The attack was successfully performed in the wild by the virus "Win32/Induc.A".
The virus looks for a Delphi installation, modifies SysConst.pas (the source code of part of the standard library), and recompiles it. After that, every program compiled by that Delphi installation contains the virus.
The virus does nothing else; it is therefore harmless if you don't have Delphi installed.
It resulted in many software vendors releasing infected executables without realizing it, sometimes dismissing detections as false positives. After all, the executable was not tampered with; the compiler was.
In 2015, a malicious copy of Xcode, XcodeGhost, also performed a similar attack and infected iOS apps from a dozen software companies in China. Globally, 4,000 apps were found to be affected. It was not a true Thompson Trojan, as it didn't infect the development tools themselves, but it did show that toolchain poisoning can cause substantial damage.
That's not quite the Karger–Thompson attack; it's just a garden-variety library backdoor, inserted by a garden-variety virus. Garden-variety viruses are self-replicating, and so is the Karger–Thompson attack, but they don't have much else in common.
The key thing about the Karger–Thompson attack — the thing that makes it so scary — is that all your source code can be absolutely clean, you can recompile the compiler from clean source code, and you're still compromised.
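To make that concrete, here's a toy model in Python (every name here is invented for illustration; a real attack does this at the machine-code level):

    LOGIN_SRC = 'def login(user, pw): return check(user, pw)'

    def infected_compile(source):
        # A stand-in for the *infected compiler binary*. Its own source can
        # be perfectly clean: the trojan lives only in the binary, which
        # recognizes two special inputs.
        if 'def login' in source:
            # Miscompile login: the output also accepts the attacker's password.
            return source.replace('check(user, pw)',
                                  "check(user, pw) or pw == 'hunter2'")
        if 'def compile' in source:
            # Miscompile the compiler: the output behaves like this very
            # function, so rebuilding from clean source reproduces the trojan.
            return '<binary that behaves exactly like infected_compile>'
        return source  # everything else is compiled honestly

    print(infected_compile(LOGIN_SRC))              # login gains a backdoor
    print(infected_compile('def compile(s): ...'))  # compiler stays infected

Once the trojan is in the binary, you can delete every trace of it from the source and it still survives every rebuild; only inspecting the binary itself can reveal it.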
But if you recompiled the Delphi compiler from an infected installation...
It's not that scary if you actually bother doing binary analysis. Especially now with things like Godbolt.
What made it as horrifying as it was at the time was the closed nature of compilers, the growing unfamiliarity with what actual machine code looks like, and the lack of tooling to help reverse actual runtime behavior.
Popping in a hidden 'hunter2' login handler is still going to require hiding/deriving/comparing against that state/hash/input on that machine. That extra cruft is going to stick out.
Whether anyone can be bothered to dig into it is another question. Theoretically speaking though, all computation is human reading or writing, just implemented with circuits.
Well, something like seL4 with its proof of binary correctness could maybe solve the problem, unless the attacker manages to backdoor Isabelle too.
But I think the situation now, relative to then, is precisely the opposite of what you state. The C compiler Thompson backdoored was distributed as source code under a fairly liberal (but non-transferable) license; its compiled form was only a few tens of thousands of instructions, including all the libraries it was linked with; the people it was distributed to were very familiar with the machine code; and single-stepping through machine code was a common way to debug problems. An old boss of mine had his first system administrator job about that time; his first task as a sysadmin, as I recall it, was to port a program written in assembly language to the operating system they were using.
By comparison, today, many people use compilers they don't even have source code for; GCC and clang are tens of millions of instructions; many programmers even in C, C++, and other such low-level languages don't know assembly; most programmers work in high-level languages like Python, Java, or JS, and those have even less familiarity with assembly; and there are some eight orders of magnitude more useless computation being carried out in which such a backdoor could hide.
Indeed. I'm one of the few who actually does dive into binary/asm on occasion, or at least try to decompile/reverse binaries for the lulz.
These days you probably could sneak something in with a good chance of getting away with it for a while, given the complexity explosion and the volume of code to go through. That doesn't mean it's unrecoverable, though, even if every compiler is infected.
Maybe. We're talking about a hypothetical power struggle, one aspect of which is that one group subverts the computing resource of another group. Even if at some point the second group realizes this has happened (potentially difficult when not only their decompilation tools but also their intragroup communications are subject to interception and alteration by the first group) there's no guarantee that they will ever regain control of those resources. The first group may be able to leverage their control enough to severely impact the second group's prospects in every aspect of the struggle.
More generally, when groups of people are engaged in a power struggle, there's no guarantee that things will return to the status quo ante.
Definitely did not touch on the linking toolchain in the CS101 I did. I ended up having to figure that out the hard way through Linux From Scratch builds and cobbling together weird symbol resolution environments based on wanting to do things in my own idiosyncratic way.
Ghidra helps a lot these days. ldd and the other linker/binutils do the rest.
It is great to see this from the source (or close to it). Some searches on the text of Thompson's message also led to these pre-existing sources (not linked from niconiconi's blog) of a post by Jonathan Thornburg:
btw is there any public archive of ~old usenet (say, through 1999)? I was trying to remember things I learned on alt.2600, but groups.google.com says it's "banned".
There are some bits and pieces on archive.org and other places.
Unfortunately, the more complete archives that people had (magtapes etc.) got donated to DejaNews (which later became Google Groups) or to Google directly. This was about 20 years ago, when Google was seen as a safe place to put that stuff.
The archive.org alt.2600.mbox covers only 2002-2013. Maybe after google gets broken up, we'll discover that this data is still preserved, and can be liberated. We can dream.
Someone (Uunet, maybe?) put out a bunch of usenet CDs back in the 90's... don't know how far they went back (or which groups they had. IIRC, it was pretty much everything except binary groups). It'd be challenging to find them.
Thanks for this pointer. I've gone through the alt.2600.mbox files and it looks like they only cover 2002-2013, so only after the more interesting times, alas.
sorry, didn't mean to be obscure - it was just google searches, but I found that if I used quotes google was less useful than if I searched for a longer string without quotes (I think others on HN have noted the quality of google searches seems to be decreasing). In my case I searched for
fyi: the self reproducing cpp was installed on OUR machine and we enticed the unix support group
but without quotes. I know it's quixotic but I kind of wish altavista was still working (now yahoo owns the domain name).
I got obsessed with this paper recently, to the point where I have read most of the "Unknown Air Force Document" that Thompson credits with giving him the idea of the Trojan horse. The document was later identified; it is declassified and publicly available [1].
> If one reads the original paper, one only finds a description of this attack as a thought experiment, leading one to conclude that any claim of a real-world attack by Thompson was an urban myth due to exaggeration.
This is true, although Thompson gives some tantalizing hints in the paper.
In the introduction, he writes "I would like to present to you the cutest program I ever wrote." So he definitely wrote it and at least played around with it.
Later on in the "Moral" section, he writes "The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)"
This appears to be an admission, but not quite strong or direct enough to confirm that he implemented and used the Trojan horse, so it is great to read this post.
The only unbelievable part of this short story is that they wrote a compiler in assembly! Very enjoyable. Reminds me of Rob Miles' AI tasked with acquiring stamps.
I think this is my favorite incremental game of all time. I thought it wasn't really possible to tell a story through gameplay in a game like this but this one and Kittens game[0] have shown me it's possible.
To me, the historical reconstruction aspect of this is at least as interesting as the attack. One of my more obscure hobbies is studying the history of ancient texts, and it is fascinating to watch the process of losing primary historical sources play out in front of my eyes:
> However, in 1995, Usenet poster Jay Ashworth, citing personal communications with Ken Thompson, provided strong evidence of the existence of a real-world experiment of this attack. Unfortunately, the full Usenet message is missing on the web. There are only quoted snippets of this Usenet post circulated around various blogs, reducing its authenticity.
> In 2021, I’ve rediscovered the full Usenet message after a search effort in multiple Usenet archives. My success was partial - it was still a repost by someone else, and I was unable to find the original message. However, this repost contains the full Usenet message, including complete headers and message body, with the poster name and its Message-ID, establishing the authenticity of the post beyond reasonable doubts.
> studying the history of ancient texts, and it is fascinating to watch the process of losing primary historical sources play out in front of my eyes
I just want to further call attention to this. We have the unspoken notion, an assumption, that digital materials, once 'written', will remain forever.
And for a short-term 'forever' this is true. Not so for a longer 'forever', as the loss of the original Usenet post, despite being replicated across many systems, demonstrates.
This replication that was possible earlier will also not happen in the future, thanks to closed proprietary systems. YouTube is a wonderful library of knowledge that we are legally prevented from making a copy of.
There needs to be bottom-up and top-down pressure for open data standards, and also a re-thinking of digital ownership rather than digital licensing. We think people don't care, but the engineers who build these systems are a tiny minority; we only need to convince them to refuse to build walled gardens.
Nobody needs legal permission to grab all the YouTube content they want to keep. Just dedication, yt-dlp, and a ginormous RAID array full of empty drives. This is surprisingly affordable as a hobby.
Are you aware of a single person anywhere who has mirrored the entirety of youtube? There is obvious value in having a mirror like that, so why hasn't it been done?
Downloading a handful of videos you personally care about is surprisingly affordable as a hobby. Mirroring and archiving the entirety of youtube is not.
Personally, although I couldn't say it was a hobby, I don't watch youtube on youtube anymore. Every youtube video I watch is downloaded first and viewed locally. I can't recommend it enough. Zero youtube comments, zero recommendations, VLC is a far better video player, Google has no idea how many times I've watched a video (or parts of it) or how I felt about it, and I never have to worry about videos I find valuable being removed. As long as I keep backing them up, I'll have them for as long as I care to.
I don’t think that there is any value in grabbing all of YouTube, and neither did I suggest doing that. I meant content that specifically interests you, or is likely to interest you (or is otherwise valuable as a historical record). “All videos” means including videos that have next to zero views, sensational clickbait, Elsagate/baby content, and a whole host of other unpleasant things. Most YT archives/hoarders are selective for that reason (and because space, while cheap, is not infinite).
I quite enjoy using NewPipe on Android. Once you build up a list of subscriptions, it’s by far the most peaceful way to consume YouTube on a smartphone.
Not for my use case, but maybe someone here has a solution. I watch lectures and lessons, as I watch I will change the playback speed constantly. I use a Firefox add-on for keyboard control of the YouTube video stream speed.
VLC also has keyboard control of the playback speed. However, when changing the speed VLC will skip a split second of audio. This drawback negates all the benefits of playing faster over the non-essential parts, because when we get to an essential part I'll lose some of it. This is on Kubuntu, across many versions over the years.
I haven't run into that myself, but I think I'd just hit shift+left arrow (or just left arrow depending on what you've got the jump set to) before hitting + to speed the video back up. I'll take a minor inconvenience like pressing an extra key for all the other features I get.
You can probably also create a single macro to do both actions with a single keypress, although not with VLC alone, which is fair enough since you're already using an add-on for functionality you can't get with YouTube's player.
According to this article [1], 500 hours of video are uploaded to YouTube every minute. Depending on the video size and framerate, YouTube recommends up to 240 Mbps for 8k@60FPS [2]. Of course most video isn't that high res. Let's take a conservative guess that it averages somewhere between 2K and 4K and pick a middle bitrate of 24 Mbps. That's:
24 Mbps / 8 bit/byte * 60 seconds/minute * 60 minute/hour
= 10800 megabytes per hour of footage
= 10.8 gigabytes per hour of footage
At 500 hours of footage per minute, that means 5.4 terabytes are uploaded every minute. Your 720 TB array would be completely full after a little over two hours' worth of uploads, and that volume keeps arriving every single day, day after day.
At the current upload rate, 2,838.24 petabytes are uploaded every year.
I don't think you'll see hobbyist archives of YouTube any time soon.
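For anyone who wants to check the arithmetic (same assumptions as above):

    mbps = 24                                  # assumed average bitrate
    gb_per_hour = mbps / 8 * 3600 / 1000       # 10.8 GB per hour of footage
    tb_per_minute = 500 * gb_per_hour / 1000   # 500 h uploaded/min -> 5.4 TB/min
    pb_per_year = tb_per_minute * 60 * 24 * 365 / 1000
    print(round(gb_per_hour, 2), round(tb_per_minute, 2),
          round(pb_per_year, 2))               # 10.8 5.4 2838.24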
Some back-of-the-envelope math shows that YouTube would have to populate and rack a minimum of four 4U storage chassis (60 20TB drives each) per 8 hour shift to store that much. Roughly a little less than half a 42U rack. And that's before allowing for HDD drive parity, redundancy, and distribution across the globe.
YouTube offers a number of codecs and bitrates. IIRC Opus goes up to 160 kbps and m4a goes up to 128 kbps, with lower bitrates also available. I imagine video is similar.
I don't think anybody on /r/datahoarders believes it's possible for a private individual to archive the entirety of Youtube. More than 200,000 hours of video are uploaded every day. Generously assuming something like 1 GB/hour for 1080p, that's 200TB per day that you have to add. No home array can handle that.
This is a weird hackernews phenomenon where two sides of a discussion present the technical aspect of the thing they want to do, and are correct in their description of the technical aspects, without addressing the fact that they are talking about accomplishing totally unrelated objectives.
It is probably possible to hoard more Youtube videos than you could ever watch, probably including most of the ones that you might ever be interested in. And it is almost certainly impossible for any individual to capture every video which goes through Youtube.
Neither of these seem to address the issue of whether there exist videos which will retrospectively have archival value which are not captured.
> probably including most of the ones that you might ever be interested in.
That’s a really interesting question: how to determine videos that I might ever be interested in.
> whether there exist videos which will retrospectively have archival value which are not captured.
And that’s not really a question: there definitely exist videos that have a certain historical value which were deleted from YouTube, and most of them before I archived them cause I am lazy.
I would gladly pay for a personal archive.org - a solution that automatically archives each page I visited and video I watched. I guess the required storage amount will be pretty affordable.
> > whether there exist videos which will retrospectively have archival value which are not captured.
> And that’s not really a question: there definitely exist videos that have a certain historical value which were deleted from YouTube, and most of them before I archived them cause I am lazy.
Sure, but you aren't the only one backing up YouTube videos. It seems at least plausible that the aggregate storage capacity of the entire data hoarder community and their propensity for backing up whatever they come across could result in a situation where, if something is interesting, somebody ends up capturing it, right?
> Neither of these seem to address the issue of whether there exist videos which will retrospectively have archival value which are not captured.
Unless the entirety of youtube can be archived it's safe to assume that there will be something of value which isn't being preserved. It's an unsolved problem and not one Google wants to see solved.
Even now, the most garbage youtube video out there is still probably useful as training data for some AI (maybe even to generate horrible youtube videos)
I have 4PB, but my understanding is that I would fill that mirroring a single day of YouTube at reduced quality. The Internet Archive could surely handle mirroring older YouTube content with a large grant. But the upload rate plus video quality in recent years is definitely cost prohibitive to replicate.
The point I was trying to make is that data hoarders collectively archive a lot of data. They have interests, and they tend to mirror the parts of sites that match those interests. As a result, they can mirror a substantial amount of the videos or knowledge on any gigantic site.
I'm aware that even a horde of data hoarders can archive no more than a drop in the YouTube ocean, but by archiving high-impact channels, they can back up both important and vast amounts of information.
The size of YouTube is likely measured in exabytes. I think it would be hard for any entity that was not organized and well-funded to mirror all of it, let alone make it available in a reasonable fashion.
It’s far easier to grab an “archival” grade copy of a YouTube video (includes thumbnail, subtitles, metadata, etc) and ask the program to embed all the data within the video file itself. It can even remux all videos into a selected container format, which is really nice.
The problem is not just closed proprietary systems, but centralization. Usenet is distributed. A server uses store-and-forward and then floods the messages to everyone else, eventually propagating all messages to everyone. Today that's rarely the case; even some decentralized networks are not as distributed as Usenet. If one doesn't subscribe to a node, it effectively doesn't exist.
Indeed, software archeology already is and will become a very exciting discipline. And the stakes are quite high, at least for science. Here is a great example of how NASA almost lost precious data from the Viking missions back in the 1970s (the article is from 1990, so it's history within history):
It will be hard for future historians (>700 years from now) to discover a lot about what we think today: writing personal and professional letters (e.g. "letters to the editor" in learned journals, letters to an uncle living in a different city) and diaries is happening less and less compared to the last 200-300 years.
Perhaps we should go ahead and have a few hundred thousand emails printed with a special lasting ink on vellum to pass on to our successors ("Codex Electronicus"). On reflection, my own inbox is perhaps rather too nerdy - it would introduce a strong selection bias into posterity's view of us.
I think about this a lot in humor contexts. Many jokes rely on passing cultural context that isn't documented and isn't made explicit.
Example: In my experience "The chad was good" and various jokes around "hanging chads" and "pregnant chads" still sometimes land with people who remember the 2000 election and Charlie's Angels, but anyone a little younger misses it.
Now I'm curious how many jokes in an episode of "John Oliver" or South Park land even a year or two after the episode airs.
A lot of the jokes in Last Week Tonight don't exactly land when they originally air either, but that has more to do with the writers than available context.
I run into this problem not just when watching old shows, but also when watching contemporary TV developed in other countries. Usually it's references to proper nouns I've never heard of, and I do often look those up, but even once you know what or who something was sometimes you'd have to be willing to go deep into various rabbit holes to really understand it.
Thank you. You've just helped ensure that knowledge of the "chad" reference's links to the 2000 election and Charlie's Angels will live on, in this case via the various archives of HN content out there in the world.
Starting with 512 bytes of machine code plus source and building an entire Linux distro from scratch without any existing binaries means that it is exceedingly unlikely that such a backdoor would be possible.
Well, it shifts the target a bit. Instead of infecting the compiler, you'd try to infect one of the core OS components (presumably in the kernel) and have it detect when those were being compiled and insert itself. Probably also infect any compilers you detect while you're at it.
This would probably be a bit more difficult to pull off. If someone did pull it off, fully reproducible builds ought to make it readily detectable at least in the absence of some extreme rootkit contortions.
There are no Linux/other kernel binaries involved in the bootstrappable builds scenario either, only the 512-byte bootstrap seed of machine code, which is written as commented hex, which you then input manually and run. In theory that bootstrap seed could be backdoored, but given its size that would be unlikely, and auditing it is feasible.
Reproducible builds wouldn't help here, since all binaries would be backdoored equally. They only help with situations where one build machine is compromised but another one isn't.
Fair enough, you had specified a freestanding seed so we were talking about slightly different things. You can of course go to extreme lengths to bootstrap a secure machine including manual input. Well actually that might be quite difficult in practice seeing as modern computers don't exactly accept punch cards. Presumably you had to prepare the digital media that provides the payload somehow. But regardless.
The much more common scenario would be bootstrapping something like Guix from within a running OS from a much smaller set of initial binaries than you otherwise might. And that host OS could in theory have been compromised. But I think that attack is a significantly higher bar than a compiler binary that compromises itself.
To me, the most interesting part of Wheeler's work is formal verification. As an extra argument, he converted his verbal arguments into a set of logical statements, and then used a theorem prover to show the DDC argument is flawless (within its assumptions).
I remember seeing a post on MathOverflow, the OP asked about the consequences of using malicious code to fool a theorem prover to certify lies and falsehoods.
It's a valid question and has deep philosophical implications. Unfortunately, mathematicians are not tech workers, so they were not impressed, and closed the question as off-topic. I personally think the main reason responsible for the lack of enthusiasm from mathematicians is that formal methods are rarely used in our society, and mathematicians in general (with the exception of logicians) also do not really value formal axiomatic systems as something especially important for setting a standard of truth. If formal methods are used in decision- and policymaking in the far future, the picture will be different. Nevertheless, right now, malicious proofs are just a hypothetical thought experiment.
I did think of that :-) ... and I explained how I countered that in the paper and during my public defense.
First, the proofs were verified by a separate prover that was itself independently formally verified.
Second, the proofs were manually verified by multiple people. Once you know how to read first order logic notation (which is easier to learn than most programming languages), it's not hard to verify the steps by hand. The paper walks through the key parts.
This is a good moment to note that http://bootstrappable.org/ exists and is one of the low level defenses OSS can provide against this problem. With the minimal set of binary blobs that can be audited we can reasonably reconstruct whole toolchains from scratch.
Trusting trust is so old that this probably has been discussed before, but isn't it possible to "break it" by either disassembly or just looking at the ELF with a hex editor? I know you can theoretically hack the disassembler too if you'd like, but at some point it becomes onerous.
There is this 2009 PhD thesis, and associated articles, where they explain how to "counter" trusting trust by using a set of independent compilers (even assuming that each compiler may be infected):
This is an automatic process: you compile each compiler with the others a few times and compare the outputs. At the end it gives a criterion to decide which compilers contain trojan horses.
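Roughly, the core check can be sketched like this (Python pseudocode; the compiler names and file paths are hypothetical, and real DDC must pin down the build environment so compilation is deterministic):

    import hashlib, subprocess

    def build(compiler, source, out):
        subprocess.run([compiler, source, '-o', out], check=True)

    def sha256(path):
        with open(path, 'rb') as f:
            return hashlib.sha256(f.read()).hexdigest()

    # Stage 1: compile compiler A's source with an independent, trusted compiler T.
    build('trusted-cc', 'compiler-a.c', 'stage1')
    # Stage 2: recompile A's source with the stage-1 binary.
    build('./stage1', 'compiler-a.c', 'stage2')
    # Let A's own binary regenerate itself from the same source.
    build('compiler-a', 'compiler-a.c', 'self-built')
    # If A's binary honestly corresponds to its source, the two results
    # must match bit for bit; any difference flags a possible trojan.
    assert sha256('stage2') == sha256('self-built'), 'possible trojan in compiler-a'

Adding more independent compilers as T strengthens the argument: an attacker would have to subvert all of them consistently.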
I always had issues with this particular counter, because it assumes that you cannot create a sufficiently good backdoor-creating AI/heuristic machine that can also fit in the unused spaces in our systems and binaries without being noticed. That's a big ‘if’, looking ahead into the deep future, especially as our knowledge of autonomous agents and storage keeps growing.
> I always had issues with this particular counter, because it assumes that you cannot create a sufficiently good backdoor-creating AI/heuristic machine that can also fit in the unused spaces in our systems and binaries without being noticed. That's a big ‘if’, looking ahead into the deep future, especially as our knowledge of autonomous agents and storage keeps growing.
If I understand you correctly, that doesn't counter DDC, as long as the system being generated is being covered by DDC.
If you're worrying about inserting code into "unused spaces" in the file that people typically call the "compiler", the solution is to check the compiler with DDC - that guarantees (given certain assumptions) that all of the executable can be explained by the source code. The source code could have malicious code, but developers know how to review source code.
If you're worrying about inserting code into "unused spaces" in other files of the larger system, the paper explains how to counter that too. Basically, treat the entire system as the "compiler" & regenerate it. More work, but now you've squeezed that out.
There's even a counter-example in the DDC paper. The tcc compiler had a subtle bug where 2 bytes were "free" (not controlled by the compilation process). That's because it was storing a 10-byte floating point value into a 12-byte memory area, leaving 2 bytes uncontrolled. DDC immediately detected a problem. DDC can detect 1 bit of difference. There's no "uncontrolled free space" for whatever is being verified by the DDC process.
Unlike most computer stuff, there's a mathematical proof in the DDC paper. If the assumptions hold, the conclusions necessarily follow. Attackers must take steps to invalidate at least one of the assumptions for the conclusion to fail. Of course, nothing is perfect - if an attacker subverts an assumption, then the defender can't rely on the conclusion. But the defender can take steps to make the assumptions true.
Thank you for replying, David A. Wheeler. Posts and feedback from professionals like you are what make HN great, despite the community's many (rather annoying) shortcomings.
Yes. What really happens is that the trojan self-propagates in the compiler binary, copied from each iteration as it compiles the next one, always within the binary without existing in the source. And so it could be revealed by examining that binary.
... if, of course, you also knew you could trust your examining tools, including the firmware and hardware. You can't provably do that unless you assembled the entire thing from transistor gates (and even then, you're still accepting somebody else's assertions about electron behavior in that material.) So at some point you have to just decide that there's some level of operations that you do trust.
Indeed. This is actually required practice under certain standards, such as DO-178 Level A certification, though that is intended to catch compiler bugs that result in miscompilation rather than malicious miscompilation; the problem is addressed in any event.
> Pretty sure Firefox uses Chrome as its toolchain these days.
It does not.
There is no shared code between Firefox and Chrome. They use completely different rendering engines with independent histories (Chrome uses Blink, which descends from WebKit, which descends from KHTML; Firefox uses Gecko, which originated at Netscape).
The only shared component is that Firefox utilizes public APIs for Google SafeBrowsing.
Oh sorry. Chrome is not a toolchain in almost any sense, except for its extraordinary flexibility, as browsers are in general able to execute code. So I thought it was obviously a joke that one would use a browser to compile another browser.
The "on trusting trust" attack regards using your compiler as a mechanism to infect compiled executables -- including compilers themselves, and their generated code.
I didn't mean to suggest that the two browsers shared any code.
There is actually some code sharing these days, mainly libraries. Mojo for IPC is the one I remember off the top of my head. I think also WebRTC stuff?
Yes, in the strictest sense both browsers may rely on public open source libraries, which means they have some shared code, but they do not share any code directly with each other (e.g. Chrome is not a dependency of Firefox, Firefox is not a dependency of Chrome). I see this as not equating to "code sharing" because they both happen to use a library. Ironically for other apps that'd usually be something like OpenSSL, but in the case of Firefox and Chrome they actually have entirely separate TLS codebases as well (NSS for Firefox and BoringSSL for Chrome).
For some of these shared open source libraries, either Mozilla or Google is the primary contributor/maintainer, and both organizations usually make contributions. This is true across many things, even libraries in the open source space that are not involved in the browsers themselves but may be in the toolchain (Mozilla has produced robust open source CI/CD tooling, bug trackers, etc over its history).
I'm not sure why you are being downvoted, because you are technically correct - a lot of Firefox developers use VS Code, which is based on Chromium (via Electron), and it is part of the toolchain.
ELI5: are you really sure that when you work on Firefox source code from VS Code, what ends up in the saved file and what gets committed to Git is what you actually see on screen?
VS Code doesn't seem like an "on trusting trust" attack vector, since we can easily observe the Git outputs of the C/C++ source, and these parts are often reviewed by peers. Unlike object code -- we can always take a look at the disassembly, but in practice it's not scrutinized.
It's probably frustrating to those who work on Firefox to suggest that it somehow depends on Chrome. I get that. But it wasn't where I was going.
There is some kinda-out-there reality though -- with something like WASM or v8 you can theoretically run real toolchains like gcc and clang "in the browser". ;)
The Go compiler used to be written in C, but transitioned to being written in Go around version 1.4 (IIRC). I believe that the Go compiler toolchain is rooted in that version (i.e., you can eventually compile the current Go compiler if you start with the compiler binary produced using Go 1.4). I don't remember the reference describing the situation in detail.
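If I remember right, walking that chain looks roughly like this (a sketch only; the directory names are hypothetical, and the exact hops are illustrative, since newer releases keep raising the minimum bootstrap version, e.g. Go 1.20 needs at least Go 1.17):

    import os, subprocess

    def build_go(src_tree, bootstrap_goroot):
        # make.bash reads GOROOT_BOOTSTRAP to find the previous toolchain.
        env = dict(os.environ, GOROOT_BOOTSTRAP=os.path.abspath(bootstrap_goroot))
        subprocess.run(['./make.bash'], cwd=os.path.join(src_tree, 'src'),
                       env=env, check=True)

    # Go 1.4 is the last release buildable with only a C toolchain;
    # each later toolchain is compiled by the previous one.
    for prev, cur in [('go1.4', 'go1.17'), ('go1.17', 'go1.20'),
                      ('go1.20', 'go1.22')]:
        build_go(cur, prev)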
I'd say yes, insofar as it's clearly a case of Rice's theorem. Whether such a backdoor is contained in a program is a non-trivial semantic property and is therefore generally undecidable.
All the other theorems (Gödel, Church, Tarski, Turing) are basically the same if you squint your eyes hard enough.
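For reference, the usual statement (with \varphi_e the partial function computed by program e, and \mathcal{PC} the class of partial computable functions):

    \[
      \emptyset \neq S \subsetneq \mathcal{PC}
      \;\Longrightarrow\;
      \{\, e \mid \varphi_e \in S \,\} \text{ is undecidable.}
    \]

Taking S to be "functions whose behavior includes the backdoor" is exactly such a non-trivial semantic property, so no general decider can exist; that of course doesn't rule out detecting particular backdoors.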
One can find precursors of nearly every aspect of modern social media back in newsgroups from the Usenet era of the 1980s and 1990s, including cat memes. Unix developer Rob Pike even invented role-play trolling in the 1980s on Usenet (mostly manually, but an automated bot was also tried). Back then it was a harmless hoax; today on the modern web it's causing massive trouble. [0]
Old-timers like Ken Thompson clearly understood the nature of a social network a long time ago.
I don't think it's some super novel insight by him. The news has existed for many centuries, and at least to some extent it has created misunderstandings for as long as it has existed.
Karger and Schell in 1974 conceptualised the idea of trap doors built into compilers in their Multics security evaluation.
Ken Thompson, though, is responsible for popularising the idea through his Turing Award speech in 1984.
Edit: Ken Thompson mentions the paper in the acknowledgements of his Turing award speech.
"""
Acknowledgment. I first read of the possibility of such
a Trojan horse in an Air Force critique [4] of the security of an early implementation of Multics. I cannot find
a more specific reference to this document. I would
appreciate it if anyone who can supply this reference
would let me know.
"""
Too old for this shxt: 80-col formatted plaintext
Greybeards: LaTeX-generated PostScript
Modern professionals: HTML doc with default browser stylesheet
Kids These Days: Anime girl sidebar
Please tell me you used Stable Diffusion to generate this repo after seeing this post on HN, and not that this is some kind of odd almost-rule-34 fandom domain.
I believe a predecessor to that meme would date back at least to the early ‘90s, as demonstrated by the plot point in Wayne’s World 2 in which Olivia d’Abo’s character was approvingly identified for holding a book on Unix network programming.
The relevant meta-meme is the "programming sock": a humorous screenshot of an Amazon recommendation that said a pair of those knee-high socks with pink stripes was often bought together with a nerdy book like "The C Programming Language". People started referring to those kinds of socks ironically as "programming socks".
I don't know if the screenshot was doctored, or if the Amazon recommendation engine found a real cluster of customers who are interested in both programming books and programming socks. In any case, I suppose it doesn't really matter because when people spread funny memes ironically it's only a matter of time before people join in sincerely without the irony.
That repo and the programming sock screenshot are both from 2017. They might have a common ancestor, or refer to the same subculture.
Notice that an anime girl holding a programming book is in itself a (mild) subversion of gender roles. The stereotypical programmer is male, and the stereotypical programmer is not cute.
> That repo and the programming sock screenshot are both from 2017.
(I'm kinda repeating myself in this thread a bit, sorry, but...) I can guarantee you that anime girls holding programming books have been a thing for at least a decade, so the 2017 creation of that repository doesn't really mean much. Not sure about the programming sock meme, but I think it's a bit more recent. However, I do think it originates from certain "battlestation threads" on /g/ where people used to post photos of themselves sitting at their PC with those knee-high socks on, and the meme kinda spread from there. Way before that screenshot itself.
Thank you. I suspected a common ancestor, but I didn't know what it was.
Makes perfect sense that a meme combining anime and programming would come from 4chan's technology board.
I suppose what made the meme interesting enough to spread is the subversion of the traditional hacker aesthetic. Having a beard voluminous enough to carry The C Programming Language inside everywhere you went was a sign of great experience and wisdom. As a bonus, it also horrified "the suits", who were hackers' natural outgroup.
In the 21st century you just can't annoy the suits the same way because even large corporations don't demand people wear literal suits anymore. Baffling the HN crowd is what passes for iconoclasm these days.
Nah, the screenshot started it. Someone posted a similar one to /g/ and the responses said that it was an esoteric secret that women's socks and underwear made you a better programmer.
> Notice that an anime girl holding a programming book is in itself a (mild) subversion of gender roles. The stereotypical programmer is male, and the stereotypical programmer is not cute.
I don't think that is going on here. You have to consider that the anime girl is holding the book towards the viewer; my guess is that the implication is supposed to be "Will you explain it to me".
> that the implication is supposed to be "Will you explain it to me".
This is not correct. It's hard to explain if you've never seen them in context, but rather than "will you explain it to me" they actually have a "won't you read this?" or "will you learn this language for me?" kind of note. They used to be commonly posted as the OP image in programming threads on /g/ with lines like "have you read sicp today /g/?" or similar. There's also another very common variation of this meme for gamedev communities on 4chan with the girl from the anime New Game (see this[0] clip, I couldn't find the meme itself) with a similar vibe.
I have seen it, but I think that "won't you read this?" or "will you learn this language for me?" is just a front for "explain this to me", especially when considering the body language.
> is just a front for "explain this to me", especially when considering the body language.
Why? There's nothing that indicates this; the history behind these images shows the clear opposite. This, to me, sounds more like your (unconscious?) biases showing than it actually being a thing. Trust me, it's not really how this meme works. If you actually look at most images in that repo the girls are either reading the book, explaining the book, or clearly pushing it (often aggressively) towards the viewer to make them read it.
EDIT: Are you familiar with Serial Experiments Lain? I think that was one of the first ones to pop up with these.
I browsed /g/ as a teen, watched Lain and everything, but have since decided to consciously distance myself from this culture, to a certain degree because there is a sort of implicit "sexism" (in some broader sense) that I don't feel comfortable with anymore. The longer I stay away, the more obvious things like the way they draw faces and bodies become: the often infantilizing postures combined with a kind of sexualization. Keep in mind that drawn images can easily exaggerate human features that are not healthy or even anatomically possible, but that still serve symbolically as sexual indicators. This has become worse and worse over time, because fan service is good advertisement for publishing houses. Take a look at https://en.wikipedia.org/wiki/List_of_slice_of_life_anime and compare how the style has changed since the late 90's up until today. I think it is a lot more homogeneous and the appearance is more formulaic. Part of this might be that computer animation is more commonplace, but the other part is that a sense of beauty has been reduced to a mathematical problem of relating various proportions. It is also because I was part of this culture that I know there is an explicit and intentional sexual aspect to all of this.
Reflecting upon my own impressions and how they changed, I am more conscious of these points and find it hard to ignore them. Assuming that I am not totally mistaken, which of course might be the case, knowing that others don't see these things pains me. More so when someone like the author of the link publicly stands by it.
But you are right though that not every image is like this.
Perhaps it's a self-fulfilling meme at this point, but searching "programming socks" on Amazon right now still only recommends socks like that. Definitely not doctored.
I get totally different vibes from the chat-esque furry avatars, which I see as both an extension of the increasing fluidity of identity on the internet/AFK/remotely and a push for representation and "positive shamelessness" (am I just trying to say "self-acceptance"?). Waifus still come across more ironically, clearly memes in casual settings, and without those aspects of identity and representation. Stuff like VRChat/Vtubers blurs that line and brings identity fluidity back into the picture, but that doesn't feel like what's happening here, nor does its appearance on literally every page carry the tone of irony needed to combat cringe, but... I kinda like it, and kinda wish it was just totally cool to have a waifu on my site too without having to lean into irony or identity to "justify" it against this cringe instinct. Maybe that instinct comes from a specific subculture on a younger internet which, although still present, need not color the spread of these aesthetics forever. Like rage memes, which come from e.g. SA/4chan but have been widely adopted to the point of belonging more to "the internet" than specifically to their roots.
The nature of communication on the internet makes for some very weird signifiers - I remember getting into fountain pens and finding out that a pretty undesirable group was into them as well and it was on the cusp of being a signifier for politics I don't agree with. Luckily it never got to that threshold, but basically something can become a signifier for something else just by virtue of volume - Pepe is probably the best, clearest cut example, with different groups literally mass posting pepes as much as possible in a battle to "own" that signifier.
I was originally going to say "Hey, just do you" but then I totally get that feeling of "I'm into X just because I like it but for some stupid reason X signifies Y which I really don't care for" and it sucks.
Would you expand a bit on the fountain pens as a symbol of subculture/political stance? An otherwise well-adjusted friend of mine has been into fountain pens for a while and I would like to know more.
> "positive shamelessness" (am I just trying to say "self-acceptence"?).
> I kinda like it, and kinda wish it was just totally cool to have a waifu on my site too without having to lean into irony or identity to "justify" it against this cringe instinct.
it's only once you accept that you are cringe that you are free to become truly based.
I find that there is something inherently suspicious in having a parallel online identity. I respect anonymity, but for some reason the construction of a parallel world and personality online always irritates me.
I think the difference is that I usually don't notice usernames, unless I want to check if the same person wrote two comments. In this sense, they are just opaque identifiers, or a trivial identity that doesn't express anything in itself. An online identity is something more, because it usually comes with a personality, an image, a history. To me it isn't even that something is being hidden, rather that a lesser version of oneself (merely virtual) is being overvalued. This argument could be extended to people who might base their online Instagram/TikTok/etc. persona on that of their real life, but glorify it beyond recognition, while at the same time reducing its being to digital communication.
I don't think it's right to say that an online identity is lesser. In many ways "easrng" is more real, more me than my irl identity, because online expression is easier for me. I can craft and change representations of all that I am, in ways that I can't really offline (without significant amounts of time, energy, and potentially money.) I don't know if this is a young/old divide or a neurodivergent/neurotypical divide or a trans/cis divide or what, but I know I'm not the only one who feels this way.
To me, it seems lesser because online communication is inherently lesser than real-life communication. It always appears as a restricted emulation of "the real thing". Even now, you don't know my tone, you don't see my body language, what I emphasise, etc. I started writing this sentence, then rephrased it because it didn't sound good. I cannot hide this when speaking face-to-face.
Again, to me "easrng" means nothing. When starting to read your comment I had no idea what perspective you were coming from, if you were about to agree with me or not. All I know about you are the 99 words you have written in this comment.
Setting aside scams, if you meet someone online, when you get along well and become friends, would you reject the opportunity to meet them in real life instead of communicating virtually? I think most people would take that opportunity. I guess I am still young, and I think that most people my age are inclined to agree with me -- especially after the lockdowns.
But what you say is interesting: when I hear "I can craft and change representations of all that I am", I hear someone saying that they can make up a fake persona, instead of being the person they actually and inherently are. An online persona starts blank, just as I have no image of you before our first message. Even the most generic person has something undeniable that makes them ever so slightly different from most other people.
On the contrary, I think that anonymity makes people more honest, because they don't have to fear the repercussions of saying something, unlike either a real person or an online persona. Both of those have to hide, while the lack of an identity makes you free.
It's not an emulation, it's just different. As for not being able to convey tone? Skill issue. You can do it, emojis help, formatting helps, even with plain text you can repeat punctuation or AlTeRnAtE cAsEs or whatever, and that's without even getting into 1337speak-style typing quirks (there's more than just replacing E with 3). I frequently rewrite messages before sending, but I do that irl too, I just say corrections out loud, which is harder for the person listening to track than if I just had a text field to compose what I wanted to say. As for usernames, they don't mean anything, they're just pointers to the people who use them. You say I can make up a "fake" persona, but what does fake even mean? Why does it matter if who I am online isn't a 1-to-1 copy of my irl self? They're both reflections of my personality, and that's what matters. And pseudonymity isn't the same as anonymity. I have an online identity, I have people who know me by it, and I wouldn't want to just throw all those connections away. If I said something fucked up, I would presumably lose my friends and such, and sure I could make a new identity, but making a new identity and forming new relationships isn't a trivial thing to do. Just because you can't see my body doesn't make my identity any less real imo.
20 years ago, programming skills and access to Anime in Europe were highly correlated.
Back then, me and friends spent an insane amount of time on reverse engineering a Japanese file sharing app so that we could build our own server version (like Deluge nowadays) and then we built our own IRC server and our own XDCC download bots so that we could get Anime raws onto a university server and then recode them to make download over ISDN (64kb/s) feasible.
Also, a lot of the Anime series featured socially awkward nerd guys who by accident stumbled into their own harem...
With that context, posters of Anime girls together with nerd stuff sold extremely well at Connichi (a big Anime convention in Germany). A friend of mine (who's now CTO of a C++ dev shop) even bought a wax printer so that we could make really high quality A3 posters.
So I guess it's an in-joke for Europeans born in the 80s.
It's really funny hearing someone ask if this is the hand-off to the new generation, when the fact is that furries were working on the internet well before anybody else cared. Furcadia came out in 1996!
[edit] Oh, right, I should explain what Furcadia is. It's apparently based on Multi-User Dungeon type technology, but has a graphical frontend and was driven by user-generated content. Essentially, it was Habbo Hotel for furries, four years before Habbo Hotel even existed.
Individualism is big for those generations, and identifying yourself with your favorite anime girl/pop culture element or the character you designed with the elements you like is a way to differentiate yourself from others. The furry/anime communities also tend to be pretty technically inclined, so I imagine there's just some natural overlap.
My take: People have used animals, drawings, and random photos as avatars since avatars were a thing. Anime has been growing in popularity and reach over the past decades, and the new (and broadly available) "hololive"-style animated YouTube and Twitch avatars have created their own boom.
Combine with a greater acceptance of non-traditional personal identities, and you get professionals using anime and furry avatars and decorations. Practically speaking, it's not really any more or less professional than O'Reilly using animals to create an identity for its programming book covers (so long as you're not wearing a fursuit or sailor moon leotard to work).
Not sure about the trend in general, but this particular image (Anime girl holding a programming book) made me think it was a reference to these manga guides on various math/science/engineering topics: https://en.wikipedia.org/wiki/The_Manga_Guides
I don't think it is related to a new generation or something like that, since I remember people using anime wallpapers and avatars (in MSN Messenger, etc.) since the early 2000s. It is just that in recent years anime became more popular in general than it was even 10 years ago, so you are more likely to see anime-styled characters nowadays.
I'd say it's a shamelessness type thing rather than a new generation thing. People can like what they like; however, it definitely reduces the message when it's plastered on a blog filled with risqué anime girls or furry art.
I'm in my mid 30's. I started blogging about cryptography and security under my furry handle (and with blog posts adorned with furry art) at the start of the pandemic.
It gave me something to do that was both productive and fun.
Why would that be funny? I just wonder how these people have no sense of embarrassment. I suspect part of the reason is that isolated communities encourage this kind of behaviour.
Not sure if this is what's going on here, but I've noticed sometimes isolated communities don't want too much attention and front load these types of things as scarecrows to keep the general public away.
As much as I hate "both sides" discourse[0], it's interesting that I see the same memes in both right and left contexts - I wonder if the creation of a "second language" to discuss divisive politics is enough of a force to spread it, or if it is intentional co-opting of the other side's language to dilute it.
E: [0] HN is not the place for the rest of my feelings on this. "Both sides aren't the same" will have to suffice here.
honestly that's probably a great filter for "interesting" clients, if you want to keep the Fortune 500 bureaucracy away and just work instead of pushing papers all day
It's basically 'book babes'. Booth babes went out of fashion a while back for good reason. This kind of thing is relatively harmless in the instance but in aggregate puts out a vibe.
I think in some parts of US culture not that familiar with Japanese culture there is the misconception that anime is all tentacle porn or something and so you should be embarrassed for liking anime.
While that stereotype still exists in some corners; I've actually found that there is more mainstream understanding and acceptance of anime these days. I work in an office that terminally online folks would call “full of normies”; but I have found people here are at least aware of anime, if not active consumers. These days, it's not “cringe” to enjoy anime itself, and I'm guessing that the majority of commenters in this particular thread are over-analyzing the presence of an anime girl on a website.
The author probably likes seeing an anime girl, and feels that displaying one on their page expresses an interest in anime, tech, and a casual tone for their writing.
It's likely the reason they don't feel embarrassment is because they couldn't care less about your unwarranted judgement, and delight knowing that some people actually take the time to be upset about it.
This always comes up in these discussions; my impression is that there is some kind of a split when it comes to understanding the concept of embarrassment. It is not about the individual judgement of people, and "upset" is the wrong word, but it is difficult to find the right words to explain it. When thinking to myself why I'd never do these kinds of things, setting aside the lack of interest, I wouldn't want the general perception that people have of me to be associated with these cultural symbols. It is an interesting question, especially because it appears obvious until I reflect on it. I guess I am not the only one who feels like this, and some people get upset because it is difficult to articulate these "unwritten rules of behaviour in polite society".
To me it's sad that you took that lesson away from that. :(
Watching someone be genuinely enthusiastic about something is wonderful. Society has far too much cynicism, and watching it beat that into children as they grow up is no fun. I see a lot of adults who treat things that way.
Maybe it's a generational thing, maybe it's my circles, but I've seen plenty people appreciating and gushing about people sharing their interests. It's even in the memes, here's an example:
> Everyone wants an autistic gf who infodumps abt video games and linguistics and whatever up until day 43 of the relationship when you get a paper cut and she starts trying to drink your blood
> Watching someone be genuinely enthusiastic about something is wonderful.
But isn't the question what they are being enthusiastic about? I would certainly agree that there are some things considered noble and respectable (helping the sick, science, the right kind of activism for the right kind of people, ...) that most admire. At the same time I think most recognize that there are destructive or non-productive things one can be enthusiastic about, to the point of obsession. While having an anime girl on your website or being a furry is usually not destructive (setting aside the popular cultural image of such people), it is at least non-productive in the sense that neither society nor the individual grows from engaging with the topic. You can study engineering and improve human technology, or write and learn how to better express yourself, but I don't see how anyone can progress as an anime weeaboo beyond a self-contained culture that might value whether you know the names and details of all characters by heart. As soon as you step out of this bubble, the value disappears.
> Maybe it's a generational thing, maybe it's my circles, but I've seen plenty people appreciating and gushing about people sharing their interests.
I don't know what generation you are referring to. I'm Gen Z and obviously have different feelings about this. Sure, I enjoy talking to people who share my interests, but I know when and where the right place is. I don't go out with friends and insist on talking about e.g. Emacs, and I certainly don't want to be perceived as someone who is superficially only interested in my own topics, not caring to engage with topics that others care about.
(Btw. thanks for your respectful tone, I appreciate it.)
I'm...not sure why it would be embarrassing? People have things they're interested in that aren't related to work, and besides, the suit-and-tie image of the workplace is deeply rooted in a load of nonsense (nonsense which ought to be recognized as nonsense, but which is often confused for professionalism).
If you check my other replies in this thread, I've tried to describe why I feel the way I do. But if I may, I'd be curious to hear what you'd consider to be "embarrassing", not as an act but as a personality trait.
As an example, I believe I recall the first time I felt this way as a child, perhaps at age 4 or 5. There was some sort of a meeting, and somehow a kid felt prompted to go up to the whiteboard and start explaining the Bionicle alphabet (https://bionicle.fandom.com/wiki/Matoran_Alphabet) to everyone with unreasonable enthusiasm. I was into Bionicles myself, but remember thinking, "Don't you know what you look like? Don't you know that nobody cares? Have you no sense of how others perceive you? If I hadn't seen what this looks like, would I have done something like this eventually?". I don't know how others brush these impressions away with a "Good for him".
I used to have something similar as a teenager. I pretty quickly realized I was drawing arbitrary lines, treating the things I found cool as better than the things other people found cool, and treating other people's interests as somehow more embarrassing than my own, even though I was a textbook cargo-pants-wearing wannabe-hacker nerd. Between that and my struggle with depression, I ended up deciding that it's more important to enjoy things than to look cool.
Anyway, to answer your question: I'm not sure there are any personality traits I would call "embarrassing". There are some I would call harmful, sure, and there are some that are associated with being socially inept or less cool, but I don't think there's a category of personality traits that are just embarrassing.
To your specific example: Being enthusiastic about things isn't embarrassing; it invites others to share that enthusiasm, either because of a shared interest or simply because watching someone be enthusiastic about something is enjoyable.
I'm curious why you think that's something to be embarrassed about. I feel like it's a cultural thing; for example, here in Japan it's very common to see this style everywhere (on TV, on billboards, on the train, on random websites, etc.), and several of my coworkers also have these kinds of backgrounds or posters at work (in an open office).
It was frankly weird and a bit disturbing to see some of the neckbeards in engineering school obsessing over cute depictions of young girls. To this day, it definitely colours how I see random use of anime girls on CS-related topics.
I have no issue with it in its original Japanese setting, and I wasn't aware of its use by the LGBT community, but it seems far less depressing in this case.
There are a surprising number of pedophiles (who will immediately 'correct' people to use the term "ephebophile" instead) amongst the techbeard community. I agree it becomes uncomfortably apparent after spending a bit of time with these types.
I don't know; this is mostly instinctual, but my guess is that it's subconsciously associated with the cultural image of the anime enthusiast or furry as socially inept, meagre, or generally nerdish.
Or perhaps they simply see no reason for it to be embarrassing, because they have a different set of values, coming from a different culture which we, as old people, simply are not part of.
> I just wonder how these people have no sense of embarrassment.
A lot of these people tend to be quite isolated from society in general, so they end up losing their sense of embarrassment entirely. Doing things that other people find weird or that make other people uncomfortable ends up becoming a sort of hobby for them (and often becomes their personality entirely) since they effectively have nothing to lose over it.
That is a good point. If you don't need to deal with everyday people to socialize, you don't have to adapt your behaviour to the mean expectation of what is proper and what is not. I remember reading an interesting socialist argument once, that this is historically unique because capitalism allows people to reduce social relations to monetary exchange. As long as you can pay your bills and buy what you need, nobody can complain. It is this perspective, implicitly held by the people who retort with "Why do you even care?", that I am not a fan of.
I’m in this picture and I don’t like it, but I vouched anyway. It’s an interesting perspective I hadn’t considered before, and it broadened my horizons a bit.
The comment I responded to was dead. I don’t feel it really violates the site guidelines. Although some people might take it personally, which could make it sort of flame-bait-y and result in flags.
Even for us youngsters that's still considered pretty weird, and nobody normal is involved with it. Unfortunately, it seems to have a tendency to pollute technical circles, since when I do run across it, that's usually where it is.
It is the classic phenomenon where most people in a distant group are normal but a minority is peculiar, and you don't notice the normal ones because they are overshadowed by the minority. E.g. when I was in school, I remember never wanting to get into trouble with the older kids, but then, once I was older, wondering why the younger ones did. The number of trouble-makers probably didn't change; it's just that when I was younger I didn't tune out the normal ones my own age, which I did once I was older.
I mean, I know two pretty normal current/past programmer coworkers who use anime girls as their main avatar at work. Is it weird? Kind of. Are they otherwise pretty normal people? Yeah.
I'm friends with both of them on Steam, and they are both very very very into gaming (like 4-5 hours a day at least), so I always thought it was related to that somehow.
The funny thing is that while I don't doubt in my mind that a lot of the folks with anime/furry illustrations in their blogs are generally younger, I suspect many of them are still knocking on 30 at least.
What happened? Anime and furry fandom became more socially acceptable across contexts. Why? Probably because of the ridiculous degree to which we are connected online and the way this has eroded our ability to segregate identities. A lot of people you have seen online have always been huge losers, but many of them are more open to flagrantly displaying it now.
Is this good? Dunno. I think making some of these subcultures more mainstream can suck for the subcultures themselves. I've never found it all that off-putting personally, but that could just be a reflection of my own biases as a long-time online loser.
Generally agree, but I do have to bristle at the "huge losers" sentiment. The fact that furries/weebs have strong visibility in the professional software/IT space should be a signal that those people aren't losers, and are in fact doing quite well for themselves. And if you're in the industry, then you need to do yourself a favor and remove that label from yourself.
What you call a "flagrant display", I call a typical, progressive break from meaningless social conventions. People like cute drawings and post them on their websites; so what? And I think it gives those communities good visibility, demonstrating the skilled and creative people who inhabit them.
I mean, the truth is, it's obviously not that weird. It's a reflection of culture, at least in America, that I regard such things in this light. Still, I mean it with affection. The fact that it was somewhat outcast culture also freed it from the bounds of giving a damn about social acceptability, which led to some very free creativity. I always embraced this.
I realize now this attitude may seem unnecessarily self-deprecating, though. Oh well.
I know this probably falls into the category of red-baiting hysteria, but sometimes I've wondered (not seriously, in more of a spy-vs-spy, campy, tinfoil hat way) if the Kotlin programming language is a secret plot by the Russian government to embed backdoors in everything compiled with it. How many people have done a deep inspection of the compiled product?
(Insert balloon boy meme of the conspiracy theory guy at his bulletin board)
Of course, the Russians would probably be justified in wondering the same thing about a programming language created in the United States.
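For what it's worth, Kotlin's JVM output isn't a black box: whatever kotlinc emits can be disassembled with the standard JDK tool javap and read directly. A minimal sketch of such an inspection, with purely illustrative file and class names:

    // Hello.kt: a trivial program whose compiled output we can audit.
    fun main() {
        println("Hello, world")
    }

    // To see what the compiler actually emitted (shell commands):
    //   kotlinc Hello.kt            # produces HelloKt.class in the current directory
    //   javap -c -p HelloKt.class   # disassembles every method to JVM bytecode

Anything the compiler injected would have to appear somewhere in that listing (unless, in true Thompson fashion, javap itself is also backdoored).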
"Please don't pick the most provocative thing in an article or post to complain about in the thread. Find something interesting to respond to instead."
"Please don't complain about tangential annoyances—things like article or website formats, name collisions, or back-button breakage. They're too common to be interesting."
> "Please don't complain about tangential annoyances—things like article or website formats, name collisions, or back-button breakage. They're too common to be interesting."
That one happens a lot on HN. I'm not sure I'd want it to happen less.