Hacker News: micaksica's comments

> This crappy voting system didn't write itself.

One of the downsides of programming being easily accessible and easy to get a job in is that there is no required standards body to write code. There's no way to fix this. The best you can do is refuse to hire people that worked on these or similar systems, and I'm sure they will find jobs somewhere within the government-contractor software engineering space.


> One of the downsides of programming being easily accessible and easy to get a job in is that there is no required standards body to write code. There's no way to fix this.

I guess that's what I was getting at. There never used to be a standards body for civil engineers, either, but after a while society got tired of bridges falling down and buildings collapsing. When will we get to that point with computer software?

It's kind of funny (or sad) that barbers and hair stylists need a license, but software engineers don't.


It isn't sufficient that people are upset about problems caused by people in a profession/trade. Instead, a major source of regulation is the professionals/tradies themselves. "I spent five years at university, so they should too." "I'm a member of the Association of Software Professionals, so they should be too".

Since there's an unhealthy obsession with libertarian small government in software circles, it seems relatively unlikely this will happen any time soon. And we would rightly fear for our jobs if this happened, because I can't imagine the regulation applying to imported code.


IMO Occam's razor ends up here. Electronic voting systems do two things very well: obfuscate the system in a way that is relatively incomprehensible to a layman, and provide plausible deniability in the case of manipulation. Even if manipulation is discovered, you can chalk it up to a "bug" and re-run the manipulated election again. People are stupid, and most ordinary people only want to believe there's malice involved when they've run out of more pleasing cognitive options.

I believe that if this site enumerated all the ways that you can maliciously use computerized vs. paper voting systems, we would show a hell of a lot more benefits to a manipulator than a voter.


> IMO Occam's razor ends up here. Electronic voting systems do two things very well: obfuscate the system in a way that is relatively incomprehensible to a layman, and provide plausible deniability in the case of manipulation.

I think if you bring up Occam's Razor you also need:

1. Somebody gets to make money selling crap to the government

2. Somebody in government thinks it'll mean cost-savings


Occam's Razor is not a real logical principle. It would also lead to the conclusion that the reason not much of substance is ever done about computer security in general is because there is someone or some group who earnestly wants to see the rise of action-movie-style supervillains who can walk down the street and see society unwind into chaos around them as ATMs jackpot into the street, airplanes careen out of the sky, power stations blink and surge, all the doors to prison cells fling wide open, and modern cars lock the steering while maxing out the accelerator. Never attribute to malice what can be adequately explained by incompetence. And that's the case here. Electronic voting, if it were magically secure, would be cheaper and more accessible. And it would make some companies like Diebold a bunch of money. So of course it gets pursued.


That is more or less correct. It is a way for state governments to enable "their side" to win easier. It will get worse as the demographic shift continues to strangle the GOP's support in swing states.


> If I go see a doctor, I have no idea if I will end up with a $40, $400, $4000, or $40,000 bill until the bill comes months later and I have to pay it. NO IDEA.

This is what's really strange about the American healthcare system. For everything else in America you can either get a price up front or an estimate of total costs up front. Why should going to the doctor be any different than going to a mechanic? Pay advertised flat rates for issue diagnosis, and get estimates for the problem.

Yes, in cases of emergency you can't really shop around too much, but the majority of the time you're going to a doctor, you could at least call and get estimates of how much things will cost. It's not even possible to do this with most healthcare organizations. If you call your doctor's reception and ask "how much will it cost for this visit?" they'll tell you they don't do billing and they won't know until it's processed by insurance.

Price transparency in the healthcare market - or at least some decent estimate of it - would be a great thing to see. American healthcare is ridiculously inefficient because it appears wholly designed to be byzantine.


> This is what's really strange about the American healthcare system ...

It gets worse. Each entity in the system applies their own rules. eg a friend had an eye exam at the doctors and they took 11 months to bill[0]. The doctor group pointed out their small print says they have 12 months to bill. The insurance company had a shorter time frame and refused to pay. But it was a scam - the doctor had changed the diagnosis code to get more money, and the insurer would have refused to pay so they kept more money. My friend lost.

It is very easy to see which proposals will "fix" things. Look at which groups make less money due to the fixes (doctors, insurers, medical groups, equipment makers, drug companies etc). It is extremely rare for that to be shown, and all those groups will fight to keep what is "theirs".

> American healthcare is ridiculously inefficient because it appears wholly designed to be byzantine.

I like the word confusopoly https://en.wikipedia.org/wiki/Confusopoly

  Confusopoly is an economic and marketing term referring to a purposeful
  act by a seller or group of sellers to confuse the buyer in order to ease the sale
[0] those fortunate enough not to deal with USA healthcare are probably wondering how this could happen. The answer is that any visit now results in a blizzard of electronic and paper communication, including satisfaction surveys, "courtesy" statements with many dollar numbers all over them that don't add up, stuff telling you legal information, and more saying one party has done stuff (eg billed or paid) on your behalf but you are still liable if it doesn't all complete, co pays, deductibles, random others because of in and out network nonsense etc. And this is a superficial description - how would anyone know?


Or we could just have universal healthcare with government-set price controls, just like Japan does. The ultimate in price transparency. Everyone is healthier, lives longer, and it’s far cheaper.


I'd be fine with that, but I'm acutely aware living in the deep south that MANY people would not be happy with that. If we're talking about what's politically feasible within the US, "universal" healthcare is only really an option at the state level, or maybe with some federal maneuvering, as a multi-state regional coordination. It's simply not going to be accepted anywhere in the near-future on a national level.

For the parts of the country that are rabidly anti-universal healthcare, a more free market solution would be a nice consolation prize.


I disagree, I think they'd be extremely happy with it... as long as they were prevented from seeing the words "socialized" in any context around the program until they'd seen the benefits.

A large portion of the country working full time already has their employer offered health plans supplemented by Medicaid anyways.


There’s already tons of people on Medicare and Medicaid in red states and there hasn’t been an armed insurrection.

I think that working class people in these regions wouldn’t be averse to Medicare being expanded to include them. I’m sure the Republican Party base of upper middle income and wealthy whites would be, but again, not so much everyone else there. It’s a matter of how and what constituencies you recruit and activate.


> I think that working class people in these regions wouldn’t be averse to the program being expanded to include them

It’s so strange, the people who would most benefit from universal healthcare (and those that currently do, like Medicare beneficiaries) tend to be the strongest objectors to it, citing hard-to-understand ideological reasons.


> It’s so strange, the people who would most benefit from universal healthcare (and those that currently do, like Medicare beneficiaries) tend to be the strongest objectors to it, citing hard-to-understand ideological reasons.

It's not so strange if you allow yourself to question the assumption that they'd benefit from it in the first place.

Medicare is a great example. Patients can opt to receive their Medicare inpatient and outpatient coverage through a private plan instead of through the government-managed plan. Since this program was introduced, it's gained popularity rapidly; over a third of Medicare beneficiaries receive their benefits from private plans. Many private plans are the same price as Medicare or cheaper.

From the data, the private plans beat government-managed plans on the three major metrics: medical outcomes, cost, and patient satisfaction. On the last one, the difference isn't even close: the worst of the major private plans (by patient satisfaction scores) still manages higher scores than Original Medicare does.

People who haven't ever dealt with Medicare themselves directly (which includes most HN commenters) find this hard to understand, but it really isn't: dealing with Medicare is awful. I could give you my personal anecdotes, but they'd overfill the comment length on HN, and again, at the end of the day, the numbers speak for themselves. Medicare beneficiaries themselves are turning to private plans to replace their government-managed plans, so it's really not surprising if they're not the biggest advocates of expanding government-managed plans.


The private plans you refer to are mainly either simply administrators (the government pays them to administer the benefits) or supplemental providers or both. And their existence and popularity has more to do with their sponsorship by insurance funded politicians than anything else. Dealing with these administrators isn't generally better or worse than dealing with the government directly. Exceptions exist, but that goes without saying.


> The private plans you refer to are mainly either simply administrators (the government pays them to administer the benefits) or supplemental providers or both

No, they're much more than that.

> And their existence and popularity has more to do with their sponsorship by insurance funded politicians than anything else.

The programs are cheaper, provide better medical outcomes, and patients prefer them.

That doesn't mean they're perfect, but you have to bend over pretty far backwards to say that they're inferior and only popular because of "insurance-funded politicians".

> Dealing with these administrators isn't generally better or worse than dealing with the government directly. Exceptions exist, but that goes without saying.

It is monumentally easier to deal with private insurers than to deal with an Original Medicare plan.


59% of people support Medicare for All and 75% a public option. When phrased as "Medicare-for-some," support among GOP voters is 64%.

It’s a corporate-controlled media narrative that these things are unpopular.

http://www.businessinsider.com/poll-medicare-for-all-public-...


Be careful interpreting polls. Question wording bias is very powerful. If you ask them whether they’d be willing to pay higher taxes for Medicare for all, it’d be much less popular. Just like how a huge majority support renewable energy in surveys, but the same overwhelming majority refuses to pay even 5% more for electricity.


Which only shows that opinion on these issues is malleable and not ideologically-fixed, as many would like to portray them. Understanding your constituency and being successfully persuasive is a fundamental part of any politics.


> Unbelievable that these companies take security for their prized assets way less seriously than I do.

A lot of engineering teams unfortunately see strong security as a hurdle to fast development, and/or security is put as a lower priority to feature development or other deadlines. A lot of business units see security as a cost sink and have the "there's only so much we can do to protect ourselves, if they want it they can get it" or "it won't happen to us" mentality.

On the other hand, some companies have security built deeply into their lifecycle, and really care.


No. I hear both simultaneously as well.


> their graphs (at least on Android) have no labeled Y axis!

It's the same on iOS.

I can't say I'm happy with Robinhood. It's dumbing down something that can get you into a world of financial pain if you don't know what you're doing.

If they want to target people that don't understand what they are playing with, they shouldn't be giving away options/crypto access/margin buying to people that don't understand those concepts. Expect a lot of people to lose a lot of money. /r/stupidfinance has some pretty great posts in which people were left in the cold after playing with fire in RH.


I know very little about stock trading. I shouldn't get in a world of financial pain if I don't trade on margin (Robinhood Gold Buying Power) and only transfer money I can afford to lose right?

That is treating Robinhood like a casino. I recognize I don't know what I'm doing at the casino. Therefore I don't use a credit card to buy casino chips and I have a hard stop-loss of a couple hundred bucks that's budgeted as entertainment money.


So far, that's been me at every n+5 years or so.


It's been literally years since node-forward got its talk about signing packages [1] with a lot of pushback from the npm team. Every time a new typosquatting article shows up, there's some more waffling by npm. left-pad happened to much consternation. Now this.

I used to really care about trying to harden the Node ecosystem, and last year it was one of my main goals. I tried to send multiple vulnerability reports, do mass static analysis of npm packages, and wanted to contribute more to the ecosystem, but the consistent ambivalent reactions of much of the community that I talked to turned me off of the project entirely. If npm wants to continue to be a security dumpster fire, let it burn. Node is a waste of security researchers' time and an honest goldmine for black hats looking to compromise relatively powerful novice webdev hardware.

I don't see it changing anytime soon. npm is a business that isn't focused on security. These things keep coming up, and yet npm install metrics I'm sure aren't decreasing. Until they face meaningful competition and/or the rest of the Node community begins to give even half a care to security outside of this forum, there will be no incentive for anyone to do anything about it. It's easier to play PR, give a little lip service to it and dodge the problem than it is to add any friction to their potential growth.

[1] https://github.com/node-forward/discussions/issues/29


This is your occasional reminder that package signing is not a panacea, and as typically proposed for community package repositories like npm, PyPI, etc. would likely do absolutely nothing.

For example, people often insist in the Python world that PyPI should support package signing. But it already does -- you can generate a signature for a package and upload the signature with the package. Django does this, and has been doing it for years. You can also get package download/install tools that will check the signature. But then what?

What people really mean when they say there should be "signed packages" is that there should be a whole bunch of invisible infrastructure (set up by... who, exactly? Maintained by... who, exactly?) to decide which PGP keys are authorized to sign releases of which packages. And that's close to an intractable problem for an anyone-can-contribute community repository like npm or PyPI.


This is a very important point. I work for a company that publishes client libs for many different package indexes (although not npm). This is a fairly well automated process, but it takes minutes (if that) to push a new version to pypi, rubygems etc, but at least a few hours of fiddling about to get something on maven, which of course has this security infrastructure.

An analogy might be drawn with the app stores. We all know it is massively easier to get stuff in the play store than the iOS store. We all know there is a shit ton of spam, malware etc on the play store and not really in the other. But it's also much easier to contribute to. It's a trade off. Security is important, but sometimes I feel that people are unwilling to treat it as an input in a basic cost benefit analysis, instead turning it into a kind of absolute value. I accept that it is not treated seriously enough by many in the community, but overcorrection is not the answer.

Of course, other relatively 'open' package indexes exist that do not have npm's typo squatting issues, so there are other design issues at work in this particular case.


Do you suppose FB+Yarn is in a position to compete? Yarn can implement support for optional package signing. From the consumer's perspective, one can choose to be alerted whenever the "main" package signer (usu. developer) changes, or simply to accept only packages verified and signed by a group of trusted third parties.


Nit: leftpad was not the issue. Kik was the issue. Npm incredibly mishandled the situation. I agree with the rest of your analysis.

I think the community should fork npm repository. Anything of value is free and open source anyways. Why does node continue to support npm people?


While I guess this is something, I would be curious to know what types of users are being targeted with these NSLs, and for what crimes. While it's natural to think "Islamic extremism and terrorism" as that's the usual natsec rallying cry, I wouldn't be surprised to see these being used for other purposes.


Reddit says they were making about $500K a day in mining fees.


What prevents them from continuing to mine?


Downtime, lack of trust from users, etc.

