site banner

Culture War Roundup for the week of March 18, 2024

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.

7
Jump in the discussion.

No email address required.

On the one hand I am inclined to be sympathetic to this genre of complaints. I think the proliferation of Trusted Platform Modules and Intel's AMT are real problems with user control of the software running on their computer. On the other hand, I don't really see how these complaints relate to the White House advice on using memory safe languages. Rust is licensed under the MIT license. Python's license is GPL-Compatible. What is un-free about those? C and C++ do give you lower level control over memory but lots of developers mess that part up and write insecure code. Unless you need to be managing that lower level memory for some compelling reason you probably should use a language that provides more memory safety.

All code will need to be signed. Maybe you can self sign code you've written on your local system, but nobody else will be able to run it. Unless they go through the added hoops of adding your key to some sort of key store for "recognized" code. But eventually the self signed qualities of the code will catch up to you, and Windows may just refuse to accept self signed code certs anymore. But no fear! Maybe Github or other organization will offer to sign your code for you. Assuming it meets their TOS, nobody on social media has cancelled you, and their AI hasn't rejected your project for hallucinated reasons. But eventually, however well relying on a 3rd party like Github to allow your code to run on your locked down operating system and your locked down hardware starts off, it will become a barely viable solution. And then free and open software is over.

Maybe once upon a time "it's hard to get a cert" was a valid complaint but today there exist fully automated services like Let's Encrypt. Their root certificate even comes default as trusted on my new windows installation. They even issue certificates to websites that may be phishing or malware. There is not really any excuse for your site to be lacking some kind of cert for auth and signing in 2024.

LetsEncrypt only issues domain validation certs. They do not issue code signing certs, and they are not interchangeable.

If valid certs are routinely issued to malicious actors, then they are useless and the requirement to get one is cost without benefit. If they are not, the vetting process is both costly and easily abusable and the cost is too high for the benefit.

I mean, that's the invisible context shift though. Certs, by and large, aren't used to deny people access to modern secure web architecture. They are part of a set of technologies to verify the data you receive is from the person you think is sending it. They aren't supposed to stop you from giving your credit card information to a scam site directly. They are supposed to stop that scammer from manipulating your communications with Amazon.

But they could be used to deny people access to modern secure internet architecture. Just the same as DNS, hosting, banking, etc have been weaponized.

By this logic nobody should ever get a cert. I guess we should just transmit everything over the internet unencrypted for anyone to hoover up.

We could also use other methods of id than trusted third parties.

In many cases my threat model excludes the sort of attack that would be thwarted by a cert that could be issued to anyone. A cert makes sense if I'm talking to some known party -- a cert that proves that Bank of America is Bank of America, or Amazon is Amazon, and which won't be issued by some trusted cert issuer to just anyone. If I'm just publishing stuff, who cares that I bought a cert saying "This Really Is The Nybbler"?

The people who want to be sure they are talking to TheNybbler? Or that no third parties are listening to their traffic? I think it is good that browsers (at least mine, Firefox) allow people to click through invalid SSL cert prompts if people don't care, but I think the ubiquity of cert issuance is good for computer security and privacy generally.

MITM attacks aren't much of a threat except from actors who already have sufficient power to carry them out regardless of cert (e.g. your employer on your work machine, state actors).

As for those who wish to be sure they're talking to The Nybbler, why do they care? And if they do care, why should I care that they care?

To be honest the insistence on everything being TLS is completely unwarranted. Most sites don't need, and should not have, TLS encryption.

If you or the other party doesn't own every inch of infra between the two of you, it's necessary. The switch to ubiquitous encryption happened right around the time Comcast was starting to MITM most connections with tracking scripts, and it was only a matter of time until they started injecting ads. (Which is one reason existing players were so gung ho on encryption--can't have someone else cutting into that income stream.)

ubiquitous TLS + ESNI/ECH does make it harder to perform some forms of censorship. for example if someone controlling the network wants to ban you from a particular site hosted on cloudflare or another CDN then they will need to ban ESNI/ECH connections to the whole of the CDN. more people using TLS/etc increases the collateral damage from certain blocking technologies.

I don't agree. Knowing who you are talking to and that no third party is listening to your content is good.

I get the argument, I just disagree with it. I don't think most content is worthy of that level of protection.

Maybe once upon a time "it's hard to get a cert" was a valid complaint but today there exist fully automated services like Let's Encrypt. Their root certificate even comes default as trusted on my new windows installation. They even issue certificates to websites that may be phishing or malware. There is not really any excuse for your site to be lacking some kind of cert for auth and signing in 2024.

It also used to be easy to get domains, or hosting. Fully automated services exist!

Except, oh wait, turns out those easy automated services occasionally go all "We're not an impartial service you can rely on, we're a private company and we can do whatever the fuck we want."