On 07/11/2013 12:38 PM, Maxim Kammerer wrote:
On Tue, Jul 9, 2013 at 4:57 PM, Jacob Appelbaum <ja...@appelbaum.net> wrote:
While I think Maxim is viewed as exceedingly harsh in how he writes, I
think that your response is really the wrong way to deal with him. We
should consider that his cultural background is different and that as
far as I understand it, he isn't a native English speaker. Between the
two things, perhaps we might just ask him to be nicer?
I am often harsh because I dislike circlejerks. Activists are too
often completely unable to employ critical thinking when the result of
that thinking would go contrary to their ideology — even more so when
said activists lack scientific/technical education. E.g., recall that
case last year where legal activists on this list finally succeeded in
(or at least supported, not sure) enhancing export controls of
software [1]. I was as annoyed as you, but I wasn't surprised. This is
what these people do: claim they support some idea (e.g., freedom to
write software), but easily do something to the contrary when the
result is not aligned with their ideology. There is no critical
thinking involved — nothing in their life accustomed these people to
the need to think critically.

Anyway, back to the topic. I don't care much about Cryptocat, simply
because I don't care much about web programming. I don't think I
participated in a discussion about Cryptocat previously. I did
converse with Nadim when he was going to do something stupid in the
project once, but got tired quickly when he found it hard to grasp
simple CS concepts. So he fixed the problem, and I stopped caring,
fine. But in this thread, I pointed out something very simple:
Cryptocat paid for professional peer review (audit, whatever you call
it), and it didn't work.

I think the upshot of that is to steer whatever funds Cryptocat has
toward the form of peer review that did work, which is the bug
hunt (as well as look into other forms of peer review that would
be more effective).  Paying someone to tell you what problems
they _did_ find makes it possible for the peer to self-validate their
"peerness" without referring to credentials, and possible to test the
claims of the peer that go beyond the immediate evidence.
E.g., the bug finder says the
programmer is incompetent because in the few places he cared
to look there were bugs; there's more money in the bug hunt
coffers; thus, a bug hunter who likes money would continue to
find bugs in other places until he drains the coffers.

It isn't perfect, and of course the community still has to work
hard to keep developers from claiming that no bugs found
with an outstanding prize means it's secure or well-designed.
But as one piece of the puzzle on a small project it is
a) transparent, b) the incentives of the peer line up with one of
the professed aims of the developer, and c) the peer has no
incentive to exploit a developer's hidden desire to confirm
that the software in its current state works as claimed.  (Which
I'm sure all developers have even if they don't want to admit
it.)

-Jonathan