It's the classic issue of "normative" and "positive" descriptions that pretty much every industry faces.

"normative" means things you think SHOULD happen

"positive" means the things that DO happen
It's probably biggest in Economics, where it's hard to have a rational discussion about what DOES happen because people are so concerned with what SHOULD happen.

It's a lot easier with physics or chemistry.
It's a big problem with law. There's a wide gap between what the CFAA DOES say and what people think it SHOULD say.

Infosec was up in arms that F12 "view-source" isn't criminal hacking, but that was a NORMATIVE statement. Nobody read the Wisconsin law to see what it DOES say.
POSITIVE statements aren't "victim-blaming". Instead, "victim-blaming" relies upon NORMATIVE statements.

It's not victim-blaming to say that if you're outside in that area at night you'll get mugged, that's just a fact. It's victim-blaming to say you deserve to get mugged.
Or conversely, it's victim-blaming for the police to say they aren't going to do anything about it, or prosecutors to say they won't prosecute, because you SHOULDN'T (normative) have been in that area at night.
With the recent SuperBowl QRcode issue, there's a mixture of both, and on both sides.

The entire purpose of QRcodes is for you to scan them. A SuperBowl ad is probably the SAFEST of all QRcodes to scan.
But this comes close to saying "you shouldn't have to worry about the security of QRcodes, because that's what they are there for", which is a NORMATIVE statement.

The question is whether they are secure.
But conversely, the opposite is also normative, "you shouldn't do something risky like scanning QRcodes". This is a normative statement by infosec experts, claiming that your risk-aversion should be the same as their risk-aversion.
What's lacking on either side of the "QRcode security" debate is POSITIVE descriptions of what the security risks are.

The answer is that phones ask you to confirm every action, and in a multi-step process, you have a chance to see risk before something happens.
Yes, it's largely safe to click on QRcodes and visit websites. No, it's very unsafe to then enter login information. So scan QRcodes to see the restaurant menu, but don't scan QRcodes to log into your MetaMask or banking account.
(MetaMask is a popular cryptocurrency/NFT wallet where people get hacked a lot through scanning QRcodes -- and then entering in their pass codes).
