone puts me off.
My point is that "rationalistic" approach wielding probabilistic reasoning will get the cases in your examples right. It's precisely the rationalists who I'd expect to point out that "gender" and "political affiliation" are ill-defined categories, which is why they resist useful formalization. "The willingness to recognize that definitions are not historically or socially static" is something I learned from reading rationalist pieces.
Meta-point: perhaps "rationalism" and "fluidity" are themselves ill-defined categories. Perhaps the authors only ever met rationalist groups that are extremely limited in their understanding and mostly just have a crush on mathy-sounding language - and so the authors invent "fluidity", which to the rationalist groups I interacted with would be just "basics of thinking straight, explained for 5 years old".
> But basically trying to set probabilistic distinctions is somewhat like trying to measure a coastline - things become almost infinitely detailed the more you investigate it, and the map looks less and less like the territory.
I know those examples, precisely because of the probability-wielding rationalists, who point at such cases as curiosities, and show how to put numbers on them correctly. "All models are wrong, but some are useful." I think the authors may be complaining about the people who forgot about the "all models are wrong" part, but they themselves seem to forget the "some are useful" part. Throwing hands up in the air and saying "it always depends" isn't a solution.
BTW. on a bit of a tangent, one of your examples:
> If that's not to your taste, then how the distinction between the political left and right seems obvious in aggregate, but (...)
I still can't imagine to whom this distinction seems "obvious in aggregate". I never found it obvious. Nor useful for anything other than cultivating hate and shutting your own thinking off. This is not a "look at me, I transcend boundaries" remark - it's just if anything is obvious, it's that political categories do not map well to how people think about issues, much less to any sort of correct or optimal beliefs. Rather, they work as attractors in the political spectacle.
(This has become painfully pronounced in recent times, as people are happy to round you off to "far-${otherside}" just because you disagree with them on something.)
It's possibly that Chapman is arguing against a straw-man of Yudkowskian rationality, but it's also the case that many people really do seem to believe in something like that straw-man, and so it's necessary to argue against it anyway.
It's true that in any attempt to orient oneself to the world, probabilities will be involved. Some of these are modelled implicitly and autonomously by your perceptual system, some are experienced as intuitions, and some are modelled explicitly as part of a problem-solving task, and some are considered reflectively.
In the problem-solving scenario, we are taking a certain model of the situation as a given, and assigning probabilities based on that. Sometimes that's good: our model is accurate and gives us things that are relatively easy to assign probabilities to. In some situations, like casino gambling, the map/territory distinction is almost nil. We still have some problems, though: not all maps are accurate, and some accurate maps don't make it easy to assign probabilities. We can still do it - we can always assign some probability - but we might not be getting very good results any more.
Changing our map requires, in Chapman's terms, changing our "stance": our idea about what the hell is going on in the situation, including our ideas about who we are in relation to it. Roughly speaking, stances are cached sets of techniques, assumptions and perspectives which make certain actions and perceptions available to us. They are associated with schools of practice, and have evolved for suitability for certain situations. We may have reason to believe that a given stance is correct for a situation, but our reason for thinking so is not that the stance gives us access to an explicit model of probabilities.
A lot of this is actually pretty obvious, and we do it all the time. The feeling of "oh, this is one of those situations, I know what to do now" is familiar to most of us. To the extent that a stance gives us a probabilistic model to work with, it is by updating our perceptual and intuitive senses of what to do and what kind of result to expect. "Meta-rationality", in Chapman's terms, is the skill of maintaining a constant awareness of one's stance, the possibility of changing it, and some well-trained intuition about when to do so.
Introspection on these stance-associated intuitions can be very valuable, but this is a reflective practice, requiring a much greater intensity of attention than merely acting on them (and this is generally not compatible with acting on them in real time, c.f "choking" in sports). It is more "computationally" (and hence metabolically) expensive, and is generally something one would do only after gaining familiarity with the practice. One cannot use a priori probabilistic reasoning to imagine what one would do in a situation if one were, say, skilled in the art of kung fu - one can only understand the implications of being good at kung fu by actually becoming good at it (see Agnes Callard's book Aspiration[1] on this point). After which point, it may or may not be good for your kung fu practice to examine it with the tools of probabilistic rationality. I imagine Chapman would argue that, for many stances and their associated practices, it isn't really worth it, but you'd have to ask him.
Of course, we can certainly describe the entire process using probabilities: my decision to treat this as a kung fu problem rather than a diplomatic problem ultimately rests on some model I have of the likely outcomes. But this is merely descriptive: I am not "shutting up and calculating" in order to make the decision, merely rationalising it after the fact.
Perhaps this does not seem particularly insightful to you, and I would agree that perhaps it should not - you may well have figured this out for yourself, and experienced rationalists may be familiar with all of it. Most of these ideas are within the gra...
Yeah, I mean I have nothing against rationalism (mostly because I haven't read much rationalist writings), so if these are concepts that have made it into rationalism then there's really not much to add.
>Throwing hands up in the air and saying "it always depends" isn't a solution.
Admittedly, postmodernism isn't really inclined towards engineering problems. It does provide frameworks and lines of criticism, but I also didn't see many new ideas being deployed in that sense. This was also a point that I struggled w/ in the OP.
>I know those examples, precisely because of the probability-wielding rationalists, who point at such cases as curiosities, and show how to put numbers on them correctly.
I'd argue there's no useful way to put numbers on, say, borders. Even in cases where the geographic location of a border was definite, if I were to stand across, say, the California-Oregon border, it's not as if 50% of my body would be subject to California's laws and 50% Oregon's. Thinking of everything numerically and engineering features to support that framework seems like a Macnamara fallacy. I would also agree that some models are useful, but the emphasis on utility would in turn be problematic in a vacuum. You could reasonably predict, say, housing prices by racial makeup of a neighborhood (recalling the Boston housing data set controversy), but to do so would invite structurally racist applications. There are probably rationalist ways of de-emphasizing utility and accuracy, but again that's less my point and more to just illustrate that the biases of a model do not inherently remove from its usefulness to some end, and that critical frameworks can allow us to articulate problems. A map could just as easily center the world on Great Britain, Jerusalem, Rome, or China - to a certain extent they're equally useful and justifiable - but even with this arbitrary decision you affect how the viewer will see what the map represents.
>I still can't imagine to whom this distinction seems "obvious in aggregate". I never found it obvious.
Probably the word obvious wasn't the right term, but "definable at all" would be closer to what I intended. There _is_ an idea of what is left and what is right, but the words themselves are deployed arbitrarily. Perhaps a better example of where postmodern thought would be deployed would be something like exploring/critiquing the American right's notion of "postmodern neo-Marxism". This would be where concepts of floating signifiers and performance might be useful to explore how speech informs identity (not just vice versa).
That's funny... the InfoSec community has no clue about what it takes to actually secure a computer. It was figured out in the 1970s[1], after issues with mixed levels of secret information couldn't be handled quickly in the Viet Nam conflict, and is now mostly forgotten.
You can take $5 from your wallet and hand it to a stranger, without needing to trust them with everything in your wallet.
You can not take a single file in a folder and hand it to an executable, without needing to trust it with everything on your computer.
While that's an interesting option for the developer, it doesn't appear to be something the end user can use on any random executable. (I'd LOVE to be wrong)
As with the Android thread above, this is encouraging news.
That's cool, it's a PowerBox implementation. Instead of putting up a dialog box, then accessing the file named by that dialog (which requires access to ALL the users files), the system puts up the dialog and gives you the handle/capability to access ONLY the files the user chose.
Do you have any more information on this issue, what you mean, and the topic? I think I'm getting this but want to read more to understand.
Are you saying modern Operating systems are inherently insecure in what is allowed to use those spaces? You mentioned the dollar analogy. Someone else mentioned Androids storage access service.
I'm understanding it like this. Youre saying systems of access control within the kernel space are a known and used resource, but practices like this are ignored in the infosec world. Am I getting it?
I read HN partially to learn about cybersecurity is why I ask.
Current operating systems allow the program to directly access files, which is the way they've worked historically. This means that if the program is compromised, all the files the user is allowed to access on the system are at risk.
A better way to deal with this is to use an operating system that doesn't trust applications with access to files by default, and instead uses it's own dialogs to allow the user to select files for access, and only give capabilities/handles to those files to the application.
technically you can severely limit what an app can see and do on a modern OS (inc. limiting it to only specific files), but it's so complicated nobody does it. definitely not as convenient as 'here program, please read only this file right now'
(fwiw HN is not a great place to learn security, but I don't have better recs either)
Not sure if this is exactly what the person you replied to is talking about, but I recently looked through a list of tools for restricting the permissions of programs: https://www.macchaffee.com/blog/2023/hacking-myself/
Spoiler: they're all kinda bad, but macOS sandboxing is promising
I think you're projecting a bit here. This is not only a well known approach, it's implemented in many ways.
> You can not take a single file in a folder and hand it to an executable
Here's a few things that achieve this that I directly used recently (and I'm sure there's way more): selinux, apparmor, linux namespaces, AWS IAM roles, path mapping over RDP, flatpak portals, android data, google drive sharing, google photos albums, windows ACLs, probably some more...
The idea is alive and doing well, but it can't be applied the same way it was in the military... because people don't care enough and they don't have a good reason to care. "disable selinux to make your app work" is a meme at this point, because labeling your system is a HARD problem. But the idea that Infosec in general is not aware of the approach is silly. The principle of least privilege is probably the most known idea everyone's aware of.
>because people don't care enough and they don't have a good reason to care
Users do care, but they're not given an OS that works in a sane manner to enforce their wishes. You can't bolt this stuff on after the fact without a lot of grief.
Strongly disagree and we've got receipts too. Even a basic search for selinux-related issues will show you how many people want to disable it compared to how many want to understand it. It's not users either. Developers who should know better and who should distribute the policies that users need in the first place also start their installation instructions with "disable selinux".
It's not even selinux specific - "everyone's a domain admin" is also a meme in security in the enterprise windows world where the permissions are actually a bit easier to manage. One of the main complaints about AWS complexity are IAM policies. There's just no way around it - this is inherently complex and a generic user does not care to learn how to deal with this. When you simplify it (like mobile phones do) on the other hand, there will be lots of people (rightfully) complaining about not being able to use the files between applications - a common complaint about iOS environment.
Forcing the user to decide ahead of time exactly what files are required goes against the purpose of a computer. It is a run-time choice, not an administrative one.
SE linux et al solve the wrong problem, which is why we all hate it.
Selinux is only one of the tech I mentioned. Flatpak portals do access query at runtime instead. But if you hold MLS and its military origins as an example, keep in mind those were very much labelled ahead of time and there's lots of administration involved.
I guess MLS works for the military but object-capability sandboxing is a better fit for most other cases. Of course legacy compatibility is slowing adoption of security in general.
> You can not take a single file in a folder and hand it to an executable, without needing to trust it with everything on your computer
iOS works this way. This is a problem that has real, commercially viable solutions. There are many real criticisms of the way security practitioners execute their craft (passwords and 2FA are littered with HCI failures) but something as well studied as sandboxing is not one.
I think one issue, underneath this, is that threats are anti-inductive.
Whatever you learn eg., about hacking-X today, will be obsolete tomorrow because X has been patched. You can't do induction (here, I supposed called Bayesianism) nor can you deduce anything since the problem space is intractable.
(The system underneath this, of course, is the human animal).
There's a new epistemic (, ontological) framework lurking here that has to do with complex systems, anti-induction, the failure of the scientific method (eg., methodological reductionism), and the limits of human knowledge.
"Antifragility", complexity theory, chaos etc. get you 70% of the way there. But as this article demonstrates, all that talk still doesn't give us a clear language for, eg., infosec.
In my view we're 95% of the way along the S-curve called "scientific knowledge of the reducible world", and nearing an end of the success of the scientific method. Since all open domains now have the characteristics above, and simply, there is no method which produces knowledge in the face of them.
This is actually why we have in the social sciences the concept of abduction. Finding out something that defies the rules, where new rules have to be created. In deduction, you have a type, and infer the tokens. For induction, you have tokes and infer a type. But for abduction, you have a radically new token, where the type needs to be created. I am pretty sure that the techy infosec community finds out that it's closer to the social sciences.
Well all explanation, imv, is abductive. But in scientific abduction, the "types" are properties which obtain invariantly across "the space in which they're located". Eg., water heats the same regardless of where it is, assuming identical other conditions.
Whereas if we think of human society (, psychology, threats, etc.) as a space, then properties arent invariant (eg., there's path dependence).
Hence, I dont think there is such a thing as a "social science". I think we'd be better of ditching the term science entirely, and scrapping much of the scientific method here.
We need a new term, we arent building explanations, but rather ways of coping not having them. A kind of "empirical-speculative coping".
I might be misunderstanding you, exactly because I am a social scientist, and we have different kind of vocabulary. Maybe a definition by group instead of an understanding of reality that differs. Your approach looks to me more like what the social sciences critique as a paradigm, the positivist approach, where everything has to be law-like, "nomothetic". From there a stack of ontological/epistemological revelations are following, (the postmodern is one of them). But I think our backgrounds are very different, so that would need a few cups of coffee or tea :)
I am German, maybe this makes the difference. We define science as an object of study, with the basic distinction between natural sciences, which can be explained, and the human sciences that have to be understood. The social sciences enhance in the way also the natural sciences, as everything is a social construct, even physical terms, what is a desert, what is climate, or even what is a man or a woman. Philosophy once included natural philosophy where we would now locate the scientific method. But hermeneutics is equally a scientific method. The reduction of science to the explanation of "certain" physical phenomena is exactly why we then fail to understand the world.
Being a hacker is just like being a scientist. You find yourself in front of an unknown device or mechanism, you study its inputs and outputs and try to take it apart as much as possible. Then you formulate a model and see how much it is able to predict, until you reach an accurate enough one that allows you to deduce the real inner workings of the machine.
The fact that the system can get patched does not change anything, you just start again.
> But we see that societies and systems can work -- sort of -- because we, collectively, with good judgment and sincere effort and appreciation for context and nuance, make them work.
In the spirit of this mini-essay, what happens when the centralised "collective we" goes berserk? Or treats some other parts of society as having gone berserk?
Also, and partially related to this, I'm surprised that not that many thoughts have been given to the fact that most of the anti-Covid measures, especially in the tech-heavy West (but not only, see also China or Singapore), were in fact pseudo-infosec measures "adapted" to real life. I mean many of us were forced to use our smart-phones plus some dedicated apps just to be let in inside a coffee shop, or a bookstore, or just to take the bus.
The issue is that - and the same is true for the IT scene at large - many of the authors are disconnected from reality. It's like Marxian economics: Works great in theory when you're thinking it up all in your mind, sitting at your desk. Math is like that and coding too. Real humans are not machines though and society is immensely complex, with billions of semi-independent highly intelligent actors in different situations and with disparate goals. They are not going to behave the way the average infosec "expert" thinks they will.
>I'm surprised that not that many thoughts have been given to the fact that most of the anti-Covid measures, especially in the tech-heavy West (but not only, see also China or Singapore), were in fact pseudo-infosec measures "adapted" to real life
Among the advocates we have the aforementioned educated idiot who's not going to bring this up because they don't see the issue to begin with. Then you have those who're pushing it knowing full well what they're doing. The power hungry, the authoritarians, the psychopaths. They may mostly be less tech literate and not good at coding but it doesn't matter because they can get others to built it for them in the name of "security". In principle this isn't new, the pretense of protection has been used as a means of control for a long time.
So among the thought leaders we're left with a minority who see the problem because they don't fall in either camp and do not personally profit from such measures, nor find them ethical, but they aren't influential enough to convince the masses. They're outnumbered.
> the infosec community may be ahead of society at large in understanding change, nuance, and complexity.
I think almost everyone outside of tech knows all about change, nuance and complexity. And every time they mention it we tell them they're overestimating the unique complexity of their particular situation. Then we prove it by forcing solutions on them that artificially reduce that complexity. And in the end they accept that reduction as a new reality (with some grumbling).
I feel sometimes when tech and humanity converge we end up accepting a lowest common denominator rather than accepting that our stuff isn't very good.
>I feel sometimes when tech and humanity converge we end up accepting a lowest common denominator rather than accepting that our stuff isn't very good.
> overestimating the unique complexity of their particular situation. Then we prove it by forcing solutions on them that artificially reduce that complexity.
As an electrical engineer I have the habit of asking people to explain to me the function of the part they want to remove. Just because it worked briefly without that part does not mean that part did not serve some vital function. How you can tell experts from beginners is that beginners will be pleased with the thing working. Experts will think about weirder edge conditions, thermal cycles, maintainability, safety, security, testability, sustainability, you name it.
Don't get me wrong, I love simple, elegant solutions with little (or no) moving parts — they often win out on all of the above. But sometimes the people with the complexity of the domain in mind are right, when they insist that certain elements of a system are needed.
There's a strong business component here that often seems to be blamed on technologists (at least in discussions in tech and tech-adjacent communities, like here), but really has nothing to do with technology, and is present in every industry.
Yes, we like elegant and simple solutions, but "artificially reducing complexity" of the problem to make an elegant and simple solution work is no fun at all. We do it not because it's right or gratifying, but because it's what the business side tells us to, it's what permeates the culture of this and every other industry - of everything in the market economy. We do it because if we don't, our competitors will, and then we'll lose our jobs and won't be able to feed our families anymore.
Or, in short: the trend towards "accepting a lowest common denominator rather than accepting that our stuff isn't very good" is caused by market competition itself. After all, the market doesn't know when something is just perfect - there's always a marginal profit to be extracted by repeatedly making it ever so slightly shittier, and competitive pressure ensures you can't move in the opposite direction.
I find that infosec people are typically pretty bad at understanding how the world works, because they often think that people and processes work like computers and can be hacked or gamed around, and that’s not really how the real world works. The post talks about “fluidity” but a lot of things that people come up fail to account for the fact that e.g. public opinion or people with guns can subvert the thing they’re trying to do pretty effectively. It’s good to have a mindset where you’re able to think beyond traditional threats but I think it’s really odd how this often leads to a sort of blindness to things outside of whatever scope you think is the novel or clever way of looking at things.
63 comments
[ 2.5 ms ] story [ 138 ms ] threadI remember a time when “blog about it” was a pejorative dismissal applied to weird ranting. Now, I think of that phrase except I’m pleading for people to just put the sentences… into paragraphs!
It all reduces, but it’s simpler to just have categories of content. And this is a category error of a blog post in tweet form.
There’s probably browser extensions for twitter threads already, could be a good starter project for someone to adapt one for fediverse sites.
"Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting."
https://news.ycombinator.com/newsguidelines.html
The medium of something is hardly tangential to the self-nature of that thing. We could go more into Kant, but why waste the time?
Not that I expect you to (re)consider anything other than the same three links your account spams anytime you see a post that you personally don’t appreciate.
Thanks for all you do, you’re truly a marvel.
The point is that these generic-offtopic complaints are extremely repetitive. Maybe the first 1 or 2 (or 17) times one sees them they aren't a big deal, but after that it's bad to be overrun by them like weeds. It's not that they're wrong—rather, precisely because they have a point, they tend to get upvoted, crowding out more interesting/specific conversation. That then leads to complaints about the complaints and god help us. That's why we added that rule.
It's a tradeoff between the particular (yes the annoyance exists, yes the comment is valid—I personally agree with it) vs. the general (it's even worse to see these things over and over again, especially at the top of threads). Both are valuable, but only one can prevail and the global optimum is more important. If you really feel strongly about such formats, you should take it up with the people who are choosing to publish this way. Complaining to a link aggregator is like yelling at a photograph.
Thanks for the kind words, I think! - but... three links?
Also, I protest. The number of HN posts I "personally don't appreciate" is massively greater than the number I reply to. This is an internet forum, after all; I spend my days failing to appreciate things.
I understand the posts are extremely repetitive, but I’ve not seen a non-regressive attempt to account for this clear and evident desire to discuss this on HN’s part. As far as I know, HN has never tried to have a different comment section for this or other “””offtopic””” discussions, it’s only ever harangued people for talking about it.
I was a roofer in my twenties, three decades ago. When you ride around with roofers, you inevitably hear “oh, that one’s a piece of shit. Oh that one’s nice. Oh, they screwed the pooch with that flashing. Oh, that pattern looks great.” It’s part of the trade to reflect on other roofs, and it comes with the territory in most trades, ime, to talk to other tradespeople about best practices.
I’ve long thought splitting the comment section into Topic and Offtopic would result in better user experience, as well as tagging posts, being able to mute other users, and a million other features forums had twenty (!) years ago. I already know how desperately HN insists upon itself, but this is my frustration with the moderation surrounding these points. Users have no customization of the experience, they want to talk about the experience, HN says no, of course not.
There are plenty of such repetitive/indignant symptoms and one of our jobs is to dampen them so they don't crowd out the things that actually are interesting to read. If we didn't do this, HN would consist of almost nothing but sensationalism, indignation, and the few hottest topics of the moment (ChatGPT these days). It's our job not to let that happen.
Having a separate comment section for this kind of thing would be a moderation nightmare and I don't think it would add to the quality of the site—quite the opposite. I once had a conversation with a founder of a (much) larger forum than HN, who told me that creating such a section (or something recognizably like it) was the biggest mistake they ever made.
I hear you about the frustration though. It's true that HN lacks a lot of features. There are many different ways to structure an internet forum/community—many more than have ever been tried, and I feel sure that there's still plenty of room for new ones to flourish. People feel understandably frustrated when this forum doesn't match the one that they imagine and believe (perhaps correctly!) would be much more satisfying.
The last two toots make for a particularly clear example:
> Chapman calls this "fluidity", and that's what today's infosec community seems to be in: an acceptance of the coexistence of both "nebulosity" (boundaries are fuzzy, nothing is ever cut and dried, there are no universal truths) and "pattern" (form and structure still exist, things can still be "more or less" X or Y in a certain context).
I mean... this "fluidity" is literally what the bayesian stuff is for. Probabilistic reasoning isn't in opposition to "fuzzy boundaries", it's a formalization of it. From this description, "fluidity" isn't something new or superior, it's just informal baby steps in the direction of what later became Bayesian modeling.
> the infosec community may be ahead of society at large in understanding change, nuance, and complexity. The world is filled with conflicts over boundaries and meanings.
Not if it rejects reason and starts buying into mathematical equivalent of homeopathy.
> Some want to impose rigid norms, definitions, and structures on everyone in a flailing attempt to restore certainty and order.
It's definitely not those evil rationalists, given how rationalist movement is all about handling uncertainty (with maths!), and insistence on "rigid norms, definitions and structures" is the first thing it makes you unlearn.
EDIT:
Disclaimer is in order, I suppose - I'm triply biased here, because: 1) I have positive feelings towards the LessWrong flavor of rationality movement as it was in its heyday, and its intellectual contributions; 2) I have negative feelings towards the infosec industry in general, and 3) some years ago I actually worked on an infosec product and tried to add some provably correct probabilistic reasoning capacity to it, and found it to be an uphill battle against corporate and infosec cultures.
>I mean... this "fluidity" is literally what the bayesian stuff is for. Probabilistic reasoning isn't in opposition to "fuzzy boundaries", it's a formalization of it. From this description, "fluidity" isn't something new or superior, it's just informal baby steps in the direction of what later became Bayesian modeling.
I might just note here, because I might be wrong, but I'm not sure this is the same thing. I believe OP is trying to describe a limitation with language and its assumption of static meaning. Consider, for instance, trying to model gender probabilistically - it doesn't quite work. If that's not to your taste, then how the distinction between the political left and right seems obvious in aggregate, but 1) transcends a fully comprehensive definition in practice, and even if you define it 2) people tend to not fall neatly into one category or another on every issue. Even political borders between states have a sort of fuzzy history. I recommend Peter Sahlins' Boundaries, which goes into the border between France and Spain, but I won't beleaguer that point. But basically trying to set probabilistic distinctions is somewhat like trying to measure a coastline - things become almost infinitely detailed the more you investigate it, and the map looks less and less like the territory.
Even if you say, modeled political affiliation w/ a statistical model and simply assigned a confidence score to a predicted affiliation, what it seems that the post is claiming is that the Infosec community seems more willing to critique the underlying definitions of, say, "left" and "right". Obviously, you could counter and say that operationally these definitions work well enough, and in practice you'd most likely be right, but the willingness to recognize that definitions are not historically or socially static is probably what's being meant by "the infosec community may be ahead of society at large in understanding change, nuance, and complexity. The world is filled with conflicts over boundaries and meanings". I'm not going to go as far as to say there's a Sausseurian or Derridean conception of language here, but if that's the case then it's a different sort of uncertainty than probablistic as well.
That said, I skimmed the linked "fluidity" post and really hated it. Maybe there's a coherent thought buried in the thesaurus soup but even then the self-aggrandizing tone puts me off.
Meta-point: perhaps "rationalism" and "fluidity" are themselves ill-defined categories. Perhaps the authors only ever met rationalist groups that are extremely limited in their understanding and mostly just have a crush on mathy-sounding language - and so the authors invent "fluidity", which to the rationalist groups I interacted with would be just "basics of thinking straight, explained for 5 years old".
> But basically trying to set probabilistic distinctions is somewhat like trying to measure a coastline - things become almost infinitely detailed the more you investigate it, and the map looks less and less like the territory.
I know those examples, precisely because of the probability-wielding rationalists, who point at such cases as curiosities, and show how to put numbers on them correctly. "All models are wrong, but some are useful." I think the authors may be complaining about the people who forgot about the "all models are wrong" part, but they themselves seem to forget the "some are useful" part. Throwing hands up in the air and saying "it always depends" isn't a solution.
BTW. on a bit of a tangent, one of your examples:
> If that's not to your taste, then how the distinction between the political left and right seems obvious in aggregate, but (...)
I still can't imagine to whom this distinction seems "obvious in aggregate". I never found it obvious. Nor useful for anything other than cultivating hate and shutting your own thinking off. This is not a "look at me, I transcend boundaries" remark - it's just if anything is obvious, it's that political categories do not map well to how people think about issues, much less to any sort of correct or optimal beliefs. Rather, they work as attractors in the political spectacle.
(This has become painfully pronounced in recent times, as people are happy to round you off to "far-${otherside}" just because you disagree with them on something.)
It's true that in any attempt to orient oneself to the world, probabilities will be involved. Some of these are modelled implicitly and autonomously by your perceptual system, some are experienced as intuitions, and some are modelled explicitly as part of a problem-solving task, and some are considered reflectively.
In the problem-solving scenario, we are taking a certain model of the situation as a given, and assigning probabilities based on that. Sometimes that's good: our model is accurate and gives us things that are relatively easy to assign probabilities to. In some situations, like casino gambling, the map/territory distinction is almost nil. We still have some problems, though: not all maps are accurate, and some accurate maps don't make it easy to assign probabilities. We can still do it - we can always assign some probability - but we might not be getting very good results any more.
Changing our map requires, in Chapman's terms, changing our "stance": our idea about what the hell is going on in the situation, including our ideas about who we are in relation to it. Roughly speaking, stances are cached sets of techniques, assumptions and perspectives which make certain actions and perceptions available to us. They are associated with schools of practice, and have evolved for suitability for certain situations. We may have reason to believe that a given stance is correct for a situation, but our reason for thinking so is not that the stance gives us access to an explicit model of probabilities.
A lot of this is actually pretty obvious, and we do it all the time. The feeling of "oh, this is one of those situations, I know what to do now" is familiar to most of us. To the extent that a stance gives us a probabilistic model to work with, it is by updating our perceptual and intuitive senses of what to do and what kind of result to expect. "Meta-rationality", in Chapman's terms, is the skill of maintaining a constant awareness of one's stance, the possibility of changing it, and some well-trained intuition about when to do so.
Introspection on these stance-associated intuitions can be very valuable, but this is a reflective practice, requiring a much greater intensity of attention than merely acting on them (and this is generally not compatible with acting on them in real time, c.f "choking" in sports). It is more "computationally" (and hence metabolically) expensive, and is generally something one would do only after gaining familiarity with the practice. One cannot use a priori probabilistic reasoning to imagine what one would do in a situation if one were, say, skilled in the art of kung fu - one can only understand the implications of being good at kung fu by actually becoming good at it (see Agnes Callard's book Aspiration[1] on this point). After which point, it may or may not be good for your kung fu practice to examine it with the tools of probabilistic rationality. I imagine Chapman would argue that, for many stances and their associated practices, it isn't really worth it, but you'd have to ask him.
Of course, we can certainly describe the entire process using probabilities: my decision to treat this as a kung fu problem rather than a diplomatic problem ultimately rests on some model I have of the likely outcomes. But this is merely descriptive: I am not "shutting up and calculating" in order to make the decision, merely rationalising it after the fact.
Perhaps this does not seem particularly insightful to you, and I would agree that perhaps it should not - you may well have figured this out for yourself, and experienced rationalists may be familiar with all of it. Most of these ideas are within the gra...
>Throwing hands up in the air and saying "it always depends" isn't a solution.
Admittedly, postmodernism isn't really inclined towards engineering problems. It does provide frameworks and lines of criticism, but I also didn't see many new ideas being deployed in that sense. This was also a point that I struggled w/ in the OP.
>I know those examples, precisely because of the probability-wielding rationalists, who point at such cases as curiosities, and show how to put numbers on them correctly.
I'd argue there's no useful way to put numbers on, say, borders. Even in cases where the geographic location of a border was definite, if I were to stand across, say, the California-Oregon border, it's not as if 50% of my body would be subject to California's laws and 50% Oregon's. Thinking of everything numerically and engineering features to support that framework seems like a Macnamara fallacy. I would also agree that some models are useful, but the emphasis on utility would in turn be problematic in a vacuum. You could reasonably predict, say, housing prices by racial makeup of a neighborhood (recalling the Boston housing data set controversy), but to do so would invite structurally racist applications. There are probably rationalist ways of de-emphasizing utility and accuracy, but again that's less my point and more to just illustrate that the biases of a model do not inherently remove from its usefulness to some end, and that critical frameworks can allow us to articulate problems. A map could just as easily center the world on Great Britain, Jerusalem, Rome, or China - to a certain extent they're equally useful and justifiable - but even with this arbitrary decision you affect how the viewer will see what the map represents.
>I still can't imagine to whom this distinction seems "obvious in aggregate". I never found it obvious.
Probably the word obvious wasn't the right term, but "definable at all" would be closer to what I intended. There _is_ an idea of what is left and what is right, but the words themselves are deployed arbitrarily. Perhaps a better example of where postmodern thought would be deployed would be something like exploring/critiquing the American right's notion of "postmodern neo-Marxism". This would be where concepts of floating signifiers and performance might be useful to explore how speech informs identity (not just vice versa).
You can take $5 from your wallet and hand it to a stranger, without needing to trust them with everything in your wallet.
You can not take a single file in a folder and hand it to an executable, without needing to trust it with everything on your computer.
[1] https://en.wikipedia.org/wiki/Multilevel_security
You totally can, with macOS and iOS’s sandboxing model.
As with the Android thread above, this is encouraging news.
Awesome!
Are you saying modern Operating systems are inherently insecure in what is allowed to use those spaces? You mentioned the dollar analogy. Someone else mentioned Androids storage access service.
I'm understanding it like this. Youre saying systems of access control within the kernel space are a known and used resource, but practices like this are ignored in the infosec world. Am I getting it?
I read HN partially to learn about cybersecurity is why I ask.
A better way to deal with this is to use an operating system that doesn't trust applications with access to files by default, and instead uses it's own dialogs to allow the user to select files for access, and only give capabilities/handles to those files to the application.
(fwiw HN is not a great place to learn security, but I don't have better recs either)
Spoiler: they're all kinda bad, but macOS sandboxing is promising
> You can not take a single file in a folder and hand it to an executable
Here's a few things that achieve this that I directly used recently (and I'm sure there's way more): selinux, apparmor, linux namespaces, AWS IAM roles, path mapping over RDP, flatpak portals, android data, google drive sharing, google photos albums, windows ACLs, probably some more...
The idea is alive and doing well, but it can't be applied the same way it was in the military... because people don't care enough and they don't have a good reason to care. "disable selinux to make your app work" is a meme at this point, because labeling your system is a HARD problem. But the idea that Infosec in general is not aware of the approach is silly. The principle of least privilege is probably the most known idea everyone's aware of.
Users do care, but they're not given an OS that works in a sane manner to enforce their wishes. You can't bolt this stuff on after the fact without a lot of grief.
It's not even selinux specific - "everyone's a domain admin" is also a meme in security in the enterprise windows world where the permissions are actually a bit easier to manage. One of the main complaints about AWS complexity are IAM policies. There's just no way around it - this is inherently complex and a generic user does not care to learn how to deal with this. When you simplify it (like mobile phones do) on the other hand, there will be lots of people (rightfully) complaining about not being able to use the files between applications - a common complaint about iOS environment.
SE linux et al solve the wrong problem, which is why we all hate it.
iOS works this way. This is a problem that has real, commercially viable solutions. There are many real criticisms of the way security practitioners execute their craft (passwords and 2FA are littered with HCI failures) but something as well studied as sandboxing is not one.
His take down of IoT devices is hilarious.
[1] https://www.youtube.com/watch?v=ajGX7odA87k
Whatever you learn eg., about hacking-X today, will be obsolete tomorrow because X has been patched. You can't do induction (here, I supposed called Bayesianism) nor can you deduce anything since the problem space is intractable.
(The system underneath this, of course, is the human animal).
There's a new epistemic (, ontological) framework lurking here that has to do with complex systems, anti-induction, the failure of the scientific method (eg., methodological reductionism), and the limits of human knowledge.
"Antifragility", complexity theory, chaos etc. get you 70% of the way there. But as this article demonstrates, all that talk still doesn't give us a clear language for, eg., infosec.
In my view we're 95% of the way along the S-curve called "scientific knowledge of the reducible world", and nearing an end of the success of the scientific method. Since all open domains now have the characteristics above, and simply, there is no method which produces knowledge in the face of them.
Whereas if we think of human society (, psychology, threats, etc.) as a space, then properties arent invariant (eg., there's path dependence).
Hence, I dont think there is such a thing as a "social science". I think we'd be better of ditching the term science entirely, and scrapping much of the scientific method here.
We need a new term, we arent building explanations, but rather ways of coping not having them. A kind of "empirical-speculative coping".
There is no such thing as a "scientific critique" of a "paradigm". There can be a philosophical critique of a paradigm.
The very phrase, "a social science critique of a paradigm" shows that "social science" isn't a science -- which is no bad thing.
My point is there can't be a social science. Since "society" is an object the scientific method fails on.
"hermeneutics" isnt a scientific method in the english sense: https://plato.stanford.edu/entries/scientific-method/
The fact that the system can get patched does not change anything, you just start again.
In the spirit of this mini-essay, what happens when the centralised "collective we" goes berserk? Or treats some other parts of society as having gone berserk?
Also, and partially related to this, I'm surprised that not that many thoughts have been given to the fact that most of the anti-Covid measures, especially in the tech-heavy West (but not only, see also China or Singapore), were in fact pseudo-infosec measures "adapted" to real life. I mean many of us were forced to use our smart-phones plus some dedicated apps just to be let in inside a coffee shop, or a bookstore, or just to take the bus.
>I'm surprised that not that many thoughts have been given to the fact that most of the anti-Covid measures, especially in the tech-heavy West (but not only, see also China or Singapore), were in fact pseudo-infosec measures "adapted" to real life
Among the advocates we have the aforementioned educated idiot who's not going to bring this up because they don't see the issue to begin with. Then you have those who're pushing it knowing full well what they're doing. The power hungry, the authoritarians, the psychopaths. They may mostly be less tech literate and not good at coding but it doesn't matter because they can get others to built it for them in the name of "security". In principle this isn't new, the pretense of protection has been used as a means of control for a long time.
So among the thought leaders we're left with a minority who see the problem because they don't fall in either camp and do not personally profit from such measures, nor find them ethical, but they aren't influential enough to convince the masses. They're outnumbered.
I think almost everyone outside of tech knows all about change, nuance and complexity. And every time they mention it we tell them they're overestimating the unique complexity of their particular situation. Then we prove it by forcing solutions on them that artificially reduce that complexity. And in the end they accept that reduction as a new reality (with some grumbling).
I feel sometimes when tech and humanity converge we end up accepting a lowest common denominator rather than accepting that our stuff isn't very good.
Passwords.
As an electrical engineer I have the habit of asking people to explain to me the function of the part they want to remove. Just because it worked briefly without that part does not mean that part did not serve some vital function. How you can tell experts from beginners is that beginners will be pleased with the thing working. Experts will think about weirder edge conditions, thermal cycles, maintainability, safety, security, testability, sustainability, you name it.
Don't get me wrong, I love simple, elegant solutions with little (or no) moving parts — they often win out on all of the above. But sometimes the people with the complexity of the domain in mind are right, when they insist that certain elements of a system are needed.
Yes, we like elegant and simple solutions, but "artificially reducing complexity" of the problem to make an elegant and simple solution work is no fun at all. We do it not because it's right or gratifying, but because it's what the business side tells us to, it's what permeates the culture of this and every other industry - of everything in the market economy. We do it because if we don't, our competitors will, and then we'll lose our jobs and won't be able to feed our families anymore.
Or, in short: the trend towards "accepting a lowest common denominator rather than accepting that our stuff isn't very good" is caused by market competition itself. After all, the market doesn't know when something is just perfect - there's always a marginal profit to be extracted by repeatedly making it ever so slightly shittier, and competitive pressure ensures you can't move in the opposite direction.