Topical Grab Bag

This post will probably come out a bit disjointed, because this week brought a few events that I wanted to talk about, at least a bit, and I wanted to get posts out while it still made sense for me to mention them. Since “while they made sense” happens to coincide, I had the not-so-bright idea of juggling the topics in one post, which you have before you. This presumably means that no topic will get the attention that it needs, but it felt like it made more sense during the week to do everything at once instead of dribbling out posts long after people have forgotten the motivation for bringing anything up.

The characters Pepper and Carrot standing at an eight-way intersection of paths, trying to decide which way to go

Likewise, I could have dropped some of this in the newsletter for April—and may still continue my thoughts there—but that would hide those issues for a few weeks, for the majority of readers. Therefore, I hope that you’ll accept my apologies now for a post that might not hold together as a unit. It looks like a news post, which I don’t really do. It looks like my reactions to a news post, which I try to limit to the Social Media Roundup posts on Friday. And it looks like a bunch of small posts stitched together in hopes that nobody notices. If I get lucky, I might find a “hook” that connects the ideas and turns this into a more legitimate post…but don’t count on it.

XZ Utils Backdoor

I’ve felt like I should try to provide some thoughts on the XZ backdoor found last week, largely because so much of the discourse has gleefully decided to turn this into a list of grievances against Free Software. And while I don’t think that I have a unique or even especially informed perspective, here, I do seem to have an under-represented perspective.

Background

You have probably heard the overall story, by now, even if you didn’t bother to read that Wikipedia page. But in short, about three years ago, the attackers bullied a library maintainer into allowing their confederate access to the administrative parts of the project. With that level of access, after building up trust, the confederate eventually replaced the use of a modern system function with an older equivalent that had fewer security checks. Under the right circumstances, this change could allow an attacker to log into a computer as an administrator.

The backdoor made it into some low-level software—but not the big Linux versions that would create a huge problem on servers across the Internet—when someone on the PostgreSQL database’s team reported some strange behavior traced to the library.

Fallout

Reputable software providers who needed to deal with the effect have reverted to the prior versions. The original attackers have left. And everything has mostly gone back to normal except for the misinformation and random grievance-airing.

In particular, you’ll find plenty of people jumping to condemn Open Source or Free Software for somehow creating the problem. Parroting the talking points of thirty years ago, you’ll hear people talk about how you can’t trust Free Software, because they’ll let anybody contribute. Or you’ll hear people talk about the area having such an inherently toxic culture that you can bully a maintainer without anybody caring.

And I have a couple of responses to those—admittedly abstracted and simplified, to not attack anybody specific—arguments.

Trust

First, I want to make the critical point that the system worked. Free Software advocates have said since the beginning that given enough eyeballs, all bugs are shallow. And true to form, someone with deep pockets spent three years carefully undermining important code used across the world, and they got pretty much nowhere, because somebody noticed the problem while working on a different project. Everybody who maintains an important project stopped all activity immediately, to make sure that the problem wouldn’t affect their users.

By contrast, many companies build their security policies around plausible deniability, where everybody semi-technical at the company knows about a major flaw or backdoor—and many might even use it to get around the system with less effort—but would rather not talk about fixing it. Partly, they don’t want the legal liability of revealing their knowledge of the problem, and partly because “customers pay for features, not security fixes,” as multiple people have told me.

Prevention

I should also point out that it took three years to get this vulnerability into place. They needed to create an entire social engineering campaign to pressure the maintainer into changing the governance of the target project. If you find this objectionable, and distrust Free Software because it can happen, I’d like you to consider the equivalent of this process in the corporate world.

Over in the world of corporations, one could—and I think that we all know that quite a few people have—fabricate an entire work history, and coast through lax interviews to land a good job. Now, you or I wouldn’t risk doing that, because we wouldn’t want to risk our reputations, if somebody discovers that the companies that you claim to work for never existed or haven’t heard of you, all for a slightly better job than the one that you’d get legitimately.

If you had the motivation and resources, though—like (allegedly the case, here) a state actor planting a vulnerability for a specific purpose—then you could create a reasonable facsimile of former employers, complete with people responding to phone calls, and references to talk you up. And that assumes that your operative doesn’t have a legitimate work history, already, since you can always find marginal programmers with loose sense of ethics looking for work.

Anyway, once inside, if you want to spend the same three years increasing confidence in your work, then you can slowly undermine the team’s trust in code reviews and testing, because most developers and companies (inexplicably) think of those as a waste of time instead of a time-saver. Then, when you have nobody paying attention to your work—or if you don’t have time, then slip your change in with unrelated fixes, during some inevitable emergency, where people have their attention drawn elsewhere—when you push your change into the codebase, and jump back to the previous section to see if the company ever catches and fixes the problem.

For clarity, I’ve never seen any actual, deliberate sabotage happen in my career. I have, however, worked with plenty of inept-to-middling developers over the years, and seen plenty more developers drop huge bugs into products, because the team or management didn’t see value in careful review or tests. And because I’ve seen those happen accidentally, I also know that someone with enough motivation could make them happen on demand, with far less effort than it took to subvert one tiny library.

Going Forward

Despite my relatively cheery view, here, we do still need to fix a core problem.

Free Software lives on the backs of hobbyists, who never intended that their weekend hack or “no responsibility left behind” project would become constant unpaid labor for large and huge corporations. Companies download code and build massive projects with it, and maybe the community can shame them into throwing a few thousand dollars as compensation.

I don’t love boiling everything down to money, but with companies relying on a supply of hobbyist labor to underpay or avoid paying, everybody has better things to do than maintain software for them, such as earning enough money to keep roofs over their heads. People still burn out and make huge mistakes when you pay them, as I suggest above in referring to how many companies validate their employees and handle security issues, but given a million-dollar annual budget instead of “beer money,” many developers can leave their day-jobs to share the load on an important project.

And yes, some projects ask for donations. But that doesn’t really count, because they ask us for donations. My five dollar donation to a project goes far further in making me feel good about myself than it goes to decreasing the stress and vulnerability felt by people working on the project. I don’t know how to fix that, as you can probably figure out. If I did, I’d start with funding myself as an experiment, to the point where I can work on whatever projects catch my eye.

Clumsy Model

In one sense, I want to—and maybe this has something to do with the month—think about this like taxation. Liberal thinkers often flounder on the subject of taxes, because they want to say something like “people (and companies) should pay their fair share,” but nobody agrees on what looks fair, especially wealthy people. Instead, taxes conceptually work like maintenance and insurance. Based on the value of the economy to you, measured by the amount of money that you can “harvest” from it, you pay the people who keep it safely running.

Without taxes, companies can capture regulators and exploit both workers and customers until the former can’t work and the latter can’t spend. And likewise, wealthier entities should have more of an interest in making those investments, so that their sources of income don’t vanish.

You can’t operate donations to Free Software projects in the same way, because many projects cross national boundaries, making it difficult to figure out how to collect and distribute those funds. But the intellectual model of “paying maintenance, so that the things that you need don’t fall apart” makes a lot more sense than “if everybody who used this donated a dollar…” styles of framing.

Although, on that topic, if anybody wants to donate to get my projects out faster, I wouldn’t say no…

Craig Maloney, RIP

On Tuesday, David Revoy—of Pepper & Carrot fame—broke the news that Craig Maloney has died. Unlike many people, I never reached out to Maloney, but I believe that I’ve known him by reputation for most of my career. As I developed a loose interest in Free Software, later a stronger interest, and what one might currently call a maybe-unhealthy interest in Free Culture, Maloney’s name has come up so often that it took me many years to realize that the same person kept becoming relevant.

Over the last couple of years, I have subscribed to his blog and, until about two weeks ago as this goes out, read along with his daily updates, largely skewed to his treatment for cancer and its side effects.

If you check through his blog, you can see him realize and document his decline starting in early March, and updates become less frequent until stopping on the twenty-fifth, so his death probably didn’t come as a huge surprise. However, it hurts when anybody dies, and especially so with someone who built the kind of legacy that Maloney did, affecting so many people’s lives for the better, both directly as evidenced by the many people on Mastodon expressing grief, and indirectly like myself.

Anyway, I had the pleasure of reading Craig’s The Mediocre Programmer, recently, and strongly recommend that you do, too, if you have any kind of white-collar career…at least the first few chapters. It gets into the myth that only the best of the best do (or should do) our work, why we come up short of our own expectations, and what we can do to manage that gap. You’ve seen me talk about the same sorts of things on this blog, on occasion, and if I had known his work at the time, I surely would have quoted liberally from the book or directed readers there.

You’ll also find Craig’s games, almost(?) all Free Culture, and I might try to slip in some of his work in an upcoming Free Culture Book Club post.

The End Is Nigh-ish

Speaking of endings, and since I already mentioned David Revoy as the bearer of bad news in the previous section, I should also note that the artist himself has announced the upcoming end of Pepper & Carrot.

On one hand, this feels unpleasant, because (among other things) Pepper & Carrot has served as probably the strongest pillar of the Free Culture space for—at the time that this goes out, one month shy of—a full decade. It has survived for a decade, for one thing, going strong the entire time. It seems to earn Revoy enough money to keep it going, roughly four thousand dollars per episode, quickly checking out his crowdfunding campaigns. And people routinely point to it as a fantasy universe that anybody can use and doesn’t look like cheap, off-brand Tolkien. And while we don’t lose all those items, because the material will still exist, witnessing the end of a prominent project like that, in a field that I care about, still hurts.

However, the world and overall project will continue and expand in the Mini Fantasy Theater anthology format, so we don’t quite lose the project’s continuity, even if we lose the “flagship title.” And as I mentioned in my reply to Revoy’s post , I believe that he has discussed a few times that the comic would have a closed-form story to it, because he didn’t want to work with an eternal status quo, for himself or his story. And I have a lot of respect for creators who can make that decision, rather than waiting for the audience to make that decision for them. (Not that I don’t also love creators who try to keep their projects rolling for as long as possible, or respect that decision, too, mind you.)

And because of that, I genuinely look forward to seeing how this all shapes up in the future.

Also, Definitely Nigh, Right?

On a lighter note, my area had a fairly substantial earthquake, this week, on top of everything else, the strongest (4.8 magnitude) in something like a century and a half. I haven’t seen much evidence of damage, other than frayed nerves and confusion, but we don’t really get earthquakes out here. Or, rather, like the article says, we get little tremors that nobody notices amid the background noise of millions of internal combustion engines.

It occurs to me, though, that this came within a handful of days of tomorrow’s eclipse, which…I admit to not really caring about, especially with a mostly cloudy forecast. But a major earthquake for the area and a total eclipse near the same area? In a cheap fantasy or horror movie, those would make pretty solid omens. If only we had a third, that would make the story work even better.

Oh, wait. We do. Every eighty or so years, we expect T Corona Borealis to undergo a recurring “nova explosion”. The star has brightened slightly since 2016 and dimmed last year, which matches what astronomers saw in 1946. We expect to see it flare up—making the star as visible as Polaris sometime before autumn starts.

Or, if you don’t like one of those three, by the end of April, a significant chunk of the United States will watch two cicada broods will simultaneously come out of hibernation. The Northern Illinois Brood (XIII) gets Iowa, Illinois, Indiana, and Wisconsin, and wakes up every seventeen years. The Great Southern Brood (XIX) gets Alabama, Arkansas, Georgia, Illinois, Indiana, Kentucky, Louisiana, Maryland, Missouri, Mississippi, North Carolina, Oklahoma, South Carolina, Tennessee, and Virginia, waking up every thirteen years. For those struggling with the math, this means that they show up together once every two hundred, twenty-one years. If you live in Illinois or Indiana, I can only assume that your streets will host regular turf wars for the next few months, as cicada gangs rumble with tiny little switchblades…

Anyway, if you decide to prepare for the end of the world, I support you, but don’t believe that the IRS will accept “world probably ending, frowny face” as an excuse for filing your taxes late.

Other Ends of the World

This doesn’t really connect with anything, but the idea of omens indicating the end of the world in popular culture largely seems to come from interpretations of the Book of Revelation. It under-girds the White Evangelical Christian obsession with supporting Jerusalem, because despite their anti-Semitic leanings and teachings, they believe that arming right-wing Jewish people in a sea of Arabs will force the final battle.

You see, as I’ve discussed many times before, the sorts of people who use Christianity as a shield against criticism for their terrible actions and ideas also happen to sit on the losing side of history. This has led them to believe that the world has grown irredeemable, and so they believe that, rather than living good lives now, they should instead try to accelerate the coming of the Rapture, so that they can transubstantiate out of here. They call every instance of cooperation or kindness “Satanic,” because they now object to the idea of making society better.

This reminds me that, in the 1980s, DC Comics started setting up—and then abandoned—a company-wide crossover with essentially this plot, but they used the Hindu Yuga cycle instead of Revelations as the basis. Certain entities previously thought of as “good” decided that they had lost the game, and figured that they could get more out of life by ushering in the vice and misery of the Kali Yuga, and rush through it in hopes that the next Satya Yuga golden age in the cycle would give them more of an advantage. I don’t know of any actual groups that have similar beliefs, but the pieces of that philosophy sit right there.

And neither of these seems to have any relationship to the cosmism-influenced Silicon Valley obsession with a Singularity that’ll let them Rapture themselves into a PC to avoid the consequences of their actions as they play golf in the metaverse with Frosty the Snowman and…I don’t know, blonde-haired surfer-Jesus?

I don’t know if I have anywhere to go with this, but the strange idea of fast-forwarding to the end of the world to finally get an unquestioned authoritarian regime strikes me as interesting, especially across multiple cultures. It feels almost comically nihilistic in its drive to avoid taking responsibility for the world that they actually live in, because they hope that they can design their own on the other side, as a reward.

Common Threads?

Well, like I said at the top: Don’t bet on this post coming together into a coherent whole. Yes, many of the bits that I wanted to talk about relate to Free Software/Culture. Yes, many of them relate to endings. All of them relate to storytelling and who controls those stories. But mostly, that sounds like after-the-fact justification, rather than anything resembling a plan, and I apologize for trying to cram four blog posts into one, here. That said, I think this would have seemed stranger if I used four Sunday posts to talk about these items, especially when you start wondering why I’d waste time on earthquakes and eclipses in May…

Plus, back when I went to college, we used to joke that you knew that you had a good class coming up when the professor walked in, sat on the edge of the desk, and let out a sigh. Once you set the stage like that, you knew that you’d get a wide-ranging discussion that only really incidentally touched on the intended topic, but would probably prove as educational about similar topics, overall. Blogging needs far more of that energy. 😉

Credits: The header image comes from the untitled header image of The end of Pepper & Carrot and my next project by David Revoy, made available under the terms of the Creative Commons Attribution 4.0 International license.

By commenting, you agree to follow the blog's Code of Conduct and that your comment is released under the same license as the rest of the blog. Or do you not like comments sections? Continue the conversation in the #entropy-arbitrage chatroom on Matrix…

Get monthly ^* updates on Entropy Arbitrage posts, additional reading of interest, thoughts that are too short/personal/trivial for a full post, and previews of upcoming projects, delivered right to your inbox. I won’t share your information or use it for anything else. But you might get an occasional discount on upcoming services.
Or…	Mailchimp 🐒 seems less trustworthy every month, so you might prefer to head to my Buy Me a Coffee ☕ page and follow me there, which will get you the newsletter three days after Mailchimp, for now. Members receive previews, if you feel so inclined.
Email Address
First Name
Last Name
Email Format	html text


* Each issue of the newsletter is released on the Saturday of the Sunday-to-Saturday week including the last day of the month.
Can’t decide? You can read previous issues to see what you’ll get.