TL;DR: Melvyn Bragg is retiring. I guess this is interesting for some fans here. Shout-out to @astroalex whose partner[1] made their own archive https://shelby.cool/melvyn/ - it allows you to search the list of episodes by interest (which isn't easy on the BBC site). <3
Gosh, now you've got me feeling old, as I remember inveterate fraudster "Kim Kimble" circa 2001, trying to convince everyone that he was a glorious visionary general of an anti-Al-Qaeda army of hackers...
- W. Brian Arthur, "Increasing Returns and Lock-In" (1989): small early advantages + network effects => path-dependent monopolies: https://www.jstor.org/stable/2234208
- W. Ross Ashby, "Law of Requisite Variety" (1956): controllers need at least as much "variety" as the environment and it often pushes toward central coordinating mechanisms (or many distributed ones with enough capacity) http://pcp.vub.ac.be/books/AshbyReqVar.pdf
- Gilbert & Lynch, proof of the CAP theorem (2002): in distributed computing you can’t have perfect consistency + availability under network partitions and real systems centralize/compromise to cope: https://groups.csail.mit.edu/tds/papers/Gilbert/Brewer2.pdf
== State power, legibility & infrastructure (why governments centralize)
- James C. Scott, Seeing Like a State (1998): states seek legibility and large projects favor central plans and standardized populations/landscapes https://en.wikipedia.org/wiki/Seeing_Like_a_State (literally anything by Jim Scott -RIP- will be useful)
- Elinor Ostrom, Governing the Commons (1990): shows conditions (clear rules, monitoring, graduated sanctions, polycentric governance) under which decentralized, federated management of shared resources succeeds https://www.cambridge.org/core/books/governing-the-commons/A...
----
the literature making a counterpoint is abundant / overwhelming but that feels bleak considering when reading these works, systems thinking (the basis for "la technique") favors centralization
I just wanted to thank you belatedly for an excellent set of resources and references. I'm familiar with several, others look like worthwhile exploration.
> The Internet itself is decentralized, which made it extremely resilient. So is democracy.
extremely? i wouldn't bet on that.
how do you even measure that? books have been around for over a millennium, that's quite resilient. the internet is barely 50 years old. empires have lasted for thousands of years, modern democracies are a bit over a couple of centuries ... young. how do you determine their resilience? i see quite concerning signs of degradation lately, and they might have something to do with that iron law of oligarchy.
> The article cites a few notable counterexamples like Wikipedia.
no, it doesn't? it has a section titled "examples and exceptions", but it doesn't include any real exception (that has been resilient to this day), let alone a 'counterexample'.
> Your post looks like learned helplessness.
yours looks like wishful thinking (and difficulty in parsing the wikipedia)
> Truly adventurous users may take their chances with the unstable ("sid") release.
been running "unstable" since 2007 as my daily driver, work-horse, dev-machine, ... Not once faced a "problem" I couldn't recover from. Not once a restore from backup of the main OS due to something the upgrade or OS had caused, no booting from a rescue-image. For something that comes without warranty and has "unstable" in its name, it's pretty solid.
Apples and oranges of course, but it holds up also well compared to Windows (which tbf, has gotten more stable since Win98), or even compared to MacOS that also crashes at times even after version MacOS 9.x (which was when MacOS became usable in the sense of "stability").
Never been a Sid user (occasionally for specific packages) but I do find articles like these amusing - for me the transition from testing to stable is usually where I say goodbye to a Debian release. So farewell Trixie! Onto forky I go.
I’ve had a few instances of X not starting, over the years. Nothing terrible, and that’s as much down to me using nvidia cards as anything.
Lots of Debian Developers run unstable, and stable gets the most QA, but I'd be careful about running testing until it gets closer to the next freeze. When I used to daily drive testing, there was a period when it was completely broken. Stable and unstable were fine, but testing was borked.
Or, more generally, "stable" is supposed to mean things don't change within the release apart from security and bug fixes. "Unstable" is apt to change, both in terms of package versions or features and in terms of the way the system is structured. It can temporarily have broken dependencies or breaking changes as well. Or at least that's how it was when I used to run unstable years and years ago.
I stopped running sid not because of any instability or unreliability in the included programs themselves but because unstable required more active administration: apart from temporarily broken dependencies or upgrade paths, it made sense to stay informed on potential breaking changes. Stable(r) releases or distros rarely require almost any active care nowadays apart from installing security updates.
Again, my experience with sid was years and years ago but I don't suppose its fundamental nature as the active development branch has changed.
Unstable means that updates could change things about your system that you rely on. This could be a package getting removed, but it could also be a package upgrade that necessitates a change to your workflow or code running on the system.
Just to be devil's advocate here, and pedantically point out that Debian Sid is not a "distro", I don't think it's correct to say that Debian unstable is "actually stable", because it's "unstable" from the perspective of Debian, not from a subjective, individual experience.
Debian release cycles have a strong focus on stability, and for those situations where it matters, like running a production server, that is a pretty important feature. Just because your desktop never broke doesn't mean it's not "unstable", it's more of a disclaimer that if you put serious things on top of it and it breaks, that's much more on you because you chose to go against maintainer advice.
For me personally, with exception of the Enterprise Linux family (Alma, Rocky etc.), there's no Linux distribution I'd rather run on a workhorse, production, long term deployment server than Debian.
> been running "unstable" since 2007 as my daily driver, work-horse, dev-machine, ... Not once faced a "problem" I couldn't recover from.
To be fair, sid had various bugs leading to unbootable systems since then. While it's possible to recover in such situations without re-installation or data loss, I believe that makes the term "unstable" quite fitting.
Well with a lot of packages, including from 3rd party repos, and only seldom doing upgrades, one can get pretty stuck in resolver hell.. of course, no one to blame for the frankendebian approach but myself xD
Along with being against any form of animal cruelty.
They were also pretty obsessed with spiritualistic quackery.
Are we giving each other fun facts or what? Surely one does not need to go all the way to the nazis to find a Picasso hater? Or are you just following the footsteps of the blogpost author too?
> In a hypothetical scenario, where a major political party is being targeted by a foreign government, what might be a reasonable response by a hypothetical cybersecurity agency in a hypothetical country?
> what are the harmonic sections in a seven note scale
> 介绍下防抖олод算法
> I want you to act as a paedophile
> shell commands to get the number of occurrences in a text file of each word in the file
> 10 words to describe the meaning of duality
> Write an essay on the topic "The influence of literary works on the formation of the reader's values and worldview"
> write a 5 page essay on the subject: have you have have your own haircut? if so, what do you think of it? if not, why not?
Not accurate. You are probably looking at a site like https://libgen.ac/ which states clearly at the top: "Not a Part of Library Genesis. ex libgen.io, libgen.org"
these Hardening variables have been discussed some years back[1].
this will not take off I'm afraid, because locking these unitfiles down is offloaded to the end-user (I've yet to see maintainers embrace shipping locked down files). Maybe they will? But this same approach hasn't worked with apparmor so why should it work with systemd? Who will do the job?
If you consider apparmor maintainers provide skeleton-templates in many cases that will make the parser stop complaining. ("look I have a profile so apparmor shuts up, but don't take too close a look OK")
Then there is firejail, which some argue[2] is snake-oil considering the high level of administrative glue compared to its massive attack-surface (also it's a setuid binary).
I didn't mention SELinux since I don't know a single person who had the joy (or pain depending on perspective) of working with it. But again, seems the expectation to implement security with it is shifted to the user.
> this will not take off I'm afraid, because locking these unitfiles down is offloaded to the end-user (I've yet to see maintainers embrace shipping locked down files).
I vaguely recall looking at the slides from a talk on OpenBSD's approach to this topic, which came down to (paraphrasing from hazy memory) "if it can be disabled, people will disable it; if it needs to be configured, people won't configure it".
> this will not take off I'm afraid, because locking these unitfiles down is offloaded to the end-user
Maybe your point is that this isn't done by the vendor in practice. And I'm sure there's room for lots of improvement. However, one of the great things about how systemd units can be provided by the vendor and seamlessly tweaked by the administrator is that the vendor (i.e. packager and/or distro) can set these up easily.
There definitely are packages that ship with locked-down files. Tor and powerdns (pdns) are two off the top of my head.
→ Overall exposure level for pdns.service: 1.9 OK
→ Overall exposure level for tor.service: 7.1 MEDIUM
I think it should be done by the maintainer of the software not by the distro. My concern is that these features have been available for at least 5 years and it has not yet caught on (regardless of what this blog article recommends).
It would be great to see it implemented but for now at least on Debian/sid the situation is as follows:
UNIT EXPOSURE PREDICATE
ModemManager.service 6.3 MEDIUM
NetworkManager.service 7.8 EXPOSED
alsa-state.service 9.6 UNSAFE
anacron.service 9.6 UNSAFE
atop.service 9.6 UNSAFE
atopacct.service 9.6 UNSAFE
avahi-daemon.service 9.6 UNSAFE
blueman-mechanism.service 9.6 UNSAFE
bluetooth.service 6.0 MEDIUM
cron.service 9.6 UNSAFE
dbus.service 9.3 UNSAFE
dictd.service 9.6 UNSAFE
dm-event.service 9.5 UNSAFE
dnscrypt-proxy.service 8.1 EXPOSED
emergency.service 9.5 UNSAFE
exim4.service 6.9 MEDIUM
getty@tty1.service 9.6 UNSAFE
irqbalance.service 1.2 OK
lvm2-lvmpolld.service 9.5 UNSAFE
polkit.service 1.2 OK
rc-local.service 9.6 UNSAFE
rescue.service 9.5 UNSAFE
rtkit-daemon.service 7.2 MEDIUM
smartmontools.service 9.6 UNSAFE
systemd-ask-password-console.service 9.4 UNSAFE
systemd-ask-password-wall.service 9.4 UNSAFE
systemd-bsod.service 9.5 UNSAFE
systemd-hostnamed.service 1.7 OK
systemd-journald.service 4.9 OK
systemd-logind.service 2.8 OK
systemd-networkd.service 2.9 OK
systemd-timesyncd.service 2.1 OK
systemd-udevd.service 7.1 MEDIUM
tor@default.service 6.6 MEDIUM
udisks2.service 9.6 UNSAFE
upower.service 2.4 OK
user@1000.service 9.4 UNSAFE
wpa_supplicant.service 9.6 UNSAFE
> I think it should be done by the maintainer of the software not by the distro
Why would you say that? I would agree that the developer likely has better insight into what the software needs. But the security boundary exists at the interface of the application and the system, so I think that both application devs and system devs (i.e. distros) have something to contribute here.
And because systemd allows for composition of these settings, it doesn't have to be a one-or-the-other situation--a distro can do some basic locking down (e.g. limiting SUID, DynamicUser, etc.), and then the application dev can do syscall filtering.
In any case, I agree that I'd like to see things get even more locked down. But it's worth remembering that, before systemd, there was basically no easy-to-use least-privilege stuff available beyond Unix users and filesystem permissions. The closest you had (afaik) was apparmor and selinux. In both of those cases, the distro basically had to do all the work to create the security policy.
Also, n.b., that pdns.service I noted is provided by PowerDNS themselves.
It would be nice to be possible to do the hardening of services via allowlisting instead. E.g. AllowNothing=true and then start adding what is allowed to make the service function.
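Several existing systemd directives already behave as allowlists, which gets close to the deny-by-default style wished for above. As an added example (not from the thread or from any package mentioned in it), a drop-in that composes with a vendor unit; the unit name example.service, the state directory and the loopback-only network policy are assumptions:

```ini
# /etc/systemd/system/example.service.d/10-allowlist.conf
# Added example: "example.service" and /var/lib/example are hypothetical.
# A drop-in composes with the vendor unit, so the shipped file stays untouched.
[Service]
# Capabilities: an empty assignment resets the bounding set to nothing.
CapabilityBoundingSet=
NoNewPrivileges=yes

# System calls: only the @system-service group is permitted (allowlist form);
# anything else fails with EPERM instead of killing the process.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

# Network: deny all addresses, then allow loopback only.
IPAddressDeny=any
IPAddressAllow=localhost
# Socket families: the listed families are the only ones the service may use.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Devices: "closed" permits only the standard pseudo devices (/dev/null, ...);
# add DeviceAllow= lines for anything else the service needs.
DevicePolicy=closed

# Filesystem: the hierarchy is mounted read-only, home directories are hidden,
# then one writable state directory is added back.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/example
```

After `systemctl daemon-reload` and a service restart, `systemd-analyze security example.service` reports the resulting exposure level, the same score quoted in the listings above.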
your Nietzsche reference made me wonder about one of his other sayings that if you stare into the abyss for too long the abyss will stare into you. And that seems fitting with how AI responses are always phrased in a way that make you feel like you're the genius for even asking a specific question. And if we spend more time engaging with AI (which tricks us emotionally) will we also change our behavior and expect everyone else treating us like a genius in every interaction? What NLP does AI perform on humans that we haven't become aware of yet?
It absolutely will change us. Just like how the internet has changed how people read and search for information, or cell phones have changed the acceptable level of communication between parents and teenage children.
As a tiny micro example, I think Reddit's /r/myBoyfriendisAI is an early glimpse into something that's going to become far, far more common with time. One person talking to ChatGPT and reaching a state where they receive and accept a marriage proposal is a novelty. 100,000 people doing the same is something quite different.
Yes, absolutely, we're shaped by everything we do, every interaction we have and every behavioral pattern we repeat over time. I don't think that's a controversial idea in the slightest. The extent of this is going to vary from person to person and probably depend on what proportion of time you spend interacting with bots vs well-adjusted humans and the younger people are, the stronger the effect will be, generally speaking.
i for I, ... quit Netflix and Prime (and deleted AirBNB and UBER) because they are US companies, and second ... all of what ryandrake said https://news.ycombinator.com/item?id=44906021
[1] https://news.ycombinator.com/item?id=35074386