That's a hopeless generalization. People have many different problems and there are many different modalities of psychotherapy that try to address them.
Treating less severe forms of anxiety with CBT is going to be a lot more successful than treating deeply rooted personality disorders using any modality. Some problems are more suitable for CBT, and others are more suitable for EMDR, etc.
Just chatting to friends isn't enough unless you're just dealing with relatively mild, garden variety loneliness, depression, anxiety, or something similar.
Net neutrality has nothing to do with how content publishers treat visitors, it's about ISPs who try to interfere based on the content of the traffic instead of just providing "dumb pipes" (infrastructure) like they're supposed to.
I can't speak for everyone, but the web should be free and scraping should be allowed insofar that it promotes dissemination of knowledge and data in a sustainable way that benefits our society and generations to come. You're doing the thing where you're trying to pervert the original intent behind those beliefs.
I see this as a clear example of the paradox of tolerance.
Just as private businesses are allowed "no shirt, no shoes, no service" policies, my website should be allowed a "no heartbeat, no qualia, no HTTP 200".
> I wish wealth wasn't treated so abstractly as if it's some kind of universal measure of evil.
It is evil, the vast majority of people don't become rich without exploiting other people, and just about everyone in that position then leverages their wealth to exert even more power over people and politics.
> technologies and aid originating from the wealthier nations.
We run sweatshops in poor countries, exploit their people and natural resources to death, then we send them a few crumbs of aid to paint ourselves as the good guys for the history books, how noble of us!
> Historically the only time the trend of wealth accumulation reverses is during massive crises, wars, and civilizational collapse which make life worse for everyone and nobody with any sense would wish for
Nobody wishes for this but people will reach a breaking point where they're desperate and can't take it anymore. If slaves try to resist they get beaten, would you advise them to keep their heads down and do as they're told to avoid the beatings? These are classic abuser tactics.
> based on this same flavor of folk economics
Which part of "The wealthy are getting wealthier, they're using that wealth to exert more power over us, and they're using that power to change the system to be even more favourable for them, so that they can get even richer, and even more powerful, at great cost to the rest of society" would you say is "folk economics"?
> It is evil, the vast majority of people don't become rich without exploiting other people, and just about everyone in that position then leverages their wealth to exert even more power over people and politics.
Do you have any evidence to back this up? The cutoff for being in the richest 1% globally is about $1 million. What's the evil and exploitation you attribute to the average person with $1mm, who statistically is probably a retiree who had a pretty normal job?
> We run sweatshops in poor countries, exploit their people and natural resources to death, then we send them a few crumbs of aid to paint ourselves as the good guys for the history books, how noble of us!
Can you name some of those countries that we've exploited over the last twenty years? Do me a favor and also look up their GDP per capita, or whatever other measure of financial well-being you prefer, and tell me how it's changed over the past two decades. I suspect what you'll find is that they've grown way, way faster than the developed countries who are "exploiting" them.
I'm not suggesting the world doesn't have problems, or that richer countries don't take advantage of poorer countries. But this "rich = evil" drivel is cartoonishly lacking in facts.
Please start by reading the title that contextualizes my comment instead of posting a snotty response that takes things out of context — The number is 0.001%, not 1%.
What do you get out of these childish straw man arguments? I made it perfectly clear which group I was talking about and you're asking me to defend an argument I didn't make.
Let them. Individuals can move but they can't take their properties or companies with them (in any real sense, they can take a piece of paper with their name on it).
You can absolutely do that with name constraints extension set on the root CA certificate. You should verify compatibility but it's pretty universally supported on modern browsers and consumer devices last I checked.
If you generate the root CA sure. However name constraints aren't well supported.
A far better option would be to allow me, the user, to do this in the user agent. I can import my mitm cert and today I can trust it for "abc123.com" and point that to something I want to access in that manner for some reason, but tomorrow simply toggle that trust off.
If I find that I want to use a specific website and want to do something with the traffic, then I could point that DNS to my middle-box and turn that on in my browser. With name constraints I'd have to regenerate the root certificate with the new domain, and then re-import it.
The entire concept of the name constraints puts the power into the CA issuing person rather than the user.
Where are you finding that name constraints aren't supported? I've only come across that on embedded/IoT devices. They work fine for me across Firefox and Chrome on Linux, on Android, and they are supposed to work fine on Apple devices too.
> If I find that I want to use a specific website and want to do something with the traffic...
I agree but that's a different problem. If you just need a certificate for your router and some internal services (the original discussion), you can do that using an internal root CA and you have nothing to worry about as long as you're using name constraints.
On IoT devices without nameConstraints support I just use an alternative CA certificate without name constraints (same key, different extensions).
> My router _shouldn't_ have a globally recognized certificate, because it's not on a publicly visible host.
If you're not encrypting local network traffic then any rogue device on that network can decide to intercept it and steal your admin password. That's one of the biggest reasons why we adopted HTTPS in the first place - whether a host is public or not isn't relevant.
It doesn't need a "globally" recognized certificate signed by a public CA, self-signed ones are fine. At home I manage mine with XCA. I have a root CA that's installed on all of my devices, with name constraints set to ".internal", ensuring it can't be used to sign certificates for any other domains.
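The setup described in the comments above (an internal root CA whose name constraints permit only `.internal`), as an added example that is not from any commenter. It uses the OpenSSL CLI rather than XCA, and the CA name and the host names `nas.internal` and `example.com` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example with constructed names. Builds a root CA limited to .internal,
# signs two leaf certificates with it, and lets `openssl verify` judge each chain.

make_ca() {   # $1 = working directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home Root CA (constructed example)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:.internal
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_leaf() {   # $1 = working directory, $2 = DNS name for the leaf
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$2" > "$1/$2.ext"
  openssl req -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  # The CA key will happily sign any name; the constraint is enforced by the
  # verifier (browser, OS, or openssl verify), not at signing time.
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

chains_ok() {   # $1 = working directory, $2 = DNS name; exit 0 if the chain verifies
  openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

# Demo: the in-scope name verifies, the out-of-scope name does not.
d=$(mktemp -d) && make_ca "$d" && issue_leaf "$d" nas.internal && issue_leaf "$d" example.com
for n in nas.internal example.com; do
  if chains_ok "$d" "$n"; then echo "$n: accepted"; else echo "$n: rejected"; fi
done
rm -rf "$d"
```

Because enforcement happens in the verifier, a client that ignores the extension would still accept the `example.com` leaf, which is why checking compatibility on each device matters.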
Why is that problematic? They don't have your private keys and their "level of access" is equivalent to any other certificate authority that your browser trusts.
> Why is that problematic? They don't have your private keys and their "level of access" is equivalent to any other certificate authority that your browser trusts.
Let's Encrypt could stop issuing certificates to you, if the administration decided that necessary. This would at least disrupt whatever you were serving.
Not that I think this is likely, only possible.
I think LE clearly demonstrated the need for an accessible free ACME authority. But it is high time for more alternatives (EU and China at least).
FWIW: Everything around public infrastructure should be run decentralized not-for-profit using national resources. Things like DNS Registrars are silly if you think about it. They just buy it from TLD holders anyway.
> We reliably see people saying "obviously" the Mossad or the NSA are snooping but they haven't shown any evidence that there's tampering
Why would they use the one approach that leaves a verifiable trace? That'd be foolish.
- They can intercept everything in the comfort of Cloudflare's datacenters
- They can "politely" ask Cloudflare, AWS, Google cloud, etc. to send them a copy of the private keys for certificates that have already been issued
- They either have a backdoor, or have the capability to add a backdoor in the hardware that generates those keys in the first place, should more convenient forms of access fail.
> Why would they use the one approach that leaves a verifiable trace?
It is NSA practice to avoid targets knowing for sure what happened. However their colleagues at outfits like Russia's GRU have no compunctions about being seen and yet likewise there's no indication they're tampering either.
Although Cloudflare are huge, a lot of transactions you might be interested in don't go through Cloudflare.
> the hardware that generates those keys in the first place
That's literally any general purpose computer. So this ends up as the usual godhood claim, oh, they're omniscient. Woo, ineffable. No action is appropriate.
Your "I bet they're God" stance is even more naive. They're not God, they've got a finite budget both in financial terms and in terms of what will be tolerated politically.
Of course spooks expend resources to spy on people, but that's an expenditure from their finite budget. If it costs $1 to snoop every HTTP request a US citizen makes in a year, that's inconsequential so an NSA project to trawl every such request gets green lit because why not. If it costs $1000 now there's pressure to cut that, because it'll be hundreds of billions of dollars to snoop every US citizen.
That's why it matters that these logs are tamper-evident. One of the easiest ways to cheaply snoop would be to be able to impersonate any server at your whim, and we see that actually nope, that would be very expensive, so that's not a thing they seem to do.
That's never been my stance because there's a difference between mass surveillance and targeted surveillance. If you understood that then you wouldn't be getting lost and making silly references to "God".
I don't believe that the NSA is omniscient. I believe they have 95% of data on 95% of the population through mass surveillance, and 99.9% of data on 99.9% of people of interest through targeted surveillance.
You think abusing public CAs for mass surveillance is a genius idea, and that its lack of real-world abuse proves that mass surveillance just doesn't happen - full stop.
Unfortunately you fail to consider that if they tried to do this just once, they would be detected immediately, offending CAs would be quickly removed from every OS and browser on the planet, the trust in our digital infrastructure would be eroded, impacting the economy, and it would likely all be in exchange for nothing.
On the other hand if you're trying to target someone then what's the point of using an attack that immediately tips off your target, that requires them to be on a network path that you control, and that's trivially defeated if they simply use a VPN or any sort of application-layer encryption, like Signal? There is none.
The first quote was about them having nearly unlimited power for targeted surveillance and the second was about not having such power for mass surveillance. You keep confusing them.
Just stick to your original claim that I responded to - I addressed it in the second half of my previous comment which you glossed over.
There's no "nearly" in your statement. "a backdoor, or have the capability to add a backdoor in the hardware that generates those keys" is the same God powers claim again. If you now want to water it down with enough caveats it's nothing, this reminds me of how people go from "In lab conditions we can do a timing attack on the electronics from a FIDO key" to imagining that outfits like this just routinely bypass FIDO and so it's worthless.
It's very difficult and expensive to attack our encryption technologies, and so it's correspondingly rare. We are, in fact, winning this particular race.
Encryption actually works not because surveillance is now utterly impossible but because it's expensive. How you went from my pointing out that there's no evidence of this mass surveillance to the idea that I'm claiming these outfits don't conduct targeted surveillance at all I cannot imagine.
> How you went from [...] to the idea that I'm claiming these outfits don't conduct targeted surveillance at all
Again, I didn't. You concluded that the lack of evidence of public CA abuse indicates lack of surveillance, full stop, as if that's the only viable way of conducting surveillance. Here's a reminder:
> It is striking that we don't see that. We reliably see people saying "obviously" the Mossad or the NSA are snooping but they haven't shown any evidence that there's tampering
That's a reasonable observation with an unsupported and faulty conclusion. It doesn't even matter whether you meant mass surveillance (preceding context) or targeted surveillance here because the conclusion is bunk either way. I discussed that earlier but you keep glossing over it in favor of these absurd tangents.
> I see people claiming 20 - 50%, which lines up with the studies above
Most of those studies either measure productivity using useless metrics like lines of code, number of PRs, or whose participants are working for organizations that are heavily invested in future success of AI.
As mentioned in the thread I linked, they acknowledge the productivity puzzle and try to control for it in their studies. It's worth reading them in detail, I feel like many of them did a decent job controlling for many factors.
For instance, when measuring the number of PRs they ensure that each one goes through the same review process whether AI-assisted or not, ensuring these PRs meet the same quality standards as humans.
Furthermore, they did this as a randomly controlled trial comparing engineers without AI to those with AI (in most cases, the same ones over time!) which does control for a lot of the issues with using PRs in isolation as a holistic view of productivity.
>... whose participants are working for organizations that are heavily invested in future success of AI.
That seems pretty ad hom, unless you want to claim they are faking the data. Along with co-authors who are from premier institutes like NBER, MIT, UPenn, Princeton, etc.
And here's the kicker: they all converge on a similar range of productivity boost, such as the Stanford study:
> https://www.youtube.com/watch?v=tbDDYKRFjhk (from Stanford, not an RCT, but the largest scale with actual commits from 100K developers across 600+ companies, and tries to account for reworking AI output. Same guys behind the "ghost engineers" story.)
The preponderance of evidence paints a very clear picture. The alternative hypothesis is that ALL these institutes and companies are colluding. Occam's razor and all that.
Tailscale connections don't get terminated by a middle box, it's just end-to-end encrypted Wireguard under the hood. Cloud-hosted control panel is a risk because they could push malicious configuration changes to your clients (ACLs and new nodes if you're not using the lock feature), but they can't do it without leaving a trace like Cloudflare can.