Eric S. Raymond's Blog, page 5

Officiant: “One comes before us today who wishes to become a Sworn Brother. Let him approach.”

Officiant: “Are there two Brothers present who will affirm that the candidate is of sound mind and good character, being aware that the penalty for error in this judgment is expulsion and disgrace?”

Upon hearing affirmations, the officiant continues:

“Very well. Aspirant. Take your firearm in your dominant hand. Raise it in the posture I now demonstrate, and repeat after me. After each line, the assembled Brothers will affirm with one voice.”

My gun protects the weak.

SO MOTE IT BE!

My gun speaks for liberty.

SO MOTE IT BE!

My gun defends myself, my neighbors and my nation.

SO MOTE IT BE!

My gun guards civilization.

SO MOTE IT BE!

With this oath I become a Sworn Brother of the Order of Defenders.

SO MOTE IT BE!

I will defend, and teach others to defend themselves.

SO MOTE IT BE!

I will shoot neither in anger nor haste nor from any sort of intoxication, but in grave knowledge of the consequences.

SO MOTE IT BE!

When a Sworn Brother calls for aid in defending, I will answer.

SO MOTE IT BE!

These things I swear by all I hold sacred.

SO MOTE IT BE!

Following the initiation, all repair to a shooting range for convivial practice.

I wrote the above after thinking about Rudyard Kipling’s Ritual of the Iron Ring for newly-graduated engineers.

Rituals like this exist to express and formalize what is best in us.

The Order of Defenders does not exist. Perhaps it should.

Hi, I’m Joe Biden. I’m the perfect apparatchik – no principles, no convictions, and no plan. I’m senile, and I have a problem with groping children. But vote for me anyway because orange man bad.

Hi, I’m Kamala Harris. My white ancestors owned slaves, but I use the melanin I got from my Indian ancestors to pretend to be black. My own father has publicly rebuked me for the pandering lies I tell. I fellated my way into politics; put me into the White house so I can suck even more!

Hi, I’m Elizabeth Warren. Even though I’m as white as library paste, I pretended to be an American Indian to get preferment. My research on medical bankruptcies was as fraudulent as the way I gamed the racial spoils system. So you should totally trust me when I say I’m “capitalist to my bones”!

Hi, I’m Bernie Sanders. I honeymooned in the Soviet Union. I’m an unreconstructed, hammer-and-sickle-worshiping Communist.

Hi, I’m Kirsten Gillibrand. I used to be what passes for a moderate among Democrats – I even supported gun rights. Now I’ve swung hard left, and will let you just guess whether I ever had any issue convictions or it was just pandering all the way down. Tee-hee!

Hi, I’m Amy Klobuchar, and I’ve demonstrated my grasp on the leadership skills necessarily for the leader of the Free World by being notoriously abusive towards my staff.

Hi, I’m Robert Francis O’Rourke. It’s not actually true that my friends call me Beto, that was fiction invented by a campaign consultant as a play for the Hispanic vote. I’m occupying the “imitate the Kennedy” lane in this race, and my credentials for it include DUI and fleeing an accident scene. The rumors that I’m a furry are false; the rumors that I’m a dimwitted child of privilege are true. But vote for me anyway, crucial white-suburban-female demographic, because I have such a winning smile!

Hi, I’m Pete Buttigieg. I was such a failure as the mayor of South Bend that my own constituents criticize me for having entered this race, but the Acela Corridor press loves me because I’m fashionably gay. And how right they are; any candidate you choose is going to bugger you up the ass eventually, but I’ll do it like an expert!

Hi, I’m Bill de Blasio. I’m as Communist as Bernie, but I hide it better. And if Pete thinks his constituents don’t want him in this race? Hold…my…beer!

Hi, I’m Cory Booker, and I’m totally not gay. OK, maybe I’m just a little gay. My city was a shithole when I was elected and I’ve done nothing to change that; I’m really just an empty suit with a plausible line of patter, especially the “I am Spartacus” part. But you should totally vote for me because I’m…what was the phrase? Oh, yeah. “Clean and articulate.”

Hi, I’m Marianne Williamson. If elected, I will redecorate the White House so it has proper feng shui. I am the sanest and least pretentious person on this stage.

David Gelernter recently wrote an essay on Giving Up Darwin that is not obviously stupid. Dr. Gelernter, in many ways an astute thinker, does not commit obvious stupidities – but I have had to call him out before for allowing himself to be blinded by a hunger for epistemic gaps that fit the shape of religion. Apparently it is, alas, time to do that again.

The central argument of Gelernter’s essay is that random chance is not good enough, even at geologic timescales, to produce the ratchet of escalating complexity we see when we look at living organisms and the fossil record. Most mutations are deleterious and degrade the functioning of the organism; few are useful enough to build on. There hasn’t been enough time for the results we see.

Before getting to that one I want to deal with a subsidiary argument in the essay, that Darwinism is somehow falsified because we don’t observe the the slow and uniform evolution that Darwin posited. But we have actually observed evolution (all the way up to speciation) in bacteria and other organisms with rapid lifespans, and we know the answer to this one.

The rate of evolutionary change varies; it increases when environmental changes increase selective pressures on a species and decreases when their environment is stable. You can watch this happen in a Petri dish, even trigger episodes of rapid evolution in bacteria by introducing novel environmental stressors.

Rate of evolution can also increase when a species enters a new, unexploited environment and promptly radiates into subspecies all expressing slightly different modes of exploitation. Darwin himself spotted this happening among Galapagos finches. An excellent recent book, The 10,000 Year Explosion, observes the same acceleration in humans since the invention of agriculture.

Thus, when we observe punctuated equilibrium (long stretches of stable morphology in species punctuated by rapid changes that are hard to spot in the fossil record) we shouldn’t see this as the kind of ineffable mystery that Gelernter and other opponents of Darwinism want to make of it. Rather, it is a signal about the shape of variability in the adaptive environment – also punctuated.

Even huge punctuation marks like the Cambrian explosion, which Gelernter spends a lot of rhetorical energy trying to make into an insuperable puzzle, fall to this analysis. The fossil record is telling us that something happened at the dawn of the Cambrian that let loose a huge fan of possibilities; adaptive radiation, a period of rapid evolution, promptly followed just as it did for the Galapagos finches.

We don’t know what happened, exactly. It could have been something as simple as the oxygen level in seawater going up. Or maybe there was some key biological invention – better structural material for forming hard body parts with would be one obvious one. Both these things, or several other things, might have happened near enough together in time that the effects can’t be disentangled in the fossil record.

The real point here is that there is nothing special about the Cambrian explosion that demands mechanisms we haven’t observed (not just theorized about, but observed) on much faster timescales. It takes an ignotum per æque ignotum kind of mistake to erect a mystery here, and it’s difficult to imagine a thinker as bright as Dr. Gelernter falling into such a trap…unless he wants to.

But Dr. Gelernter makes an even more basic error when he says “The engine that powers Neo-Darwinian evolution is pure chance and lots of time.” That is wrong, or at any rate leaves out an important co-factor and leads to badly wrong intuitions about the scope of the problem and the timescale required to get the results we see. Down that road one ends up doing silly thought experiments like “How often would a hurricane assemble a 747 from a pile of parts?”

To get a better handle on the problem, it helps to ask the kind of question D’Arcy Thompson did in his monumental 1917 book “On Growth and Form”: why is a hen’s egg round?

The shape of an egg can be neatly described by a parametric equation in three variables, but neither that formula nor those parameters are encoded in the chicken genome. The chicken genome describes a relative simple production rule about the timed release of various egg-component chemicals; that rule doesn’t know anything about the spatial organization of the result.

What happens instead is a dance between the construction steps and the diffusion physics of the chemicals. The egg shape is supplied by the principle of least action. The chicken genome’s recipe captures – incorporates – this physics without actually coding it.

Thus, if you derange the egg-formation recipe with point mutations, the outcomes are limited by the physics. You may abort egg formation entirely, or you may get ellipsoids with differing sizes or shapes. What you won’t get is cubes or Klein bottles. Random variation in the egg-production genome doesn’t produce random variation in the shapes of eggs – it produces sharply constrained variation. The design space that mutations of the recipe are exploring is many orders of magnitude smaller and more continuous than you’d expect from a “pure chance” account.

Gelernter makes a similar mistake when he asks “Starting with 150 links of gibberish, what are the chances that we can mutate our way to a useful new shape of protein?” But this is never a question evolution has to answer. The nearest correct question would be “Starting from 150 links of a protein we know is already selected for usefulness because it’s already expressed in an organism, what are the chances we can mutate to something else useful?”

Again…the physics of van der Waals forces mean that a small change in coding for a protein is likely to produce a small change in its folding. As with eggs, point mutations are highly unlikely to jump a large distance in expressed phenotypic design. And – this is the point – they are thus unlikely to jump far away from a design that is productive for something.

The question Gelernter actually asked is a silly straw man that depends for its apparent force on the reader having no intuitions about the effects of a history of successful adaptation – or of the constraining role of extragenetic natural laws – at all.

Gelernter himself is definitely not stupid or ignorant enough to fall into this kind of error when he’s thinking clearly. From which we can only conclude that, on this subject, he refuses to think clearly.

The sage Confucius was once asked what he would do if he was a governor. He said he would “rectify the names” to make words correspond to reality. He understood what General Semantics teaches; if your linguistic map is sufficiently confused, you will misunderstand the territory. And be readily outmaneuvered by those who are less confused.

And that brings us to the Jeffrey Epstein scandal. In particular, the widespread tagging of Epstein as a pedophile.

No, Richard Epstein is not a pedophile. This is important. If conservatives keep misidentifying him as one, I fear some unfortunate consequences.

Pedophiles desire pre-pubertal children. This is not Epstein’s kink; he quite obviously likes his girls to be as young as possible but fully nubile. The correct term for this is “ephebophile”, and being clear about the distinction matters. I’ll explain why.

The Left has a long history of triggering conservatives into self-discrediting moral panics (“Rock and roll is the devil’s music”). It also has a strong internal contingent that would like to normalize pedophilia. I mean the real thing, not Epstein’s creepy ephebophilia.

Homosexual pedophiles have been biding their time in order to get adult-on-adult homosexuality fully normalized as battlespace prep, but you see a few trial balloons go up occasionally in places like Salon. The last round of this was interrupted by the need to take down Milo Yiannopolous, but the internal logic of left-wing sexual liberationism always demands new ways to freak out the normals, and the pedophiles are more than willing to be next up in satisfying that perpetual demand.

Liberals have proven themselves utterly useless at resisting the liberationist ratchet, so I’m not even bothering to address them. Conservatives, if you want to prevent the next turn, don’t give the pedophilia-normalizers maneuvering room. Rectify the names; make the distinctions that matter.

Epstein’s behavior is repulsive because we judge young postpubertal humans to be too psychologically immature to give adult consent, but it’s nowhere near the evil that is the sexual abuse of prepubertal children.

Part of the problem here is that our terminology for some of the distinctions is multivalent. Sometimes “child” refers to a legal status, sometimes to the developmental stage before sexual maturity, and sometimes to a less well defined stage of psychological development, with further confusion because these don’t happen on the same calendar-year schedule for all individuals.

Epstein recruited girls as young as 14. Yes, really icky and I think it is quite right he was prosecuted for statutory rape. But women that age who are not only nubile but psychologically adult do exist, even if they’re very very rare – in 60 years I think I’ve met exactly one. Alas, women a few years over the nominal age of consent who are still immature enough that they are not really competent to make sexual decisions are rather more common.

Until we have a rectification of names in this area, great care is warranted about who we call a “child”, and where we draw the line between creepily asymmetrical relationships and outright perversion. And this matters above the personal level.

There are real rings of pedophile monsters out there, notably in Hollywood where sexual abuse of child actors has a long and sordid history that has recently begun to resurface. Dammit, conservatives, don’t spend your credibility in an overheated fling at Epstein lest you find you’re out of rhetorical ammunition and allies when the real monsters need to be taken down.

Nobody stepped up to design a Loadsharers logo, so I did it myself. Here it is:

Yeah, I’m not much of a graphic artist, but I can do a semi-competent job of whacking together a simple logo when I need to. If you’re an actual pro and think you can fix this or do better, have at it. The XCF I made this from is in the Loadshaers repository at https://gitlab.com/esr/loadsharers

The only fly in the ointment is that I’m not entirely sure who owns the clipart image of Atlas that I’m using. I found it on some random sludgy “free” clipart website, in two versions: one with a copyright asserted by Can Stock, another inviting download from a site called Dreamlines. But I couldn’t find it by search and eyeball on either site. Email to Can Stock got no response.

I fear the only way I’m going to find out is if I get a Cease and Desist letter. At which point I’ll reply by saying “I tried…and have you got a vector graphics version I can buy the rights to?”

If you are a Loadsharer, feel free to display this proudly on your website, with a link to loadsharers.net. Someday there might be T-shirts.

Instapundit recently linked to an article at the libertarian Reason magazine with a premise I found – considering the authors and the magazine – surprisingly dimwitted. No, a border wall is not necessarily morally equivalent to the Berlin Wall, or anywhere near it. Consider Hadrian’s Wall, or the Great Wall of China. Sometimes there are actual barbarians on the other side of it.

But this does motivate me to try to clarify my own thoughts about libertarianism and immigration. Is there, in fact, any libertarian defense of border and immigration controls?

Let’s dispose of a red herring first. The fact that immigration controls are enforced by a government is not dispositive for at least two reasons. One is that one may be a minarchist libertarian, holding that governments have a legitimate but small and rigidly constrained set of duties including national defense; to the extent that border and immigration controls are construed as national defense, there’s no problem in principle with them. That’s the easy case, which I’m going to ignore for the rest of this essay except to note that I think this is how the founders of the U.S. would have conceived the matter.

Even for anarcho-capitalists like myself, government enforcement of law may be regarded as a historical accident that in itself doesn’t tell us much about which laws arise from the natural rights of individuals. The question to be addressed here is whether any system of law founded on those natural rights could include border controls on a defined territory.

The first question on the way to answering that is what “natural right” could border controls possibly be a defense of? The obvious one is that they might be justified as a form of collective self-defense. If you’ve got a peaceful, prosperous libertopia going, you’d really prefer not to have a bunch of people who haven’t signed on to your social contract walking in. Because you’re likely to have to kill or expel a lot of them in self-defense, and who wants that aggravation? Better to keep them out in the first place, allowing in only those who are willing to contract. Or who are sponsored by a citizen who is willing to post a bond against their behavior for the first N years.

(I’m being vague about how the process of binding oneself to the libertopian social contract works because there are a couple of different theories about that. None of the differences among these theories is relevant to the present essay. I will note that under any of them, “libertopia enforces the law” would cash out to “insurance companies pay security agencies to do it because the alternative is profiting less on those crime-insurance premiums”.)

Generally speaking libertarians don’t have a problem with border controls when the people trying to cross them are organized invaders, or individual criminals. The problem case, related to why immigration has become a hot-button issue in today’s politics, is whether border controls that keep out peaceful immigrants protect any natural right of the libertopians.

Libertarians like to avoid making nebulous ethical claims about groups, so let’s reframe this. J. Random Foreigner shows up at the border of libertopia, claiming he wants to become a member in good standing. What policy should the insurance companies tell their security contractors to have in order to optimize the expected change in payout on their crime-insurance policies?

Notice how this helpfully concretizes the problem. Instead of having abstract arguments about rights, defense of the rights of libertopians is priced into the insurance company’s decisions by people with skin in the game. Notice also that this gives the insurance companies an incentive not only to keep out bad actors, but to let in good ones. Criminals are loss generators; people who genuinely want to join the libertopian social contract, and are capable of doing so, are profit generators.

Let’s start with some obvious extreme cases. The guy has MS-13 tattoos? Nope, nope, nope. Obvious high risk. The guy is wearing Amish plain clothing and has a Pennsylvania Dutch accent? Let him in – those people are famously law-abiding and we can always use good farmers. In both cases one could in the extreme be wrong; Amish guy could be a sociopath and MS-13 guy could have given up gang life. But no rational person would bet on this and the insurance company won’t if it wants to maximize its profits.

Let’s continue by disposing of some obvious objections. Will the insurance companies exclude black- or brown-skinned people? I don’t think so. And if you think so, you’re probably a racist I want nothing to do with.

Why do I say that? Remember, the insurance companies are trying to optimize the effect of immigration on their profits. If you believe that having a black or brown skin is a sufficiently reliable predictor of being a loss generator for the insurance companies to use it, there are only two possibilities. Either you are wrong, in which case you have an irrational fixation about race and should be deeply ashamed of yourself. Or you are right, in which case the entire objection to “racism” as a belief system pretty much vanishes. I think the former is much more likely.

On the other hand, screening for a minimum IQ threshold would make a lot of sense from what we know about the correlation between IQ, time preference, and criminality. Set at any reasonable level, almost all Ashkenazic Jews will pass that screen, while many Australian aborigines and sub-Saharan Africans will fail it. This looks like racism, but isn’t; the only ethical question here is how predictive your tests are of the qualities required for an individual to function as a libertopian.

(Which also disposes of the usual nonsense about cultural bias in IQ tests. Cultural bias is actually part of the point here; you want immigrants who can function, speak your language or at least learn it rapidly, assimilate. A bit of cultural bias in the tests might be a good thing, though I’d myself be inclined to try to tune it out.)

Since you probably don’t want a repeat of the Rotherham/Cologne/Malmo rape-gang atrocities, there are some combinations of age, religion and country of origin that should be a crash landing. Anyone you have good reason to suspect of believing infidel girls are fair game to be “taken with the right hand” (as the Koran puts it) should be turned away. Worst case there’ll be a rape or murder victim, best case somebody will have to shoot him.

The predicate for this isn’t as simple as “Muslim” or even “Muslim male”. The university-educated 40-something Persian engineer I used to have as a downstairs neighbor would have been a good bet; anyone aged 13 to 35 from the back county of Afghanistan or the Tribal Areas of Pakistan, on the other hand…

Now let’s talk about the subtler aspect of the screening problem, which our hypothetical tribesman is a good lead-in to. This is the part I didn’t understand until recently, and why I’m more sympathetic to immigration restrictionists than I used to be.

Libertopia has both tangible and intangible assets. The intangible ones include, for example, the intelligence and pro-social traits of its people. Another is its voluntary consensus about how things ought to be done – and (which is not quite the same thing) the social contract itself. If I am a member of the contract network of security professionals and arbitrators that enforce libertopia’s norms, I’m not going to think my job ends with defending the tangible assets of libertopians. In fact, I’d consider identifying and defending the intangible assets more important, because they’re more fragile.

Again, let’s concretize this. One of the intangible assets I benefit from as an American – and which I would expect libertopia to have – is that in my society, I can usually make handshake deals with strangers and expect them to be honored. I live in a context of what people who study this sort of thing call “high social trust”. (In part because I avoid the places in the U.S. where social trust levels are low.)

This is more important than anyone who has never lived outside a high-trust society really understands. In low-trust societies, you can’t count on anyone outside your family or tribe not to betray an agreement for short-term advantage. Large-scale cooperation is difficult. Rates of crime and violence are high, the law is unreliable, and at the extreme blood feuds are a common way of pursuing disputes.

The sociologist Robert Putnam is now (in)famous for noticing that diversity – whether it’s linguistic, ethno-racial, or religious – erodes social trust. This is why in “diverse” societies people tend to self-segregate into groups of like kind; they want to deal with neighbors whose behavior they can predict. But what Putnam found is that diversity does not merely erode trust across groups; it erodes trust within them as well.

If I’m a citizen of libertopia, one of the things I want defended with my crime-insurance premiums is the high trust level of my society.

This is why my position about immigration policy in the real world is different than it used to be. I started with the usual libertarian disposition in favor of open borders. I also started with – I’m now ashamed to admit – the usual Blue-Tribe presumption that opposition to unrestricted immigration is at best vulgar and plebeian, at worst narrow-minded if not actually racist.

I should have listened more and reflected the class prejudices of my birth SES less. I now understand that the core complaint of the anti-immigration Trump voters isn’t even about illegals low-balling them out of jobs, although that’s certainly a factor. It’s “I want to keep the high level of social trust I grew up with, and I see mass immigration – especially mass illegal immigration – eroding that.” They think the political elites of both parties, and corporations profit-taking in the labor market, are throwing away that intangible asset to plump up a bit more power and profit.

I now think that is a serious – and justified – complaint.

In the short term, the willful denial of this problem by our soi-disant “elites” is probably Donald Trump’s best hope for reelection in 2020. And no, I’m not excluding the booming economy; I think this matters more to his base, even if they have trouble articulating it. And I don’t think that priority is wrong.

In the longer term, what is to be done about it?

I think I’ve already shown that the contingent fact that real-world border controls would have to be enforced by a government is not really a bar to designing them. Americans made choices over generations to build the asset called “high social trust”; the fact that they must now, practically speaking, use government to defend it is no more problematic than are government-enforced laws against theft, rape, and murder. How we transition from the current system to libertopia is an orthogonally different question.

To begin with, I’d have the Border Patrol and ICE do what libertopians would do. Screen by individual merit and by culture of origin, deliberately excluding people from barbaric low-trust milieux, people who don’t speak English, people with seriously subnormal IQs.

Because I think I know what policies are ethically proper for libertopians to do to defend themselves, I think I know what is ethically proper for Americans to do. And it all has to begin with the premise that coming to the U.S. is not a right, it is a privilege you earn from the expectation that adding you will be good for the health and future of America.

For a few years in the 1990s, when PNG was just getting established as a Web image format, I was a developer on the libpng team.

One reason I got involved is that the compression patent on GIFs was a big deal at the time. I had been the maintainer of GIFLIB since 1989; it was on my watch that Marc Andreesen chose that code for use in the first graphics-capable browser in ’94. But I handed that library off to a hacker in Japan who I thought would be less exposed to the vagaries of U.S. IP law. (Years later, after the century had turned and the LZW patents expired, it came back to me.)

Then, sometime within a few years of 1996, I happened to read the PNG standard, and thought the design of the format was very elegant. So I started submitting patches to libpng and ended up writing the support for six of the minor chunk types, as well as implementing the high-level interface to the library that’s now in general use.

As part of my work on PNG, I volunteered to clean up some code that Greg Roelofs had been maintaining and package it for release. This was “gif2png” and it was more or less the project’s official GIF converter.

(Not to be confused, though, with the GIFLIB tools that convert to and from various other graphics formats, which I also maintain. Those had a different origin, and were like libgif itself rather better code.)

gif2pngs’s role then was more important than it later became. ImageMagick already existed, but not in anything like its current form; GIMP had barely launched, and the idea of a universal image converter hadn’t really taken hold yet. The utilities I ship with GIFLIB also had an importance then that they would later lose as ImageMagick’s “convert” became the tool everyone learned to reach for by reflex.

It has to be said that gif2png wasn’t very good code by today’s standards. It had started life in 1995 as a dorm-room project written in journeyman C, with a degree of carelessness about type discipline and bounds checking that was still normal in C code of the time. Neither Greg nor I gave it the thorough rewrite it perhaps should have gotten because, after all, it worked on every well-formed GIF we ever threw at it. And we had larger problems to tackle.

Still, having taken responsibility for it in ’99. I kept it maintained even as it was steadily decreasing in importance. ImageMagick convert(1) had taken over; I got zero bug reports or RFEs for six years between 2003 and 2009.

I did some minor updating in 2010, but more out of completism than anything else; I was convinced that the user constituency for the tool was gone. And that was fine with me – convert(1) had more eyes on it and was almost certainly better code. So gif2png fell to near the bottom of my priority list and stayed there.

A few years after that, fuzzer attacks on programs started to become a serious thing. I got one against GIFLIB, which was issued a CVE and I took very seriously – rogue code execution in a ubiquitous service library is baaaad. A couple of others in GIFLIB’s associated utility programs, which I took much less seriously as I wasn’t convinced anyone still used them at all. You’re going to exploit these…how?

And, recently, two segfaults in gif2png. Which was absolutely at the bottom of my list of security concerns. Standalone program, designed to be used in input files you trust to be reasonably close to well-formed GIFs (there was a ‘recover’ option that could salvage certain malformed ones if you were very lucky). Next to no userbase since around 2003. Again, you’re going to exploit this…how?

Now, I’m no infosec specialist, but there is real-world evidence that I know how to get my priorities right. I’ve led the the NTPsec project for nearly five years now, reworking its code so thoroughly that its size has shrunk by a factor of 4. NTP implementations are a prime attack target because the pre-NTPsec reference version used to be so easy to subvert. And you know what the count of CVEs against our code (as opposed to what we inherited) is?

Zero. Zip. Zilch. Nobody has busted my code or my team’s. Despite half the world’s academics and security auditors running attacks on it. Furthermore, we have a record of generally having plugged about four out of five CVEs in the legacy code by the time they’re issued.

That’s how the security of my code looks when I think it’s worth the effort. For libgif I’ll spend that effort willingly. For the GIFLIB tools around it, less willingly. But for gif2png, that seemed pointless. I was tired of spending effort to deal with the 47,000th CS student thinking “I know! I’ll run a fuzzer on !” and thinking a crash was a big deal when the program was a superannuated standalone GIF filter that hasn’t seen any serious use since J. Random Student was in diapers.

So two days ago I marked two crashes on malformed input in gif2png won’t-fix, put in in a segfault handler so it would die gracefully no matter what shit you shoved at it, and shipped it…

…only to hear a few ours later, from my friend Perry Metzger, that there was a shitstorm going down on Twitter about how shockingly incompetent this was.

Really? They really thought this program was an attack target, and that you could accomplish anything by running rogue code from inside it?

Narrator voice: No, they didn’t. There are some people for whom any excuse to howl and fling feces will do.

A similar bug in libgif or NTPsec would have been a serious matter. But I’m pretty good at not allowing serious bugs to happen in those. In a quarter century of writing critical service code my CVE count is, I think, two (one long ago in fetchmail) with zero exploits in the wild.

This? This ain’t nothin’. Perry did propose a wildly unlikely scenario in which the gif2png binary somehow got wedged in the middle of somebody’s web framework on a server and allowed to see ill-formed input, allowing a remote exploit, but I don’t believe it.

Alas, if I’ve learned anything about living on the modern Internet it’s that arguing that sort of point with the howler monkeys on Twitter is a waste of time. (Actually, arguing anything with the howler monkeys on Twitter is a waste of time.) Besides, the code may not be an actual security hazard, but it has been kind of embarrassing to drag around ever since I picked it up.

So, rather than patch the C and deal with yet another round of meaningless fuzzer bugs in the future, I’ve rewritten it in Go. Here it is, and now that it’s in a type-safe language with access bounds checking I don’t ever have to worry about that class of problem again.

One good thing may come of this episode (other than lifting code out of C, which is always a plus). I notice that the GIF and PNG libraries in Go are, while serviceable for basic tasks, rather limited. You can convert with them, but you can’t do lossless editing with them. Neither one deserializes the entire ontology of its file format.

As the maintainer of GIFLIB and a past libpng core developer, I don’t know where I’d find a better-qualified person to fix this than me. So now on my to-do list, though not at high priority: push some patches upstream to improve these libraries.

I can walk again.

Wearing a joint-immobilizing boot brace, so I lurch around with a gait even more graceless than my usual palsied semi-stumble, but I can walk. And shower. And make my own breakfast. Hallelujah!

Better news: my prognosis is good. The joint had osteoarthritic damage that may be trouble down the road, but I’ve been osteoathritic in both feet for years now without symptoms. The big good news is that the joint cartilage wasn’t damaged, so I should get full use of the ankle back.

Boot brace for three weeks, physical therapy to strengthen the ankle after that. I won’t be back in kung-fu class for a while. Still, the medical level of this saga is going as well as could be expected.

The financial level, not so much, We got socked with a surgery bill of $2,238 today. Followup and PT…I don’t know what that will cost,but it won’t be cheap.

What’s worse, healthcare.gov chose this perfect time to yank our ACA subsidy because we can’t document the regular income streams. Of course we can’t document them because we don’t have them. Which means we have to pay another $2000 to keep our existing coverage for just the next month, and the bureaucrats have told us to apply for Medicaid. Which we may not be able to get before open enrollment in January.

This means the amount of money I need to pull in without burning savings just went up by $2000 a month. Which is doing a good job of keeping me focused on getting Loadsharers off the ground. If it does well, I’ll do well, and have successfully attacked the larger problem of LBIP funding.

There’s going to be a Linux Journal article, and at least one technology-press interview. I’ve even (gasp!) tweeted about this, something that happens approximately once every other blue moon.

I have a list of 11 people who have taken the pledge. I think we need around 11,000 (mostly supporting LBIPs other than me) to make a real dent in the problem. So please, go out and prosyletize to your tech-industry friends, and ask them to spread the word. We need this to go viral.

At the end of my last post I said I was wandering off to think about scalable, low-overhead recommendation systems.

It’s funny how preconceptions work. I know, I think better than most people, how often decentralizing systems to avoid single points of failure is good engineering. Yet I had to really struggle with myself to jettison the habits of thought that said “If you want to use money to help people, you’re going to have to build a centralized, heavyweight structure around the management of that task.”

But struggle I did. Because I’d already tried that, and failed.

I also had to get past the idea that identifying good funding targets can be crowdsourced. Nope. Identifying candidates and digging up information on them can be, but actually evaluating merit and centrality will take knowledge most contributors not only lack but have no strong reason to try to acquire.

Once I got my head clear, this is what came out:

http://www.catb.org/esr/loadsharers

The basic trick here is piggybacking not just on the payment transfer capacity of remittance systems but on their patron/client communications channels as well. That way Loadsharers doesn’t need to manage anything itself other a handful of adviser web pages and a bunch of trust relationships.

Also notice the implications of how I designed the Adviser role. By the time we have a half-dozen or so advisers I won’t be key man anymore. That’s intentional.

I also like the fact that there will, in effect, be a (mildly) competitive market in adviser skill, with loadsharer contributors tending to gravitate to advisers who exhibit activity and diligence. That’s intentional too.

I just finished giving a talk – by remote video – at South East Linux Fest, about the Load-Bearing Internet Person problem.

An LBIP is a person who maintains the software for a critical Internet service or library, and has to do it without organizational support or a budget backing him up.

That second part is key. Some maintainers for critical software operate from a niche at a university or a government agency that supports their effort. There might be a few who are independently wealthy. Those people aren’t LBIPs, because the kind of load I’m talking about isn’t technical challenge. It’s the stress of knowing that you are it and you are alone, the world out there has no idea what a crapstorm it would be if you failed at your self-imposed duty, and goddammit why doesn’t anybody care?

LBIPs happen because some of the most critical services can’t be monetized. How do you put a meter on DNS? Or time synchronization? Or having a set of ubiquitous and reliable crypto libraries? Where there’s no profit stream, markets are not going to directly solve this problem.

I know at least two LBIPs whose health has broken under that strain – Dave Taht and Harlan Stenn. Me, I’m still generally healthy, but my recent medical issues have re-focused my mind on the LBIP problem.

I spent seven years trying to solve this problem by founding an organization to collect funds from sponsors and distribute them to LBIPs. That was the Internet Civil Engineering Institute. It shut down late last month because, as it turns out, recruiting people who are both willing and entirely competent to run an organization like that is really difficult. I failed at it.

(I’ve designed and founded two nonprofits that survived my departure and are still on mission, one 17 years on and the other 26 years on. I’m actually good at that game, but ICEI failed anyway. Possibly someone smarter or more streetwise than me could have made ICEI work, but given my previous track record of success I don’t think that would be a smart bet.)

What I said at SELF was this: centralized attacks on the LBIP problem have failed, so we need a decentralized, distributed one. Services like Patreon, recurring PayPal remittences, and SubscribeStar give us the technology to do that. What we need to add is consciousness about the problem and some social engineering.

Here’s the challenge I put to the audience there: If you have a good paying job, earmark $30 a month – the equivalent of a moderately-priced restaurant meal. Identify three LBIPs. Remit them $10 a month.

Then go to every gainfully employed programmer you know and explain to them why they should do the same thing, and also further spread the word.

The fanout is important. One of the failure modes we want to avoid is for all that support to go to a handful of highly visible hackers like, er, me. There are lots of LBIPs working in obscurity; we need to solve this problem at scale, not just for a few prominent figures.

The SELF audience liked this idea – and then somebody raised the question I should have expected: “How can we know who to fund?”

Sorely tempted as I was to say “There’s always me…”, I didn’t. That would have been a humorous answer of the funny-because-it’s-true kind, but the discovery problem is a serious one. Several other questioners chewed on various possibilities. I ended up saying I would try to jump-start a discovery process on my blog by collecting a list of LBIPs.

That’s not going to be a solution that scales well, though. We’ll have to feel our way to a better one; I have some ideas which I’ll develop in future posts.

I do have a name for the effort – thought it up a few minutes ago. Loadsharers. We need to work out how to be effective loadsharers.

For now, my comments are open. Please check in if you (a) want to take the loadsharer pledge – $30 in 2019 dollars to one, two, or three LBIPs every month (ideally three), or (b) have an LBIP to recommend.

I will curate a list of LBIPs I think are worthy. I should not be the only person doing this. Eventually we’ll set up a recommender system and a way for LBIPs to declare funding goals. Mumble web of trust? Something like that should be doable.

Please do not wander off into trying to design a better mediation/discovery system in this comment thread (yeah, I know my audience). Save that for my post on that topic, coming soon.

As final and obvious point: yes, I think I’m a worthy LBIP, go ahead and do that $10 thing at me, initially. (Note to self: create a “Loadsharers” tier.) But I have a relatively low monthly figure that I consider “enough”; above that, I’d really rather the money went to other people.

So don’t be surprised if, a few weeks down the road, you get a patron notice from me saying “Enough! Roll a D6 and if it comes up 5 or 6, drop me and go fund someone else.”

/me wanders off to think about scalable, low-overhead recommendation systems…