One thing not mentioned is that the TrustCor VP (Rachel McPherson) spent the entire discussion trying to distance TrustCor from MsgSafe, the product that was coming under scrutiny for bundling the malware and engaging in false advertising about its encryption. She repeatedly categorized MsgSafe as a distinct business unit "operated separately and independently from TrustCor CA" to try to insulate the CA from getting damaged by MsgSafe's obvious problems.
One of the key factors in Mozilla's decision was that this supposed operational independence was a lie, because Rachel herself was the Director/VP of Operations for both business units [0]:
> The same individual was responsible for the day to day operation of both TrustCor’s CA business and MsgSafe. They are listed on TrustCor’s website as the VP of TrustCor’s CA operations and the Director of Operations for MsgSafe. [2]
> ...
> [2] Rachel McPherson is listed as the Vice President of Operations, having “access-to and control-over the CA and CA Business Operations” in a company document submitted privately by Rachel to Mozilla. Press releases on TrustCor’s website list Rachel McPherson as MsgSafe.io’s Director of Operations, e.g. https://web.archive.org/web/20221108224150/https://trustcor.....
The bad taste this left in my mouth was the glee with which it was conducted.
Delisting a CA is a thing you can do. It is a serious thing you can do.
But the internet drama surrounding this, and some posts on the mailing list itself, were overly emotional.
"Ha! We caught you! You damned executive, you!" is not exactly the tone with which I'd want to conduct weighty matters.
It was like looking back into the early-90s, when pitchforks-and-torches-because-we-technically-can were the norm. I don't miss those days, and I'd thought the internet had grown up more.
Apologies in advance for being the no-fun police, but we're talking about destroying a business. Even if it's a shitty business, run by shitty people, trying to do shitty things... just don't fucking dance. https://m.youtube.com/watch?v=0k5aVLi_yhM
If you look at the emails by Kathleen, she was very deliberate and professional in her phrasing. She only called Rachel out by name in a footnote, and never drew attention to the lie directly. I elided a whole lot of body text to put those two lines together, and even when combined Kathleen doesn't explicitly call her out for lying. That shows a lot of decorum and restraint on Kathleen's part, given the nonsense she was confronted with.
There were definitely some people on the mailing list who were less than professional (and of course on Reddit and HN), but the main decision makers were very careful and professional throughout. Rachel is the only one out of the core people involved who lapsed into immaturity.
Agreed. Kathleen and the browser reps, as far as I could tell, were nothing but professional and cordial.
But by Rachel's fourth reply(?), the response tone seems to shift. Suddenly it's okay for the peanut gallery to snark.
And I get it -- I probably couldn't have resisted a choice remark after being shoveled a load of what read like horsecrap.
But when "I’m not sure how exactly you’re involved in the CA community, do you represent a CA? A browser perhaps? Or any of the governing bodies? [...] Or are you concerned citizen consumers?" is responded to with "I think all of us are easily found via Google", that's less than the gravitas I'd expect.
And I find it fascinating HN cheered this one, when HN's 2nd favorite topic du jour is complaining about how large companies steamroll smaller entities whenever it suits them, without any standard process.
Yes, I fully agree about Kurt's replies—they were unprofessional and added no value. The others that chimed in at the same time were more thoughtful (though equally scathing), but were probably colored a bit by proximity to Kurt's.
> And I find it fascinating HN cheered this one, when HN's 2nd favorite topic du jour is complaining about how large companies steamroll smaller entities whenever it suits them, without any standard process.
I think the main reason it drew so much attention is because the TrustCor rep made such a scene out of it. Evasion and deflection escalated into ad hominems and conspiracy theories. By the time it hit the HN front page, it was pretty obvious that TrustCor couldn't be trusted, so there wasn't room for any sympathy.
Call me a pathological contrarian, but I try to step extra carefully when dealing with a matter where there doesn't seem to be room for any sympathy. More often than not, it's those obviously-righteous times that have led to my behaving like the biggest ass.
Better to do a happy thing with a smile on your face, and a grim thing with no expression at all.
So my response: CAs sell trust. Billions of people trust them. They should be above reproach. A CA in the root certificate store has supposedly passed through an arduous set of processes and should be rock solid.
While you may not like the tone of my comments, was there anything that was factually incorrect? I saw BS answers and called them out.
Specifically as to her question:
>Thank you all for chiming in. I’m not sure how exactly you’re involved in the CA community, do you represent a CA? A browser perhaps? Or any of the governing
If you look at the rest of the dev-security-policy@mozilla.org list posters it's the same 2-3 dozen people posting for almost a decade (myself included, going back to 2010 or so, I have a spreadsheet somewhere but it's easy enough to confirm).
Again: a CA should be like a bank, well run, regulated, and trustworthy, they should not be toppled over so easily by a group of random Internet volunteers. I would also point out that Microsoft retroactively removed them:
so say what you will about my tone, but the facts are the facts.
Also if anyone is interested we're looking at other root CAs, there's a few more that appear to be less than ideal. Heck within the last 3 months we've also had:
Discussion Item #1: A concern was raised about BJCA’s Beijing One Pass software, which apparently facilitates client access to a digital portal or platform. It was noted that BJCA had attempted to address suspicions about the software in Comment #15, that the software was needed to support a USB token and to install another certificate chain, and not the two above-referenced roots.
A follow-up question was whether a security report concerning the software would be made publicly available.
BJCA Response to Discussion Item #1: “This report is a communication document between our company and the competent government department, and it is not suitable for disclosure or submission to Mozilla because it involves confidential information. And because the security incident does not involve the certificate chain of the root inclusion case submitted to Mozilla this time, we made a clarification in the Mozilla root inclusion case by disclosing the main points of the report.”
==========================
Discussion Item #2: Two components were also mentioned: wmControl.exe and zfkeymonitor.exe.
BJCA Response to Discussion Item #2: The “suspected spyware behavior indicated in the report was caused by one of the drivers, wmControl.exe. This program is a driver provided by the USB Token manufacturer, Its software behavior is different from spyware and does not have malicious behavior. It is intended to ensure the normal use of this type of [device] in the browser. In addition, the USB Token for digital certificate corresponding to the driver wmControl.exe is an old version device, and its driver has been deleted in the new version of the certificate environment software (version >= 3.6.8)”. Concerning zfkeymonitor.exe, BJCA responded that their software did not include the zfkeymonitor program.
==========================
Discussion Item #3: Clarification was requested about root certificate installation by the One Pass software.
BJCA Response to Discussion Item #3: BJCA reiterated that their software did not attempt to install the two roots, but stated, “in order to improve the user experience, the BJCA certificate environment software chooses to skip user confirmation during the installation process, which may cause doubts for users. At present, we have plans to adopt advanced options in the new version of the software, allowing users to choose whether to confirm the installation, and support users to choose to add certificates and updates to the current user's personal storage instead of the computer's trusted root or trusted third party storage. No doubt that there is an obvious contradiction between convenience and security, which could improve the software security but degrades the user experience and increase our operation costs.”
According to BJCA, it maintains two separate systems:
a global, public-trust system that meets international standards (WebTrust, CA/Browser Forum, etc.) and issues and manages SSL/TLS server certificates; and
a national system that follows Chinese standards and issues and manages personal certificates, enterprise certificates and equipment certificates (e.g., Beijing One Pass software and certificate).
BJCA acknowledges that both systems are under control of the same legal business entity, but for the latter, the software is not part of the global, public-trust system.
BJCA says it “will also refer to the recommendations of experts, learn from the best practices of the public trust system, continue to innovate, practice corporate social responsibility, and strive to build a safe and reliable of cyberspace.”
==========================
Conclusion
We thank community members for their review and consideration during this period. Root Store Programs will make final inclusion decisions independently, on their own timelines, and based on each Root Store Member’s inclusion criteria. Further discussion may take place in the independently managed Root Store community forums (i.e., MDSP).
If anyone is interested, we're looking into what can be done around the root certificate world, if you're interested feel free to reach out to me at kurt@seifried.org (I'm still in the exploratory phase, e.g. can anything actionable/useful be done, and so on).
In HN fashion, I figured the comment might be read by a person of interest.
So first off -- thank you for spending your time on something critical to the internet! I don't, and so my words/critiques are cheap.
Here's a couple questions I'm honestly curious about, from someone more tuned to the mores and social currents in the groups. And especially now this has fallen off the front page and is less visible.
DISCLAIMER: Neither of the below seem applicable to this situation in question. It definitely seemed the right call, for the right reasons. These are asked about NEXT time.
1) Do you believe the process, as it exists today, is resistant to accusations of bad faith, especially if a few participants are semi-captured into playing along at the onset? (I.e. the "create a lot of smoke and imply there's fire" scenario, perhaps by a commercial competitor with social connections in the group)
2) One of the comments noted that there wasn't a policy for the squishier corporate/organization expectations, which led to subjective judgement calls on whether legal/corporate/ownership structures looked right. Is this accurate? And if so, what are your thoughts on if their lack is a problem or not (including historical situations where it's said this also happened)?
1) Nope, as evidenced by the fact that we just had one existing root CA booted out due to apparent links to spyware (Trustcor) and a second CA applying with links to spyware (BJCA.cn) that may or may not make it in.
2) As I've said, CAs should be above reproach. A CA involved in any way with spyware has a clear conflict of interest that can (and has) resulted in major security problems for users (e.g. MitM interception).
Also a lot of this gets worse the more you look:
Asking HOW we are supposed to review these documents and confirm that the auditor is indeed a valid auditor, for example results in, well, no answer. Examples:
On 1, I was thinking about the opposite: a potentially-valid CA (probably a smaller one) that has some unclear paperwork, that someone pieces together a narrative about, with the intention of getting them booted.
On 2, agreed on the above reproach. But defining that across international and multiple legal jurisdictions, corporate structures, ownership structures, etc. seems... complex. And honestly, not something I'd trust myself with (as a primarily-SWE).
And the external audits don't attest to corporate structure, do they?
1) If that's the case they should be able to prove they are legitimate without too much effort. If a CA can't prove they are legitimate, well. Err.. they probably need to be booted then.
2) Correct but there are also many CAs that have managed to do a good job here. Why should we allow poorly behaved CAs in when it affects potentially billions of devices and people?
As for the external audits correct, they are very narrow in scope, there are also no requirements around change of control (e.g. company A buys an existing root CA).
Really? Every now and then some guy will tweet "Software so and so from Famous Company Z phones home all the time" and some HN user will "corroborate" and then a bunch of others will tell us we're the product and a bunch of other LLM generated tripe. Then it'll turn out to be a false alarm.
Outrage culture manifests commonly in nerd culture as this kind of rage.
> There were definitely some people on the mailing list who were less than professional
Especially people like Kurt Seifried who appears to have no relationship to any of the browser vendors or parties involved. Just some random person demanding answers from Rachel as though he is a prosecutor.
It doesn't seem to me like a public mailing list is necessarily the best way to handle this given the seriousness of the topic and the business impact to the company involved.
it concerns millions of users directly and billions indirectly.
yes we can trust Mozilla and the other browser vendors to do the right thing. we already trust them very explicitly when using their software.
but the public by default approach is pretty good for these things. IETF, NANOG and other big org lists are also public. yes as all mailing lists there are occasional flareups. (and yes browser vendors or various CA/B forum members can still start a shadow list to conspire)
... but the business impact happened when they did the not-the-right thing, to minimize their impact they could have declared this an incident, suspend issuance, withdraw from the trusted set and apply again later. they again did the not-the-right thing by trying to bullshit their way to minimal impact.
it's not exactly virtuous, but quite understandable to throw a few rotten eggs. (and the list could be CA/B members & candidates only).
It's wild that people think there is some sort of "CA Police" looking out for bad CAs. Sorry but random people like myself demanding answers during the public discussion phase is actually what the "CA Police" looks like.
If anyone is interested, we're looking into what can be done around the root certificate world, if you're interested feel free to reach out to me at kurt@seifried.org (I'm still in the exploratory phase, e.g. can anything actionable/useful be done, and so on).
Given the same facts, I come to opposite conclusion. To create trust, this business must be conducted in public & must be open access. Imposing any more barriers or concealing the dealings would be actively harmful to the process. Anyone is capable of presenting good data to inform these decisions, to show how & why trust should or should not be given, and that's great, that's how we let in the sunlight.
It is just a mailing list. No one has to take commenters seriously. I found the tone here by the community to be quite fine. But even if it descended significantly, became much less professional, I wouldn't be happy per se but I would not until a long long descent begin to question the value of the open process. It is up to the reader to figure out what credentials people have; as Kurt said, you've got to do your own searching to find out. That there is noise in the channel (in this case it did not seem to come from the community) is not something we should restrict the process to avoid; it is something we must allow & be able to be tolerant & resilient to.
I didn’t see that much glee in the thread. At most, maybe mild bemusement at how ridiculous the entire affair was, relative to how staid policy enforcement can be.
It was like looking back into the early-90s, when pitchforks-and-torches-because-we-technically-can were the norm. I don't miss those days, and I'd thought the internet had grown up more.
Yeah, the 90s, back when anti-trust was a thing and big companies occasionally actually got punished in meaningful ways for shitting all over society.
Sure, it was just a small fish, but it's still deeply satisfying to see someone fail to get away with it because it's so rare.
I can't say I've got sympathy for the business and its owners, but my sympathies to the employees impacted are best focused on why employees must get so screwed over by the business going under, not on preserving the bad business.
> The conclusion on the mailing list was roughly: look, we're not here to find you guilty in a court of law, we're here to decide whether we trust you, and after all that we definitely don't.
They weren't untrusted just because of the behaviour. A really important dimension is that TrustCor certificates were only being used for very limited purpose. The actual decision is a cost vs benefit analysis from the point of view of internet users. Because there's so little benefit, it takes only very little untrustworthiness before the best course of action is to distrust.
The browsers constantly wield this argument, but I don't like it. It necessarily leads to centralisation of CAs and going back to old days of VeriSign.
I don't think we should be going towards LE/ISRG being the only organisation allowed to issue certificates for "cost vs benefits analysis" of allowing other entities to issue certs. It would be a single point of failure and a massive target for various non-state and state actors.
I agree in general, but in this case it was pretty clear-cut: TrustCor was a CA primarily to serve a single product, MsgSafe.io. This is the same product that was found to have bundled the only known unobfuscated Measurement Systems malware and was also found to be claiming E2E encryption when very rudimentary tests showed they couldn't possibly be encrypting the email.
Since their only known benefit was issuing certificates in support of a quite-possibly-shady email system, I'm comfortable with saying that the cost-benefit analysis comes down firmly against TrustCor.
The "the only product known to have embedded unobfuscated Measurement Systems malware" phrase got used a whole lot, in the OP and in comments here as well as in the original email thread, but nobody really explained why that factor was important (or maybe I just missed it?)
Can somebody explain the significance of the malware being unobfuscated, and why that's apparently more concerning than if it had been obfuscated?
All known copies of the malware were obfuscated, meaning the variable and function names were renamed to nonsense. The version included in MsgSafe did not have garbled variables and it had source code modifications to hard code a MsgSafe certificate and servers.
This suggests that the relationship between MsgSafe and Measurement Systems was not a typical "oops, we added a library that turned out to be malware" relationship. Instead, they seem to have had access to the raw source code, rather than the packaged binaries, which in conjunction with other evidence indicates a close degree of collaboration between the malware developers and MsgSafe. It's not a smoking gun, but it's enough to warrant distrust.
The presence of the unobfuscated malware suggests that it originates with them, instead of it being an unwitting component of their application.
In other words: it suggests that the CA and the malware creator are one and the same, which was then further substantiated by their shared executives, addresses, etc.
The suggestion might be that Trustcor received an internal build of the SDK because of their close links to the company. Perhaps the developer who worked on the mobile app also worked for the company behind the SDK?
Rachel’s suggestion in the thread is that the other examples of this SDK that have been observed obfuscated are much more recent, and that perhaps obfuscation was something the company has started doing more recently.
Naturally, this led me to research how does one even become a CA?
* Developing and implementing a robust security infrastructure
* Completing an application process
* Undergoing an audit and validation process
* Obtaining accreditation from a recognized organization
* Maintaining compliance with accreditation requirements.
and then:
* On average, it can take several months to a year or more to complete the process of becoming a CA. This includes the time required for developing and implementing the necessary policies and procedures, completing the application process, undergoing the audit and validation process, and obtaining accreditation.
Wow, throwing away several months to a year of effort. It truly is something that takes time. I guess, a determined adversary will play the long con.
> The conclusion on the mailing list was roughly: look, we're not here to find you guilty in a court of law, we're here to decide whether we trust you, and after all that we definitely don't.
I get the same feeling when I read the paroxysm about HN at the top of the page.
Just imagine how I feel, I read the comments here because you guys tend to be fairly leftie ranging to too far leftie for me while leaning more libertarian to the point that you guys mostly get why individual liberty is the most important part of a high functioning society. That usually means I get the best version of the argument I disagree with while keeping the collectivist insanity to a dull roar. Only finding out now that I have been doing conservatism wrong by not also holding white people in high regard has been jarring...
I think the final claim is amusing and thought provoking, but maybe not actually true: getting hellbanned by browsers is extremely visible, and I don’t think merely being critical of Google (even in disparaging language) would result in them risking their appearance of impartiality.
I believe the suggestion is not to _just_ say "google is an adware company".
It's to say "sure we shipped spyware to android, we're guilty of what we are accused of, but google does it too and steals all the same information, but from even more people"
> I don’t think merely being critical of Google (even in disparaging language) would result in them risking their appearance of impartiality.
But saying "yes, we shipped the malware you claim we did" would have gotten them removed quickly, which is again what I think the actual suggestion was.
That's a finer point, sure, but I don't think anybody operates under the pretense that (1) Google is not an advertising and analytics company, or that (2) Google willfully introduces malware to end user devices (even if their actual software could be reasonably characterized as adware or spyware).
I don't understand the argument. Imply without data that 90% of a mailing list works for Google, and further imply that their involvement with an open standard is actually a ploy to secretly benefit their advertising business?
That doesn't seem very much like a "high road" to me.
I seem to find myself much more on the fence about this topic than the average person, but I will say I think the correct decision was made. No doubt can exist about a CA's trustworthiness. From what I gathered there are some serious unaddressed issues.
-The email system provided by Trustcor is NOT e2ee. By default the mail-service DOES allow trustcor the possibility of viewing the email, which is in direct contradiction to their documentation.
-They claim the closest association trustcor had to MsgSafe was "shareholders of shareholders" but given their own statements this seems to be misleading, if not completely false. (correct me if I am wrong)
They say that they are no worse than other CAs and their downfall was due to the attention the process attracted and liken it to "...a public interrogation held in a town square." I think I agree, but I also think that maybe this level of investigation should be more common.
Now extend this by thinking about how HTTP/2 and HTTP/3 implementations in all major browsers (and the libs they use) don't allow you to establish a connection without a CA based TLS cert.
It's going to make the already rocky CA/Browser/User triad even more fraught with dangers.
With EasyRSA, you can become your own CA for your own personal devices! (Though on Android, installing a custom CA does give you a perpetual warning notice.)
In combination with my PiHole setup at home, all my devices have names and SSL certificates, protecting them from being snooped on by things like my Chromecast!
If you mean becoming a CA that browsers list in their trust roots: you need to obey the CA/B baseline requirements[1], which are reasonably onerous given the position of extraordinary trust it affords you.
There are other requirements for other kinds of CAs as well (for example, codesigning in Windows).
And there's also a bunch of CAs grandfathered in the trust lists from the time there were less strict requirements. I think those are the CAs that we now see being yanked.
I think they've still got to do audits and what not, but following the rules and stuff isn't sufficient to get in the trust stores (and isn't sufficient to stay either; nothing in this case really has anything to do with the guidelines).
You also need to have some reason for browsers to care about your certs. Being available and interested in the 90s was good enough, but these days the route is probably pay an existing CA to cross sign your CA (which requires that you follow all the same rules as if you were in the trust stores), wait for usage, and then apply to be in direct.
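The two CA mechanics that came up in this subthread, running your own root for personal devices (the EasyRSA comment above) and having an existing CA cross-sign a newer one (the comment just above), as an added example that is not part of the thread and is not EasyRSA's own code. It uses only the openssl command line (1.1.1 or later); the names home-root, established-root and nas.home.lan are constructed placeholders, and the "existing CA" is a second self-made root standing in for one, so the whole thing runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from EasyRSA: a private home CA plus a
# cross-signature from a second root, using only the openssl CLI (1.1.1+).
# All names below (home-root, established-root, nas.home.lan) are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Create a self-signed root: private key plus CA certificate. openssl's default
# settings for "req -x509" mark it CA:TRUE and give it a subject key identifier.
make_root() {  # usage: make_root NAME   (NAME becomes the CN and the file stem)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a server certificate for one device, signed by ROOT. The SAN is what a
# browser actually matches against; the CN alone is not enough any more.
issue_device_cert() {  # usage: issue_device_cert ROOT DEVICENAME
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/$2.ext"
    printf 'subjectAltName=DNS:%s\n' "$2" >> "$WORK/$2.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# Cross-sign: SIGNER issues a CA certificate over SUBJECT's existing public key
# under SUBJECT's own name, so leaves SUBJECT already issued now chain to SIGNER.
cross_sign() {  # usage: cross_sign SIGNER SUBJECT   -> $WORK/SUBJECT-cross.crt
    openssl req -new -key "$WORK/$2.key" -sha256 -subj "/CN=$2" \
        -out "$WORK/$2-cross.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/$2-cross.ext"
    printf 'keyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >> "$WORK/$2-cross.ext"
    openssl x509 -req -sha256 -days 1825 -in "$WORK/$2-cross.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2-cross.ext" -out "$WORK/$2-cross.crt" 2>/dev/null
}

# Path validation the way a client does it: trust only TRUSTEDROOT, optionally
# take an untrusted intermediate served alongside the leaf, and check the
# hostname against the SAN. The exit status is openssl verify's.
verify_chain() {  # usage: verify_chain TRUSTEDROOT DEVICENAME [INTERMEDIATE]
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$3.crt" \
            -verify_hostname "$2" "$WORK/$2.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/$1.crt" \
            -verify_hostname "$2" "$WORK/$2.crt" >/dev/null 2>&1
    fi
}

# Walk through both scenarios; returns 0 only if every expected outcome holds.
demo_private_ca() {
    make_root home-root                               # your own root
    issue_device_cert home-root nas.home.lan          # a cert for one device
    verify_chain home-root nas.home.lan || return 1   # devices trusting your root: OK

    make_root established-root                        # stands in for an existing CA
    if verify_chain established-root nas.home.lan; then
        return 1                                      # a stranger's root rejects it
    fi

    cross_sign established-root home-root             # the "pay an existing CA" route
    verify_chain established-root nas.home.lan home-root-cross || return 1
    echo "OK: private chain and cross-signed chain both verify"
}

demo_private_ca
```

The check worth taking away is the last verify call: a client that trusts only established-root accepts nas.home.lan only when the cross-certificate is presented with the leaf, and the leaf itself never changed. That is also why the cross-signing route in the comment above still binds you to the same rules: every certificate your private root issued becomes valid under the established root's trust the moment the cross-certificate exists. On the private-root side, the design choice is to keep the root key off the devices and issue short-lived leaves with a SAN, which is what the hostname check in verify_chain exercises.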
They often issue certificates outside their own domains, for example they use them on middleware applications. It’s very common in large organisations.
> oh shit it's hacker news I've heard that people from the orange VC site are linking to this post! You are absolutely not welcome here. Cohost is not a place for you. you are bad and you hang out with white supremacists. please leave.
Is this an attempt at humor (in which case, I don't get it), or is the author serious?
HN at least definitely has a Bay Area libertarian bro-ey vibe in a lot of corners of the internet. I think the white supremacist part is up to your interpretation but the intent behind it is serious, at least.
Helps that the posts on HN are largely technical so discussions are generally politically neutral, but any time a political post that isn't even remotely relevant to tech or VC shoots to the top, the worst takes and sometimes downright bigotry will break loose and flood the comments. Most of them do get caught eventually with downvotes/flags/moderator action, but often the damage has been done as they remained visible for far too long.
My take is that political discussion/disagreements on HN are often avoided/stamped out, to prevent it taking over the site. If anything stands out about HN politically vs. the rest of the internet, it's mostly a "we don't talk about politics here" vibe.
However, when political discussion does happen, I tend to see a very wide diversity of political opinions on HN. There's a decent number of users who are generally against any sort of feminism, LGBTQ, anti-racist views, quite alt-right feeling, and there's a decent amount of overlap between those views and libertarians. However, there's also plenty of people with very opposite opinions, very left wing, pro feminism, pro LGBTQ activism, pro anti-racist activism, etc. Kinda like Reddit, you get all ends of the political spectrum. It does have probably the most "Bay Area libertarian bro-ey vibe" of any online community I spend significant time in, and while I'm personally not a fan of that viewpoint, I also think it's only one of many viewpoints on this site.
I've encountered the odd bit of really nuts racism that doesn't get moderated/removed, even if flagged (example: https://news.ycombinator.com/item?id=31722179), but that's rare, and I think that more falls through the cracks vs. dang literally being a white supremacist.
While I have seen a lot of it on the site, dang seems pretty willing to push back directly in a comment, or hellban such users (or uphold the hellbanning on review, I don't know how much is automatic).
My understanding is that comments and submissions can be flagged to death by users, but "hellbanning" -- that is, marking a user such that all of their future comments and submissions are dead by default -- is a manual action by dang or other moderators.
Accounts can be auto-killed via sufficient flags, plus some computational scoring I suspect.
I'll see and report spam accounts. The usual response is that those already were autokilled, or were killed shortly after I emailed (and prior to the moderators' response).
You'll also see dang occasionally commenting on autoflagged "green" (new) accounts. E.g.:
Huh my impression was always that the Bay Area is one of the least libertarian areas of the US, and the biggest ideological clashes on HN tend to come from the Valley startup scene views colliding with the rest of the world in an open forum. See how much wailing and gnashing of teeth there is over AI safety in the Californian startup scene, in which safety gets defined as a fear that an AI might talk like or have the views of normal people.
Let's use this as an opportunity to educate. Trying to label other groups with things that are not true can be very hurtful to the people whose side you pretend to be on. Here is a list of African American Libertarians. You should look up things before you comment.
Hacker News users have a tendency to be very, very, very convinced that they're right, are smarter than other people, and that other people's lived experiences are irrelevant. Part of it is the common assumption that if you're smart in one area then you're somehow smart in all areas; for example, consider doctors like Ben Carson. Part of it is that many people in tech are on the spectrum or have underdeveloped social skills. Part of it is that one moderator can't possibly moderate everything as fast as on other forums. Part of it is that many people in tech are downright rich compared to most people. Part of it is that technically-minded people have more aggressive debating styles in order to get to the core of an argument and uncover the correct answer or solution faster, which can be very off-putting to those not used to it.
Some examples are any threads where the author uses nonstandard pronouns, such as this one from a few hours ago. Some people have terrible takes, and the proportion of them compared to places like, for example, Reddit is higher.
https://news.ycombinator.com/item?id=34446673
Anywhere which allows diversity is going to allow opinions you despise. Otherwise 1) it's not diversity or 2) you don't despise anything. Conclusion: Hacker News is more diverse than @arborelia. (Whether that's a good thing is up to you.)
Calling me a bad person because I occasionally interact with Hacker News is pretty surprising though. Nevermind her implications that I would be racist as well.
As much of a childish reaction as I feel her response is because she saw HN in site stats, I instantly won't read what she wrote because of that.
Oh that's totally normal for people like that. There is an ambient assumption that everyone other than them is an empty vessel, waiting to be filled up by whoever happens to randomly pass by on that day, so if A is seen anywhere in the vicinity of B, then A must automatically have the same views as B, and that applies transitively to B and C and then C and D and so on ad infinitum. The only people immune to this are the woke who, of course, develop all their ideas independently and are totally immune from persuasion of any kind.
That's what she means by "nazis at the bar". It's some woke meme that says it's not possible to discuss anything with people who you disagree with, because you'll instantly become exactly like them.
That's all craziness of course - some sort of personality disorder in which basic empathy is lost and the way other people's minds work is badly misunderstood. These sorts of people can be dangerous to those around them, and probably need psychiatric help, but it's not formally recognized as a disorder.
You've completely misinterpreted the point of "nazis at the bar." The point of the story is that if you tolerate assholes in a space, that space will become famous amongst assholes for being a safe space for assholery. Nobody "becomes exactly like" anybody, but the people who do not like assholes stop coming around, while the assholes keep coming, so eventually the space is just entirely asshole-occupied. Naziism is used as a signal that this is not regarding "people who you disagree with"; civilized people don't regard Naziism as a valid topic for disagreement -- and the war about that has been over for decades.
> civilized people don't regard Naziism as a valid topic for disagreement
See how fluidly you move between Naziism as an analogy and asserting that it has a literal meaning such that the "war" about that has been over for decades? Nobody here is a literal Nazi, not even close, so this whole argument is meaningless.
> the people who do not like assholes stop coming around
The whole point is that actually no, it is possible for people to strongly disagree yet stay talking, and adults do so all the time.
I personally have ousted a Nazi (her words for her identity) from multiple nonprofit board positions. She also worked with the synagogue bomber in Northern Indiana, who is also a Nazi and was found guilty.
Although it is true that "Nazi" was historically thrown around a LOT, especially during the 90's and early 2000's, with things like "Soup Nazi" and grammar Nazis. Charlottesville was really the wake-up call that no, there are real white nationalists, neo-Nazis, and similar, and they will attempt to take over at all costs.
And in the occult, there is a Norse religion called Asatru, or faith of the Aesir. Unfortunately, groups like "Asatru Folk Assembly" are literally neo-Nazi front groups that peddle Asatru but with a racial purity identity. The anti-racist Asatruars have had to fight against real neo-Nazis getting into your group, "peacefully" suggesting racial purity, inviting more like them and running off the anti-racists... And after a bit, your group is now a neo-Nazi front. This is a literal thing that happens.
These types are not to be tolerated, discussed with, or anything outside of running them off the moment they appear.
> Naziism is used as a signal that this is not regarding "people who you disagree with"
Yeah no, that's exactly what this is regarding. Anyone who doesn't think exactly like me is a Nazi and because you tolerate people that don't think exactly like me you're a Nazi too.
How is that any different than "anyone who doesn't think exactly like me is woke and dangerous to others?" I have to wonder if you're deliberately misinterpreting the parable just to give yourself more ammo in this culture war you seem to be fighting.
The plain and simple fact is that different communities have different thresholds for what sorts of opinions they find acceptable. The person who posted the article considers Hacker News to accommodate unacceptable opinions. Instead of just noting that fact and moving on, you've decided to get angry on the internet about "woke people." It's really weird, since their opinion doesn't affect you or Hacker News in the slightest.
Often the brigade down-voting of things that certain people consider to be a non-tech opinion is itself based on a highly biased approach to what is appropriate for technical discussions. The same sorts of arguments are often used to dismiss discussions of alternative naming of git primary branches and other technical terms that have more accurate and less degrading names, or are entirely dismissive of codes of conduct for code repos or conferences.
I have quite often seen COVID-19 disinformation upvoted here, as well as many other conspiracy theories unique to a particular subset of the population.
I have often debated whether I want to remain part of the HN community—it is often toxic. But I also don’t want to cede space to people whose worldview is inimical to my own, so I stay and argue against the worst parts of it.
I'm not aware. If anything, I've seen a few cesspits and HN doesn't look like one. So, I'm surprised, and, naturally, would like to see a follow-up with more details.
Also, with all due respect, your comment reads aggressively, as an attack (my apologies if this wasn't intended as such), so I suspect you're going to get some strong reactions.
Just like that "if you're from HN you're bad, go away" banner. For what it's worth, I've also seen a few examples of groupthink bigotry, and I felt certain resemblance.
> would like to see a follow-up with more details.
Oversimplified summary of the complaint as I understand it: HN’s moderation policy is “thoughtful debate.” Marginalized groups do not appreciate their human rights being treated as being up for debate, politely or not.
I mostly read threads well after they've died down so I haven't seen it here, but I'd say that, for example, anywhere not explicitly trans-friendly, trans issues are debated by misinformed cis people.
I have seen people disagree on various aspects of that, but I can't recall ever seeing anyone argue that their "human rights" should be taken away, outside of some comments that are being downvoted to hell and flagged.
"Misinformed cis people" is quite a different thing from "human rights being treated as being up for debate".
If anything, I’ve seen HN be aggressively moderated in the opposite direction, where if you do something like point out men aren’t wholesale profiteers of modern society (pointing out suicide stats, education, often guilty until proven innocent & harsher sentences, etc) your comments get detached by dang.
Not OP, but the note surprised me too - I’m aware of a lot of the tendencies in conversations here, but it’s hard to really assess something from the inside, and the note feels harsher to me than I’d expect to be the common sentiment about this place. Can you share more?
I believe the answer is there when she complains about the moderator. Probably she asked that someone be censored and didn't get her way. Now call me a white supremacist, but I tend to trust dang slightly more than someone who says that I'm bad without having met me.
It depends on the topic, with posts that are mostly about technical stuff (which of course is most things that get posted on HN) there's generally no hint of any of that.
But when anything gets posted that can be linked to race, or celebrates some minority, or talks about the climate I notice a disturbing amount of people crawl out of the woodwork and post some truly awful/ignorant things.
Yeah, I guess reflecting on this, there are a lot of good conversations that happen here, and because of that, I forget how much terrible shit also gets posted here. A lot of it gets downvoted into oblivion, but the bell curve on quality’s got some fat tails.
Yeah I'm kinda the same. I stick around because interesting/useful stuff gets posted here, and the discussion is mostly also interesting/useful.
But some days I wonder if I really want to hang around in a space where comments about "race realism" and obviously willfully ignorant climate change denialism are tolerated.
(like you said they usually get downvoted into oblivion, but not consistently enough for me to be comfortable that those people aren't still a fairly large minority of those engaging in discussion on this site).
You're using the standard definitions of those words. People like that use totally different definitions that are ideologically based, for example, expressing concern over discrimination against men = white supremacy to them.
> the reputation of this community outside of this forum
More like "the reputation this community has with mega-narcissists who lack the empathy to cope with the fact there are people in the world who don't quite see things the way they do, and can't stand forums that allow people to voice opinions they don't like".
There are plenty of things I don't especially like about HN, but "filled with literal white supremacists" is not one of them. I'm sure you can find the occasional post here or there that gets by unnoticed in some little-seen thread, but that's certainly not the norm.
For people to whom anti-racism is a philosophy, you're a racist if you do or say racist things. For people to whom anti-racism is a religion, you're a racist if you're not sufficiently and publicly pious.
Being a toxic cesspool of the worst aspects of Silicon Valley tech-bro culture - racism, misogyny, antisemitism, conspiracy theory, elitism, aggressively ignorant hot takes and toxicity. For a lot of people - particularly women and LGBTQ+ in tech - this place looks like a den of alt-right creeps and incels, and being posted here is the last thing they want. If you want evidence of this you can just hang around with showdead on for a while in any thread that even vaguely broaches a political topic, or follow moderator dang's account long enough. You can also follow certain tags on Twitter or subreddits that archive the worst of HN. Some of what they discuss is taken out of context, but a lot of it isn't.
And to be fair, Hacker News is a diverse community, not a monoculture. It's entirely possible not to see the worst side of this place, depending on where and how often you post, and it's entirely within anyone's rights to dismiss criticisms of the community (although I think that would be a mistake.) But that reputation also isn't entirely unwarranted.
> If you want evidence of this you can just hang around with showdead on for a while in any thread that even vaguely broaches a political topic, or follow moderator dang's account long enough.
Judging a community by posts that are moderated away seems like the wrong way to go about things. By this standard almost any community is horrible $bad_thing. It's just that on HN you have a bit more transparency than many other sites. If you don't want to see that stuff then don't turn showdead on.
Now, I have my own criticisms of HN, and some (but not all) align with yours. But I don't really want to go into details about that as I feel that's moving the goalposts from the claims made in the notice: "full of sexism and racism", "hang out with white supremacists", and that "the main moderator approves of it". "Out of touch elitist silicon valley nonsense" is not the same as any of that.
> this place looks like a den of alt-right creeps and incels
But it's not. There sure are some of those people, and their posts rarely do well (i.e. they're typically downvoted, certainly not the top post).
The funny part is that most of that criticism is from techbros from Silicon Valley that are in denial and "not like the other tech bros". The statement about HN in the linked article is proof of that; it is a very typical Bay Area upper-middle-class white people "ally" discourse. But it's funny that people inside that bubble think that they aren't also techbros from Silicon Valley lol.
> racism, misogyny, antisemitism, conspiracy theory, elitism, aggressively ignorant hot takes and toxicity
A lot of people might say the same about America. And many people in America would view that with consternation.
It’s ironic, because I’d bet many of the people tarring everyone on HN with the same brush would be the first to resent being lumped together with their fellow citizens.
I do see some of what I would consider to be objectionable viewpoints here (not to be confused with viewpoints that I simply disagree with). But it's also just about the only place I've found that has thoughtful discussion I find engaging (though, not all the time, of course). I have a very hard time finding anything of value on other websites. It's difficult even to find such engaging conversation with people in real life. So I guess I've just decided to take the good with the bad.
Isn't the point that you have to have showdead on to see that stuff, though? Most sites/communities don't let you read what got removed. In fact, every time I see a comment of that nature that's not dead, I don't manage to get done typing a rebuttal before it's been killed.
It's still a problem that they exist and persist as much as they do. If you're transgender or gay and you know every time something you write gets posted here there's going to be a tangential diatribe about your pronouns, mental faculties and secret agenda, it doesn't make this place seem any more welcoming if that stuff has to be constantly voted down, and flagging it doesn't magically separate it from the zeitgeist of this community. It's still a part of what HN is, if it's a part that some people fight against.
It's like living in an apartment with a pest problem. It doesn't matter how much you spray, you still have a pest problem.
I'm not sure I've ever seen a community with a smaller fraction of toxic posts than HN. If you keep showdead turned off you're talking about fractions of a percent. If that isn't good enough I suppose I wish them luck finding a place I suspect may not exist.
Sounds to me like you just can't mentally handle the mere existence of someone who disagrees with you, even if nobody's forcing you to listen to what they say.
Or maybe the author is overly offended at even the slightest things, especially considering HN is like the least toxic community I can think of.. except maybe a fountain pen forum.
It's a reasonable question. I'm sure many of the users of Hacker News use anime profile pictures and declare their pronouns themselves, with completely valid opinions.
> [Google is a] company that also distributes spyware, because they don't check what their ad customers are doing very well and let them run random JavaScript on random web pages.
Is this true? While it's absolutely the case that websites have very little control over what ad content is displayed (see, for instance, the work of https://checkmyads.org/), I don't think I've ever seen evidence that ad publishers, or anyone in that massive ecosystem, can inject arbitrary code, running in the browser's context, into websites who monetize through Google AdSense script tags alone.
Of course, Google touches other parts of the pipeline, and I'm sure that in their trillions of transactions, they have unknowingly participated in or facilitated transactions that route/suggest malicious ads to other AdSense-like ad-embedding or tracking solutions that might have RCE vulnerabilities. But it seems a bit of a stretch to call this "distributing spyware," any more than it is to call a customs official who misses an illegal package a smuggler.
Pretty sure that is a reference to DoubleClick, which Google bought, who has a pretty long history of allowing their network to be used to distribute malware.
The basic summary as I remember it is:
Website A has a deal to show DoubleClick ads.
DoubleClick can choose to directly show an ad from their network, or sell the spot to another smaller ad network.
There may be multiple layers of reselling here.
Someone signs up to some tiny ad network that is just happy to get customers and doesn't care too much about vetting.
That someone probably uses a stolen CC to buy ad space, and because you can inject JavaScript as part of your ad, this person injects some malware.
There were a bunch of pretty high-profile cases of this happening on major websites (NY Times and Wired, iirc). Some were done using Flash, back when that was a thing.
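The reseller chain above ends with advertiser-supplied JavaScript running on the publisher's page. The publisher-side containment pattern below is added here as an illustration and is not code from the thread or from any ad network; `ads.example-network.test` and the slot path are placeholder values, and the policy is shown as a `<meta>` tag only so the snippet is self-contained.

```html
<!DOCTYPE html>
<!-- Constructed example: a publisher page that confines third-party ad creatives.
     Weak pattern (not shown): a <script src="https://ad-network/tag.js"> placed directly
     in the page runs with full access to the publisher's DOM, cookies and storage, so
     whatever the network, or any reseller downstream of it, serves through that tag
     runs there too.
     Hardened pattern: the creative is loaded in a cross-origin, sandboxed iframe, and a
     Content-Security-Policy keeps foreign scripts and plugins out of the publisher's own
     context. ads.example-network.test is a placeholder origin, not a real ad network. -->
<html lang="en">
<head>
  <meta charset="utf-8">
  <!-- In production send this policy as an HTTP response header instead of a <meta> tag;
       the header form also allows report-uri / report-to, so blocked injection attempts
       show up in your logs rather than failing silently. -->
  <meta http-equiv="Content-Security-Policy"
        content="default-src 'self';
                 script-src 'self';
                 frame-src https://ads.example-network.test;
                 object-src 'none';
                 base-uri 'none'">
  <title>Publisher page with a contained ad slot</title>
</head>
<body>
  <h1>Publisher content</h1>
  <!-- sandbox without allow-same-origin gives the creative an opaque origin: it cannot
       read or modify the parent DOM, cookies or storage, whatever script it carries.
       allow-scripts lets the creative render itself. allow-top-navigation and
       allow-popups-to-escape-sandbox are deliberately absent, so a malicious creative
       cannot redirect the whole tab, which is the "pushed to malware sites" symptom
       described later in the thread. object-src 'none' above blocks Flash-style plugin
       content in the publisher's own context. -->
  <iframe src="https://ads.example-network.test/creative?slot=leaderboard"
          sandbox="allow-scripts"
          referrerpolicy="strict-origin-when-cross-origin"
          width="728" height="90" loading="lazy"
          title="Advertisement"></iframe>
</body>
</html>
```

Real ad networks usually require more sandbox permissions than this (frequency capping and measurement need `allow-same-origin` on their own frame), so the exact flag set is a negotiation with the network; the invariant worth defending is that the creative never executes in the publisher's origin.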
Every ad these days is 'spyware', despite the ineffectiveness of "personalized adverts".
I worked for an SSP, and always loved the data we got back from DMPs categorising the same user into "segments".
Sometimes they were a man, until five impressions later they weren't, the guesses at age varied significantly also.
That said, none of those DMPs were Google. I believe that they'd actually be able to correctly segment you, because, well, it's Google, one of the companies putting the brightest minds of our generation to work on the problem of optimising CTR.
The idea that a family, a household, or even just roommates, with no Gmail, no login to much of anything, might all use the same computer, or even share a tablet? Well, that must give people at Google a conniption fit.
They can distinguish you based on some fingerprinting and, most importantly, browsing behavior. That's what FLoC was about - with enough data, you don't need third party cookies to recognise a user.
> I don't think I've ever seen evidence that ad publishers, or anyone in that massive ecosystem, can inject arbitrary code, running in the browser's context, into websites who monetize through Google AdSense script tags alone.
I've personally witnessed it three times over the years because it usually ends with all users of the targeted sites being pushed to malware sites. Yes, it's happening via AdSense, and usually takes 1-3 days to stop. See also this article, that was one of the waves I dealt with: https://www.seroundtable.com/google-adsense-hijacking-19709....
I wouldn't swear on it, but I believe another wave was a few years later, 2018-ish. Not sure if Flash was still a thing back then, but Google has been allowing JS to run in ads as well (as far as I remember, at least in some formats), and someone bypassing their automated checks isn't unheard of.
Stealing one of patio11’s ideas, there is a whole bucket of internet points waiting for the person who can carefully document Google’s history of allowing arbitrary JavaScript injection. Two people mention examples below, but they reference DoubleClick (acquired by Google in 2008), and a 2015 incident.
Is this still possible? What measures does Google take to limit what advertisers can do?
P.S. in addition to internet points, you’d also be providing important information for anyone who cares about privacy and security. But I’m a little cynical, so did you hear about the Internet points?
> I've ever seen evidence that ad publishers, or anyone in that massive ecosystem, can inject arbitrary code, running in the browser's context, into websites who monetize through Google AdSense script tags alone.
It depends on what types of ads you allow. Sourcing JavaScript from Google is always at risk of whatever Google wants to run, but some ad types include advertiser JavaScript in the creative [1]. There are controls in place to reduce the chance of malicious code, but that doesn't eliminate it. (Plus or minus when they serve ads from other exchanges, as others noted.)
Most malware I see distributed in the wild comes from Google Ads. Often because the advertiser buys the top spot for "OBS download" so their malicious download is listed above the actual legitimate website for OBS.
MapQuest is my favorite one for malicious Google Ads, because it basically targets seniors. (This is a double whammy for Google distributing malware because these are usually pushing malicious browser extensions served by the Chrome Web Store.)
Google allegedly delists these when it finds them (usually after a ton of people have lost their crypto or whatever), but it keeps their profits from doing it.
This is garbage, but it’s unambiguously different from the current accusation (that if you have Google ads in your website, someone might inject arbitrary JS into your website).
This is why we saw the huge push to https. Google developers being able to control who is allowed to issue a certificate might have worked well in 2004 but not now.
Concerns about Trustcor (70 days ago, 36 comments): https://news.ycombinator.com/item?id=33541718
Mozilla moves to distrust the TrustCor CA (49 days ago, 64 comments): https://news.ycombinator.com/item?id=33813660
Mozilla, Microsoft yank TrustCor's root certificate authority (49 days ago, 354 comments): https://news.ycombinator.com/item?id=33810755
Linux Certificate Authority root stores have a too simple view of 'trust' (44 days ago, 118 comments): https://news.ycombinator.com/item?id=33876949
Being able to partially distrust a Certificate Authority is good (43 days ago, 14 comments): https://news.ycombinator.com/item?id=33890823