
Zero Trust Information - notlukesky
https://stratechery.com/2020/zero-trust-information/
======
canadianwriter
As a side note, those two links at the end are certainly interesting - I must
admit I was on the filter bubble bandwagon but this is pretty compelling:
[https://reutersinstitute.politics.ox.ac.uk/risj-review/truth...](https://reutersinstitute.politics.ox.ac.uk/risj-review/truth-behind-filter-bubbles-bursting-some-myths)

also on polarization:
[https://www.pnas.org/content/114/40/10612](https://www.pnas.org/content/114/40/10612)

The conclusion: "Many authors point to the Internet in general and social
media in particular as possible drivers of political polarization. We find
that polarization has increased the most among the groups least likely to use
the Internet and social media. Under appropriate assumptions, these facts can
be shown to imply a limited role for the Internet and social media in
explaining the recent rise in measured political polarization."

~~~
hydrox24
> We find that polarization has increased the most among the groups least
> likely to use the Internet and social media.

This could imply dominant second-order effects. Traditional media has changed
its content & form radically in response to the Internet.

------
jcrites
The article covers a lot of topics, but for folks looking for more information
about the zero trust approach to service security I'd recommend BeyondCorp (a
publication by Google):

[https://www.beyondcorp.com/](https://www.beyondcorp.com/)

~~~
jiveturkey
Your link is not the Google publication. beyondcorp.com is an advertising site
by scaleft (owned by okta).

------
gz5
remote-first cultures, tooling, mindsets and processes are difficult. aspects
such as zero trust networking and zero trust info are of course important*,
but the people side is the difference between success and failure.

* from the perspective of the founder of a remote-first startup, NetFoundry,
who was amongst the first to offer zero trust networking as a service.

------
badrabbit
I am very jaded against "zero trust". Google had a nice publication now
everyone and their mother have a "zero trust" something.

Just ask people what the difference between zero trust and role based access
control is. If you have rbac and everything uses it, is that zero trust? A
smart policy engine like... Windows AD?

To me "zero trust" just means do authentication the right way for everything.
You can ask 10 security companies what it means and you will get 10 different
answers. I fear the hype train is drowning the architectural philosophy.

Ideally, if I ping a device in some random subnet, unless I am authenticated
and authorized to specifically reach that node and this authorization is
audited routinely, my ICMP packet should never reach the destination. In
reality, nothing out there is that granular, so people define it at different
levels of granularity and scope and have their own zero trust. Also, Cisco's
TACACS+ was made for this. 802.1x was supposed to enable NAC for this as well
(for those who don't know, TACACS supports granular authorization, sudo-ish);
people just never took it that far.

Zero trust is easily hijacked as a marketing slang, maybe something like
"authenticated explicit authorization" is better to avoid the awkwardness of
having to debate "no, I don't think that is zero trust", especially given how
people are trying to apply it outside of infosec.

------
keiru
Firstly, getting this out of my chest: It felt like a really good note, except
for the graphs. The author acknowledges that he is pulling the Bell curve out
of his ass, but somehow serves to illustrate his point. But for some reason
the extra amount of information that would implicitly come from the internet
seems uniformly distributed across qualities. I would have expected a taller
(or wider) Bell curve if anything. Why even bother with graphs if there is no
semblance of meaning to it? Was he aiming for the target audience's math
fetish? I do appreciate silly illustrations, but I felt it distractingly
pointless.

Having said that, it's nice to see that people acknowledge the ways that
information was available, seeding the need to re-evaluate information
dynamics.

------
CatDevURandom
If you are looking to learn more about
[https://github.com/pomerium/awesome-zero-trust](https://github.com/pomerium/awesome-zero-trust) contains a
relatively updated list of zero-trust resources including Google BeyondCorp
papers, NIST draft, and so on.

------
frandroid
Weaving network infrastructure with COVID-19 propagation... Bravo

------
jcahill
> zero trust information

This is a mangled neologism for epistemic vigilance. We have many terms for
epistemological outlooks that describe them without conflating commitments and
information at large.

> Suppose that all published information followed a normal distribution [wrt
> quality of information]:

Or don't, because that's not remotely close to true or useful for modeling
what to do about it.

This criticism is worth making because assuming a normal distribution of
information quality makes the world already flat, and your problem reduces to
news media bias.

This type of simplification reflects tech-culture naïveté. It is not the case
that all problems are simply waiting to be properly understood as simple by
someone familiar with tech.

> This is not to say that the Internet means that everything is going to be
> ok, either in the world generally or the coronavirus crisis specifically.
> But once we get through this crisis, it will be worth keeping in mind the
> story of Twitter and the heroic Seattle Flu Study team: what stopped them
> from doing critical research was too much centralization of authority and
> bureaucratic decision-making; what ultimately made their research materially
> accelerate the response of individuals and companies all over the country
> was first their bravery and sense of duty, and secondly the fact that on the
> Internet anyone can publish anything.

This is not true. A push/pull of many factors plays into how modern science
gets done. Some of those factors include centralization, bureaucracy, piracy,
and individual judgment.

It is neither useful nor accurate to claim that "centralization of authority
and bureaucratic decision-making" prevented a group of researchers from
exploring research predicated on genome sequences whose coordination,
publication, and syndication all rely heavily on centralized infrastructure
projects and public health institutions.

Scientific and public health bureaucracies are complicated. Lifesci loves
preprints and dodging publishers, but it also loves centralized bioinformatics
and genomics infra.

I am comfortable generalizing "lifesci" here, because it's damn near
universal.

Every [reasonable] educated person resents or at least distrusts medical
regulators, especially those who work for them. So it's not saying much that
yes, of course, scientists do too.

Within lifesci, you would be hard-pressed to find scientists who aren't
simultaneously saying "open access good", "publish your data at <centralized
repository>", and "I can't believe that <govt agency> is <regulating something
incredibly poorly>."

This differs from attitudes of general populations, whose stances on health +
safety + environment bureaucracies seem to be well-predicted by factors
entirely unrelated to the efficacy of the tooling and services provided by
those bureaucracies. Often that means keystone issues that reflect information
diet, like views on GMOs and climate change.

If the first word out of your mouth when discussing the needs of modern
science is "centralization", you're engaging in wrongheaded techthink. It's
worth doing something about, of course, but it truly is immaterial to the
everyday workflows of most lab science.

I see this error a lot in tech infrastructure projects. It's frustrating to
see very cool, valuable things get built by scientist-coder teams who fail to
appreciate that "decentralized x" is not a selling point for the vast majority
of prospective users.

These projects often fail to achieve good market fit because they treat
problems of scientific research as if they're problems of consumer data
privacy. Nobody BLASTs a sequence because they just love the bureaucratic
directives of NCBI so much, nor do they contribute new GenBank sequence data
for the clout. They do so because it helps make their work feasible.

Don't underestimate the impact of that separation of concerns on scientific
attitudes toward centralization. It matters a hell of a lot that researchers
don't have to know how GenBank is built or what BLAST actually does as an
algorithm.

------
adamc
What I see here is that those with critical thinking skills will do just fine.
Those without the ability to winnow information sources and make reasoned
judgments will suffer, relative to news organizations as gatekeepers (the
prior regime).

~~~
JadeNB
> What I see here is that those with critical thinking skills will do just
> fine.

The problem is that it's extremely easy to overvalue one's own critical-
thinking skills, and so think that one is immune when one isn't. (In fact,
when experts are fooled in areas that they think are covered by their
expertise, then they tend to be worse fooled than non-experts.)

~~~
heavenlyblue
I think this is a typical example of populist mumbo-jumbo. How can you call an
expert someone who can’t consciously decide their own confidence intervals?

However it’s so much easier to then for a non-expert to say that their half-
baked solution worked due to the survivorship bias.

This point is incredibly popular because non-experts have less to lose by
making dumb choices in the first place and there are way more non-experts,
thus the whole set of non-experts can afford to be the fireflies in any
industry.

~~~
dntbnmpls
> This point is incredibly popular because non-experts have less to lose by
> making dumb choices in the first place and there are way more non-experts,
> thus the whole set of non-experts can afford to be the fireflies in any
> industry.

Or the "experts" have more invested in their "expertise" or are more
indoctrinated in their view and more stubborn to move from it.

If you look at the history of math, medicine, economics, physics, etc, the
biggest detractors of new ideas, new information, etc were the experts.

Take Cantor and his proof of countable and uncountable infinities. It was
the experts within academia who attacked him relentlessly. So much so that it
sent Cantor to a mental asylum.

~~~
jmoss20
Oh please. Who else in the history of (say) physics would you expect to be the
biggest detractors of new physics? Botanists?

Cantor works as an example. Who was it that eventually adopted his ideas?

Experts aren't infallible, but they are (almost definitionally) the ones doing
the work to move their field closer to truth. They may miss the mark
sometimes, maybe often, but they're also the only ones hitting the mark.

~~~
dntbnmpls
> Who else in the history of (say) physics would you expect to be the biggest
> detractors of new physics?

Lots of physicists are detractors of "new physics"

[https://gizmodo.com/the-dirtiest-fight-in-physics-is-about-t...](https://gizmodo.com/the-dirtiest-fight-in-physics-is-about-the-universe-its-1828562461)

String theory has tons of detractors.

General and special relativity had detractors until experiments.

Newton and his physics were criticized. An "invisible force" called gravity
that mysteriously acts on objects across distances?

We could go back to Copernicus, Galileo and eventually to Aristotelian physics.

> Cantor works as an example. Who was it that eventually adopted his ideas?

What's your point?

> Experts aren't infallible, but they are (almost definitionally) the ones
> doing the work to move their field closer to truth.

But that's not the point. You made it sound like all experts are. I proved to
you that it is not the case. Many times, it's the experts doing their
damnedest to prevent progress. It's a small group of experts who fight and
succeed against established expert dogma.

> They may miss the mark sometimes, maybe often, but they're also the only
> ones hitting the mark.

Who is they? You act like "they" are all working towards a common objective. I
showed you that's not true. Many times, sadly, experts work hard to maintain
the status quo.

I suggest you look up a book on philosophy or history of science. It'll be an
eye-opener. It seems like you still cling to the silly "perfect" idea of
experts.

