Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of Terms of Service for the site; however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know whether you find this useful. As a RISKS reader, you will probably not be surprised by what is revealed…
via NNSquad Microsoft Corp. on Monday announced it has reached an agreement to acquire GitHub, the world's leading software development platform where more than 28 million developers learn, share and collaborate to create the future. Together, the two companies will empower developers to achieve more at every stage of the development lifecycle, accelerate enterprise use of GitHub, and bring Microsoft's developer tools and services to new audiences. All GitHub users forthwith will be required to run Windows 10 or subsequent Microsoft operating systems with all privacy options disabled, manage their code only by voice via Cortana, and install the new Microsoft Clippy 2018! Microsoft Office Assistant on all of their devices. Microsoft will now scan all GitHub materials for patent infringement and turn violators over to local authorities for arrest.
NNSquad http://www.seattletimes.com/business/bitcoin-backlash-as-miners-suck-up-electricity-stress-power-grids-in-central-washington/ But it's not simply the scale of requests that is perplexing utility staff. Many would-be miners have no understanding of how large power purchases work. In one case this winter, miners from China landed their private jet at the local airport, drove a rental car to the visitor center at the Rocky Reach Dam, just north of Wenatchee, and, according to Chelan County PUD officials, politely asked to see the "dam master because we want to buy some electricity." Bitcoin fever has created other, smaller-scale problems for the utility. Three times a week, on average, utility crews in Chelan County discover unpermitted home miners running computer servers far too large for the electrical grids of residential neighborhoods. In one instance last year, the transformer outside a bootleg miner's home overheated and touched off a grass fire, Chelan County PUD officials say. Just cut these cryptocurrency mining parasites off. Knock them off the grid. If they can generate their own power safely, fine. Otherwise, to hell with them.
Joon Ian Wong, QZ, 24 May 2018 http://qz.com/1287701/bitcoin-golds-51-attack-is-every-cryptocurrencys-nightmare-scenario/ Bitcoin Gold is a fork, or spin-off, of the original cryptocurrency, bitcoin. It shares much of the same code and works in a similar way to bitcoin, with Bitcoin Gold miners contributing computational power to process new transactions. That also means it faces the same vulnerabilities as bitcoin, but without the protections that come from the large, dispersed group of people and organizations whose computers are powering the bitcoin blockchain. In recent days the nightmare scenario for any cryptocurrency is playing out for Bitcoin Gold, as an attacker has taken control of its blockchain and proceeded to defraud cryptocurrency exchanges. All the Bitcoin Gold in circulation is valued at $786 million, according to data provider Coinmarketcap. Blockchains are designed to be decentralized but when an individual or group acting in concert controls the majority of a blockchain's processing power, they can tamper with transactions and pave the way for fraud. This is known as a 51% attack. The possibility of a 51% attack has been one of the concerns institutions such as banks and tech companies have had over the years about using the blockchain for transactions; some have worried that the Chinese government could at some point endeavor to do that, ordering all of the Chinese bitcoin miners to act in concert. It's unlikely for bitcoin, but for smaller cryptocurrencies, 51% attacks are a concern, one dramatized on a recent episode of HBO's series Silicon Valley. Cryptocurrency miners commit their computer processing power--or hash power--to adding new transactions to a coin's blockchain. They are rewarded in units of the coin in return. The idea is that these incentives create competition among miners to add more hash power to the chain. The more hash power is added, the better the chances of winning a reward. So what's a 51% attack? 
It's when a single miner controls more than half of the hash power on a particular blockchain. When this happens, that miner can mess with transactions in a bunch of ways, including spending coins twice. This is the *double-spending problem*, a puzzle surrounding digital money that has vexed computer scientists for years—and which was solved by bitcoin. But the solution only holds if no single miner controls the majority of the hash power on a chain. Bitcoin Gold has been experiencing double-spending attacks for at least a week, according to forum posts by Bitcoin Gold director of communications Edward Iskra. Someone has taken control of more than half of Bitcoin Gold's hash rate and is double-spending coins. Since an attacker must spend coins in his or her possession, and can't conjure up new coins, the attack is somewhat limited. What's happening now, according to Iskra, is that exchanges that automatically accept large deposits are being targeted. The fraudster deposits Bitcoin Gold into an account at an exchange, where coins are traded. Once the exchange credits the Bitcoin Gold to the attacker's account, the attacker trades those coins for another cryptocurrency and withdraws it. The attacker can repeatedly make deposits of the same Bitcoin Gold it deposited in the first exchange and profit in this way. A bunch of other cryptocurrencies have been attacked in similar ways recently. Something called Verge has been hit twice in the last two months, leading to $2.7 million being stolen. The exotic-sounding coins Monacoin and Electroneum have also suffered from 51% attacks not too long ago.
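The arithmetic behind the passage above, as an added example that is not from the QZ article or from any Bitcoin Gold code: part one is Nakamoto's catch-up probability from section 11 of the bitcoin whitepaper, which shows why the double-spend protection only holds while no single miner has a majority; part two is a toy longest-chain simulation of exactly the exchange fraud described, with block allocation driven by a seeded random walk. Chain contents, the confirmation rule and the instant-withdrawal assumption are constructed for illustration.

```python
"""Added example: why majority hash power defeats the double-spending protection.

Part 1: Nakamoto's catch-up probability (bitcoin whitepaper, section 11).
Part 2: a toy longest-chain-rule simulation of the exchange fraud described in
the article.  Nothing here is Bitcoin Gold's real code or data; the chains are
lists of labels and the attacker's withdrawal is assumed to be instant.
"""
import random
from math import exp, factorial


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash share q ever erases an honest lead
    of z blocks (gambler's ruin).  With q >= 0.5 the honest lead is always
    erased eventually, which is the whole 51% problem."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    return (q / p) ** z


def double_spend_probability(q: float, z: int) -> float:
    """Probability of a successful double-spend against a recipient (here, an
    exchange) that waits for z confirmations before crediting a deposit.
    Whitepaper formula: attacker progress while the z honest blocks are mined
    is Poisson with mean z*q/p, followed by gambler's ruin from the remaining
    deficit."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p
    total = 0.0
    for k in range(z + 1):
        poisson = exp(-lam) * lam ** k / factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def simulate_double_spend(q: float, confirmations: int, seed: int = 1,
                          max_blocks: int = 10_000):
    """Toy longest-chain simulation.  Each new block goes to the attacker with
    probability q.  The public chain starts with the attacker's deposit; the
    attacker's private chain starts with a conflicting transaction that sends
    the same coins back to the attacker.  Returns (fraud_succeeded, blocks)."""
    rng = random.Random(seed)
    public = ["deposit coins at exchange"]
    private = ["send the same coins back to attacker"]
    for n in range(1, max_blocks + 1):
        if rng.random() < q:
            private.append(f"attacker block {n}")
        else:
            public.append(f"honest block {n}")
        credited = len(public) - 1 >= confirmations  # exchange has paid out
        if credited and len(private) > len(public):
            # Nodes follow the longest chain: the deposit is orphaned while the
            # withdrawn funds are already gone.  Release the private chain now.
            return True, n
    return False, max_blocks


if __name__ == "__main__":
    for share in (0.1, 0.3, 0.45, 0.51):
        print(f"q={share:.2f}  P(double-spend, 6 confirmations) = "
              f"{double_spend_probability(share, 6):.6f}")
    print("majority attacker, 6 confirmations:", simulate_double_spend(0.6, 6))
    print("no hash power:", simulate_double_spend(0.0, 1))
```

Note what the simulation does not let the attacker do: conjure coins. As the article says, the attacker can only re-spend coins already in hand, which is why the targets are exchanges that credit large deposits automatically and let the proceeds leave as a different currency.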
Google should be keelhauled for this (or at least the dolts who thought it up should be keelhauled, and the sailors doing the hauling should be given three toddies of rum when the googlers are half-way along the keel). HTTPS does not mean that the Web Site is secure. It means that it is transport encrypted. Similarly, that the web site is not using SSL/TLS does not mean it is insecure—it simply means that the transport is not encrypted. There is a *LOT* more to being *secure* than merely engaging transport security. It should be noted that Google will not detect "forged" or MITM certificates, and that as a result much of what they hold out as "secure" actually does not even have meaningful transport security.
[In other news, your local second-level (province, state, prefecture, etc.) government announced plans to remove those curve speed caution signs to make the roads safer. Well, not actually. They have a bit more sense than Google. GW] http://www.zdnet.com/article/google-to-remove-secure-indicator-from-https-pages-on-chrome/ Stephanie Condon, ZDNet, 17 May 2018 Google to remove "secure" indicator from HTTPS pages on Chrome Users should expect the web to be safe by default, Google explained. As part of its push to make the web safer, Google on Thursday said it will stop marking HTTPS pages as "secure." The logic behind the move, Google explained, is that "users should expect that the web is safe by default." It will remove the green padlock and "secure" wording from the address bar beginning with Chrome 69 in September.
Google previously announced that it would mark HTTP pages as "not secure" beginning with Chrome 68 in July. By October with Chrome 70, Google will start showing a red "not secure" warning when users enter data on HTTP pages. "Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning," Google said.
Gregg Keizer, Computerworld, 23 May 2018 https://www.computerworld.com/article/3275726/web-browsers/how-your-web-browser-tells-you-when-its-safe.html As Google moves to change how its Chrome browser flags insecure websites, rival browsers may be forced to follow suit. Here's how other browsers currently handle website security and what changes they have coming. selected text: Google last week spelled out the schedule it will use to reverse years of advice from security experts when browsing the Web - to "look for the padlock." Starting in July, the search giant will mark insecure URLs in its market-dominant Chrome, not those that already are secure. Google's goal? Pressure all website owners to adopt digital certificates and encrypt the traffic of all their pages. Security pros praised Google's campaign, and the probable end-game. "I won't have to tell my mom to look for the padlock," said Chester Wisniewski, principal research scientist at security firm Sophos, of the switcheroo. "She can just use her computer." [Let us change stuff for the people who do not know much about computers. That will make things simpler for them. These two sentences do not belong together.] But what are Chrome's rivals doing? Marching in step or sticking to tradition? Computerworld fired up the Big Four—Chrome, Mozilla's Firefox, Apple's Safari and Microsoft's Edge—to find out.
Liam Tung, ZDNet, 25 May 2018 https://www.zdnet.com/article/smart-lock-user-z-wave-pairing-flaw-lets-attackers-open-your-door-from-yards-away/ Up to 100 million Internet of Things devices could be at risk. starting text: Hackers may be able to remotely unlock your smart lock if it relies on the Z-Wave wireless protocol. According to researchers at UK firm Pen Test Partners, Z-Wave is vulnerable to an attack that forces the current secure pairing mechanism, known as S2, to an earlier version with known weaknesses, called S0. The problem with S0 is that when two devices, like a controller and a smart lock, are pairing, it encrypts the key exchange using a hardcoded key '0000000000000000'. So, an attacker could capture traffic on the network and easily decrypt it to discover the key. S2 fixed this problem by employing the Diffie-Hellman algorithm for securely sharing secret keys, but the downgrade removes that protection. The researchers have posted a video demonstrating the downgrade attack -- dubbed Z-Shave—on a Conexis L1 Smart Door Lock from lock manufacturer Yale. They note that an attacker within about 100 meters could, after the downgrade attack, then steal the keys to the smart lock. Z-Wave chips are in 100 million smart gadgets, from lights to heating systems, but the risk is greater for things with security applications, such as locks.
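A simplified model of the downgrade described above, as an added example that is not code from the article or from Pen Test Partners. Two things are shown: a controller that takes whatever scheme the joining device advertises is downgraded the moment an attacker in radio range rewrites that advertisement, while a controller with a per-device-class floor fails closed; and once the pairing has been pushed to S0, the network key is transported under a key every eavesdropper already knows. Message names, the negotiation rule, the policy floor and the `last_seen` rule are assumptions about what a controller could do, not the Z-Wave wire protocol; the SHA-256 keystream is a stand-in for the real cipher so the block runs with the standard library; the only fact taken from the article is the constant S0 pairing key, taken here as sixteen zero bytes.

```python
"""Added example: modelling the S2 -> S0 pairing downgrade and a fail-closed
controller policy.  Names and rules are illustrative assumptions, not the
Z-Wave protocol; the keystream below stands in for the real cipher."""
import hashlib
from enum import IntEnum
from typing import FrozenSet, Iterable, Optional


class Scheme(IntEnum):
    S0 = 1   # key exchange protected by a hardcoded key: anyone can read it
    S2 = 2   # Diffie-Hellman key agreement: a passive listener learns nothing


# The hardcoded pairing key quoted in the article, assumed to be 16 zero bytes.
S0_TEMP_KEY = bytes(16)


def capabilities_frame(schemes: Iterable[Scheme]) -> FrozenSet[Scheme]:
    """What the joining device advertises to the controller (model, not wire format)."""
    return frozenset(schemes)


def attacker_rewrites(advertised: FrozenSet[Scheme]) -> FrozenSet[Scheme]:
    """The downgrade as modelled here: within radio range, replace the device's
    advertisement with one that no longer offers S2."""
    return frozenset(s for s in advertised if s is not Scheme.S2)


def negotiate_naive(advertised: FrozenSet[Scheme]) -> Scheme:
    """A controller that simply takes the best scheme on offer is downgradable."""
    return max(advertised)


class DowngradeRefused(Exception):
    pass


def negotiate_hardened(advertised: FrozenSet[Scheme], required: Scheme,
                       last_seen: Optional[Scheme] = None) -> Scheme:
    """Fail closed: a device class that needs S2 (a lock) never pairs with S0,
    and a device that once advertised S2 is never accepted at a lower scheme.
    Both rules are assumed policy, not behaviour the article attributes to
    any product."""
    offered = max(advertised)
    floor = max(required, last_seen or Scheme.S0)
    if offered < floor:
        raise DowngradeRefused(f"offered {offered.name}, policy floor is {floor.name}")
    return offered


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keyed stream (SHA-256 in counter mode).  The weakness being shown
    is the key management, so any keyed cipher would demonstrate the same thing."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def s0_wrap_network_key(network_key: bytes, nonce: bytes) -> bytes:
    """Controller side of S0 key transport: the real network key goes over the
    air encrypted under the constant pairing key."""
    ks = _keystream(S0_TEMP_KEY, nonce, len(network_key))
    return bytes(a ^ b for a, b in zip(network_key, ks))


def eavesdropper_unwraps(captured: bytes, nonce: bytes) -> bytes:
    """Anyone who sniffed the frame has the constant key too, so recovering the
    network key needs nothing the attacker does not already possess."""
    ks = _keystream(S0_TEMP_KEY, nonce, len(captured))
    return bytes(a ^ b for a, b in zip(captured, ks))


if __name__ == "__main__":
    lock = capabilities_frame([Scheme.S0, Scheme.S2])
    print("naive, honest radio :", negotiate_naive(lock).name)
    print("naive, under attack :", negotiate_naive(attacker_rewrites(lock)).name)
    try:
        negotiate_hardened(attacker_rewrites(lock), required=Scheme.S2)
    except DowngradeRefused as e:
        print("hardened, under attack:", e)
    real_key, nonce = bytes(range(16)), b"\x11" * 8
    over_the_air = s0_wrap_network_key(real_key, nonce)
    print("eavesdropper recovered key:", eavesdropper_unwraps(over_the_air, nonce) == real_key)
```

The controller-side floor is the practical lesson: a downgrade attack only works when the stronger party is willing to accept less than it knows the peer can do, so the check belongs on the controller, not the lock.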
Feds take aim at potent VPNFilter malware allegedly unleashed by Russia. Dan Goodin, Ars Technica, 25 May 2018 http://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/ The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware that has infected hundreds of thousands of devices. Researchers from Cisco's Talos security team first disclosed the existence of the malware on Wednesday. The detailed report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. Known as VPNFilter, the malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. The report said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot. Later in the day, The Daily Beast reported that VPNFilter was indeed developed by a Russian hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also said the FBI had seized an Internet domain VPNFilter used as a backup means to deliver later stages of the malware to devices that were already infected with the initial stage 1. The seizure meant that the primary and secondary means to deliver stages 2 and 3 had been dismantled, leaving only a third fallback, which relied on attackers sending special packets to each infected device.

Limited persistence

The redundant mechanisms for delivering the later stages address a fundamental shortcoming in VPNFilter—stages 2 and 3 can't survive a reboot, meaning they are wiped clean as soon as a device is restarted. Instead, only stage 1 remains.
Presumably, once an infected device reboots, stage 1 will cause it to reach out to the recently seized ToKnowAll.com address. The FBI's advice to reboot small office and home office routers and NAS devices capitalizes on this limitation. In a statement published Friday, FBI officials suggested that users of all consumer-grade routers, not just those known to be vulnerable to VPNFilter, protect themselves. The officials wrote: The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware. In a statement also published Friday, Justice Department officials wrote: Owners of SOHO and NAS devices that may be infected should reboot their devices as soon as possible, temporarily eliminating the second stage malware and causing the first stage malware on their device to call out for instructions. Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure. The US Department of Homeland Security has also issued a statement advising that "all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware." As noted in the statements, rebooting serves the objectives of (1) temporarily preventing infected devices from running the stages that collect data and other advanced attacks and (2) helping FBI officials to track who was infected.
Friday's statement said the FBI is working with the non-profit Shadow Foundation to disseminate the IP addresses of infected devices to ISPs and foreign authorities to notify end users. Authorities and researchers still don't know for certain how compromised devices are initially infected. They suspect the attackers exploited known vulnerabilities and default passwords that end users had yet to patch or change. That uncertainty is likely driving the advice in the FBI statement that all router and NAS users reboot, rather than only users of the 14 models known to be affected by VPNFilter [...]
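The identification mechanism the statements above rely on, as an added example that is not from the Ars Technica article or the Talos report: after a reboot only stage 1 survives, and it calls out for the later stages, so a query for the seized domain is a strong indicator that the device behind it is infected. The FBI collects this at the sinkholed domain itself; an ISP or enterprise resolver operator can run the same check against its own query logs. The log lines below are constructed in dnsmasq's query-log format, and the only indicator taken from the article is the domain ToKnowAll.com.

```python
"""Added example: resolver-side detection of VPNFilter stage-1 callbacks to the
seized domain.  Sample log lines are constructed; the single indicator is the
domain named in the article."""
import re
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List

SEIZED_DOMAINS: FrozenSet[str] = frozenset({"toknowall.com"})

# Constructed sample in dnsmasq query-log style: "query[TYPE] name from client".
SAMPLE_QUERY_LOG = """\
May 25 09:12:01 resolver dnsmasq[812]: query[A] toknowall.com from 198.51.100.7
May 25 09:12:01 resolver dnsmasq[812]: query[A] www.example.com from 198.51.100.23
May 25 09:12:02 resolver dnsmasq[812]: query[A] ToKnowAll.com. from 198.51.100.7
May 25 09:12:03 resolver dnsmasq[812]: query[AAAA] cdn.example.net from 198.51.100.40
May 25 09:15:44 resolver dnsmasq[812]: query[A] toknowall.com from 203.0.113.254
May 25 09:15:45 resolver dnsmasq[812]: query[A] nottoknowall.com from 203.0.113.9
May 25 09:15:46 resolver dnsmasq[812]: query[A] toknowall.com.example.org from 203.0.113.9
May 25 09:15:47 resolver dnsmasq[812]: cached www.example.com is 93.184.216.34
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")


def matches_indicator(name: str, indicators: FrozenSet[str] = SEIZED_DOMAINS) -> bool:
    """Exact or subdomain match, case-insensitive, tolerant of a trailing dot.
    'nottoknowall.com' and 'toknowall.com.example.org' must NOT match: they are
    different registrations, and a naive substring test would flag them."""
    host = name.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


def find_callbacks(lines: Iterable[str]) -> Dict[str, int]:
    """Map each client address to the number of queries it made for a seized C2
    domain.  Lines that are not query records (cache hits, replies) are skipped."""
    hits: Counter = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and matches_indicator(m.group("name")):
            hits[m.group("client")] += 1
    return dict(hits)


def notify_list(hits: Dict[str, int]) -> List[str]:
    """Client addresses to pass on for end-user notification, most queries first."""
    return sorted(hits, key=lambda ip: (-hits[ip], ip))


if __name__ == "__main__":
    found = find_callbacks(SAMPLE_QUERY_LOG.splitlines())
    for ip in notify_list(found):
        print(f"{ip:16} {found[ip]} callback(s) to a seized VPNFilter domain")
```

Because the domain is sinkholed, a hit no longer means the device will receive stage 2, but it does mean stage 1 is still on the box; the remediation the article relays is a factory reset and a firmware update, not just the reboot that produced the signal.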
*The New York Times* “Those are the decisions you don't want to be making for the first time during a real attack,'' said Bob Stasio, IBM's cyber range operations manager and a former operations chief for the National Security Agency's cyber center. One financial company's executive team did such a poor job of talking to its technical team during a past IBM training drill, Mr. Stasio said, that he went home and canceled his credit card with them. Like many cybersecurity bunkers, IBM's foxhole has deliberately theatrical touches. Whiteboards and giant monitors fill nearly every wall, with graphics that can be manipulated by touch. “You can't have a fusion center unless you have really cool TVs,'' quipped Lawrence Zelvin, a former Homeland Security official who is now Citigroup's global cybersecurity head, at a recent cybercrime conference. “It's even better if they do something when you touch them. It doesn't matter what they do. Just something.'' Security pros mockingly refer to such eye candy as `pew pew' maps, an onomatopoeia for the noise of laser guns in 1980s movies and video arcades. They are especially useful, executives concede, to put on display when V.I.P.s or board members stop by for a tour. Two popular pew maps are from FireEye https://www.fireeye.com/cyber-map/threat-map.html and the defunct security vendor Norse http://www.norsecorp.com/ whose video game-like maps show laser beams zapping across the globe. Norse went out of business two years ago, and no one is sure what data the map is based on, but everyone agrees that it looks cool. http://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html
BAD BLOOD John Carreyrou Secrets and Lies in a Silicon Valley Startup 352 pp. Alfred A. Knopf. $27.95. *The New York Times* Book Review http://www.nytimes.com/2018/05/21/books/review/bad-blood-john-carreyro "Despite warnings from employees that Theranos wasn't ready to go live on human subjects—its devices were likened to an eighth-grade science project—Holmes was unwilling to disappoint investors or her commercial partners. The result was a fiasco. Samples were stored at incorrect temperatures. Patients got faulty results and were rushed to emergency rooms. People who called Theranos to complain were ignored; employees who questioned its technology, its quality control or its ethics were fired. Ultimately, nearly a million tests conducted in California and Arizona had to be voided or corrected." Investors and personalities enamored by technological wizardry, though based on fundamentally fraudulent solutions, were suckered in by Theranos' promise to revolutionize routine blood tests with a few tiny blood droplets from a pinprick. ~US$ 1B dropped on a real "unicorn" sighting. The Theranos founder, Elizabeth Holmes, preferred sycophants and colleagues who possessed 110-ohm noses (striped brown-brown-brown per the Resistor color code) that kissed her fanny. Findings and facts that disputed her vision were concealed from investors. Knowing how to ask the right questions remains a valuable skill to possess. When an ethical, professional engineer confronts a situation of this nature, there are few alternatives to pursue: (a) become a whistle-blower; (b) continue to document findings that support legal discovery and a fraud investigation while holding your nose and tongue; or, (c) jump ship at the earliest opportunity. If something appears too good to be true, it is likely the case. P.T. Barnum, the circus entrepreneur, is reputed to have said, "There's a sucker born every minute." An aphorism that remains prescient today for the incurious or greedy.
https://www.npr.org/templates/transcript/transcript.php?storyId=6140792 Get out your checkbook or boost your PayPal account balance. All the free services "enjoyed" today, that exploit volunteered information for a little dopamine, will shift to a subscription or micropayment model. The Internet as a true utility, like the water and power that comes out of the wall, billed per bit. Internet disenfranchisement is likely to evolve if meter ticks attributed to premium information become unaffordable. Will governments introduce a subsidy—a new entitlement—to boost the information "have-nots" into a realm approximating the "haves"? Or will there be a multi-tier model—surrender your data for 24x7 tracking and attention whipsaw for free, versus pay for the right to volunteer data with an explicit opt-in (EU ePrivacy) granting license and viewing preferences as the product?
http://www.bbc.com/news/technology-44279189 'Originally, the YouTube subscription feed was a chronological list of videos from all the channels that a person had chosen to "subscribe" to. The system let people curate a personalised feed full of content from their favourite video-makers. 'However, many video-makers have previously complained that some of their videos have not appeared in the subscription feed, and have questioned whether YouTube manipulates the list to boost viewer retention and advertising revenue. 'YouTube's latest experiment—which it said appeared for a "small number" of users—changed the order of videos in the feed. Instead of showing the most recent videos at the top, YouTube said the manipulated feed showed people "the videos they want to watch".' Algorithmic refactoring experiment adjusts video delivery order. YouTube apparently 'wins' over content creator/copyright owners, despite subscription historical preference and profile settings.
http://fortune.com/2018/05/25/woman-charged-7000-for-toilet-paper-ordered-amazon-refunded/ The risk? Online/automated/robot cashiers. Same as my grocery store self-checkout charged me for 22 avocados instead of 2. At least I could get quick refund from on-scene humans.
Evan Schuman, *Computerworld*, 26 May 2018 https://www.computerworld.com/article/3276347/mobile-wireless/amazons-echo-privacy-flub-has-big-implications-for-it.html Amazon has confirmed that one of its Echo devices recorded a family's conversation and then messaged it to a random person on the family's contact list. The implications are terrifying.
Asha McLean, ZDNet, 29 May 2018 http://www.zdnet.com/article/bank-of-montreal-cibcs-simplii-financial-confirm-customer-data-breaches/ Bank of Montreal, CIBC's Simplii Financial report customer data breaches The Canadian banks have reported being contacted by external 'fraudsters' claiming to have accessed information on an estimated 90,000 customers.

The trial appears to be limited to 24 plates. The plates are digital displays that can be updated and modified remotely. Therefore, they can be updated immediately once car registration is updated. They can also be used to "broadcast" messages such as emergency and amber alerts, and can be set to display personal messages when the car is not in motion. http://www.dailymail.co.uk/sciencetech/article-5781915/California-starts-trial-digital-license-plates-allow-police-track-move.html or https://is.gd/NRJ4Ey The plates also broadcast information to sensors in or beside roads, and can communicate with each other. I trust it is not too difficult to point out the huge numbers of ways these plates could be attacked or misused.

Asha McLean, ZDNet, 1 Jun 2018 CBA sent over 650 emails holding data on 10k customers in error. The bank has admitted discovering an issue with emails going to incorrect addresses. https://www.zdnet.com/article/cba-sent-over-650-emails-holding-data-on-10k-customers-in-error/ opening text: The Commonwealth Bank of Australia (CBA) has once again found itself in the spotlight for the potential mishandling of customer information, admitting it had sent over 650 incorrectly addressed internal emails. The bank said on Friday it had completed an investigation that was initiated after a concern was raised about internal CBA emails being inadvertently sent to email addresses using the cba.com domain, prior to taking ownership of that domain in April 2017. Its usual email domain is cba.com.au.
Two different dynamically changeable number plates. The traditional: http://www.youtube.com/watch?v=wSFXyIlq5xw The $699 plus $7/month electronic paper version issued by the California Department of Motor Vehicles: https://youtu.be/XgyuIVePdEc I leave it as an exercise for the reader as to what risks exist in either. Aside, that is, from pointing out the stupidity of an electronic tag in the age of high quality Automatic Number Plate Recognition systems linked to a licensing computer. However, there is a second risk in being able to detect unlicensed vehicles: work overload. The Western Australian Police have had to turn off the unlicensed vehicle feature in their ANPR system because there are too many alerts! "WA Police 'can't cope' with high number of auto-detect car registration alerts" http://www.abc.net.au/news/2014-06-17/end-of-the-road-for-police-alert-software/5528160
Zack Whittaker, ZDNet, 30 May 2018 https://www.zdnet.com/article/jira-bug-exposed-private-server-keys-at-major-companies-researcher-finds/ Jira bug exposed private server keys at major companies, researcher finds A major TV network, a UK cell giant, and one US government agency are among the companies affected.
https://motherboard.vice.com/en_us/article/435n9j/google-republicans-are-nazis-explanation As VICE News reported earlier Thursday, a Google search for `California Republican Party' resulted in Google listing `Nazism' as the ideology of the party. This happened because of Google's Featured Snippets tool, which pulls basic information for search terms and puts it on the front page. These are also sometimes called Google Cards and Knowledge Panels. The information on these cards is often taken from Wikipedia entries, which is what seems to have happened here. Six days ago, someone edited the Wikipedia page for `California Republican Party' to include `Nazism', something that wasn't changed until Wednesday, Wikipedia's edit logs show. You take content from another site and put it into yours and pretend it's "the truth", and all that is an automated process. Can't see what might go wrong there.
https://www.washingtonpost.com/news/the-switch/wp/2018/06/01/signs-of-sophisticated-cell-phone-spying-found-near-white-house-say-u-s-officials/?utm_term=.3cff9618ae33 "A federal study found signs that surveillance devices for intercepting cellphone calls and texts were operating near the White House and other sensitive locations in the Washington area last year." Only Rip Van Winkle would have been surprised by this headline. What precautions are the SIGINT targets using to forestall intercept? Are they effective, or have they been compromised too? Whatever happened to good ol' "Blackbag" jobs?
NNSquad https://www.wired.com/story/visa-outage-shows-the-fragility-of-global-payments/ On Friday, VISA'S payment network suffered outages across Europe, limiting transactions for both businesses and individuals. Banks and commerce groups began advising customers to use cash or other payment cards if possible, and reports indicated that online and contactless transactions were having more success than chip cards. Though some Visa transactions still went through, the failure appeared widespread. The Financial Times even reported that some ATMs in the United Kingdom were already out of cash within a couple of hours of the first outage reports. Some observers saw in the outage a stark reminder of the fragility of payment networks, and the weaknesses in global economic platforms.
via NNSquad [Thanks, EU!] http://gizmodo.com/ad-blocker-ghostery-celebrates-gdpr-day-by-revealing-hu-1826338313 Ad-blocking tool Ghostery suffered from a pretty impressive, self-inflicted screwup Friday when the privacy-minded company accidentally CCed hundreds of its users in an email, revealing their addresses to all recipients. Fittingly, the inadvertent data exposure came in the form of an email updating Ghostery users about the company's data collection policies. The ad blocker was sending out the message to affirm its commitment to user privacy as the European Union's digital privacy law, known as the General Data Protection Regulation (GDPR), goes into effect. The email arrived in inboxes with the subject line "Happy GDPR Day -- We've got you covered!" In the body of the email, the company informed users, "We at Ghostery hold ourselves to a high standard when it comes to users' privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation."
The long running CISSPforum mailing list on Yahoo Groups is being closed by ISC2, effective June 15, 2018. An alternate mailing list, run by volunteer CISSPs, has been created on groups.io. Yeah, I know. Those of you who don't have the CISSP cert don't care. (Even those who, like Peter, have been given an honorary CISSP may not care.) But the reason the CISSPforum is being closed is kind of interesting. ISC2 itself isn't saying much about why. But most people discussing it seem to think it has to do with GDPR. Yahoo has not had the greatest success with security, so ISC2 may wish to limit its exposure. The thing is, if I want to give people instructions on getting to the new CISSPforum, the easiest thing would be to send them to the page at https://community.isc2.org/t5/Welcome/CISSPforum-replacement/td-p/11006 (or https://is.gd/lGXNgT if email mungs that and you want a shortened version). Yes, you are correct. That Web page is one of the postings on the new, supposedly private, "community" that ISC2 has created to replace the CISSPforum mailing list as a communications venue for the membership. And, if I want to send you to the existing discussion of the various privacy issues to do with the new "community," I can point you to https://community.isc2.org/t5/Welcome/Welcome-lets-talk-about-ISC2-no-censorship-Closing-of-CISSP/td-p/11021/page/2 or http://is.gd/GgHckH Or, you can search for it yourself, on Google: http://lmgtfy.com/?q=see+the+amazing+dancing+CISSPs+and+all+their+discussions You will be able to see all kinds of discussion on the new forum. Do a Google search with any term you want, and include site:community.isc2.org as a term, and see what the amazing dancing CISSPs have said about it. (There is one area of the "community" that is not searchable, but it's fairly small.)
http://phys.org/news/2018-05-german-spy-agency-tabs-internet.html De-Cix, the world's largest Internet hub, says Germany's spy agency is able to get a complete and unfiltered copy of all data passing through its fibre optic cables. Germany's spy agency can monitor major Internet hubs if Berlin deems it necessary for strategic security interests, a federal court has ruled. In a ruling late on Wednesday, the Federal Administrative Court threw out a challenge by the world's largest Internet hub, the De-Cix exchange, against the tapping of its data flows by the BND foreign intelligence service. The operator had argued the agency was breaking the law by capturing German domestic communications along with international data. http://rinzewind.org/blog-es
Originally posted here: http://medium.com/@enkiv2/trendism-cognitive-stagnation-21c8e003df83 Trendism & cognitive stagnation (This is a follow-up to Against Trendism http://medium.com/@enkiv2/against-trendism-how-to-defang-the-social-media-disinformation-complex-81a8e2635956) Basing visibility on popularity is a uniquely awful version of *tyranny of the majority* because uncommon views become invisible, even if, were they to start on an even playing field, they would become popular. In this way, it encourages mental stasis: since ranking is based on an immediate appraisal of how popular something already is, and visibility is based therefore on past shallow popularity, there's no room for rumination. This is NOT an attribute of `technology' or `social media', but an attribute of visibility systems based on immediate ranking. Visibility systems based on ranking delayed by, say, three days, or with the top 25% most popular posts elided, would be fine. Our capacity to imagine new possibilities is based largely on our familiarity with the bounds of possibility space—we can only imagine views that are in the neighborhood of views we've heard expressed in the past. So, making the already-unpopular invisible limits imagination. (There are hacks we can use to make it possible to imagine views nobody has ever held. We can make random juxtapositions, impose meaning on them, and then figure out a justification for them—like tarot reading. Or, we can merely iterate from some basic idea, getting more and more extreme, while internalizing the perspective of each iteration as something someone could possibly believe in good faith. The former—the bibliomancy approach—is common in experimental art, while the latter is typical of dystopian science fiction. But, these hacks are pretty limited. We need a starting place.
If we've only heard mainstream ideas, we're going to have a hard time going off the beaten path with the dystopia approach, while we will struggle with the bibliomancy approach because most ideas can only be made to seem reasonable with the help of other ideas. Getting into uncharted territories with either of these approaches is difficult unless you've already filled out the middle of your possibility space with other ideas, because in their absence you would need to independently reinvent them.) This is not a justification, in of itself, for banning metrics entirely. After all, this kind of exponential distribution happens with ideas even without the use of popularity signifiers: ideas spread, and popular ideas have more opportunities to spread. Trendism merely accelerates the process and widens the gap between the most popular ideas and everything else. Sites like reddit use segmentation to prevent total ordering of popularity from dominating, although this ultimately means that popular subreddits have a disproportionate impact on this total ordering when it is seen. http://redditp.com/r/all Similarly, we have seen piecemeal attempts to limit the effects of trendism for particular topics—the curation of trending topics at twitter and facebook, for instance, or ad-hoc ranking demerits for particular tags on lobste.rs. However, we could be applying the measurements we already take to counteract trendism rather than accelerating it: making popularity count less the higher it gets, removing overly-popular content entirely, boosting the visibility of mostly-unseen content, using information about organic reach in sites like twitter to boost the synthetic reach of people who don't have many followers (instead of boosting the synthetic reach of the rich), systematically demoting posts that comment on trending topics, spotlighting spotify tracks and youtube videos with zero views, and so on. 
Where trendism devalues the function of recommendation systems as novelty aggregators, these tools could be modified to be anti-trendist, pro-novelty, and promote a cosmopolitanism that broadens our horizons in ways traditional word-of-mouth never could. This is a unique capacity of recommendation systems over curators: recommendation systems can recommend things nobody has ever seen, and can recommend them on the grounds that nobody has seen them.
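The essay's proposed counter-measures turned into a ranking function, as an added example that is not the author's code or any site's: the plain popularity ordering the essay criticises, next to a ranker that elides the top quartile, damps popularity logarithmically so it counts less the higher it gets, and gives mostly-unseen items a flat boost. Posts, vote counts and view counts are constructed; the quartile cut, the view threshold and the bonus size are illustrative parameter choices.

```python
"""Added example: a trendist ranking and an anti-trendist one over constructed
posts.  All data and parameters are illustrative."""
from dataclasses import dataclass
from math import log1p
from typing import List


@dataclass(frozen=True)
class Post:
    id: str
    votes: int   # popularity signal the essay says should count less
    views: int   # how many people have seen it at all


# Constructed sample: two runaway hits, a middle, and three barely-seen posts.
SAMPLE_POSTS = [
    Post("a", 1000, 50000), Post("b", 120, 3000), Post("c", 30, 400), Post("d", 4, 40),
    Post("e", 0, 3), Post("f", 2, 15), Post("g", 60, 900), Post("h", 300, 10000),
]


def rank_trendist(posts: List[Post]) -> List[str]:
    """Visibility ordered by current popularity: the feedback loop the essay describes."""
    return [p.id for p in sorted(posts, key=lambda p: (-p.votes, p.id))]


def elide_top_quartile(posts: List[Post]) -> List[Post]:
    """'removing overly-popular content entirely': drop the top 25% by votes."""
    cut = len(posts) * 25 // 100
    by_votes = sorted(posts, key=lambda p: (-p.votes, p.id))
    return by_votes[cut:]


def anti_trendist_score(p: Post, low_views: int = 20, bonus: float = 5.0) -> float:
    """'making popularity count less the higher it gets' (log damping) plus
    'boosting the visibility of mostly-unseen content' (flat bonus below a
    view threshold).  Threshold and bonus are arbitrary illustrative values."""
    return log1p(p.votes) + (bonus if p.views < low_views else 0.0)


def rank_anti_trendist(posts: List[Post]) -> List[str]:
    """Elide the runaway hits, then order what remains by the damped score."""
    remaining = elide_top_quartile(posts)
    return [p.id for p in sorted(remaining, key=lambda p: (-anti_trendist_score(p), p.id))]


if __name__ == "__main__":
    print("trendist     :", rank_trendist(SAMPLE_POSTS))
    print("anti-trendist:", rank_anti_trendist(SAMPLE_POSTS))
```

On the sample the two nearly-unseen posts move from the bottom of the feed to the top, which is the "recommend things on the grounds that nobody has seen them" capacity the essay ends on; note that log damping alone never changes an ordering, it only matters once a second signal such as the novelty bonus is in the mix.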
I don't wish to start a political argument, but from a practical POV, there is merit to the US method of "the winner takes it all"—eventually, one candidate wins, and incumbents should be allowed to do their job to the best of their ability. Compare that to relational methods in some European countries, which have brought about unstable governments which are reshuffled often (like in France before 1968, or present-day Italy). History has proven—from the resignation of Nixon to the recent upheaval in Armenia—that as long as freedom of expression and assembly are kept, the public would eventually be able to express enough dissent to get rid of corrupt politicians, no matter which system was used to elect them in the first place.
Please report problems with the web pages to the maintainer