33 Matching Annotations
  1. Sep 2023
  2. Jul 2023
    1. most of what we do when we look at power is we say, "This person is bad, let's get them out." And then we end up with another bad person a few minutes later or a few months later. And as a result of that, we end up replicating the exact same problems over and over and over.
      • we look at a bad person
      • try to get rid of him/her
      • when we do, another bad person ends up in the role
      • this is because we are treating the symptom, not the root cause
    2. And so when we have this simplistic view of power, we're missing the story. What you really need is a system that attracts the right kind of people so that the diplomats who are clean and nice and rule-following end up in power. Then you need a system that gives them all the right incentives to follow the rules once they get there. And then if you do have people who break the rules, there needs to be consequences. So the study from UN diplomats and their parking behavior actually, I think, illuminates a huge amount of very interesting dynamics around power,
      • how to create a system that mitigates abuse, based on the UN diplomat parking example
        • create a system that attracts the right kind of people so that the people who are clean and nice and rule-following end up in power.
        • Give them all the right incentives to follow the rules once they get there.
        • If you do have people who break the rules, there needs to be consequences.
    3. the reason I focus on the system so much is not just because it's something that's so important, it is, but also because it's the most straightforward thing to change. Trying to change a psychopath or trying to change a bad leader is hard.
      • key insight
        • changing a psychopath is hard
        • changing a system that produces the psychopath is easier
    4. systems make an enormous difference. Systems make a difference on a few levels. The first is that rotten systems attract rotten people.
      • key finding
        • rotten systems attract rotten people
        • good systems attract good people
    5. if we want to end up with a world that is shaped by the best of us, rather than very often the worst of us, we have to think carefully, we have to engineer a system.
      • key insight
      • quote
        • if we want to end up with a world that is shaped by the best of us, rather than very often the worst of us,
          • we have to think carefully, we have to engineer a system.
          • think of the worst person for the job position you are hiring for
          • design the system to
            • screen that person out
            • if they do manage to get in, have oversight that can eliminate them from the post
            • have a system in place that looks upwards to the top position to scrutinize them and hold them accountable
    6. when we design systems in an intelligent way, we can screen out and topple the Martin McFifes of this world.
      • key strategy
        • design system to screen out power hungry people
  3. Jun 2023
  4. Mar 2023
  5. Dec 2022
  6. Feb 2022
  7. May 2021
  8. Apr 2021
    1. To prevent race conditions and deadlocks, we highly recommend that each of the communication channels is serviced on a separate thread that maintains its own client buffer state and messaging queue inside your application. Servicing all of the pseudoconsole activities on the same thread may result in a deadlock where one of the communications buffers is filled and waiting for your action while you attempt to dispatch a blocking request on another channel.
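      The deadlock the quote describes, as an added example that is not code from the pseudoconsole documentation. The console's buffered channels are stood in for by an ordinary child process with a stdout and a stderr pipe; the child floods stderr far past the kernel pipe buffer before it writes anything to stdout, so a parent that services stdout first waits for bytes that never come while the child waits for stderr to be drained. One reader thread with its own buffer per channel breaks the circular wait. The child script and the 8 MiB flood size are constructed for the demonstration.

```python
"""Service each child-process pipe on its own thread (added example)."""
import subprocess
import sys
import threading

# Constructed child program: 8 MiB to stderr (pipe buffers are 64 KiB on
# Linux and a few KiB elsewhere), then a single line on stdout.
FLOOD = 1 << 23
CHILD_SCRIPT = (
    "import sys\n"
    f"sys.stderr.write('x' * {FLOOD}); sys.stderr.flush()\n"
    "sys.stdout.write('done\\n'); sys.stdout.flush()\n"
)


def spawn():
    return subprocess.Popen(
        [sys.executable, "-c", CHILD_SCRIPT],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )


def drain(stream, sink):
    """Read one channel to EOF into its own buffer; one thread per channel."""
    for chunk in iter(lambda: stream.read(65536), b""):
        sink.append(chunk)
    stream.close()


def run_sequential(timeout=3.0):
    """The deadlock-prone pattern: read stdout to EOF first, then stderr.

    Returns None when the parent is still blocked after `timeout` seconds,
    which is what happens here: the child never reaches its stdout write
    because it is blocked on a full stderr pipe nobody is reading.
    """
    proc = spawn()
    out = []
    reader = threading.Thread(target=drain, args=(proc.stdout, out), daemon=True)
    reader.start()
    reader.join(timeout)
    if reader.is_alive():  # still blocked on stdout: circular wait
        proc.kill()
        proc.wait()
        proc.stderr.close()
        return None
    err = proc.stderr.read()
    proc.stderr.close()
    proc.wait()
    return b"".join(out), len(err)


def run_threaded(timeout=60.0):
    """One reader thread per channel, each with its own buffer: no deadlock."""
    proc = spawn()
    out, err = [], []
    readers = [
        threading.Thread(target=drain, args=(proc.stdout, out), daemon=True),
        threading.Thread(target=drain, args=(proc.stderr, err), daemon=True),
    ]
    for t in readers:
        t.start()
    for t in readers:
        t.join(timeout)
    return proc.wait(timeout), b"".join(out), sum(len(c) for c in err)


if __name__ == "__main__":
    print("sequential:", run_sequential())  # None: deadlocked, child killed
    print("threaded:  ", run_threaded())    # (0, b'done\n', 8388608)
```

      The same shape applies to a pseudoconsole's input and output handles: the thread that writes input must never be the thread whose read of the output pipe keeps the console from making progress.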
  9. Mar 2021
  10. Jan 2021
    1. Group Rules from the Admins
       1. NO POSTING LINKS INSIDE OF POST - FOR ANY REASON. We've seen way too many groups become a glorified classified ad & members don't like that. We don't want the quality of our group negatively impacted because of endless links everywhere. NO LINKS
       2. NO POST FROM FAN PAGES / ARTICLES / VIDEO LINKS. Our mission is to cultivate the highest quality content inside the group. If we allowed videos, fan page shares, & outside websites, our group would turn into spam fest. Original written content only
       3. NO SELF PROMOTION, RECRUITING, OR DM SPAMMING. Members love our group because it's SAFE. We are very strict on banning members who blatantly self promote their product or services in the group OR secretly private message members to recruit them.
       4. NO POSTING OR UPLOADING VIDEOS OF ANY KIND. To protect the quality of our group & prevent members from being solicited products & services - we don't allow any videos because we can't monitor what's being said word for word. Written post only.

      Wow, that's strict.

  11. Oct 2020
    1. A while ago we put a system in place to monitor our servers for abusive request patterns and send 503 Service Unavailable responses with custom text depending on the nature of the abuse. Our hope was that the authors of misbehaving software and the administrators of sites who deployed it would notice these errors and make the necessary fixes to the software responsible.
    2. Take responsibility for your outgoing network traffic. If you install software that interacts with other sites over the network, you should be aware how it works and what kind of traffic it generates. If it has the potential to make thousands of requests to other sites, make sure it uses an HTTP cache to prevent inflicting abuse on other sites.
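      What "uses an HTTP cache" means for a polling client, as an added example that is not code from the post quoted above. It reuses a response while Cache-Control: max-age says it is fresh, revalidates with If-None-Match once it is stale so the origin can answer 304 without a body, honours a 429/503 Retry-After instead of retrying at once (the custom 503 the first quote describes), and identifies itself with a descriptive User-Agent. The origin is a constructed in-process fake and the transport function is injected, so nothing touches the network; the User-Agent string and URL are placeholders.

```python
"""A minimal HTTP cache for a client that polls other sites (added example)."""
import re
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    body: bytes
    etag: Optional[str]
    max_age: float
    expires_at: float


def parse_max_age(headers, default=0.0):
    m = re.search(r"max-age=(\d+)", headers.get("Cache-Control", ""))
    return float(m.group(1)) if m else default


class CachingClient:
    def __init__(self, transport, clock=time.monotonic,
                 user_agent="example-poller/1.0 (+https://example.invalid/bot)"):
        # transport(method, url, headers) -> (status, headers, body); injected so
        # the example runs offline. user_agent is an assumed placeholder name.
        self.transport = transport
        self.clock = clock
        self.user_agent = user_agent
        self.cache = {}        # url -> Entry
        self.retry_after = {}  # url -> earliest time we may ask the origin again

    def fetch(self, url):
        """Return (body, source); source is cache, revalidated, origin or backoff."""
        now = self.clock()
        entry = self.cache.get(url)
        if entry and now < entry.expires_at:
            return entry.body, "cache"
        if now < self.retry_after.get(url, 0.0):
            # The origin told us to go away: serve stale data rather than hammer it.
            return (entry.body if entry else None), "backoff"
        headers = {"User-Agent": self.user_agent}
        if entry and entry.etag:
            headers["If-None-Match"] = entry.etag  # conditional request
        status, rh, body = self.transport("GET", url, headers)
        if status == 304 and entry:
            entry.max_age = parse_max_age(rh, entry.max_age)
            entry.expires_at = now + entry.max_age
            return entry.body, "revalidated"
        if status in (429, 503):
            self.retry_after[url] = now + float(rh.get("Retry-After", "60"))
            return (entry.body if entry else None), "backoff"
        if status == 200:
            max_age = parse_max_age(rh)
            self.cache[url] = Entry(body, rh.get("ETag"), max_age, now + max_age)
            return body, "origin"
        raise RuntimeError(f"unexpected status {status}")


def make_fake_origin(max_age=60):
    """Constructed origin: counts hits, answers 304 to a matching ETag, and can
    be flipped into overloaded mode to return 503 plus Retry-After."""
    state = {"hits": 0, "etag": '"v1"', "body": b"payload v1", "overloaded": False}

    def transport(method, url, headers):
        state["hits"] += 1
        if state["overloaded"]:
            return 503, {"Retry-After": "120"}, b"abusive request pattern; back off"
        if headers.get("If-None-Match") == state["etag"]:
            return 304, {"Cache-Control": f"max-age={max_age}"}, b""
        return 200, {"Cache-Control": f"max-age={max_age}", "ETag": state["etag"]}, state["body"]

    return transport, state


if __name__ == "__main__":
    clock = [0.0]
    transport, origin = make_fake_origin()
    client = CachingClient(transport, clock=lambda: clock[0])
    for t in (0.0, 30.0, 61.0, 100.0):
        clock[0] = t
        print(t, client.fetch("https://example.invalid/feed"), "origin hits:", origin["hits"])
```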
    1. Another thing you can do is to add pain to the second part of it. Attackers want the list of valid usernames, so they can then try to guess or brute force the password. You can put protections in place with that as well, whether they are lockouts or multi-factor authentication, so even if they have a valid username, it's much harder to gain access.
    1. Customizable mitigation policies provide multiple response options including block, rate limit, geo fence, or deception. Using deception allows you to send a custom response to the attacker, effectively putting guardrails around their activities.
  12. Jun 2020
    1. Google’s novel response has been to compare each app to its peers, identifying those that seem to be asking for more than they should, and alerting developers when that’s the case. In its update today, Google says “we aim to help developers boost the trust of their users—we surface a message to developers when we think their app is asking for a permission that is likely unnecessary.”
  13. May 2020
    1. Website administrators then get access to their visitors’ risk scores and can decide how to handle them: For instance, if a user with a high risk score attempts to log in, the website can set rules to ask them to enter additional verification information through two-factor authentication. As Khormaee put it, the “worst case is we have a little inconvenience for legitimate users, but if there is an adversary, we prevent your account from being stolen.”
  14. Apr 2020
    1. Since the authenticity token is stored in the session, the client cannot know its value. This prevents people from submitting forms to a Rails app without viewing the form within that app itself. Imagine that you are using service A, you logged into the service and everything is ok. Now imagine that you went to use service B, and you saw a picture you like, and pressed on the picture to view a larger size of it. Now, if some evil code was there at service B, it might send a request to service A (which you are logged into), and ask to delete your account, by sending a request to http://serviceA.com/close_account. This is what is known as CSRF (Cross Site Request Forgery). If service A is using authenticity tokens, this attack vector is no longer applicable, since the request from service B would not contain the correct authenticity token, and will not be allowed to continue.
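      The session-bound (synchronizer) token the quote describes, as an added example in Python rather than Rails' own implementation. The secret lives only in the server-side session; each rendered form gets a masked copy (XOR with a fresh one-time pad, the scheme Rails adopted in 4.2 so the token bytes differ per response and cannot be recovered through compression side channels such as BREACH); a state-changing request is accepted only if the submitted value unmasks to the session secret. A page on another origin (service B in the quote) can fire the request but cannot read the token, so its submission fails. The session dict, form field name and status codes are assumptions for the demonstration.

```python
"""Session-bound CSRF tokens with per-response masking (added example)."""
import base64
import hmac
import secrets

TOKEN_LEN = 32
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def session_token(session):
    """Return the session's secret token, creating it on first use.
    It is never sent to the browser in this form."""
    tok = session.get("_csrf_token")
    if tok is None:
        tok = secrets.token_bytes(TOKEN_LEN)
        session["_csrf_token"] = tok
    return tok


def masked_token(session):
    """Value to embed in a form: fresh pad || (pad XOR secret), base64."""
    real = session_token(session)
    pad = secrets.token_bytes(TOKEN_LEN)
    masked = bytes(a ^ b for a, b in zip(pad, real))
    return base64.urlsafe_b64encode(pad + masked).decode()


def verify_token(session, submitted):
    """Unmask the submitted value and compare it to the session secret in constant time."""
    secret = session.get("_csrf_token")
    if secret is None or not submitted:
        return False
    try:
        raw = base64.urlsafe_b64decode(submitted)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) != 2 * TOKEN_LEN:
        return False
    pad, masked = raw[:TOKEN_LEN], raw[TOKEN_LEN:]
    unmasked = bytes(a ^ b for a, b in zip(pad, masked))
    return hmac.compare_digest(unmasked, secret)


def handle_request(session, method, form):
    """Front door of a hypothetical controller: safe methods pass, unsafe
    methods need a valid token. Rails raises InvalidAuthenticityToken here."""
    if method not in UNSAFE_METHODS:
        return 200
    if not verify_token(session, form.get("authenticity_token")):
        return 422
    return 200


def demo():
    """The scenario from the quote: user is logged in at service A, service B forges a request."""
    session_a = {}
    form_token = masked_token(session_a)  # rendered into A's own close_account form
    return {
        "same_site": handle_request(session_a, "POST", {"authenticity_token": form_token}),
        "cross_site_no_token": handle_request(session_a, "POST", {}),
        "cross_site_guess": handle_request(session_a, "POST",
                                           {"authenticity_token": masked_token({})}),
        "get": handle_request(session_a, "GET", {}),
    }


if __name__ == "__main__":
    print(demo())  # {'same_site': 200, 'cross_site_no_token': 422, 'cross_site_guess': 422, 'get': 200}
```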
    1. Browser fingerprinting is quite a powerful method of tracking users around the Internet. There are some defensive measures that can be taken with existing browsers, but none of them are ideal. In practice, the most realistic protection is using the Tor Browser, which has put a lot of effort into reducing browser fingerprintability. For day-to-day use, the best options are to run tools like Privacy Badger or Disconnect that will block some (but unfortunately not all) of the domains that try to perform fingerprinting, and/or to use a tool like NoScript for Firefox, which greatly reduces the amount of data available to fingerprinters.
    1. Anti-automation on the form where a key can be requested is one thing, stopping someone from manually registering, say, 20 of them with different email addresses and massively amplifying their request rate is quite another.
    2. I got way too many emails from people about API requests being blocked to respond to. Often this was due to simply not meeting the API requirements, for example providing a descriptive UA string. Other times it was because they were on the same network as abusive users. There were also those who simply smashed through the rate limit too quickly and got themselves banned for a day. Other times, there were genuine API users in that West African country who found themselves unable to use the service. I was constantly balancing the desire to make the API easily accessible whilst simultaneously trying to ensure it wasn't taken advantage of.
    3. Combating Abuse with Firewall Rules
    4. Make more than 40 requests in a minute and you're in the naughty corner for a day. Only thing is, that's IP-based and per the earlier section on abusive patterns, actors with large numbers of IP addresses can largely circumvent this approach. It's still a fantastic turn-key solution that seriously raises the bar for anyone wanting to get around it, but someone determined enough will find a way.
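      The rule the post describes and the hole it admits, as an added example; this is not the Cloudflare firewall rule itself (that is configured, not coded) but the same logic: more than 40 requests in a minute puts a key in the naughty corner for a day. The request streams are constructed. simulate() shows the limit catching one address, then the circumvention from the earlier quotes: the same volume spread over several addresses never trips an IP-keyed limit, which is why a second key (API key, account) alongside the IP is what makes the 20-keys-from-20-mailboxes trick visible.

```python
"""Per-key sliding-window rate limit with a one-day ban (added example)."""
from collections import deque

LIMIT = 40       # requests allowed per window
WINDOW = 60.0    # seconds
BAN = 86400.0    # a day in the naughty corner


class RateLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW, ban=BAN):
        self.limit, self.window, self.ban = limit, window, ban
        self.hits = {}          # key -> deque of timestamps inside the window
        self.banned_until = {}  # key -> time the ban lifts

    def allow(self, key, now):
        """Return True if the request keyed by `key` (IP, API key, ...) may proceed."""
        if now < self.banned_until.get(key, 0.0):
            return False
        dq = self.hits.setdefault(key, deque())
        while dq and dq[0] <= now - self.window:  # slide the window forward
            dq.popleft()
        if len(dq) >= self.limit:                 # the 41st request in a minute
            self.banned_until[key] = now + self.ban
            dq.clear()
            return False
        dq.append(now)
        return True


def simulate(requests, limiter=None):
    """requests: iterable of (timestamp, key). Returns (allowed, blocked, banned keys)."""
    limiter = limiter or RateLimiter()
    allowed = blocked = 0
    for t, key in requests:
        if limiter.allow(key, t):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked, sorted(limiter.banned_until)


# Constructed traffic: one address making 45 requests in 45 seconds ...
SINGLE_IP = [(float(i), "203.0.113.7") for i in range(45)]
# ... and 150 requests inside one minute spread over five addresses, 30 each.
SPREAD = [(i * 0.4, f"198.51.100.{1 + i % 5}") for i in range(150)]
# The same 150 requests keyed by the API key they all carry (assumed value).
SPREAD_BY_KEY = [(t, "apikey:7f3a") for t, _ in SPREAD]


if __name__ == "__main__":
    print("single IP  :", simulate(SINGLE_IP))     # (40, 5, ['203.0.113.7'])
    print("spread IPs :", simulate(SPREAD))        # (150, 0, [])
    print("by API key :", simulate(SPREAD_BY_KEY)) # (40, 110, ['apikey:7f3a'])
```

      Keying the same limiter by IP and by API key in parallel costs one more dictionary and closes the single-IP gap for authenticated traffic; unauthenticated traffic from many addresses still needs the anti-automation measures the first quote mentions.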
  15. Nov 2019
    1. Threads are closed to new comments after two weeks, or if the submission has been killed by software, moderators, or user flags.