A case for seasonal newsletters; why we should expect more security from tech companies even though there’s no absolute security; and why academic research on software engineering is of limited value (and how to get the most out of it).
Most newsletters would benefit from being time-boxed or run in a “pop-up” style.
That is: Seasonal, or with a hard stop.
There’s something powerful about knowing an end exists — for both writer and reader.
Deadlines are probably the most powerful tool for subverting our inner procrastination dingdongs.
Seasonality means the recurring deadlines themselves will end. It’s a great combo.
The more attention a reader gives your work, the higher their “value.”
The path to the book —
collimating experiences, working through thoughts, iterating on ideas into that final book form —
nourishes and challenges in ways I fail to believe a million tweets ever can.
A book is a creative distillation more dense than a hundred newsletters, which themselves are a creative distillation more dense than a thousand tweets.
As distillation increases, so too does difficulty.
But that difficulty flows from the very opportunity to iterate and refine.
You learn to see that difficulty as a positive signal, that you’re probably on the right track.
As a writer, once you’ve experienced and understand the power of iterating on the scale of books, it seems kinda obvious to align your work and life around the act of making them.
I’ve come to see newsletters — and the pop-up newsletter in particular — as a key part in this book making process.
Instead of charging for newsletters, I run a membership program, the proceeds from which fund the freely available work.
Members get a bunch of perks, but the most obvious perk is a big discount on my books and photographic prints.
I see these memberships as little down payments on my future book work (and as such try to return the entire cost of membership each year in discounts).
I find that Twitter and Instagram are good nets for capturing general attention around my work. I use them to funnel folks to my main newsletter,
This constellation of a core newsletter birthing shorter-term pop-up newsletters helps create mini-“events,”
which help introduce folks to my SPECIAL PROJECTS membership program.
And then those members become the groundswell audience of my books.
The pop-up newsletters themselves often seeding those very books.
This whole goofy dance feels like a durable, self-contained ecosystem under which I maintain (I think?) a healthy amount of control.
The model: The most powerful and interesting media model will remain raising money from members who
don’t just permit
but insist that the product be given away for free.
The value comes
not just what they’re buying,
but who they’re buying it from and who gets to enjoy it.
The bigger those two pools get — the bigger the membership, and the bigger the audience — the better it gets for everyone.
The reason: The most economically powerful thing you can do is to buy something for your own enjoyment that also improves the world.
This has always been the value proposition of journalism and art.
It’s a nonexclusive good that’s best enjoyed nonexclusively.
We should all want perfect security
There is certainly more that corporations like Apple and Google could be doing to protect their users.
However, the only way we’re going to get those changes is if we demand them.
Not all vectors are created equal
While cynics are probably correct (for now) that we can’t shut down every avenue for compromise,
there’s good reason to believe we can close down a vector for 0-interaction compromise.
What can we do to make NSO’s life harder?
Adding a firewall is the cheap solution to the problem,
and this is probably why Apple chose this as their first line of defense.
But actually closing this security hole is going to require a lot more.
Apple will have to rewrite most of the iMessage codebase in some memory-safe language,
along with many system libraries that handle data parsing.
They’ll also need to widely deploy ARM mitigations like PAC and MTE in order to make exploitation harder.
All of this work has costs and (more importantly) risks associated with it.
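The point about rewriting the parsing code in a memory-safe language is easier to see in code. The block below is an added example, not Apple’s code or anything from the post quoted here: a small parser for a constructed tag-length-value message format (1-byte tag, 2-byte big-endian length, payload), written in Rust. Every read goes through slice `get`, so a hostile length field can only produce an `Err`, never an out-of-bounds read, which is the class of bug a C-style `memcpy` of the declared length would turn into a memory-corruption primitive. The format, the record cap and the sample bytes are invented for this example.

```rust
// Added example (not from the original page): bounds-checked parsing of an
// untrusted, constructed tag-length-value format in a memory-safe language.

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    pub payload: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Fewer than 3 bytes left where a record header was expected.
    TruncatedHeader { offset: usize },
    /// The header declared more payload bytes than remain in the buffer.
    TruncatedPayload { offset: usize, declared: usize, available: usize },
    /// Resource-exhaustion guard: refuse absurd record counts up front.
    TooManyRecords { limit: usize },
}

/// Hypothetical cap chosen for this example.
pub const MAX_RECORDS: usize = 1024;

/// Parses `buf` as a sequence of records: 1-byte tag, 2-byte big-endian
/// length, then `length` payload bytes. All slicing uses `get`, which
/// returns `None` instead of reading past the buffer, so a malicious
/// length can only yield an error.
pub fn parse_records(buf: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut records = Vec::new();
    let mut offset = 0usize;
    while offset < buf.len() {
        if records.len() >= MAX_RECORDS {
            return Err(ParseError::TooManyRecords { limit: MAX_RECORDS });
        }
        let header = buf
            .get(offset..offset + 3)
            .ok_or(ParseError::TruncatedHeader { offset })?;
        let tag = header[0];
        let declared = u16::from_be_bytes([header[1], header[2]]) as usize;
        let start = offset + 3; // header present, so start <= buf.len()
        let payload = buf
            .get(start..start + declared)
            .ok_or(ParseError::TruncatedPayload {
                offset,
                declared,
                available: buf.len() - start,
            })?;
        records.push(Record { tag, payload });
        offset = start + declared;
    }
    Ok(records)
}

fn main() {
    // Constructed sample: a 5-byte record tagged 1, then an empty record tagged 2.
    let good = [0x01, 0x00, 0x05, b'h', b'e', b'l', b'l', b'o', 0x02, 0x00, 0x00];
    println!("{:?}", parse_records(&good));
    // Constructed hostile sample: header claims 65535 payload bytes, only 3 follow.
    let bad = [0x01, 0xFF, 0xFF, 0x41, 0x42, 0x43];
    println!("{:?}", parse_records(&bad));
}
```

The defensive choices are the ones the quoted argument is really about: the declared length is never trusted before it has been checked against what is actually in the buffer, the error carries enough detail to log, and there is an explicit cap so a tiny message cannot force unbounded allocation.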
The problem that companies like Apple need to solve is not preventing exploits forever, but a much simpler one: they need to screw up the economics of NSO-style mass exploitation.
NSO’s genius is that they’ve done something that attackers were never incentivized to do in the past: democratize access to exploit technology.
NSO can afford to maintain a 50,000-number target list
because the exploits they use hit a particular “sweet spot”
where the risk of losing an exploit chain,
combined with the cost of developing new ones,
is low enough that they can deploy them at scale.
That’s why they’re willing to hand out exploitation to every idiot dictator —
because right now they think they can keep the business going
even if Amnesty International or CitizenLab occasionally catches them targeting some human rights lawyer.
But companies like Apple and Google can raise both the cost and risk of exploitation
not just everywhere, but at least on specific channels like iMessage.
If we simply pat Apple on the head and say “gosh, targeted attacks are hard, it’s not your fault” then this is exactly the level of security we should expect to get — and we’ll deserve it.
As much as I value empirical evidence, software research is also a train wreck where both trains were carrying napalm and tires.
Common Knowledge is Wrong
A standard problem with secondary sources: most of them aren’t very good. They corrupt the actual primary information to advance their own agenda.
Finding things is a pain
The usual problem people raise with research is the cost.
The bigger problem is finding the papers to read.
Here’s the only technique I’ve found that works, which I call scrobbling even though that means something totally different:
Search seed terms you know, like “cost of bugs”, in an appropriate journal.
Find papers that look kinda relevant, skim their abstracts and conclusions.
Make a list of all the papers that either cite or are cited by these papers and repeat.
Find more useful terms and repeat.
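The “scrobbling” procedure above is citation snowballing: start from seed papers, pull in everything they cite and everything that cites them, and repeat until nothing new appears or you run out of patience. The block below is an added example of that loop, not anything from the original page; it runs over a constructed, in-memory citation graph whose paper identifiers are invented, and the `max_rounds` cutoff stands in for the point where you stop expanding. Real use would replace `sample_citations` with results pulled from a citation index.

```rust
// Added example (not from the original page): citation snowballing as a
// bounded breadth-first search over an undirected "cites or cited-by" graph.
use std::collections::{BTreeSet, HashMap};

/// Constructed sample edges: (paper, papers it cites). Identifiers are invented.
pub fn sample_citations() -> Vec<(&'static str, Vec<&'static str>)> {
    vec![
        ("cost-of-bugs-2004", vec!["defect-phases-1981", "inspection-1976"]),
        ("defect-phases-1981", vec!["inspection-1976"]),
        ("replication-2015", vec!["cost-of-bugs-2004"]),
        ("unrelated-2010", vec!["other-1999"]),
        ("other-1999", vec![]),
        ("inspection-1976", vec![]),
    ]
}

/// Expands `seeds` through citing and cited-by links for at most `max_rounds`
/// rounds and returns every paper reached, seeds included, in sorted order.
pub fn snowball(
    seeds: &[&str],
    citations: &[(&str, Vec<&str>)],
    max_rounds: usize,
) -> BTreeSet<String> {
    // Treat citation as symmetric: "cited by" is as useful as "cites" here.
    let mut neighbours: HashMap<String, Vec<String>> = HashMap::new();
    for (paper, cited) in citations {
        for c in cited {
            neighbours.entry(paper.to_string()).or_default().push(c.to_string());
            neighbours.entry(c.to_string()).or_default().push(paper.to_string());
        }
    }

    let mut seen: BTreeSet<String> = seeds.iter().map(|s| s.to_string()).collect();
    let mut frontier: Vec<String> = seen.iter().cloned().collect();
    for _ in 0..max_rounds {
        let mut next = Vec::new();
        for p in &frontier {
            for n in neighbours.get(p).map(|v| v.as_slice()).unwrap_or(&[]) {
                // `insert` returns true only for papers not seen before,
                // so each paper is expanded at most once.
                if seen.insert(n.clone()) {
                    next.push(n.clone());
                }
            }
        }
        if next.is_empty() {
            break; // nothing new found: the search has converged
        }
        frontier = next;
    }
    seen
}

fn main() {
    let graph = sample_citations();
    for rounds in 0..3 {
        let found = snowball(&["cost-of-bugs-2004"], &graph, rounds);
        println!("{} round(s): {:?}", rounds, found);
    }
}
```

The visited set is what keeps the loop from re-reading the same abstracts; the round limit is what keeps a well-connected seed from dragging in the whole field. Papers with no path to a seed (the `unrelated-2010` cluster in the sample) are never reached, which is the search’s blind spot as much as its feature, and is why the procedure also says to find new seed terms and repeat.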
Most Papers are Useless
A lot will be from before 2000.
Not that more recent papers are necessarily good.
The academic-industrial complex is set up to discourage replication studies.
Good papers are useless too
Nobody believes research anyway
You don’t study the research to convince others.
You study the research because you’d rather be technically correct than happy.
Sometimes there is stuff that we can all agree on.
There’s a difference between ESE (empirical software engineering) as a concept and ESE as practiced.
The academic incentive structures are not aligned in a way that would give industry actionable information.
There’s much more incentive to create new models and introduce new innovations than to do the necessary “gruntwork” that would be most useful.
Academics should at least make a conscious choice to do work that won’t help the industry,
as opposed to thinking their work is critical and wondering why nobody pays attention.
Even if the research is a giant incoherent mess of sadness,
it’s still possible to glean insights,
as long as you accept that they’ll be 30% research and 70% opinion.
You can make inferences based on lots of small bits of indirect information,
none of which is meaningful by itself but which together paint a picture.