Neofeudalism and the Digital Manor (locusmag.com)
288 points by walterbell on Jan 4, 2021 | 242 comments


"There is no way for us to defend ourselves: even skilled technologists who administer their own networked services are no match for the bandits. To keep bandits out, you have to be perfect and perfectly vigilant, and never make a single mistake. For the bandits to get you, they need merely find a single mistake that you’ve made."

Ooof. What a boot-to-the-face reminder. Despite my use of a Tor Router, three YubiKeys and Google Authenticator, password manager, non-GSM voice (GoogleVoice), and several hard tokens from various financial institutions, I still have no idea if I'm doing enough because I don't control any of my three OSes, including Ubuntu 18.04 (we almost missed elliptic key backdoor in OpenSSL, what else is in there?).


If what you are communicating needs to be guaranteed to never be crackable, you only need to use the oldest and most secure way of communicating before the days of internet and computers: short wave transmitted one time pad codes.

The reason that number stations continue to operate is that it really is the best way to communicate/order under surveillance which almost certainly is happening in every embassy in non-friendly countries.

One time pads are truly unbreakable and its techniques have been refined for the past 80 years since the Cold War began.

Luckily you don't need a shortwave radio anymore and the CIA I believe utilizes emoticons. Even if you intercept a bunch of smiley faces followed by a wink, how do you figure out the contents of the message when the medium to decode is completely unknowable?

It was only when they captured a few Cuban spies that they were able to break the number stations operating out of Havana but this is perhaps the only case in history.


Let’s take a step back here.

Everybody has a different standard of privacy they want. There are different levels of trade offs they can make as they become more secure. What you’re describing is the top level of security but it’s not very convenient to use. It also uses private keys which makes establishing a new connection challenging.

There are as I see it a few main security modes: stopping automated surveillance and hacking, stopping low effort surveillance and hacking, and being “perfectly” secure from the most motivated adversary.

Being perfectly secure on a networked computer is basically impossible. Governments likely have access to back doors and 0days that can compromise anyone (and keep in mind if the person on the other end has bad opsec, you’ve already lost). But they’re probably not going to unleash the fire and fury on Joe Schmo, and would probably be reluctant to target someone security-minded who might identify how they got pwned and publicize the vulnerability unless they have a damned good reason.

Most people don’t need never-crackable, they just need to be reasonably assured that only a very motivated adversary could crack them.


> Governments likely have access to back doors and 0days that can compromise anyone

* anyone running a certain configuration

Bugs don't exist in a vacuum. They exist in a specific piece of software, which usually supports a specific feature (e.g. Flash, Microsoft Word, or TCP/IP).

Curious about more informed opinions, but it seems unlikely there's a large universe of zero days applicable to every configuration out there.

Consequently, a huge part of security is (and has always been!) limiting unnecessary code. Specifically, code accepting input from network connections.

Parent's point about crypto algorithms is a form of this: one reason they're so secure, and provably so, is because they have extremely limited attack surfaces. They take this input, they produce this output.


What I first replied to is about a specific private key algorithm that doesn’t have any patterns, and using it over something that can’t be backdoored. Using OTP is not just using crypto, it is pretty much the only “uncrackable” encryption if used properly.

My point is that using something like PGP to communicate over TOR (or even OTP over TOR) doesn’t matter if whoever you are trying to hide from has a backdoor to your OS or has the ability to exploit a vulnerability in your OS (which only requires something trivial like you having loaded some random JS in the past year). And there is no way to protect against an undocumented bug in some software you depend on other than to not use it. You can only hope that a government or criminal doesn’t care enough to burn a 0day on you.

(Of course you can still airgap a computer with the private PGP key and manually copy the encrypted data over but the question then is whether that is worth the minuscule chance of it mattering)


> no way to protect against an undocumented bug in some software you depend on

I understand the point you're making, but I feel like it's overstating the frequency.

Of all the code in a piece of software, only some amount will have bugs. Of those bugs, only some will be executable in your configuration. Of that buggy code, only some will create security issues. Of those security issues, only some will be network-exploitable.

That's a lot of partitioning.

So it's fair to say systems run on other systems, but I don't think it's fair to say it's likely that every system has an undiscovered, network accessible security vulnerability.


> If what you are communicating needs to be guaranteed to never be crackable, you only need to use the oldest and most secure way of communicating before the days of internet and computers: short wave transmitted one time pad codes.

I'd say using a dead drop is probably even older and more secure. I don't think it'd attract any extra attention unless you're already being followed.

A numbers station is really only useful to a particular use case that seems exclusive to nation-state spies: you don't care who knows you're transmitting, but you need the message and the location of the recipient to be absolutely secure.


> dead drop

yes but it really needs to be remote because they caught ppl doing it like that American spy in the 80s.

I know in South Korea, dead drop is a popular method of peddling drugs but ppl still get busted.

I agree number stations are overkill but perhaps some similar methods...like cartels using email drafts to communicate


But the point is using dead drops doesn't attract attention unless you already have it.

> I agree number stations are overkill but perhaps some similar methods...like cartels using email drafts to communicate

That's basically a digital dead drop, and they've caught people doing that: for instance: https://en.wikipedia.org/wiki/Petraeus_scandal#Summary_and_c...


> because they caught ppl doing it like that American spy in the 80s.

Are you referring to Robert Hanssen? https://en.wikipedia.org/wiki/Robert_Hanssen


It's not that I'm a spy. It's that I want to protect myself digitally as much as possible, despite being forced to interface with the internet by large institutions.

We can go back in time and argue about the lack of security just four decades ago (George Hayduke[1] had a series of books on how to exfiltrate info in the 60's & 70's through social engineering). However, here we are: in a virtual world that is simultaneously more secure and less secure than ever. Compare: we have evolving security protocols that are being hardened every year by attackers pushing on them, yet our entire lives are open like never before for the picking-off by one clever blackhat.

It is maddening, and I consider myself far more cognizant of the issues than a typical chain-letter sharing, 8-char all-text passwording, facebook user.

[1] https://www.amazon.com/Screw-Unto-Others-Revenge-Occasions/d...


> protect myself digitally as much as possible

From whom? Understanding the threat model is incredibly important to understanding how and what to defend against. It sounds like you're just chucking "security ideas" over the fence in the hopes that one might protect you.

Protection against cyber criminals and other net denizens? You're probably overkill and also not helpful in some circumstances. Tor is generally for anonymizing internet traffic, but using a financial institution is the exact opposite of anonymity.

ISP? Maybe? Depends on what you're doing and why. With DPI and other tools it's not clear cut.

Nation state? Not much you can do. Very little can protect you if Russia decides you're a person of interest.


> It sounds like you're just chucking "security ideas" over the fence in the hopes that one might protect you.

Precisely my point!

You describe a situation where "buyer beware" means staying up to date with the latest netsec and tech rags. That is simply unfeasible for the vast majority of people, including me.

But you know what: I can't get simjacked anymore because I read about that. I have stronger passwords because of hard tokens, because I read about that.

What next 50 things do I need to read about to stay "safe", and what even IS "safe"?

This is nontrivial and our identities literally depend on it. The fall-off costs are astonishingly high.


I would like to have read that book before I made peace and decided that spectacular success is THE best revenge.

Like the old Jewish saying: "Living a good happy life is the best revenge"

Still, it needs a read but for pure entertainment. I will add it to my wish list


> It was only when they captured a few Cuban spies that they were able to break the number stations operating out of Havana but this is perhaps the only case in history

Bad OPSEC (Reuse of pads) allowed the West to extremely painfully decrypt chunks of Soviet communications - finding just how bad communist infiltration was in the process.

https://en.wikipedia.org/wiki/Venona_project
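Added example (not part of the thread): why the pad reuse mentioned in the comment above is fatal while single use is not. The messages are constructed samples, not historical traffic, and the function names are illustrative.

```python
import secrets

# Constructed sample messages of equal length (not historical traffic).
MSG_A = b"MEET AT DAWN BY THE BRIDGE"
MSG_B = b"SEND FUNDS TO ACCOUNT NINE"


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; a one-time pad must be as long as the message."""
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(pad: bytes, msg: bytes) -> bytes:
    """One-time-pad encryption; decryption is the same operation."""
    return xor(pad, msg)


def pad_that_explains(ciphertext: bytes, candidate: bytes) -> bytes:
    """For ANY same-length candidate plaintext there is a pad that maps it to
    this ciphertext, so a single ciphertext says nothing about the message."""
    return xor(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With one pad used twice the pad cancels: c1 ^ c2 == p1 ^ p2."""
    return xor(c1, c2)


def read_other_message(c1: bytes, c2: bytes, known_first: bytes) -> bytes:
    """Once either plaintext is known or guessed, the other follows directly."""
    return xor(reuse_leak(c1, c2), known_first)


def demo() -> dict:
    pad = secrets.token_bytes(len(MSG_A))
    c1 = encrypt(pad, MSG_A)

    # Single use: a completely different plaintext fits c1 equally well.
    decoy = b"X" * len(c1)
    fits = encrypt(pad_that_explains(c1, decoy), decoy) == c1

    # Reuse: the same pad encrypts a second message.
    c2 = encrypt(pad, MSG_B)
    return {
        "single_use_fits_any_plaintext": fits,
        "pad_cancels": reuse_leak(c1, c2) == xor(MSG_A, MSG_B),
        "second_message": read_other_message(c1, c2, MSG_A),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```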


Now THIS is why I love text based communities like HN and Reddit. You just get rewarded these small nuggets of rabbit holes.


Read "Spycatcher" by Peter Wright. It's one of not many books on spying like this (Wright was cleaning up the mess Venona revealed for years) actually written by an intelligence officer, in clear breach of the Official Secrets Act, and even better he was an engineer too so there are lots of tales of him reverse engineering Soviet bugs like "The thing" and tracking down spurious radio emissions to find spies.

His theory about Roger Hollis is probably lost to time although MI5's complete failure to address it is probably a hint.


You can't operate a number station in someone else's country.... they might not be able to crack the code, but they can sure track down the number station and turn it off/arrest the operator.


Oh yes absolutely. There's a reason why both Koreas broadcast numbers in their respective borders. I remember when I first discovered number stations....it kept me obsessed for days

https://swling.com/blog/2016/08/numbers-stations-and-the-two...


You can trivially find the listeners too if you use a bad/old radio

https://en.wikipedia.org/wiki/Operation_RAFTER


I guess but if it is for cross border communications then you could just run it digitally on Twitter or a similar website.


You could run your system completely in RAM, to at least limit the duration of exposure.

Persistence is overrated! :)


You're joking, but I don't think I will be running Windows without uwfmgr.exe aka Unified Write Filter if I ever decide to use it as my main OS again. More people should be aware of it. It's only for Enterprise editions, but maybe there are similar options out there.


To go one step further, have three, or more, identical firewalled systems running and have them vote on every calculation with the votes sent to a hardwired switch, that prevents the system from advancing if there’s a disagreement, and shuts off power to the RAM if there’s too many in a row. The chances of any compromise happening to all the systems within the same nanosecond would be infinitesimal.


They shouldn't be identical systems, common mode failures will get you.


For anyone unfamiliar and curious, this is how the Tails OS works.

https://tails.boum.org/


Or a VM with snapshots / non-persistent storage.


How do you apply security updates?


Immediately after a clean boot, apply security update, reboot to test, then immediately shutdown and allow that snapshot to persist.


Wouldn't it be better to do a reinstall of the OS in the VM (or use a previous image), apply the security updates, and then reinstall any other software that was on the system?


Typically the base, non-persistent image is carefully managed to be pristine, e.g. through a tree of storage snapshots that allows reversion to known-good checkpoints.


Information security is not a matter of secure or not-secure. Throughout history, it has always been a matter of available resources and risk management.

Failing to consider security in terms of resources and risk leads to moments like this. The crushing fear that you're not doing enough, never doing enough, never sure enough...

It's a bottomless pit of anxiety. You can always add on more protections, more tools, and more layers. Your anxiety is never really soothed because you can never actually fully banish risk.

As long as you conceive of information security as deterministic or binary, you're going to struggle.


Fun reminder that Canonical refuses to use TLS on their repos


Do you have reason to believe there's a problem with the gpg signatures in their repo?


The GPG sigs that are also published over MITMable unencrypted http?

http://archive.canonical.com/dists/xenial/Release.gpg

Yeah, I believe I see a problem there...


The entire point of signatures is that you don't have to trust the channel that delivers them.

The root of trust is the private key that comes with the operating system install ISO, but that you can download over HTTPS or have it delivered as physical media etc.


Which problem do you see? It's just a signature, they cannot be forged without a corresponding private key.


But the public signing key, that's already installed via presumably verified initial media is already there, so unless their private key is compromised, which would be a bigger deal ....


> installed via presumably verified initial media

This is not a universally correct assumption.

How does this chain of trust bootstrap for a first time (or stand alone) user who downloads Ubuntu from a non-Ubuntu system? If I've got MITM, I can change both the ISO (with the totally-not-verified public key) as well as the gpg sig to match using a private key I know (and gave you the public key to).


Sure. And how does a TLS connection for the ISO download solve this problem? You would need to make sure that the TLS connection is to the correct server. How do you check it is the right server? Probably by checking the hostname against some webpage and the TLS certificate against some CA roots in your browser. How do you get the right hostname? How do you know the CA roots in your browser are correct? How do you know your browser executable and config are correct?


There's an extremely wide range of adversaries between "potentially capable of MITMing a network I use" and "potentially capable of screwing with my OS/browser's CA roots or actively acquiring and misusing an illegally obtained valid TLS cert for ubuntu.com".

Sure, most nation states can craft whatever TLS cert they want, with only some risk of bad press if they get caught signing a ubuntu.com TLS cert fraudulently via a CA they control/coerce. If those people are my adversary I'm screwed. "YOU'RE STILL GONNA GET MOSSAD'D UPON!"

A TLS connection for the download (and the gpg signature) protects against people like the disgruntled hotel IT guy, the kid futzing with the cafe wifi, an evil housemate, some crappy rooted IoT shit somebody hooked up to the wifi, an overly curious coworker or corporate IT drone, the red team in a company pen test.

I've heard the arguments here - that it's a difficult problem for all the mirror operators to add ssl certs, that it'll stop downloads being cacheable, etc. But I didn't really buy those arguments 5 years ago, and these days, with LetsEncrypt and HSTS - I think those arguments are even more bogus than they were in 2015...


Side-channel verification with the distro developers. Contact them over a channel that's unlikely to be compromised, get them to confirm that the keys in the system signature keyrings belong to them. Repeat for many channels until you get enough confidence.



Yes because it allows caching and encrypting the traffic would provide no benefit.

APT supports downloading over Tor if you want to hide which distribution you are using.


I reckon it’s more about guaranteeing the integrity of packages in transit, rather than providing anonymity.


What integrity guarantees does TLS provide that GPG does not?


The packages you download can be easily inferred even when transmitted over TLS. What does TLS buy you? That's the argument at least.

You could always download them over tor.


I think the concern is more about man-in-the-middle attacks. Even then, though, doesn't apt verify the hashes of downloaded packages?


How do you trust distribution if you also have mirrors all across the globe (that are not Canonical's machines)?


Signatures generated with trusted keys.


How does apt get said hashes? That's the key problem.


By checking a signature from a trusted key. MitM is handled.
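Added example (not part of the thread, and not APT's or Ubuntu's code): the chain the replies above describe, where one signature over Release covers the Packages hash, which in turn covers each .deb hash, plus the bootstrap case raised earlier where the client's trusted key was itself replaced. The file formats are simplified, and a hash-based Lamport one-time signature stands in for the archive's GPG signature so the sketch runs on the Python standard library alone; all names and package bytes are constructed.

```python
import hashlib
import secrets

NAME = "pool/hello_1.0_all.deb"                       # constructed path
GOOD = b"constructed package bytes: hello 1.0"
TAMPERED = b"constructed package bytes: hello 1.0 (modified in transit)"


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Lamport one-time signature (stand-in for GPG; one signature per key) ---
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(256)] for _ in range(2)]
    pk = [[hashlib.sha256(s).digest() for s in row] for row in sk]
    return sk, pk


def _bits(msg: bytes):
    digest = hashlib.sha256(msg).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes) -> bytes:
    return b"".join(sk[bit][i] for i, bit in enumerate(_bits(msg)))


def verify(pk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32:
        return False
    parts = [sig[i * 32:(i + 1) * 32] for i in range(256)]
    return all(hashlib.sha256(p).digest() == pk[bit][i]
               for i, (bit, p) in enumerate(zip(_bits(msg), parts)))


# --- Archive side: only Release is signed; everything else hangs off it ---
def publish(sk, debs: dict) -> dict:
    packages = "".join(
        f"Filename: {name}\nSHA256: {sha256hex(data)}\n\n"
        for name, data in sorted(debs.items())).encode()
    release = ("Suite: example\nSHA256:\n"
               f" {sha256hex(packages)} {len(packages)} Packages\n").encode()
    return {"Release": release, "Release.sig": sign(sk, release),
            "Packages": packages, **debs}


class VerificationError(Exception):
    pass


# --- Client side: every byte comes from an untrusted mirror or network ---
def fetch(mirror: dict, trusted_pk, name: str) -> bytes:
    release = mirror["Release"]
    if not verify(trusted_pk, release, mirror["Release.sig"]):
        raise VerificationError("Release: bad signature")
    listed = {}
    for line in release.decode().splitlines():
        fields = line.split()
        if line.startswith(" ") and len(fields) == 3:
            listed[fields[2]] = fields[0]             # file name -> sha256
    packages = mirror["Packages"]
    if sha256hex(packages) != listed.get("Packages"):
        raise VerificationError("Packages: hash not in signed Release")
    want = None
    for stanza in packages.decode().split("\n\n"):
        kv = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if kv.get("Filename") == name:
            want = kv.get("SHA256")
    deb = mirror[name]
    if want is None or sha256hex(deb) != want:
        raise VerificationError(f"{name}: hash not in verified Packages")
    return deb


def outcome(mirror: dict, pk) -> str:
    try:
        fetch(mirror, pk, NAME)
        return "accepted"
    except VerificationError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    archive_sk, archive_pk = keygen()
    mitm_sk, mitm_pk = keygen()
    honest = publish(archive_sk, {NAME: GOOD})
    resigned = publish(mitm_sk, {NAME: TAMPERED})     # MITM rebuilds all files
    deb_swapped = {**honest, NAME: TAMPERED}
    index_swapped = {**deb_swapped, "Packages": resigned["Packages"]}
    return {
        "honest mirror over plain HTTP": outcome(honest, archive_pk),
        ".deb replaced": outcome(deb_swapped, archive_pk),
        ".deb and Packages replaced": outcome(index_swapped, archive_pk),
        "all files re-signed with MITM key": outcome(resigned, archive_pk),
        "re-signed, and client keyring was replaced": outcome(resigned, mitm_pk),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case is accepted: the chain holds only as far as the key the client started with, which is the bootstrap question argued in the replies above.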


Qubes might be a better choice than Ubuntu, for additional compartmentalisation.


"Google" authenticator


We need to abolish IP Laws (aka "Imaginary Property" aka "Illogical Property" aka "Incongruent Property" aka "Invalidates Property Laws"—the other term is a big lie, don't repeat it). Not "reform". Not "compromise". Abolish.

If 2020 taught me anything, it's that society can come close to the brink pretty quickly. I thought there was an inevitable trend toward freedom, but recently think it's perilous. We need ideas to flow to create a more distributed, less unequal, world, and we need it now. We need to unshackle the people.

If anyone is working toward this, let me know how I can help (including funding). I'm supporting things like SciHub/LibGen and the like, but we need far far more organizers fighting to #EndIp, #AbolishCopyright, #AbolishPatents.

Trolls feel free to reply with the rote lies about how these laws make any sense. Anyone with a conscience doing something about it please get in touch and let me know how I can help!


I am genuinely interested in understanding how we could have innovation in a world where a creator is not entitled to benefits from their invention. Including any monetary benefits if they so choose.


Recipes do not have patent protection, yet there is plenty of innovation in restaurants.

There are many paths to an innovation. I don't think the first person deserves such a monopoly. American IP law, in combination with the generally litigious society, has always seemed like a net source of innovation friction...


Creating a new recipe doesn’t involve billions of dollars in research as is the case in pharma.

A company that spends billions of dollars in research assumes they will be able to recoup the cost by having a monopoly on the drug they developed. If however competitors can flood the market with the same drug, they cannot recoup the cost and will subsequently go bankrupt.

Without the proper incentives you can’t expect companies to pursue strategies that will lead to bankruptcy.


I'm fine with that. Funding drugs based on profit potential is hugely distorting. E.g., Oxycontin. Or the whole pharmaceutical sales and promotion apparatus. Or the way it's much easier to fund something that mitigates a problem instead of curing it.

We could publicly fund pharmaceutical research. Indeed, I suspect we'd be better off publicly funding it on cost terms alone. Global pharma research was $186 billion in 2019. [1] The US spends over $100 billion more on drugs compared with other countries' per-capita spending. [2] The current opioid crisis costs nearly $80 billion/year, [3] and was kicked off by a prescription opioid boom [4] driven by the promotion of Oxycontin. [5]

[1] https://www.statista.com/statistics/309471/randd-spending-sh...

[2] https://theincidentaleconomist.com/wordpress/what-makes-the-...

[3] https://www.drugabuse.gov/drug-topics/opioids/opioid-overdos...

[4] https://www.cdc.gov/drugoverdose/epidemic/index.html

[5] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2622774/


For pharma specifically, trade secrets could be a decent alternative. Coke comes to mind as a success story in that regard - if it was protected by a patent, we’d be awash in cokes made by someone other than Coca-Cola company because patents expire. Instead, it’s a trade secret that can be kept indefinitely.

You of course get a lot of imitation cokes and that’s great! More consumer choice. With Pharma, the idea is that you get generics after the patent expires. However, an interesting “what if” to ponder - what if the resources that go into generics went instead into the coke-wannabes of the pharma and actually resulted in more innovation? We’ll never know.


Medicine development should be sponsored by the government anyway. Private sector development funding optimises for drawn-out therapies that manage a condition indefinitely rather than ones that cure it. This is an unconscionable status quo.

Public funding is fine for when your end-goal is known. In medicine, the end-goal is known: cure/manage condition X, which will save lives or improving quality of life of sufferers.

Optimising for patentable, innovative techniques is no longer a distraction (because those aren't needed to "protect your investment"). Optimising for ongoing therapy rather than a one-off/infrequent cure is no longer a distraction because you already got your money from the government and ain't getting any more. You can just focus on getting the job done quickly, with the cheapest techniques available (though boring they might be), and with the cheapest possible total cost of running the therapy start-to-end.


> Private sector development funding optimises for drawn-out therapies that manage a condition indefinitely rather than ones that cure it.

And still, Moderna and BioNTech came up with vaccines for COVID-19, not therapies.


That's a great development which I welcome whole-heartedly, but I don't think this diminishes my broader argument. There are still many conditions besides COVID-19 that only have a therapy available but no cure because of business reasons.


> There are still many conditions besides COVID-19 that only have a therapy available but no cure because of business reasons.

Name three, and give reasons to believe that there's no cure for business reasons. If you can't name at least three (of the "many conditions"), then how can you be so sure of this?


#1) Psychedelics/psilocybin for mental health. Cost basically $0 to produce but the US Mental Health industry was a $225B industry in 2019. Now though big pharma sees the writing on the wall, so is inventing patented variations (https://www.npr.org/sections/health-shots/2020/12/09/9445723...) because otherwise these natural substances that people have been taking for thousands of years wouldn't be "safe".

#2) Oxycontin. We have far better cures for short-term pain management. A 1996 internal email from Sackler: "get an audience for our patent infringement suits so that we are feared as a tiger with claws, teeth and balls, and build some excitement with prescribers that OxyContin Tablets is [sic] the way to go." (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5234149/)

#3) Unnecessary procedures (440k deaths/year from medical errors - https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5234149/)


1) Psilocybin research was, and it probably still is in most of the world, made ILLEGAL by governments. Another casualty of the war on drugs, which wrongly imprisoned thousands and caused countless victims so that a few politicians get re-elected.

2) > We have far better cures

So you’re saying there are cures. Great then. Please re-read the gp's question. For 3) as well...


I don't think this is a good counterexample given the very specific circumstances involved & clear requirements to get a working COVID vaccine ASAP.


OK, do you have some examples (not counter) then?


After a few years in medical research I learned a shocking truth: patents in medicine are killing more people than they save. It’s an absolute disaster. Big pharma splintering into thousands of smaller players would be a huge improvement.


It turns out that most funding for innovation actually comes from the government. Even the esteemed Mr Musk has benefited from about 5 billion dollars of non-private money for his profitable ventures.

There is research that solidly backs this up. Taxpayers are bankrolling the industries but it's the shareholders who are reaping the rewards. It's further support for the argument that IP should not be private but rather commonly shared.


Recipes take skill to produce and in some cases significant effort to bring together exotic ingredients. That's not the case for media that can be copied almost effortlessly.

Outside of running restaurants, people who innovate in recipes tend to make money via either writing cookbooks or hosting TV shows. Both of which are protected by IP.


> a world where a creator is not entitled to benefits from their invention

This is a mis-statement of the anti-IP case. Given the abolishment of IP laws, creators are not prevented from benefitting from their invention. They merely no longer have the benefit of the state regulators in preventing others from following the inventor's example.

> Including any monetary benefits if they so choose.

The "monetary benefit" here is the power to exclude others from manufacturing the invention with the power of the state, and to compel society at large to pay for enforcement of this monopoly.


So Disney can steal the work of amateur animators and not pay them a dime. Great.


Disney originally got rich from animating public domain stories, like Cinderella and Snow White. These were the popular stories of the day that people grew up with. Now after nearly a century of Disney, who has bought Star Wars and Marvel, Disney owns all the stories people grow up with. They built up their IP moat using public domain stories, and have used IP law to maintain their incumbency.

To me, the solution is to let the cycle repeat. Let the next animation company start making stories about Spider-Man or Luke Skywalker. Sure, keep the trademarks so you can't say "Marvels™ Spider-Man", but John Smith should be able to take a crack at his version of Spider-Man just like Walt got his version of Cinderella.


> So Disney can steal the work of amateur animators and not pay them a dime. Great.

I'm pretty sure they'd have to hire their own animators in order to produce a product to sell. Theft is still a crime, we would be removing Disney's ability to use the police to shut down the work of amateur animators.


Disney does this already and will bury you in legal fees if you try to prevent it. Repealing IP laws would level the playing field.


Funny you mention this. Disney is stealing the work of others and refusing to pay them royalties anyway:

https://www.denofgeek.com/books/disney-refuses-to-pay-royalt...


Or you can "steal" Disney's and not pay them a dime. Great.


I think that many creators would struggle to benefit if their creations can be trivially copied by others.


They might struggle to sell licenses to their ideas, given that license is merely permission to perform a trivial task they are equally prepared to perform sans license, they could always benefit by selling their creative labor as work on the market.


That would mean that artists were only able to make money if they are working directly for someone else. That doesn't seem fair.


> That would mean that artists were only able to make money if they are working directly for someone else.

Nonsense, they can sell their own artwork too.


Who is the "creator"? If it is someone who composed a song or wrote a book, that word makes sense; without them the song or book would not exist. (Ironically, copyrights for songs are often not owned by the people who composed them, because contracts with publishers often require selling the copyright to them. At the end, you may be forbidden to sing your own song without paying.)

But in patents, sometimes it is just a person who noticed that existing technologies X and Y could be used together, and filed the patent first. If not them, someone else would have noticed it somewhat later. Even worse, someone else may get the idea independently a few weeks later... and then be sued for using it. Actually, if you invent something, it is always risky to use it, because you can never be sure whether someone else didn't patent it before you. (Did you do an expensive research of existing patents? Maybe you used a wrong keyword.) (By the way, patents also sometimes do not belong to people who had the idea.)


If everyone who says they will stop creating new bits if they can't control people anymore, were to stop creating new bits, that would be a great world.

(Btw, an example for your question is to look up the origin of this thing we are using to communicate—the WWW)


Because if financial reciprocation is your first incentive to be creative you've already lost the mind game. If you are a creative, you will understand that sometimes we just like to do things...


You can't eat self-actualization, nor can you build houses from it. Sunshine and enjoyment of your work is not sufficient to sustain your body, not to speak of all the other needs that effectively require money to be fulfilled.


Then again, I work all week with little entitlement to the "intellectual property" I generate, but I still receive income for my work. Making a livelihood by getting paid for the work I do and its value on the market, and the time I spend doing it and its value to me is the situation most people are in.

Being able to extract substantial rent in effective perpetuity from e.g. some copyright you own is a luxury only afforded to a relatively small minority, and ideally I think only productive work should be awarded, not rent. That will incentivize productive work rather than rent seeking.


> Making a livelihood by getting paid for the work I do and its value on the market [...]

You're only getting paid because people have to pay you the market rate for your work. If a musician creates and records a song [1], releases it at market rates (say, 2 USD), and everyone can just copy it without repercussions, he won't be able to make a living, no matter how productive he is.

[1] Which entails many hours of work, plus equipment costs.


It shouldn't be surprising that an economy will grow to depend on copyright if it exists and is enforceable.

It's really a strange, indirect way to go about it, though. It doesn't in itself incentivize further work (a lot of the music I still regularly pay for was recorded by dead artists in defunct studios, so no incentive short of Frankenstein will compel them to make more) and it may or may not cover the investment the artist/studio made in terms of actual work and equipment costs.

The up-front cost is in creating and recording the music, which consumers could pay for instead of copies. A lot of creative artists are already taking this approach with crowdfunding platforms like Kickstarter and Patreon.

Even now, it's probably true for most musicians that sales of copies isn't particularly lucrative compared to concerts/work for hire/project contracts, while recordings have an ever increasing number of pockets to line before the artists get their take. It's a potentially infinite revenue source, so why not?


I've talked to a thousand people like this and generally they seem immune to logical conversations. If you are in the 1% who gets a nice fat check thanks to IP laws, hurray for you. I've been there too, it's a nice comfortable life. You can promote the Big Lie all you want, but any smart honest person will figure out eventually that IP is evil from every angle.


> I've talked to a thousand people like this and generally they seem immune to logical conversations.

Are you talking about me? Which part of my posts is not "logical"?

> If you are in the 1% who gets a nice fat check thanks to IP laws, hurray for you.

I'm not. Some people are able to hold opinions that don't directly benefit them. Inconceivable, right?

> You can promote the Big Lie all you want, but any smart honest person will figure out eventually that IP is evil from every angle.

That's not even an argument. And you're accusing me of being "immune to logical conversations"?


It is an argument. IP is evil/suboptimal from every angle. What happens when debating people who repeat tired tropes of “a musician won’t get paid” or “we won’t have new medicines” or “copying is stealing” is that you can never satisfy them because they aren’t discussing in good faith. They provide 3 angles, you refute those 3; they provide 3 more; you refute those; et cetera. There is no angle to support IP unless you are in the 1% and support it for selfish interests in maintaining the status quo, or you take the autocratic angle that it is important for a government to have more control over its people. Those are interesting debates to have, but discussing the logic and data about how IP is unjust and bad economics is not, because generally people just regurgitate “the Big Lie”, and it’s a waste of time talking to them. There’s plenty out there refuting any point in favor of IP, and simply thinking from first principles is a fast and simple way to arrive at the truth.

I do apologize for jumping on you there and assuming bad faith, it’s just that most folks who raise similar points to you are coming from that, but it wasn’t fair of me to assume the worst from you. I like your point about holding opinions that go against your own self-interest (being against IP has personally cost me a fortune), and I encourage you to delve more into this issue.


> Sunshine and enjoyment of your work is not sufficient to sustain your body, not to speak of all the other needs that effectively require money to be fulfilled.

You've neglected to argue as to why these needs should be artificially subsidized by the issuance of state-enforced monopolies for certain concepts.


> You've neglected to argue as to why these needs should be artificially subsidized by the issuance of state-enforced monopolies for certain concepts.

... What? Avicebron argued that "financial reciprocation" should not be a priority of a creator, I countered that idealism won't keep you alive for long, and that creators need to make money to be able to create. Your post is completely beside the point.


Why do they need special laws to subsidize their creation? People can pay them to make their work, that's historically how things were done. Now suddenly they need special laws so it's illegal to take a photograph in public without permission? Of course they need to get paid in order to live and to work, so do I, so does everyone else. Can we now discuss why creators are so special that they get an entire class of quasi-property rights where enforcement is subsidized by the state?


> People can pay them to make their work, that's historically how things were done.

So who's going to pay them? Their employer? That raises two problems: 1) Creators can't be independent and self-employed anymore, and 2) how is their employer going to make enough money?

A rich patron? That's hardly a better system.


> So who's going to pay them? Their employer?

Whoever wants artwork, obviously.

> 1) Creators can't be independent and self-employed anymore,

Actually, there are plenty of independent creators who are either self-employed or work at a job.

> 2) how is their employer going to make enough money?

Presumably the reason they are an employer is their ability to run a successful enterprise.

> A rich patron? That's hardly a better system.

Why not?


> A rich patron? That's hardly a better system.

Many great works of art have come to us via this system. In our time, isn't that what Patreon is?


Recent successful companies have largely done so because of execution, not IP protection. They have had competitors trying the exact same idea who still lost. This is especially the case with the move to SaaS, even copyright isn't so important as in the days of packaged software. A lot of the unicorns innovated on business model, and business models aren't protected anyway.


Andrew "bunnie" Huang explains an alternative model of innovation in his talk An Alternative to the American way of Innovation[1].

The over-simplified summary is that instead of worrying about losing the monopoly protection of copyrights and patents - which are expensive to enforce and often bypassed - consider the new types of innovation that become possible when you have access to all of the knowledge that was previously locked behind IP monopolies.

[1] https://www.youtube.com/watch?v=S39fhrGjr4U


> a world where a creator is not entitled to benefits from their invention.

Do you mean a world where YouTube takes money from creators and gives it to corporations that claim ownership of public domain music, or do you mean independent artists who get zero money from their Spotify plays, since the three-company cartel of record companies have forced streaming services to pool the artists’ money and then give most of that money to the biggest artists fronted by those same three record companies..?

This abuse is wholly dependent on the outrageous IP laws we live under.

Which creators are you talking about?


Real innovators care about the journey not the money. Some money is needed sometimes to get or keep going, we have this money, we have plenty of money.

We can also choose to reward innovators both for the effort and the result. It should be in proportion tho, an invention that makes you the owner of the world is not desirable for anyone else.

And finally, the most ironic, you don't have innovation if you are renting it. (they don't even have to let you rent it) It's a well-crafted con that turns you into a subject to be exploited in any way the ~~innovator~~ owner chooses.


> I am genuinely interested in understanding how we could have innovation in a world where a creator is not entitled to benefits from their invention. Including any monetary benefits if they so choose.

they are entitled to the benefits of their creation. by executing their idea better than others. and selling that execution competitively.


> I am genuinely interested in understanding how we could have innovation in a world where a creator is not entitled to benefits from their invention.

We've had innovations for thousands of years without IP. Not to mention that Linux and GNU exist for a reason. Do you think people will stop writing books, making music, etc. without IP laws?

> Including any monetary benefits if they so choose.

How does removing IP laws prevent you from profiting from your work?


IP laws are bad because they have been taken past any sane limit. However the original terms are not too onerous, with provisions and updates there is no reason not to give the people who invent things short and clear monopolies on their ideas.

15 years is plenty of time, then everything needs to be released into the public domain.


>with provisions and updates there is no reason not to give the people who invent things short and clear monopolies on their ideas.

The lack of a monopoly creates competition which accelerates innovation and leads to cheaper, higher quality products for the consumer. The person who invents a product should simply be one competitor in the market, they can have the first mover advantage, but shouldn't be allowed to control the market entirely.

If we believe in the FOSS ethos that no one has the right to own software, even if they write it, then why would this only apply to software? Why not to all forms of intellectual property? Why do I have a moral right to fork, rewrite and redistribute Firefox but not Star Wars or Pfizer Pharmaceuticals?


> The lack of a monopoly creates competition which accelerates innovation and leads to cheaper, higher quality products for the consumer. The person who invents a product should simply be one competitor in the market, they can have the first mover advantage, but shouldn't be allowed to control the market entirely.

But that obviously wouldn't work as well, because:

1. The inventor would pay the R&D costs with no good way to recoup them, because he'd be competing against knockoffs who didn't have to make that investment, and can price accordingly. You'd be putting the actual inventor at a disadvantage.

2. There'd be no incentive for inventors to actually publish designs for their inventions. What most people who argue against patents as a concept forget is that to get one you have to publish plans for your idea openly, which makes it much easier to copy. The limited monopoly is an incentive to part with that information. You'd end up leaving the public domain poorer.

3. Invention and production are different skillsets. For an author to get paid for writing, they shouldn't need to own a printing press and distribution network. It's a good thing that good, successful authors can make their livings by writing and not always be forced to sustain themselves with a day job.

The original ideas behind IP are very, very sound. What we need is to roll back how the implementation of those ideas has been corrupted to society's detriment.


> 1. The inventor would pay the R&D costs with no good way to recoup them, because he'd be competing against knockoffs who didn't have to make that investment, and can price accordingly. You'd be putting the actual inventor at a disadvantage.

Yes, the means of ensuring that research and development would be funded would have to change. This doesn't imply that there would be no r&d, rather the current r&d is being subsidized by laws that give legal privileges to certain corporations while prohibiting their competition from competing.

> 2. There'd be no incentive for inventors to actually publish designs for their inventions. What most people who argue against patents as a concept forget is that to get one you have to publish plans for your idea openly, which makes it much easier to copy. The limited monopoly is an incentive to part with that information. You'd end up leaving the public domain poorer.

You could pay them for the design. Or you could reverse engineer the design from the actual physical product.

> 3. Invention and production are different skillsets. For an author to get paid for writing, they shouldn't need to own a printing press and distribution network.

likewise people shouldn't be subject to violence for copying intangibles.


> 1. The inventor would pay the R&D costs with no good way to recoup them, because he'd be competing against knockoffs who didn't have to make that investment, and can price accordingly. You'd be putting the actual inventor at a disadvantage.

So what? They would just need to sell the research at profit instead of subsidizing it with future monopoly revenue.

Patents are nowadays written to obscure the research as much as possible anyway.

And remember how putting a 3D printer in a box to keep the material warm has been patented? Suuuure, wouldn't get discovered independently.


>> 1. The inventor would pay the R&D costs with no good way to recoup them, because he'd be competing against knockoffs who didn't have to make that investment, and can price accordingly. You'd be putting the actual inventor at a disadvantage.

>> 2. There'd be no incentive for inventors to actually publish designs for their inventions. What most people who argue against patents as a concept forget is that to get one you have to publish plans for your idea openly, which makes it much easier to copy. The limited monopoly is an incentive to part with that information. You'd end up leaving the public domain poorer.

> So what? They would just need to sell the research at profit instead of subsidizing it with future monopoly revenue.

That doesn't actually address the concern; it just moves it around a little.

So, there's at least two cases to consider: something that was difficult to develop and either a) easy to reverse engineer or b) hard to reverse engineer.

With (a), why would someone pay for the research when it's just going to be cloned by their competitors for free? It's the same situation the inventor is in.

With (b), why would the inventor ever publicize the research behind the invention or product? It'd end up being a trade secret, and probably be monopolized (for potentially a longer period) or lost altogether.

For instance, with 3D printers, maybe instead of them becoming ubiquitous after the patent expiration, the inventor kept the technology secret and used it to start a rapid prototyping company. Maybe they couldn't keep that up forever, but it's quite conceivable they could for longer than a patent term.

> And remember how putting a 3D printer in a box to keep the material warm has been patented? Suuuure, wouldn't get discovered independently.

That's not an argument against patents, but an argument against the current threshold of patentability. Also, there are a lot of things that only seem obvious after you've seen them done.


Maybe, instead of an exclusive monopoly, ownership of IP grants an inventor a share of revenue from any products using that IP for a limited time, like a royalty or a license. Then they could make money while the community innovates on their idea.


> Maybe, instead of an exclusive monopoly, ownership of IP grants an inventor a share of revenue from any products using that IP for a limited time, like a royalty or a license. Then they could make money while the community innovates on their idea.

I think that's a reasonable idea, and I believe it's called "compulsory licensing."


These arguments get trotted out every time this comes up, and they are bad.

>1. The inventor would pay the R&D costs with no good way to recoup them, because he'd be competing against knockoffs who didn't have to make that investment, and can price accordingly. You'd be putting the actual inventor at a disadvantage.

It's now clear that there are plenty of ways to fund R&D without relying on IP law to recoup the costs. Another reply goes into this better, so I want to also point out another benefit: the incentive to perform R&D, without IP law, is less likely to be "in order to make a profit," and more likely to be "because whoever is funding it wants it to be done," whether for itself or because they want the end product to exist.

Remember that an open market capitalist economy is _a method for allocating resources within a society towards ends that people actually want_. Doing R&D for profit is an indirect way of incentivising companies to produce things that people want. Without monopoly licensing, the incentive to the company is directly to research & develop something that people want - the funders, at a minimum.

Some lessons from e.g. machine learning research show that any slight misalignment in objective when you have a powerful optimising system, like a corporation, will be ruthlessly exploited, until what you end up with is nothing like what you wanted. In particular, instead of solely making things that people want, companies spend massive amounts of effort on making people want the things they make.

>2. There'd be no incentive for inventors to actually publish designs for their inventions. What most people who argue against patents as a concept forget is that to get one you have to publish plans for your idea openly, which makes it much easier to copy. The limited monopoly is an incentive to part with that information. You'd end up leaving the public domain poorer.

This argument is nearly completely redundant these days. Nowadays, to reproduce something it's almost always enough just to know it's possible, let alone knowing precisely how or even having a working example. If that wasn't the case, why are copyrights necessary on manufactured physical products like drugs? The producers wouldn't be concerned about their products being copied if it wasn't possible to do so without explicit instructions.

Another poster brought up that patents are now written to be as obscure as possible anyway - also true, nearly removing all public benefit that might have been obtained from such a system in the first place.

>3. Invention and production are different skillsets. For an author to get paid for writing, they shouldn't need to own a printing press and distribution network. It's a good thing that good, successful authors can make their livings by writing and not always be forced to sustain themselves with a day job.

This just makes you seem out of touch with the modern reality of the writing industry. You may have heard that most musicians, apart from a few mega popular ones, make their money from live performance & merchandise. Writing is going a similar way. Self publishing is a bigger and bigger thing, lots of authors have communities or are supported directly by fans & merchandise. There are multiple companies that can print any arbitrary work into a physical book for you without requiring ownership of the IP.

Of course under the current system there will always be a few big winners, but for the aspiring new writer it's pretty unlikely you'll get very far unless you're exceptionally talented or you know people high up in the industry.

Essentially, because the average creator doesn't have a realistic shot at making money from licensing anyway, they are already adopting models that work in the absence of licensing revenue. If I were to boil it down, they're mostly selling one of three things: community, experiences, and anticipation of future creations that wouldn't otherwise exist (in other words, investment, except the investors don't own the creator's work or otherwise receive any formal stake.)

The original ideas behind IP were conceived in a different time, and many of the assumptions simply don't apply any more. It's possible that there are still good reasons why some form of IP needs to exist, but these tired justifications aren't it.


Discussions like the current one make me wish we had huge but relatively affordable space habitats [1]. People with a radical idea for restructuring society [2] could pool their resources, build/buy a space habitat, and prove that their way is superior to the status quo (or fail miserably, or something in between) [3]. This way, empirical evidence could be collected, and radical ideas could be tested and adopted if they turn out to be beneficial. The best way to convince others is to demonstrate an implementation.

Unfortunately, this is not possible on Earth, because pretty much every square meter is already claimed by some entity, but there's virtually infinite room in the solar system.

[1] Like O'Neill cylinders https://en.wikipedia.org/wiki/O%27Neill_cylinder or the Stanford torus https://en.wikipedia.org/wiki/Stanford_torus

[2] Regular contenders are UBI, abolishing IP or private property, and communism.

[3] Kind of like in Scott Alexander's "Archipelago and Atomic Communitarianism" essay: https://slatestarcodex.com/2014/06/07/archipelago-and-atomic...


This is a good point and we do indeed have it in a way: countries that have allowed piracy to flourish have seen a big boom in economic activity over the past 2 decades (China being the most notable example).


Absolutely. The fact that China almost completely disregards IP and shows no signs of "innovation" slowing down disproves the notion that you need government backed monopolies on inventions in order to encourage innovation.


This is an excellent reply and if the pro-IP crowd has any response, I'd be interested to read it.


Agreed. Really interesting read. Was surprised to see it downvoted.


>If we believe in the FOSS ethos

I don't. So what now?


You can sit down and let someone less pedantic take the floor.


Slavery laws are bad because they have been taken past any sane limit. However the original terms are not too onerous, with provisions and updates there is no reason not to give the people with capital short and clear monopolies on their slaves.

15 years is plenty of time, then every slave needs to be released into the public domain.


I feel like you're now describing student debt.


> If 2020 taught me anything, it's that society can come close to the brink pretty quickly. I thought there was an inevitable trend toward freedom, but recently think it's perilous. We need ideas to flow to create a more distributed, less unequal, world, and we need it now. We need to unshackle the people.

This seems like an odd claim, as society as a whole was able to weather the pandemic overall in incredible comfort due to technology and content created under our IP regime. And we got a vaccine, covered by IP laws, to people with incredible speed. If anything - it's working well.

I think the burden is on you to demonstrate that we'd have these things without the IP environment of the past 100 years.


> weather the pandemic overall in incredible comfort due to technology and content created under our IP regime

strike "under" insert "in spite of"

> demonstrate that we'd have these things without the IP environment of the past 100 years.

IP are laws that prohibit who is allowed to manufacture and profit by certain types of goods. The burden of proof rests on those who think that those goods would not exist if more people were permitted to produce them. The presumption is that prohibitive laws have the effect of decreasing the things they prohibit.


I do not think your beef is with IP. I think you are anti private property.

If private property exists, with any sort of free exchange, then IP that takes resources to produce and nothing to copy will need protection under some sort of property law.

A high tech society is imaginable in the absence of private property, but generally the abolition of private property is not considered as a serious option.


> If private property exists, with any sort of free exchange, then IP that takes resources to produce and nothing to copy will need protection under some sort of property law.

No, it doesn't need to be protected. The ability to copy is a feature, not a bug. Laws that limit the copying of data decrease the proliferation of that data in most cases.

> A high tech society is imaginable in the absence of private property, but generally the abolition of private property is not considered as a serious option.

I see people mentioning it but I agree it's considered to be somewhat fringe by most. A society without private property would likely devolve to subsistence level or recreate propertarian norms.


Private property is definitely one of the things that has benefited society the most, but the reward distribution has skewed in the wrong direction.

When one has too much power or capital, the ability for one to rewrite the laws that govern the taxation of the accrued private property (intellectual or physical) increases as well. This is why those with the most private property can essentially do as they please; the benefits they derive from their private property are disproportionately high compared to the cost that society incurs protecting their private property.

For instance, the workload that the government is tasked with to protect private property of these elites at home (e.g. the large amount of police resources that need to be available for large tech campuses or in rich areas) and abroad (e.g. by tasking the Acronym Agencies with searching for foreign and domestic threats, by using the might of the dollar and the military to basically force their will on other countries through political, physical, or financial violence (FATCA comes to mind...) [0]).

Private property needs to stay, but the incarnation we find ourselves in today needs to evolve for it to survive. Either through taxes or government stakeholdership in corporations (e.g. Yanis Varoufakis' proposal that companies must give X percentage of their shares to a common fund such that the incentives are aligned for both the companies and the government to act in the long-term interests of its citizens), this imbalance of power needs to be corrected for.

The one thing undermining this is a distrust in the US government that is rightfully earned after decades of neoliberalism (and, to a different perspective, neoconservatism) has worked hand in hand with the elites to steal and pillage the private property of the common man (e.g. how Warren Buffett's secretary pays a higher tax percentage than he does).

Unfortunately I don't see this happening. Things are getting worse in the US as public institutions are eroding or becoming more kleptocratic, all the while the elites are starting to act more like feudal lords, thinking that some libertarian wet dream of privatization of everything is the answer (private military and private firefighters come to mind for the extremely wealthy few). This technofeudalism will probably only be stopped by some major shift in global power (e.g. away from the dollar as the world's reserve currency, which I suspect would provoke the US into military action one way or another)

If anyone wants to read a great article about what happened to America's institutions, I recommend Francis Fukuyama's America in Decay [1]. His "end of history" argument seems very premature given what's happened since he wrote that, but most of his other work is spot on.

[0] I certainly don't agree that these policies are beneficial in aggregate, as they result in international hostility, the things Snowden revealed, etc. It is, however, a thing that government does provide for the monied elites.

[1] https://cf.linnbenton.edu/artcom/social_science/clarkd/uploa...


> When one has too much power or capital, the ability for one to rewrite the laws that govern the taxation of the accrued private property (intellectual or physical) increases as well.

This is conflating power and wealth. When one has too much power, one is able to seek rents. Often this takes the form of government-sponsored monopolies. However, one's security costs increase faster than one's wealth, so wealthy people have an incentive to capture the government and outsource their security costs. This is actually contrary to private property norms as it socializes costs that are properly borne by the private entity.

> This is why those with the most private property can essentially do as they please;

This is absolutely backwards, the rich have more money, this incurs benefits and drawbacks. For example, they have much more to lose in the event they are found liable for anything.

> the benefits they derive from their private property are disproportionately high compared to the cost that society incurs protecting their private property.

That would be an argument for expanding the scope of private property (because we are able to get disproportionately more benefit at disproportionately lower social cost).

> For instance, the workload that the government is tasked with to protect private property of these elites at home (e.g. the large amount of police resources that need to be available for large tech campuses or in rich areas)

One imagines that the benefits of a low-crime society might be extended to people who don't live on a tech campus or in the Hamptons.

> Either through taxes or government stakeholdership in corporations

It's probably best to spend more time identifying the problem before we grasp for solutions.

> has worked hand in hand with the elites to steal and pillage the private property of the common man (e.g. how Warren Buffett's secretary pays a higher tax percentage than he does).

I agree, working professionals are taxed to death. Taxes on wages and salaries should be lowered to match the ltcg rate.

> Things are getting worse in the US as public institutions are eroding or becoming more kleptocratic

Have you considered this to be a weakness of the way those institutions are structured?

> some libertarian wet dream of privatization of everything is the answer (private military and private firefighters come to mind

Tbf it's probably better to have these institutions working for the people who enjoy their services and pay for them, rather than the current system.


> I do not think your beef is with IP. I think you are anti private property.

I can see no evidence that this is the case, just based on that comment.


And how would it change the world to be more equal?


More people would have the opportunity to produce life-saving drugs, fewer people would be subject to state violence as a consequence of performing acts that had no victim.


Equality is not what we need or want.

Fairness, comradery, and equity are enough.



IP includes trade marks. We absolutely can't abolish that. So be careful when you say stuff like this.


I'm not actually sure we need government to enforce trademarks. All a trademark system is is a central registry. Seems like the private sector does just fine with that (domain name system, github, npm, twitter, etc).


What really puzzles me about Apple fans and its userbase is that they do not care. They simply do not care at all what's being done to them.

It's the strongest example of consumer cultism. Absolute in their exceptionalism and ignorance. Similar problems discussed in the article are found in Tesla.

The lowest common denominator of consumer cultism is surveillance and it's no surprise that both Apple and Tesla do exceptionally well in authoritarian countries like China.

When our data is worth more than a barrel of oil, strange things are happening.


> What really puzzles me about Apple fans and its userbase is that they do not care.

They are hardly alone. There are so many issues to worry about you can really only afford to pay attention to a few. Water pollution, food pollution, being able to be housed and fed 20 years ago...the list goes on and on. And computer security is obscure and way down the list.

And specifically addressing your case, the same is true of Windows and, TBH, all Linux distros. You've checked everything on your machine for back doors?


> They are hardly alone. There are so many issues to worry about you can really only afford to pay attention to a few. Water pollution, food pollution, being able to be housed and fed 20 years ago...the list goes on and on. And computer security is obscure and way down the list.

I would be quite surprised if American citizens were not able to come to a reasonable (at least partial fix) consensus on most of these issues in fairly short order if there was a platform designed specifically for making such decisions. Of course, getting any substantial value out of this knowledge would require a means to pass legislation, but "democracy" is at least as compromised and beyond control of the citizens as our software is.

Nonetheless, I think it would still be valuable to have a grassroots way for the public to actually voice their opinions on matters, at least then we could all have a good laugh in higher resolution at how we allowed control over our destiny to slip out of our hands, without putting up even the slightest fight.


> What really puzzles me about Apple fans and its userbase is that they do not care.

Alternatively, they know what's going on and approve of it.

Consider that this blog post frames the issue as one of surveillance, instead of an anti-malware effort. If you are inclined to be anti-Apple-at-any-cost, then you will agree with the blog post. If you are a happy Apple user, you are inclined to go for the latter explanation.

> It's the strongest example of consumer cultism. Absolute in their exceptionalism and ignorance.

Now you're being ridiculous, snobby, and insinuating that you are of course immune to such motivations. Sucks to see this on HN.


> Consider that this blog post frames the issue as one of surveillance, instead of an anti-malware effort.

It does address the idea of this system being intended to combat malware in the fourth and fifth paragraphs. The point it makes is that there's nothing stopping it from being used against legitimate software too, other than the benevolence of the "warlord" who controls it, so you're still just trusting them to protect you and hoping they don't take advantage of it.


“you're still just trusting them to protect you and hoping they don't take advantage of it”

That is exactly what Apple’s customers are doing.

It's actually a pretty normal feature of modern society to trust institutions or businesses not to take advantage of particular powers they have.

It’s really bizarre to call a business a ‘warlord’.

The converse, where we can’t trust any institution or business and we must all be fully equipped to individually defend our own interests on our own is a lot more like a warlord situation.

That said, I agree that the centralized model is bad and we need to develop technology that is both secure and decentralized.

But currently no such technology exists.

Everyone has to trust someone.


> It's actually a pretty normal feature of modern society to trust institutions or businesses not to take advantage of particular powers they have.

The problem here is that Apple disallows user override, as the article explains. It's like asking that you trust your government but also allow yourself to be physically constrained from rising up and rebelling against it. And you're not only trusting Apple, you're trusting whatever government Apple is accountable to where you live.

I'm ok with trusting Apple or Google for vetting most of the apps I have on my phone but I'm absolutely not ok with them restraining me from overriding their decisions when necessary.


Google allows overrides, so nobody is forcing you to do anything you don’t want to do.


This is exactly why I use an Android phone.


Why do you care what Apple does then?


Surveillance is rarely about the individual avoiding one specific mechanism and instead mostly about its subtle influence on society (like chilling effects, the reshaping of power structures, the shift of dependencies, etc.)

We should therefore care about increased surveillance even though we personally can avoid some specific measures.

We wouldn't question someone's concern about climate change just because they live in some Russian permafrost region either.

Both are global issues.


Cory Doctorow is a sci-fi author and has written cyberpunk fiction, calling corporate empires "warlords" seems par for the genre. Scott Galloway has called GAFA "the four horsemen" and Bruce Sterling calls them "the Stacks."


I mean at some point, they could cross the line into warlord territory if other institutions decline too much.

It’s a dark world fantasy extrapolation parallel to ‘the handmaids tale’ or even ‘qanon’.

There are hints at the realities being described, but we really aren’t anywhere near them being accurate.


> There are hints at the realities being described, but we really aren’t anywhere near them being accurate.

The problem is that they can become a reality at the flick of a switch.


Not really.

It would take a lot more than a flick of a switch.

They are already under a lot of scrutiny from governments without having flicked such a switch (whatever you imagine that switch to do).


> It’s really bizarre to call a business a ‘warlord’.

It's not more bizarre than calling someone else's servers "the cloud". I'd call GAFAM warlords because they are monopolistic, force their unwanted preferences upon users and buy up competition so there is none to migrate to.


The big difference between warlords and these companies is that a warlord uses force and often violence to gain power.

These companies have gained power by selling things people are choosing to buy.


> warlord uses force and often violence to gain power.

not necessary if they gain it after the power vacuum

The behaviors these companies engage in are anti-competitive. MS even saved Apple at one point so that in an antitrust suit they could point out that other operating systems existed. GAFAM are not on the side of the people. For decades I never asked for a Windows license when buying a PC, and yet I had no choice, most of the computers weren't available without giving MS a cut, those are mob methods, take it or leave it.


“I never asked for a Windows license when buying a PC, and yet I had no choice.”

I have owned countless computers since the mid '80s, and I have never been forced to purchase a Windows license or used Windows on a computer I bought for myself.

There have always been options.


Consider the kid who wants to play Doom or Quake like all the other kids are doing in his class.

Can't do it on a linux or mac, I guess I'll ask mum to buy me Windows 95


Sure - but what has that to do with warlords?

Do you have to go to a ‘Warlord’ to buy a My Little Pony too?


And yet you can identify no real alternative. Last I checked Apple is the only company with a consumer-grade operating system that (1) has refused to turn over user data even after legal challenges from the federal government and (2) doesn’t generate revenues from advertising and selling user data.


> has refused to turn over user data

You don't need to turn over any data if you transmit which programs people start in the clear, unencrypted, easily observable, to one of your servers.

And they do turn it over. They tried to make iCloud end to end encrypted but then didn't do it at the behest of the US government. They employ the same tactics as Zoom by claiming that iCloud is encrypted, trying to make people believe that it's end to end encrypted. The encryption key still sits with them though.

Yes, there are some high profile cases where they very publicly refused the feds. Got a lot of publicity. That was their main goal, to paint an image of them not turning over user data.

Maybe Apple indeed collects less user data than Google. But they still collect many things, and it's way harder to escape Apple's collection than to escape Google's collection as their OSs are so locked down.


> And yet you can identify no real alternative.

Qubes/Whonix/Tails or any hardened Linux distro is a practical and widely accepted alternative in the security field.

To my knowledge I don't think I recall anybody using a comprehensive "pen test" framework on a Mac.

> has refused to turn over user data even after legal challenges from the federal government

While this is true, it never stopped the agencies from getting their data through other means.

There is a company in Israel that specializes in unlocking iPhone data. It recently led to the arrest of a child sex cult ring in South Korea.

> doesn’t generate revenues from advertising and selling user data.

Neither does Microsoft if you consider the metrics are used internally and used to optimize their product to maximize revenues.

I will agree that it is less pervasive than Google or Facebook.


And these alternate solutions lack 75% of the functionality available to customers of Apple products. It isn't that these customers are all clueless dunces, many of them look at the tradeoffs and if they are living in a country with some citizen rights conclude that the risk is acceptable given the magnitude of the tradeoff.


Are you ignoring alternatives like Debian and PureOS? They may not be as widely used but they exist.


> has refused to turn over user data even after legal challenges from the federal government

Apple turned over the user data of over 30,000 customers without a warrant to the US government in 2019, per their own transparency report (see under FISA).

Apple also does not end to end encrypt device backups specifically to aid the FBI.

You have subscribed to a false narrative.


>What really puzzles me about Apple fans and it's userbase is that they do not care. They simply do not care at all what's being done to them.

Or, you know, we're as informed (or more) than you, but have different priorities and opinions.

Other people that are not merely mindless sheep, where you and those agreeing with you are the only smart people? What a wild concept!

I've used anything, from 4 major unices of yore, to FreeBSD, a dozen of Linux varieties, Windows, and modern Linux.

I still enjoy macOS more and I agree with lots of the decisions taken in that ecosystem (not every one, but more than not).

You are free to buy something else.

>The lowest common denominator of consumer cultism is surveillance and it's no surprise that both Apple and Tesla do exceptionally well in authoritarian countries like China.

A non sequitur if I ever saw one...


>> What really puzzles me about Apple fans and it's userbase is that they do not care. They simply do not care at all what's being done to them.

> we have different priorities

That's a different way of saying "we don't care". You aren't really contradicting the other person's point.


>That's a different way of saying "we don't care". You aren't really contradicting the other person's point.

And yet, I am. The weasel phrasing "we don't care" implies:

(a) we should care

(b) everybody should care

(c) we're doing the wrong thing by not caring

In other words, it takes the parent's prioritization as some absolute correct one everybody should agree on (this is also evident from the rest of the comment).

As opposed to merely "we have different priorities, and we don't believe yours are important".

If the parent changed the "they don't care" accusation to a neutral "they don't care about the things I care", I'd undersign it.


> I still enjoy macOS

I would enjoy macOS if it subscribed to open source ideals, but then it wouldn't be Apple right

> You are free to buy something else.

That's exactly the advice I give to everyone who asks me about Apple


>I would enjoy macOS if it subscribed to open source ideals, but then it wouldn't be Apple right

Yes, and what's more troubling, I think it also wouldn't be macOS.

macOS can be more open, but it can't "subscribe to open source ideals" (and even less so the "bazaar model") without stopping being macOS.

It offers something else, and some of it could be replicated in FOSS (e.g. Gnome has copied tons of those, as have certain distros), but part of it stems from it being walled, and curated.

And it's not cut and dry which parts are the latter ones.

E.g. I think that "deprecating things" the way Apple does and no FOSS would dare do (due to inertia and community-driven nature) makes macOS able to adopt new stuff faster, and adopt it more wholly (e.g. with no leftover apps with 10 layers of old GUIs like in Windows).

Similarly the "my way or the highway" from Apple helps keep the platform focused (as opposed to all the FOSS hoopla, X vs Wayland, KDE vs Gnome vs XFCE etc, systemd vs init, and tons of other minutiae and duplication of effort). We'd still be discussing Metal in FOSS land (well, we have 10 years of moving from X to Wayland and it's still going on). In macOS it's a done deal.

(That's irrelevant of whether that new stuff is better or worse, btw. It can be either - but it can be either faster, and more uniformly. That's a quality FOSS lacks, and which I appreciate over customizability).


Aside from this recent fiasco with their verification server shutting down local apps I'm pretty happy with macOS. It's fairly secure by default and treats me like an adult when I want to make my own decisions and install software outside of their distribution channels.

I'm very much not ok with the iOS model where Apple and my government have veto-proof power over what software I can run on my hardware.


Wait, you'll pay me $50 (just under today's Brent crude) for a list of everything I downloaded and ran (what Apple gets)? I'll maybe even throw in all the names of the `a.out` that I create for no reason.

Sure, what the hell. It's a deal, email me and I'll run:

    find ~/Downloads -type f -executable

On video for you.


>What really puzzles me about Apple fans and it's userbase is that they do not care. They simply do not care at all what's being done to them.

I am an Apple user and I care a lot for myself and my privacy. That's why I will not support this company with my money. Some people are aware, but unfortunately we run a business in which Mac OS as a software platform is superior. Little Snitch is installed on all my Apple computers. In the last 5 years, after every OS update, telemetry from the mothership is exponentially more. I don't like this direction and have taken active measures to change my business operation and remove everything Apple related excluding some graphic software and audio. Windows is not an option.

Apple is a company that openly dislikes professional users and focuses its marketing efforts on a semi-pro audience by using powerful tribe psychology, trends and sentiments to create a public perception of a Good Shepherd and Guardian.

In reality they know that the future is data based and Google has the advantage in this market. So they correct direction to recondition the public over the idea of personal computing and transform Mac OS to iOS UX with the already established consumer habit of no control and minimum transparency.

From a business perspective the idea that someone will have a log file with my office activity is not acceptable. Period. Apple knows this and recently stopped standalone updates. This pushes businesses to avoid sandboxing of Apple computers in the corporate network.

The message is clear. You rent Mac OS as a service, the price is your data. It is Beautified Google :)


> we run a business in which Mac OS as software platform is superior

Out of curiosity, what business is that? Music? Video editing?


Graphic/ UI design plus audio and video production. Affinity/ Sketch/ Final Cut / Resolve / Fusion / Logic.


> What really puzzles me about Apple fans and it's userbase is that they do not care. They simply do not care at all what's being done to them.

From what I see in discussions: they do care. But it seems they have simply accepted Apple as a benevolent dictator.


What?

I think if people bothered to read beyond blind hatred, they'd see Apple users _do_ tend to care - and are often very critical of Apple, which is what you'd want. Hell, read any of Sneak's comments on here - they might be the perfect example.

Ultimately, until another ecosystem can match what Apple provides (Windows & Linux do not), I don't see a particular point in attempting to switch. I'd rather be critical of Apple, disable the things I don't like or trust, and then do actual things with my life.


To use the article's terminology, Apple is the lord of the manor which makes owners of Apple hardware, serfs.


And uses slaves to build devices.


We care. And Apple cares which is why they publicly said this system as run right now was a mistake. Within a week of this going public.

The article linked here is pretending that didn't happen. And you are pretending, against all evidence, that Apple users don't care. But it's Apple users who complained and sounded the alarm in the first place. Your statement is so obviously and trivially false it's crazy to see anyone upvoting it.


Take this quote from the article, and s/Google/Apple/g: "If you don’t mind being spied on by Google, and if you trust Google to decide who’s a scumbag and who isn’t, this is great."


And what to do about it?

Windows & Linux probably aren't the answer to the trillion-dollar juggernaut that is Apple.

OSS has drawn the talent, and there's a lot of talent building enterprise applications, most of which are the bricks in the wall of mega-tech as they re-write our rights.

Macs are great if you want access to the financial funnel that is the app stores now. That probably defines the echo chamber of silence that exists on this subject.


> Windows & Linux probably aren't the answer to the trillion-dollar juggernaut that is Apple.

Windows, that indie project from the mom & pop software store :-))

Microsoft is another trillion dollar corporation, not that far behind Apple.


Apple and Tesla do perfectly well everywhere, in China and guess what, in Switzerland, one of the most democratic countries there is. You are suffering from a strong dose of selection bias.


> They simply do not care at all what's being done to them.

This is an ignorant view to take. I'm a pretty dedicated Apple user but only because the other options don't have the tools I need and the UX I desire.

Likely many of the flaws Apple products have are piling up to a "straw that broke the camel's back" situation for users in a few years or decades.

When you assume others' intentions and feelings, bad things happen.


So you're saying that privacy (Apple knows what apps you're running and when) and autonomy (Apple controlling which apps you may run) are less important than the improvements which Apple has made to its OS over competitors?

This is totally fine. But there's where the friction between the two viewpoints is.


Ah yes, let me guess... we should all move to Linux & Pinephone right?


Those who care mostly never used Apple in the first place. So naturally those who use it usually don't care.

There are some refugees from Apple periodically though.


>What really puzzles me about Apple fans and it's userbase is that they do not care. They simply do not care at all what's being done to them.

I'm not really an Apple fan, per se, but I do own a macbook and the reason is this: It's not worth my time to switch to Linux. I have a core i7 Thinkpad that I also run Debian+KDE on, and the user experience is much worse, to say nothing of track pad quality and battery life.

I'm a parent and I'm not a software developer in my professional life, which means every minute spent figuring out why Linux won't do $thing properly is a minute not spent on more important things.

The opportunity cost of using free software is just too high for my use case.


"As with Apple, the best way for Google to avoid being ordered to turn over data on its users is to not collect or retain that data in the first place. And, as with Apple, the next best thing is to give users the power to turn off that data-collection and data-retention altogether, something Google's gotten marginally better at in the past year."

Google is very aggressive in its data collection. Its scope keeps increasing, not vice versa. For example, I have been experimenting with blocking some of YouTube's data collection using a forward proxy to deny certain request URLs. It appears one could do this within Developer Tools using request blocking and regex. But who would ever use that? Is it any coincidence this is not named "User Tools"?

It is possible to watch YouTube videos without having every interaction with the website logged and collected by Google as "data". You will not see any ads if you do not use the Google-supplied Javascript video player. However avoiding data collection takes some effort on the part of the user. Tech companies know this, they know most people are not really "into computers" and cannot be bothered to spend time fiddling with them. We cannot expect Google to make avoiding data collection "easy" for anyone. This is no different from expecting tech companies to "self-regulate".


> You will not see any ads if you do not use the Google-supplied Javascript video player. However avoiding data collection takes some effort on the part of the user.

I watch most of my YT videos through mpv, which (AFAIK) uses youtube-dl as a backend to get the video stream. Am I still vulnerable to tracking?


What I do is only use the videoplayback URL and reject/divert all the others. This requires having the proxy delete the range parameter in the query string portion. If you observe the traffic when using the YouTube website, there are many HTTP requests for things we do not need if we are not using Google's Javascript player. And there is no need for Cookies and many other HTTP headers if only using the videoplayback URL. Sometimes I may do two downloads: one for the video and one for the audio. YouTube seems to be now using similar/same approach for their user video as Facebook. With some videoplayback URLs pointing to only audio, and some pointing to different screen sizes.

I doubt you are vulnerable to as much tracking as someone using the YouTube website.

I find youtube-dl breaks quite frequently and so I wrote a simple downloader myself (for non-commercial videos) in a few lines of shell script. I have found it is easier to fix quickly if there are significant changes at YouTube than waiting for the youtube-dl project to release an update.
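The filtering rule described in the comment above, sketched as an added example; it is not the commenter's proxy configuration or script. Only the `videoplayback` path and the `range` query parameter come from the thread; the header allowlist, the exact-path match, the GET-only rule and the `*.example` sample hosts are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit, unquote_plus

ALLOWED_PATH = "/videoplayback"   # the only request path the comment lets through
STRIP_PARAMS = {"range"}          # query parameter the comment says the proxy deletes
# Assumption: a minimal set of request headers a plain media fetch needs.
# Everything else (Cookie, Referer, Origin, ...) is dropped before forwarding.
FORWARD_HEADERS = {"host", "accept", "accept-encoding", "user-agent"}


@dataclass
class Decision:
    action: str                   # "forward" or "block"
    url: str = ""
    headers: dict = field(default_factory=dict)
    reason: str = ""


def strip_params(query, names):
    """Remove the named parameters from a raw query string.

    Works on the raw text instead of decoding and re-encoding it, so the
    percent-encoding of the remaining parameters is left byte-for-byte intact.
    """
    kept = []
    for pair in query.split("&"):
        if not pair:
            continue
        key = unquote_plus(pair.split("=", 1)[0]).lower()
        if key not in names:
            kept.append(pair)
    return "&".join(kept)


def filter_request(method, url, headers):
    """Default-deny egress rule: forward only GET <host>/videoplayback."""
    parts = urlsplit(url)
    if method.upper() != "GET":
        return Decision("block", reason="method")
    if parts.path != ALLOWED_PATH:
        return Decision("block", reason="path")
    query = strip_params(parts.query, STRIP_PARAMS)
    clean_url = urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
    clean_headers = {k: v for k, v in headers.items()
                     if k.lower() in FORWARD_HEADERS}
    return Decision("forward", clean_url, clean_headers)


# Constructed sample requests (hosts, paths other than /videoplayback,
# parameter names other than "range" and all values are made up).
SAMPLE_REQUESTS = [
    ("GET", "https://media.example/videoplayback?id=abc123&range=0-65535&sig=AbC%2Bdef%3D",
     {"Host": "media.example", "User-Agent": "ua", "Cookie": "session=constructed",
      "Referer": "https://www.example/watch"}),
    ("GET", "https://www.example/api/log?event=play", {"Cookie": "session=constructed"}),
    ("POST", "https://media.example/videoplayback?id=abc123", {}),
]


def run_samples():
    """Apply the rule to every constructed request and return the decisions."""
    return [filter_request(m, u, h) for m, u, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, url, _), decision in zip(SAMPLE_REQUESTS, run_samples()):
        print(method, url)
        print("  ->", decision.action, decision.url or decision.reason,
              sorted(decision.headers))
```
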


You can go to https://myactivity.google.com/ and turn off everything there. I think most users can do at least that if you have a Google account. Using adblockers, fingerprint avoiding browsers, and diligently opting out of all forms of tracking where possible is also doable. This only minimizes data collection.

It's sending companies like Acxiom and Sift Science requests to delete your data based on identifiers that most people will likely not do.

I would like to see banning of data collection IDs, including IDFAs. No ad re-targeting IDs, no Verizon injecting IDs into network traffic, no Facebook SDK IDs, no IDFAs enabling data collection. I think that would do wonders for big tech minimizing their data collection.


This requires sign-in. (Signing-in, the "business" of creating non-anonymous profiles, is as I see it the essence of the problem. "Tech" companies hoping to do "work" for free and profit via online advertising want to build profiles for advertisers to target, without having to ask for consent to create them. Some users do not want profiles nor advertising.) "Myactivity" does not stop data collection. It is, to quote the web page, for "managing" the data they have already collected and will continue to collect going forward absent intervention from the user. The data collection is already happening before one ever signs in. Sure, someone can tell Google to stop collecting, but by then it's too late. They have created a profile at Google's urging , identified themselves and put their name on data that Google has already collected and attached to other identifiers. The solution is simple, as stated above: stop collecting data on people without their prior consent. Legislation could address this, but I doubt the US will ever see any meaningful regulation in this area. As I am typing this I am thinking of the case where Google was sniffing people's Wifi and storing the data. I can find the cite if needed. They later stopped after people complained, and they were sued, but that was a nice example of how aggressively they pursue data collection "within the bounds of existing law". Wrong but legal (for now). This is the "tech" industry in a nutshell.


The chaos and banditry is caused by software churn. Nothing is ever finished, so nothing is ever secure, so you must ally yourself with a powerful warlord.

This is why I am in the process of migrating my website from HTML to PDF/A.


This confuses me; the core of HTML is relatively unchanged since its inception and static HTML is fairly secure. PDF is notoriously complex and has had many security issues associated with it as a result. Regardless, if it's content you're producing I'm imagining it can be done securely with either format?


PDF/A is meant for archive purposes (e.g. remaining pixel-perfectly the same when read out of some tape archive 50 years from now) and doesn't allow things like JavaScript. Plus it requires fonts to be embedded.


PDF/A is a reduced subset of PDF, optimised for archival storage. A compliant PDF/A reader has a greatly reduced attack surface compared to a full PDF format reader.


Any recommended readers?


pdf.js in Firefox - as it’s sandboxed. Safari on iOS also natively displays web-hosted PDFs very snappily. Okular is an excellent PDF reader for the Linux desktop and supports attachments.


PDF is notoriously complex but PDF/A isn’t.


>...migrating my website from HTML to PDF/A.

I'm genuinely curious as to how having an online presence (like a website) implemented as PDF is advantageous? Do PDFs offer some security or authenticity of content that html lacks? Not bashing, really just want to learn.


I think the idea of using PDF/A is that you only have to maintain a single file that contains all the content, without external dependencies like pictures or fonts. It also supports ways to sign the file, to protect its integrity. At least it's how I understand it.

Edit: following the link on the parent's profile, there's a few explanations (in https://www.lab6.com/0):

"""

PDF makes a stand against the churn.

I’m publishing this document in PDF because:

- PDFs are self-contained and offlineable

- PDFs are files.

- PDFs are decentralised.

- PDFs are discoverable.

- PDFs are independent of browsers

- PDFs and a PDF tool ecosystem exist today

- PDF is an open standard

- PDFs are part of the web

- PDFs are page-oriented

"""

(abridged for readability, each of the bullet points are expanded in the document)


Thank you to the sibling content for quoting the headlines from my polemic, but yes, validated PDF/A is guaranteed to contain only static content with no tracking malfeatures and a vastly reduced attack surface compared to HTML5.

It’s hilariously impractical if your goal is to build a web application, so a direct comparison to HTML5 isn’t fair, but if you just want to publish information, PDF/A is state of the art.


> This is why I am in the process of migrating my website from HTML to PDF/A.

With tags for accessibility, I hope.


Yes. I use LibreOffice Writer to export Tagged PDF/A-2b.


[flagged]


You can very easily end up in that "minority". It's just an accident or disease away -- and if not, time and old age will get you anyway (presbyopia, motor decline, and so on).


[flagged]


>It is sad that you're so selfish

Is that how you've been taught to discuss?

With ad hominems, absolute self-certainty on your prioritizations, and pop psychology attacks?


A discussion is impossible when one side assumes the other is arguing in bad faith. You started from the assumption I need sight to navigate and when I pointed out I don't you doubled down on sanctimoniousness.

Again: why should the needs of the few trump the needs of the many?


>You started from the assumption I need sight to navigate

Yes, and it was a legitimate assumption, given that your comment implied as much (speaking of those people as a minority in the third person, saying "who cares" about those, etc).

There certainly wasn't any "I am a person with accessibility issues myself, and I consider open formats for the majority more important than accessible content" implication.

>Again: why should the needs of the few trump the needs of the many?

First, disabled / elderly etc. people being able to have access to content, knowledge, entertainment, isn't just some random small thing we can just toss aside. Nor does it concern some insignificant minority we could ignore with minimal loss.

Second, putting out unaccessible PDF content is 100% certain to be problematic for people with accessibility needs.

Whereas having HTML instead of PDFs (the latter being what the grandfather suggested and you supported) is far from certain to make people "serfs" (which is a loaded metaphor from feudal times) or to be of much significance.

If anything HTML is open source and free, and implementing a browser to read basic HTML (as opposed to full WPAs) is trivial - more trivial than PDF for that matter, and with more FOSS browser engines in existence, from full-on to minimal like Links. So even at the basic factual level the concern is misplaced.


>Second, putting out unaccessible PDF content is 100% certain to be problematic for people with accessibility needs.

That's where you're wrong. A plain PDF/A is the simplest thing to scrape for text.

You know what is a nightmare to deal with? Html with javascript: https://www.dailymail.co.uk/home/index.html

Try a screen reader on the above nightmare and tell me what you hear. For me it's: iframe-iframe-iframe-iframe-iframe-iframe-iframe-iframe-iframe... turning it into a png and trying to scrape text doesn't help because there is literally zero predictable structure to the text, is it one, two, three or 8 columns wide? Depends on where in the page you look.

So again, thanks for the outrage, but we don't need people like you who don't understand the first thing about what we go through defending us and shitting on people trying to make the world better.


Since you’re a screen reader user I’d appreciate feedback on the aforementioned PDF website:

https://www.lab6.com/0

I did very brief testing using an iOS screen reader and it worked OK but didn’t really expose any of the semantic tags.


    s/not because it easy/not beucase it's easy/g
    s/that ISO want 198/that ISO wants 198/g

Other than that 10/10. As readable as hacker news on my setup.

The only way that can be better is if you wrote it as pure text.

If you follow basic formatting like double new lines after headings and punctuation most screen readers do a better job of giving you the semantic information by breaks and tones than the always broken 'semantic tags'.

Put it another way, would you want to read raw html to make sure that what you thought was a <p> was actually a <pre>? That's what I get whenever I try and use those. Again a solution by people who don't need to eat their dog food.


This is a really good point. The endless and often needless churn in software creates a treadmill effect, making it really hard for open source and smaller companies to keep up. It inherently favors large players with deep pockets able to employ vast numbers of developers.


Buddy just post one big PNG.


Unfortunately the way he describes the "Ulysses Pact" is fantasy. He makes it sound like it would be just like today, except a savvy user could sideload Signal for example if Apple was compelled to remove it. What would _actually_ happen is a long list of companies would say "brilliant, we don't have to conform to the app store guidelines any more" and go sideload-exclusive. Within a matter of months it would be common for users to have both official and unofficial app stores, sowing widespread confusion, and UX would go to pot while apps run in the background, chew up battery and take advantage of undocumented/buggy APIs to track users or steal data.

The warlord analogy is a good one. It's a tough nut to crack. The only defensive mechanism that's actionable for the average user is to keep as much data as possible offline. Sure, if Apple wants to they can ship code that exfiltrates data off my external USB hard drive, but that's way beyond the threat model we're discussing today.


"What would _actually_ happen is a long list of companies would say "brilliant, we don't have to conform to the app store guidelines any more" and go sideload-exclusive"

This hasn't happened in Android, why do you think it would happen with Apple?


It hasn't happened on the Mac app store either. If anything it's put pressure on Apple to make the Mac app store a better experience for developers and users. It's only where users have no option as on iOS that Apple has been able to really abuse its power.


Because Apple’s policies are so much more restrictive, particularly around background modes and streaming games.


It has happened on Android.

Most importantly, Malware creators can just convince people to enable other sources. Most users don't understand the significance.


So what you're saying is you are willing to sacrifice personal privacy and security so that technically illiterate people can have a good user experience?

I understand that from Apple's perspective, but I, personally, couldn't care less about the battery life on someone else's phone. I feel like the market would sort it out, probably with optional walled gardens. That's better, no?


> So what you're saying is you are willing to sacrifice personal privacy and security so that technically illiterate people can have a good user experience?

Well, yes. Who is this for if not the tech-illiterate? I’ll be fine. I can use PGP and Tor if I want to.


I dunno, Android has had sideload capabilities forever - all you need to do is to go to settings and check the checkbox. But still, most people only use Google's store.

Even Chromebooks, which are super locked down by design, have "developer mode". It needs to be activated via an obscure process, and when active it shows a warning screen on every boot, but it is still there.


The diagnosis is correct, but the prescription is lacking. His technical idea is fine, but this is a political issue that cannot be solved by technical means alone.

If any 'warlord' implemented Doctorow's idea, they'd just weaken themselves. Eventually the legal and financial incentives will ensure the 'warlord' returns to form or is replaced. There's no replacement for a political pressure campaign to make digital neofeudalism obsolete by changing the relevant laws.


> There's no replacement for a political pressure campaign to make digital neofeudalism obsolete by changing the relevant laws.

https://thehill.com/hilltv/what-americas-thinking/494602-pol...

Sixty-nine percent of registered voters in the April 19-20 survey support providing Medicare to every American, just down 1 percentage point from an Oct. 19-20, 2018 poll, and within the poll's margin of error. Support among independent voters was steady at 68 percent. However, support among Republican voters declined 6 percentage points over the course of two years, from 52 percent support in 2018 to 46 percent in 2020.

I doubt you'll find many issues as fundamentally important and with as much bi-partisan support as Medicare for All, and no politician is ever going to actually try to get that passed, despite what they may claim on TV or the campaign trail.

I am afraid we will have to find a way to be content with the legislation that is chosen for us by the Reality TV political system we allowed to form while we weren't paying attention.


Reminds me a bit of "Serving at the Pleasure of the King" - Coding Horror, 2011

https://blog.codinghorror.com/serving-at-the-pleasure-of-the...


> If Microsoft added a feature to Windows that duplicated a popular application's functionality, developers would be screaming bloody murder

Jeff had already forgotten ten years ago that we did, in fact, scream bloody murder. They kept doing it. For decades. And now they wonder why there are people who will never cut Microsoft a break for anything.


I'm a little bummed that this repeats the standard Apple-vs-the-FBI (in the San Bernardino shooter case) false narrative.

Apple provided all of the shooter's phone data, unencrypted and available to Apple thanks to the non-e2e iCloud Backup (on by default on every iPhone) to the FBI.

The whole "Apple is naughty and won't unlock it for us!" narrative was a coordinated marketing effort carried out by Apple and the FBI following the Snowden/PRISM thing.

Apple doesn't need to backdoor the phones. iOS uploads a complete backup of the phone's data, effectively unencrypted (in that it's encrypted to Apple and Apple can decrypt it at any time they wish without the user, their pin, their password, or their phone) every night when it's plugged in.


I love the idea of a Ulysses Pact. Something like https://support.apple.com/en-us/HT202491 would be good. I note that while right now there’s no way to override the malware safeguards, Apple's promising to fix this. (I believe that update was made after this article was written, btw.)

Now: it’s absolutely true that Apple could change their mind. Given that possibility, I understand why someone might prefer to avoid Apple. I'd be sincerely interested in some thoughts on how you can make such a Pact enforceable, or do you just have to take it on a case by case basis?


> there’s no way to override the malware safeguards

There technically is, because Macs don't come with locked bootloaders, and, you know, system files aren't exactly burned into one-time programmable memory. I mean, you could patch the binaries and have it your way if you really want to. But in reality you don't even need to do that — you only have to completely disable SIP and change the kernel arguments (something like `amfi_get_out_of_my_way=1` iirc) to disable signature verification altogether.


TIL! Although I’d argue it has to be accessible by my mom before it’s really useful.


The only path that makes me hopeful involves a combination of 1. FOSS software (i.e. forkable when the warlord misbehaves) 2. user owned / governed networks, so the warlord can't easily get extractive against their users.


You are forgetting the importance of open hardware; in an ideal world we shouldn't need to install Libreboot to fight proprietary drivers and firmware that can be turned against you any second.


Classic feudalism: The king offers lands for loyalty, army and better development of his lands.

Modern feudalism: extend land to everything that generates revenue.


Is it impossible to use a MacBook (? Apple laptop thingee) without an Internet connection?

Seems very odd to me.


No, it will function just fine. Just verified with my MacBook Pro 2019 on OS 11.


It would be great if there were a way to ally with multiple 'warlords' to achieve security without having to trust just one of them. It should be possible since there's the hardware level, the OS level, and the application level. At least for computers, it should be possible to build an alliance that doesn't require you to put too much trust in any single warlord.

Of course on mobile, there's so much vertical consolidation (especially on iOS) that you just have to pick one warlord.

EDIT: curious about the downvotes — what part of this do people disagree with? That it would be good to not be stuck with this dilemma? That mobile is vertically integrated?


He's a very eloquent writer.

As far as I know, the door isn't quite shut on macos, and maybe a ulysses pact is sort of in place.

But if they could do that for ios, I would be so. happy.


I only see two differences between MacOS and iOS: kernel development is allowed on MacOS, and running self-signed code doesn't delete itself even if you don't pay like it does on iOS. Running unsigned code doesn't exist on MacOS anymore with Big Sur, unless you self-sign everything. Stop kernel development (going to be "higher friction" going forward) and a daemon to delete self-signed code, and it's iOS.

Allowing neutral parties to do app-signing for Chromebooks, Windows 10 S or i/MacOS (the way SSL-certs are issued and trusted by browsers, Mozilla App Store anyone?), alternative app stores (iOS), alternative signed-OSes on hardware (Oculus) are all Ulysses pacts that Apple, Google, Microsoft, Facebook and others could do.


I thought you could still disable stuff on macos and then run your own code to your heart's content. You know, boot into recovery and turn stuff off. Is that not true with Big Sur?

On the other hand, there is no procedure like this on ios. I think you can run your own code, but you need an apple id (therefore apple's permission) and you can only run code for 7 days.


You can, even on the M1. It's more annoying now, sure, but still possible. Apple's been very clear that kernel extensions are going the way of the dodo, eventually, though - developers should be moving to DriverKit/etc.

In truth, it's actually a better system. Slowly becoming more of a hybrid/micro kernel.


"for wide is the gate, and broad is the way, that leadeth to destruction"


NixOS everywhere is the only thing to me that feels like enough sovereignty that good security is possible.

Tons of Free Software is too complex or just too shitty to be secure (not that proprietary software is better though!), but at least I am in full control of that which I need to fortify.


Interesting take but it's missing the other part of feudalism: the Catholic Church.

Today we don't have one monolithic church but we do have a very large number of priests who can excommunicate you over nothing at all. The larger outside of the centres of power you get, the juicier target for these people you get.

This has gotten so bad that Linus of Linux fame has to have a literal guard around him at all times as to not be accused of rape: https://www.theregister.com/2015/11/06/linus_torvalds_target...


At Qbix, we have recognized the Feudal nature of Web 2.0 for a while. You can talk about this for years and years (as people have done with UBI and other things) or you can build the solutions. The same way that talking about vegetarianism is never going to convert people as much as the Impossible Burger, an actual meat alternative, ever will.

About 20 years ago, the original Web 1.0 disrupted AOL, CompuServe, Prodigy etc. which were walled gardens. It unleashed trillions in value through new business models like SaaS and E-Commerce. But there is no good open source alternative these days to the Web 2.0 feudal lords, including Google, Facebook, etc. Because it's harder to do.

Without sounding overly cocky, I think we are perhaps the closest to doing it. You can see for yourself at https://qbix.com/token (you can ignore the token part, as it's optional, but it's basically building a micropayment monetization model for digital content, including journalism and open source software, on the new open source Web 2.0)



