The US military wants to understand the most important software on Earth (MIT Technology Review)

In 2019, the US Air Force announced that it had just figured out how to launch a nuclear missile without using 8-inch floppy disks. My assumption, therefore, is that the word "understand" in the headline is, perhaps, an exaggeration, and the Pentagon actually just wants to verify that their dependencies are not full of random crap. Which is a legitimate concern, because everyone's dependencies seem to be full of random crap these days. They're couching it in terms of "threats" because that is how you get the US military to sit up and pay attention to you, not necessarily because they actually plan to put individual humans on a list or anything of that nature. I'm also rather skeptical that they'll get anything useful out of their buzzword bingo of machine learning keywords, but at least it's slightly less dumb than web3.

Source: https://www.nytimes.com/2019/10/24/us/nuclear-weapons-flo...

Well at least the article stops short of accusing everyone of being closet commie bastards. Who on earth allowed that piece of tripe to worm its way out from the 1950s and rewrite itself in 2020s terms?

When you see that sort of nonsense coming out of a well respected org such as MIT as a puff piece then you know that you had better avoid being "undesirable" and start being a better person. This bloke: https://www.technologyreview.com/author/patrick-howell-on... is one role model for you who can trot out this sort of drivell without whincing.

I understand that one must dumb down somewhat when communicating with the hoi polloi and other generally unwashed types but this is an article that clearly explains to children that we can't trust open source code because we can read it at any time. You can't blindly go around trusting something you can delve into and review yourself. You should allow adults to do that for you.

I'm acutely aware of many of the flaws that turn up in FLOSS - I follow dozens of bugzillas etc and mailing lists that exhaustively discuss how to deliver next month's bugs effectively and on schedule. I have some insights into the sheer effort that say jra goes to to screw up my Samba experience or some of you lot do with delivering Linux and that corbet bloke and his dodgy website.

I also get to tread the Patch Wednesday (yes weds not tues - "let he who is without fear ...") treadmill with absolutely no idea what is going on but I do it anyway: yay - CVEs with serious sounding flaws and some jolly exciting write ups but I can't look at the code - its a bloody cargo cult thing. Getting to the bottom of some of the weirder corners of Windows is quite a challenge - for example: AdminSdHolder - who knew, until you knew! What a load of cobblers.

https://techcommunity.microsoft.com/t5/ask-the-directory-... - Why would you? That's wankery in action - We've bodged a solution/papered over some cracks and expect you to do some weird shit. Soz/lol, that's the thing you engage when you do things like create a service account that can only change passwords without being a domain admin. You fiddle with perms on a LDAP container object to give rights to a user type object and ADUC can't do that sort of thing (lol).

Anyway, I doubt that the US military hasn't noticed where their software is coming from nor how it is written.

I didn't read the article yet, but I don't agree at all. I think your sentiment is true for most code, but there is also some very important code where it isn't true.

https://en.wikipedia.org/wiki/ICBM_address maybe? [Which in turn looks like a straight copy from the Jargon File entry].

> Likewise, from today's Security quote of the week:

> > Detecting hate speech is a good proxy for terrorist radicalisation. In 2018, we thought we could detect hate speech with a precision of typically 92%, which would mean a false-alarm rate of 8%.

The follow-on to that is good, though ...

In 2022, now we understand the problem better, our ability to detect hate speech has gone DOWN...

Cheers,
Wol

8% false-alarm (false positives) rate is... huge for such a small target.

A napkin math: if you have 1M participants, 100 participants are terrorists, and the test has 0% false negatives, then this test would drag in 100 real terrorists and 79992 falsely accused ones.

> Both quotes immediately triggered my "Snake oil" alarm.

Not half. The term "sentiment analysis" is causing my left eye to twitch and a vein to throb. I may go postal soon 8)

Or the people who like to nybble on their bytes from the big end or the little end.

Those preincrementing variables in for loop are very suspicious.

Tabs - spaces
vim - emacs
CLI - GUI
sysvinit - systemd
case-sensitive FS - case-insensitive FS
Dark mode - bright mode

You name it, clearly hate speech and terrorists everywhere. There is a lot of intel for the military to gain.

I personally like it, and feel it is accurate and clear - which is one of the things I love about LWN. I'm a fan of returning the "Defense Department" to the "War Department", and I like clear, non-DoubleSpeak language. "The US War Department's Research Division" would perhaps be even better. :)

What is surprising is how propagandized the US and its allies are, in that we can accept DoubleSpeak almost everywhere.

DARPA is the source of many important technological innovations, no doubt. As a taxpayer, I'd prefer that we just fund the research, and the funds not have to go through the military.

And I like it when the press shows a dedication to clarity and accuracy, which is very rare today. And this is one reason I support LWN.

> I'm reminded of the UMN debacle, as one particularly ham-handed example of how *NOT* to go about designing an experiment to answer the question...

Well it's much easier if your final goal is to actually add vulnerabilities, not publish a research paper on how it can be done. People who did the former simply did not talk about it and the vulnerabilities they added are still there. If they get caught at some later point they'll just say "oops! Sorry"; C makes deniability very easy.

I've seen a lot of comments like this one about the experiment = blaming the messenger. Even when correct, neither interesting nor relevant. I haven't read much about actual security gaps in the kernel processes. I hope I missed that.

But they clearly don't know their hardware - even Windows runs on top of Minix nowadays ...

Cheers,
Wol