• 2 Posts
  • 21 Comments
Joined 2 years ago
Cake day: June 8th, 2023




  • The death of the device and the return of the system.

    A device is a sealed thing provided on a take it or leave it basis, often designed to oppose the interests of the person using it. Like hybrid corn, a device is infertile by design: you cannot use a device to develop, test, and program more devices.

    A system is a curated collection of interchangeable hardware and software parts. Some parts are only compatible with certain other parts, but there is no part that cannot be replaced with an alternative from a different manufacturer. Like heirloom seeds, systems are fertile: systems can be used to design and program both other systems and devices.

    A system is a liberatory technology for manipulating information, while a device is a carceral technology for manipulating people.


  • Alice is a pretty good 3D programming environment aimed at kids, with little programming blocks to snap together.

    You might want to try going back into the archives and pulling out something like MS-DOS and QBasic, or Logo. You can find a good tutorial in book form, and you can get a system that was designed to be programmed offline, with things like local help in the editor instead of behind a Google search, so it should be 100% safe to leave the kid alone with the machine.








  • I’m struggling to understand how there can be so many security flaws, even in things that don’t seem to matter for security. I think the bar for a security problem might be too low; a lot of these look like footguns that could give my package a security hole, rather than genuine security flaws in the packages they are reported on.

    Here’s a progress bar package with a “high” security vulnerability because it contains an internal utility that merges objects and doesn’t stop you writing to the prototype. Did the progress bar package ever promise to provide an object merge function that was safe to use on untrusted user input?

    Here’s a notification UI element that bills using HTML in your notification messages as a feature. It has a “medium” level “XSS” security vulnerability where the message parameter is not sanitized to remove HTML. A CVE was issued for this.

    Here’s an arbitrary code execution vulnerability in sqlite3! High severity! The bug is that, if you tell sqlite3 to substitute an object into an SQL statement, it will run the ToString() method on the object. If an evil hacker has broken into your lead developer’s house and written a malicious ToString() method into one of the classes of object you use as a database query parameter, then that code would run! The fix here was, instead of letting the normal JavaScript stringification rules apply, to hardcode all objects to be inserted into the database as “[object Object]”, because surely that is what the programmer meant to store.
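
Added example, not part of the original comment and not code from any of the packages it mentions: a recursive merge of the kind described (it "doesn't stop you writing to the prototype") next to a hardened form, run on the same input. The function names and the sample options object are constructed for illustration.

```javascript
// Constructed input: options as they would arrive from JSON.parse on untrusted
// text. JSON.parse makes "__proto__" an ordinary own key, so a merge visits it.
const untrusted = JSON.parse(
  '{"style": {"width": 40}, "__proto__": {"isAdmin": true}}');

// Naive recursive merge (hypothetical): follows any key, including
// "__proto__", which resolves to Object.prototype on the target.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skips keys that reach the prototype chain and only
// recurses into objects the target owns itself.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge the untrusted options into defaults, then check whether an unrelated,
// freshly created object has picked up the injected property.
function demo(merge) {
  const merged = merge({ style: { color: 'green' } }, untrusted);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // restore global state between runs
  return { width: merged.style.width, color: merged.style.color, polluted };
}
```

Both merges produce the same `style` result; only the naive one leaves `isAdmin` visible on every object in the process, and only when its input is attacker-controlled.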





  • Yes, the document from the county administration would be much better than some “magic” contract from the internet that may or may not be enforced by the county.

    If the magic contract from the Internet is not actually likely to be enforced by the county, then the county is not actually using the magic Internet contract system. If the system were adopted by the county, then the official records from the system would be known to be enforceable.

    I sound like I am for and against blockchain because I am. I don’t think you can stand up any existing blockchain system and start slapping government functions onto it and get a good result. People won’t understand it well enough or have sufficient resources to be true peers in the system, and if they did it wouldn’t scale very well.

    But I do think that governmental systems can be improved by taking inspiration from blockchain technology and drawing on its underlying philosophical principles of accountability and consensus.



  • If you don’t have a system of law that even its designated enforcers are obliged to follow, you don’t have a legitimate government, you have a mafia.

    The easier it is to make cases where a law is broken common knowledge, the easier it is to gather the political will to enforce the law. That mechanism is what obliges the enforcers to actually follow the law, and it can work more or less well depending on the structure of the society, the relative power of different groups of people, and the communication technologies in use. If the President guns someone down in broad daylight, they get thrown out more often if you have a reputable newspaper than if you don’t. An election is a convenient substitute for everyone trying to kill each other until we find out who is left.

    Blockchains are one technology for establishing common knowledge among a group of participants. They’re not magic, they don’t even usually work particularly well. But they do offer techniques for binding the administrators of systems of rules to actually follow those rules, which have the potential to be applied more broadly.



  • One of the good things about using a blockchain system is that it forces you to set out and follow a set of programmatic, and thus at least minimally fair, rules for how the system is going to work. It means you are running on some kind of rule of law, and for it to work everyone involved has to be able to replicate the history of the system and agree that it is correct.

    It seems a fairly natural fit for something like land, especially in the US, where we know for a fact that huge swathes of it were seized in the past from Native Americans, or revoked after being given to Black folks at the end of the civil war, or otherwise moved around by the government in suspiciously ad-hoc ways that we have later come to regret.

    If you can design the entire system to grind to a halt if rights are not respected or someone tries to rewrite the rules on the basis of they have the guns, it could be a powerful force for the rule of law and the maintenance of a consensus reality.


  • A central database would be just a list of all the land and who owns it.

    Right now, the deed system is a bunch of deeds that say “remember when I got this land, on page 302 of book 75 in the county recorder’s office? Well now Jimantha owns it actually, since they bought it from me for ten dollars and a peppercorn.” This is great for accountability: it lets you trace ownership history and provides a piece of evidence to substantiate every transfer, and so helps you answer inconvenient questions like “why should you own that house when it was my grandmother’s house and I want to own it?”. It also lets you roll transfers back if they are found to be fraudulent, and neatly captures how all current ownership is contingent on the theft of the whole place from any dispossessed original inhabitants.

    This is also basically how ownership works in many current blockchain systems: you select something you own based on the transaction that gave you ownership, and then you say who should own it now in a signed message.

    But the blockchain systems verify signatures cryptographically, whereas the county recorder verifies the authority to transfer stuff on the “you think someone would just tell lies? On the Internet?” principle. And the centralized database doesn’t even keep the transfers around for review, it just has the database operator in charge of who owns any given thing at the moment.

    Would you rather walk up to a grumpy person with a shotgun and demand that they move out while brandishing a printout of an SQLite database recently recovered after the ransomware attack at the county administrative building? Or with a deed with their spouse’s signature on it?

    Then the problem is to make the deeds more machine-readable, and to get better at not putting in deeds from people who have no business writing to that part of the ledger, for which pieces of blockchain technology might be useful.
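
Added example, not part of the original comment: a toy chain of deeds in which each transfer cites the deed that gave the signer ownership and is accepted only if the owner of record signed it. The party names, the parcel id, the `county` root grant and all function names are assumptions made for the illustration; it uses Node's built-in `crypto` module with Ed25519 keys generated at run time.

```javascript
const { generateKeyPairSync, sign, verify, createHash } = require('node:crypto');

// Constructed parties with fresh Ed25519 keys; the names are illustrative only.
const keys = {};
for (const name of ['county', 'seller', 'jimantha', 'mallory']) {
  keys[name] = generateKeyPairSync('ed25519');
}
const hash = (text) => createHash('sha256').update(text).digest('hex');

// A deed cites the deed that gave the signer ownership and names the new owner.
function makeDeed(signer, prev, parcel, to) {
  const body = JSON.stringify(
    { parcel, prev: prev ? hash(prev.body) : null, from: signer, to });
  return { body, sig: sign(null, Buffer.from(body), keys[signer].privateKey) };
}

// Replay the history: every transfer must cite the previous one and carry a
// valid signature from whoever the previous transfer made the owner.
function ownerOfRecord(chain, root) {
  let owner = root;
  let prevHash = null;
  for (const deed of chain) {
    const d = JSON.parse(deed.body);
    if (d.prev !== prevHash) throw new Error('deed does not cite the previous transfer');
    if (d.from !== owner) throw new Error(`${d.from} is not the owner of record`);
    if (!verify(null, Buffer.from(deed.body), keys[d.from].publicKey, deed.sig)) {
      throw new Error('signature does not verify');
    }
    owner = d.to;
    prevHash = hash(deed.body);
  }
  return owner;
}

const grant = makeDeed('county', null, 'lot-302', 'seller');
const sale = makeDeed('seller', grant, 'lot-302', 'jimantha');
// A deed signed with a valid key by someone who never held the parcel.
const forged = makeDeed('mallory', sale, 'lot-302', 'mallory');
// The genuine sale with the recipient edited after signing.
const tampered = { body: sale.body.replace('jimantha', 'mallory'), sig: sale.sig };

function tryChain(chain) {
  try { return ownerOfRecord(chain, 'county'); }
  catch (e) { return 'rejected: ' + e.message; }
}
```

`tryChain([grant, sale])` resolves to the buyer, while the chains containing `forged` or `tampered` are rejected during replay, which is the check a plain "current owner" table cannot perform.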