
sbv , to linuxmemes in Backdoors
Zozano , (edited )
@Zozano@lemy.lol avatar

For the uninitiated, this is a representation of the Survivorship Bias.

Essentially, the red dots represent bullet holes from aircraft which returned from battle.

If you were to ask someone which places should be reinforced with armour, someone who has the Survivorship Bias would say “where the red dots are”, whereas people who know anything about engineering would say “everywhere else!”

It’s like saying: “why are you wearing a helmet? I’ve met hundreds of soldiers and none of them have ever been shot in the head, helmets are a waste of good armour.”

A true fact: Did you know wearing a helmet increases your chances of dying of cancer.

grrgyle ,

A true fact: Did you know wearing a helmet increases your chances of dying of cancer.

Rofl I love this. Great comment

communism ,
@communism@lemmy.ml avatar

What are you saying? That there are people doing the top version (“I want a backdoor / I ask the corpo to grant me access”) for FOSS but they’re less likely to get caught if they don’t do all the gymnastics?

sbv ,

OP is referring to a backdoor that was found. It apparently modified behaviour in a way that was noticeable to humans, suggesting that it was built by an unskilled adversary.

It’s a safe bet that there are others (in FOSS) that remain undiscovered. We know that skilled adversaries can produce pretty amazing attacks (e.g. Stuxnet), so it seems likely that similar vulnerabilities remain in other FOSS packages.

communism ,
@communism@lemmy.ml avatar

It’s a safe bet that there are others (in FOSS) that remain undiscovered.

I agree, but I don’t think that photo (about survivors’ bias) applies to the op meme then, as that would imply that it only seems like open source backdoors are convoluted because we’ve not found the simple/obvious ones

sbv ,

Survivorship bias or survival bias is the logical error of concentrating on entities that passed a selection process while overlooking those that did not. This can lead to incorrect conclusions because of incomplete data.

In this case, the selection process is discovering human-evident back doors. It fits by my reading.

MataVatnik ,
@MataVatnik@lemmy.world avatar

Stuxnet was done by a literal army assembled by state actors with massive funding hoarding zero days. If an attack like that came at you there is very little you can do.

Draegur , to linuxmemes in Backdoors

i feel like the mental gymnastics should end with a rake step

anarchy79 ,
@anarchy79@lemmy.world avatar

Queensbury Rules init.

melpomenesclevage ,

Init as in ‘contraction of “isn’t it”’? Or as in ‘initialize’?

veganpizza69 ,
@veganpizza69@lemmy.world avatar

It’s about the complex rationalizations used to create excuses (pretexts).

The original is this:

https://lemmy.world/pictrs/image/dbbc96fa-c180-472b-ab49-9ae079dc479c.webp

summerof69 ,

Lmao this is the first time I’m seeing this format, I like the content so far.

grrgyle ,

Wow this is great

melpomenesclevage ,

I feel like that’s really crappy non-vegan mental gymnastics. I think veganism is morally superior, but I really want to show mine off, just because I’m offended by how stupid all these are. The fact I know they’re real makes me more ashamed of eating that yogurt earlier than any amount of chattel slavery or butchery ever will.

johannesvanderwhales ,

Alright I won’t argue about that specific version’s point, but this is basically a template for constructing a strawman argument.

gwildors_gill_slits , to linux in Tried Arch for the first time | My experience and impressions

I had the same experience. Despite all the doomsaying online I found the installation and configuration process pretty straightforward thanks to the quality documentation.

squaresinger , to linuxmemes in Backdoors

The only real downside on the open source side is that the fix is also public, and thus the recipe how to exploit the backdoor.

If there’s a massive CVE on a closed source system, you get a super high-level description of the issue and that’s it.

If there’s one on an open source system, you get ready-made “proof of concepts” on github that any script kiddy can exploit.

And since not every software can be updated instantly, you are left with millions of vulnerable servers/PCs and a lot of happy script kiddies.

See, for example, Log4Shell.

SpaceMan9000 ,

Honestly, for closed source software the POCs are also immediately available. Lots of threat actors just use patch diffing.

These days vulnerabilities are at times also patched with other non-related commits to conceal what exactly has changed.

DemSpud ,

bUt gUyS WhAt aBoUt sEcUrItY ThRoUgH ObScUrItY??

squaresinger ,

hEy, yOu lEaRnEd A bUzZwOrD aNd rEcEnTlY dIsCoVeReD tHe sHiFt KeY!!! cOnGrAtS!?!

possiblylinux127 ,

I’m pretty sure there are plenty of ways to exploit proprietary systems. You can’t stop the power of the keyboard.

KillingTimeItself ,

this is why we invented responsible disclosure, which is a thing companies like apple do even. Although in this case, this was the very beginning of what seemed to be a rollout, so if it does affect systems, it’s not very many. And if they are affected, the solution is pretty obvious.

Don’t be a dunce, report responsibly.

ozymandias117 ,

Even in open source, responsible disclosure is generally possible.

See, e.g. Spectre/Meltdown, where they worked privately with high-level Linux kernel developers for months to have patches ready on all supported branches before they made the vulnerability public.

oce ,
@oce@jlai.lu avatar

If your security relies on hidden information then it’s at risk of being broken at any time by someone who will find the information in some way. Open source security is so much stronger because it works independently of system knowledge. See all the open source cryptography that secures the web for example.
Open source PoC and fix increases awareness of issues and helps everyone to make progress. You will also get many more eyes to verify your analysis and fix, as well as people checking if there could be other consequences in other systems. Some security specialists are probably going to create techniques to detect this kind of sophisticated attack in the future.
This doesn’t happen with closed source.
If some system company/administrator is too lazy to update, the fault is on them, not on the person who made all the information available for you to understand and fix the issue.

prettybunnys ,

Crowd sourcing vulnerability analysis and detection doesn’t make open source software inherently more secure.

Closed source software has its place and it isn’t inherently evil or bad.

This event shows the good and bad of the open source software world but says NOTHING about closed source software.

oce ,
@oce@jlai.lu avatar

Crowd sourcing vulnerability analysis and detection doesn’t make open source software inherently more secure.

It does, because many more eyes can find issues, as illustrated by this story.

Closed source isn’t inherently bad, but it’s worse than open source in many cases including security.

I think you’re the only one here thinking publishing PoC is bad.

prettybunnys ,

This is literally how I make my living and this is the only comment I’ve made so I’m not sure where you get the idea I think publishing vulnerabilities and PoC are bad … again I literally do this for a living.

Finding vulnerabilities and reporting them is literally what pays my mortgage. Open Source, Closed Source, they both have their merits but to say one is inherently more secure because of the reasons you’re specifying is tacitly false.

oce ,
@oce@jlai.lu avatar

Then please explain why the reasons specified here are false, beyond that argument from authority.

prettybunnys ,

I don’t need to repeat myself but that’s all I’d be doing.

You’re making the argument that open source software inherently does this better and I’m telling you that you’re wrong. I’m going to cite myself, a 20 year veteran in the field.

It can do it better and often times it does work out this way.

Closed source software also has value and use and for its own set of reasons could make the argument that it is more secure because of access controls and supply chain management and traditional security mechanisms.

I think you read what I wrote as a “no you’re entirely wrong” whereas what I said was “you’re asserting things that aren’t true which is weakening the argument”

Frankly though given the lack of response to what I actually said by anyone I’m just going to rest on knowing in the real world my input is considered valid, here where we’re being fanatics … idk for all you know I’m a bot spewing AI generated drivel.

Maybe the disconnect here is I’m talking about practical application because of experience vs theoretical application because of ideology.

oce , (edited )
@oce@jlai.lu avatar

No I don’t think you said I was entirely wrong, that part was clear enough.

My issue is more with your argument from authority and personal experience. It is very easy to be biased by personal experience, especially when it brings good money.

access controls and supply chain management and traditional security mechanisms.

So I’ll put my personal experience too (which is also a low value argument). From the outside it may seem this is well done in big companies. But the reality is that this is often a big mess and security often depends on some guy, if any, actually having some standards and enforcing them, until they leave because the company doesn’t value those tasks. But since it’s closed source, nobody knows about it. With open source, there’s more chance more people will look at this system and find issues.
I don’t doubt some ultra sensitive systems like nuclear weapons have a functional closed source security process because the government understands the risk well enough. But I think there are way more closed source systems, at lower danger level but which still impacts people’s security, that are managed with a much lower standard than if they were open-sourced.

prettybunnys , (edited )

I do agree that your words are in fact a low value argument. We’ve found common ground.

Your heart is in the right place but there is nuance you’re clobbering by not being willing to be open minded.

oce ,
@oce@jlai.lu avatar

You have provided no valuable argument except “believe my experience”, so I am answering with an equally weak one. Provide me some good quality study and I will be happy to change my mind. I recognize this lack of enlightening information is pretty aligned with closed source philosophy.

prettybunnys ,

I think you asking me for “quality study” informs me that I don’t want to talk to you about this anymore.

I understand ideologically you’re all for open source software (so am I, but you can’t see that) and you believe there is no merit to close sourced software. You believe open source software is inherently more secure and nothing will convince you otherwise and to be honest I just don’t care.

In the real world your argument falls flat, the ideology is great but practically it doesn’t shake out that way. If you’re incapable of recognizing the merits AND flaws in both systems then I don’t have any desire to continue talking to myself.

I’ve not at one moment argued against anything other than your narrow view, I am a proponent of open source software and am a contributor to a project I guarantee impacts your life every day. I’m not shitting on open source and never would.

All of the things you say CAN make it better and many times do. That said it doesn’t inherently make it better and just because you crowdsource doesn’t mean you got it right. There is nuance. Democracy always fails on the idea that 1 Million Voices are smarter than 1, which isn’t always the case.

Open Source Software ought to be used EVERYWHERE IT MAKES SENSE and not used where it doesn’t.

The problem is when people make statements that just aren’t true to push for something that can stand on its own without false narratives.

oce ,
@oce@jlai.lu avatar

A lot of straw man arguments. Overall, I think we agree on the value of open source.

squaresinger ,

But this issue wasn’t found because of code analysis per se, but because of microbenchmarking.

oce ,
@oce@jlai.lu avatar

That’s a good point, but wasn’t the micro benchmarking possible, published and analyzed because it is open source? Also the vulnerability analysis, impact analysis and fix can be peer reviewed by more eyes.

summerof69 ,

It does, because many more eyes can find issues, as illustrated by this story.

This story illustrates that some eyes can find some issues. For proper discussion we need proper data and ratios, only then we could compare. How many issues there are in open and closed source software? How many of them are getting fixed? Unfortunately, we don’t have this data.

oce ,
@oce@jlai.lu avatar

I think some of this data is actually available for open source projects by scanning public repositories, although it would be a lot of work to collect it.

squaresinger ,

If the vulnerability is in the wild, what other security mechanisms do you have until it’s patched?

oce ,
@oce@jlai.lu avatar

In this case, downgrading to the not affected version. If there’s no possible downgrade, stopping the compromised system until it is fixed.
Keeping the vulnerable system up because you think nobody else should know is a bet, I don’t think it’s sound. State actors are investing a lot to find and exploit those vulnerabilities, in this case probably even funded the implementation of the vulnerability, so I think you should assume that any vulnerability you discover is already used.

_dev_null ,
@_dev_null@lemmy.zxcvn.xyz avatar

Was the transition into management easy for you, or was it a slow acceptance?

squaresinger ,

Oh, we play dumb ad-hominem without any basis in reality?

I can play this too: Was your last school homework hard?

ris ,

In this case it seems the backdoor is only usable by someone who has the correct key. Seeing and reverting something fishy is in some cases, like this one, easier than finding an exploit. It takes a lot of time in this case to figure out what goes on.

Fixing a bug never automatically gives an easy-to-use exploit for script kiddies.

Pantherina ,

It is not, it requires a private key to be used.

naught , to memes in Seggs
baggins , to linux in Tried Arch for the first time | My experience and impressions
@baggins@beehaw.org avatar

Excellent work - I currently run Endeavour on a PC and laptop. This article has almost made me brave enough to try a bare bones build of Arch on the laptop :-)

magikmw , to linux in Tried Arch for the first time | My experience and impressions

My Linux usage was: Ubuntu, then Arch, then I got tired of it and took a break from Linux. I found Fedora KDE in 2017 and been using it ever since. Only reinstalled once to switch to btrfs and it went surprisingly smooth.

I like Arch, and I love the wiki, but I appreciate sane defaults and ease of use. I’d rather optimize down than pull features out of repos.

Another distro I’d check would be Suse, or one of the immutables, starting with the Fedora KDE one. When I have time for it.

Etterra , to memes in When people tell you who they are, listen.

What? A bad faith argument from the right? I can’t believe it… took this long to hit 1 million.

AFC1886VCC , to memes in "Cancel Culture"

The campaigns to ban video games by Christian groups is one of the biggest examples of cancel culture in modern times.

MacNCheezus ,
@MacNCheezus@lemmy.today avatar

That’s a long time ago. Didn’t that happen in the 90s?

Anticorp ,

The 90’s weren’t that long ago to some of us. But yes, in the 80’s and 90’s they rallied hard against music, and in the 90’s and early 2000’s against video games. Something positive did come out of it though. Music albums and video games didn’t have maturity ratings before all of that campaigning from the Christian Coalition. As a parent it’s nice to have a rating flag, so you know to check the content and see if you think it’s appropriate for your children.

MacNCheezus ,
@MacNCheezus@lemmy.today avatar

My brother in Christ, I don’t know what planet you live on, but here on Earth, that was 30 years ago no matter where you live. And to my knowledge, none of the games and/or bands actually got cancelled because of it except on an individual basis (i.e. if you parents forbid you to have them at home). But in that case, we simply went to a friend’s house to play or listen to them there, so I’m not sure that this is really something worth getting all worked up over.

Anticorp ,

1990 was 34 years ago, but 1999 was only 25 years ago. When you get older, 25 years doesn’t seem like that long ago. I’m not sure if you’re implying that I’m getting worked up in your last sentence, but I’m not. I simply stated an observation. As far as the Christian Coalition, yes, they got really worked up.

Tons of albums were banned. 2 Live Crew had almost every one of their albums banned at one point or another. License to Ill by the Beasty Boys was banned. Everything from Too Short was banned. Tons of music was banned either from the radio, the record stores, or both. People went to jail over it. It was a big deal. Thankfully a lot of those bands sued and appealed, and moved the meter for artistic expression considerably, from then forwards.

oatscoop ,

You know you’re old when young people confidently explain to you things you witnessed first hand. Like Dee Snyder testifying in a Senate hearing.

Alteon , to memes in Seggs

Depicted: Incel “Alpha” Males hoping to one day have a submissive wife sex slave, that cooks, maintains the house for them, and raises children, so that they can continue being children themselves. Women are just lining up for this lifestyle, aren’t they?

rickyrigatoni , to lemmyshitpost in FF Evangelists

people don’t complain to get solutions, they complain so everyone knows how miserable they are

KillingTimeItself ,

and to shame people into making a solution, hopefully.

Or at least that’s what we tell ourselves. Because it makes us feel better.

minibyte ,

Sympathy for the devil.

Oha , to memes in When people tell you who they are, listen.

am I too European to understand this meme?

ZombieMantis ,
@ZombieMantis@lemmy.world avatar

Evidently, yes.

InputZero ,

Wes_Dev said

“For those who don’t know, In the US, the two political parties basically switched sides at one point. I only skimmed, but here’s an article about it:

livescience.com/34241-democratic-republican-parti…

But I’d rather look at what modern people are doing and saying, than muse about what older generations would have wanted or done.”

Grayox OP ,
@Grayox@lemmy.ml avatar

Lucky

spiderwort , to memes in "Cancel Culture"

Actually, everybody complains about cancel culture. And Christians.

therealjcdenton , to lemmyshitpost in FF Evangelists

Both have anime profile pictures so both are losers

lightnsfw , to linux in Btw

Therapy is expensive, I’d have to make appointments, leave my home during my free time, talk about myself to someone, and probably won’t help because my problems are external. No thanks.

Buying a new laptop and installing an OS is a relatively simple and inexpensive process that is actually rewarding.

ChaoticNeutralCzech ,

Therapy actually often helps with external problems too. If you tried another therapist every time you installed a distro, you might have found one that can solve your problems.

lightnsfw ,

Okay so multiply all the other problems I listed by how many therapists I have to try and no they can’t solve my problems unless they’re gonna buy me a house or pay off my debts or something so I can actually get ahead financially.

jaycifer ,

No, a therapist will not give you money. What they could do is identify why you don’t have the money you need, then help you plan and execute the steps to accomplish your goal. If your goal is more money, I’d guess they would ask you if you are looking for a higher-paying job, then discuss what steps you can take to improve that process, with a focus on mental hurdles you may not even realize you’re putting in your way.

areyouevenreal ,

Unless those steps are overthrowing the rich then I think the person you are talking to is correct. This is a money problem not a psychological problem and most money problems are because of capitalism. Get a higher paying job? FFS what actually makes one job more valuable than another? It sure isn’t how essential it is as plenty of high pay jobs are things like finance bros.

jaycifer ,

No, the steps would probably be more along the lines of refreshing your resume, maybe setting up an appointment to have it professionally reviewed, getting a habit of applying for jobs going, stuff that materially contributes to having more money. A therapist might tell you that overthrowing the rich is a little too vague a plan to actually act on.

I specifically said higher-paying instead of a “better” job because it’s not necessarily going to be a more fun or world-improving position. But if money is what you need and the job you apply for has a higher pay rate than the one you have now it will likely lead to you having more money, regardless of the greater economic climate.

lightnsfw ,

No, the steps would probably be more along the lines of refreshing your resume, maybe setting up an appointment to have it professionally reviewed, getting a habit of applying for jobs going, stuff that materially contributes to having more money. A therapist might tell you that overthrowing the rich is a little too vague a plan to actually act on.

So the solution the therapist has is to hire a career counselor? That’s not them solving anything, that’s them passing the buck to someone else that will cost me even more money and time. Beside the fact that I already know how to ladder climb and am currently in a position that pays well above what most of my peers are making and is above the credentials I have on paper so I have to rely on networking for any new opportunities (which again i’m doing better than most of my network so they don’t have a lot to offer at this point). There really isn’t anywhere for me to go up from here without moving to a place that is even more expensive to live.

The real issue is that inflation is out of control and housing is too expensive. My best bet of ever owning a home is waiting for my parents to die and inherit theirs and that thing is shitty new construction that was slapped together as quickly and cheaply as possible and will probably be falling apart by then.

jaycifer ,

Yes, in the hypothetical scenario where you are applying for positions but not hearing back and it has become frustrating, my theoretical therapist might suggest you get in touch with someone specialized in helping with that, and then if you continue to not do so while stressing over the state of your resume their job would be to help you take that step.

Evidently that’s not your problem, which I could not be aware of, being a stranger on the internet before your explanation of your situation. Sorry my example did not perfectly address your situation.

I don’t know how a therapist would react to your circumstances of being able to make more money but still not making enough because that is rather foreign to me, but I can tell you one thing. If you are holding down a job above your credentials, you are no longer holding down a job above your credentials, you are now holding down a job at your current level of credentials and I would recommend updating your papers to reflect that.

lightnsfw ,

By credentials I mean a degree and experience with particular tasks/applications. I can’t just change that on my resume if I don’t have it.

areyouevenreal ,

Yeah this guy is consistently deflecting and giving bad advice. I don’t think they have any experience with the current job market, economy, or just the state of capitalism in general. Psychologists aren’t even the right people to go to here, you need a career specialist for that. If they said to get more qualifications instead that would make more sense, but clearly they just want to add therapy to everything as if that’s gonna fix it.

jaycifer ,

If I want to gain more qualifications but never actually spend time working on them, if I want a better resume but never even look up a phone number to call, do you think a therapist could help me get moving on those things I want to do?

areyouevenreal ,

That’s a hypothetical scenario and not at all the same one you were describing earlier or the scenario the other commenter is in. Stop trying so hard to be right. Even this scenario could be explained by exhaustion from working your current job.

It costs you nothing to admit that you made a mistake and that sometimes psychologists aren’t the right answer. You only need a psychologist for career based problems in very specific scenarios for example when mental health issues or mental disabilities impact your work. Outside of that is what a career specialist is for, they should be a first port of call for career based problems as that’s exactly what they specialize in.

jaycifer ,

What I was trying to say is that if you already have a job above your qualifications, which my understanding is you do, you can use your experience in that job as a qualification for future jobs. Maybe I did a poor job of saying that.

areyouevenreal ,

That’s not how that works unfortunately. Job requirements change, different businesses have different requirements, and furthermore you probably need to look at a more advanced job for more money which requires more qualifications. For example in the tech industry jobs that you could get with experience or working up through a company now requires a degree because there are more people working in tech with degrees now. It’s supply and demand to put it simply.

Hapbt ,
@Hapbt@mastodon.social avatar

@jaycifer @lightnsfw try adding "crypto" "AI" "decentralized" "quantum" to your resume

areyouevenreal ,

It feels bad that this could actually work for some places.

Hapbt ,
@Hapbt@mastodon.social avatar

@areyouevenreal bought some bitcoin once? crypto analyst!
asked chatgpt something once? AI LLM prompting
downloaded a movie on bittorrent? distributed networking!

areyouevenreal ,

Stop trying to fit therapy to every problem. That’s not what it’s for. The best advice would be to upskill and gain qualifications - which not everyone can afford. Stop trying to ignore physical reality and claim the economy and everything is fine when it clearly isn’t. Admit there are problems and actually do something about it! Complain to politicians, unionize, strike.

Telling people to go to therapy for economic and financial problems is maybe the dumbest thing I have heard unless you have a problem with impulsive purchases or the like.

0x0 ,

Therapist-hopping, eh?

Evil_Shrubbery ,

Therapy is also other people, so no, just no.
