  • Setting aside the Forgejo issues for a moment, I can’t quite see the logic behind the author’s description of a “carrot disclosure”.

    As written, it’s a third option for disclosure, beyond 1) coordinated disclosure (often 90 days for the vendor to fix things) or 2) full disclosure (immediately going public, esp when the vulnerability is believed to be actively exploited). But what the author describes as the carrot is to publish only the output of a proof-of-concept, and then the onus is on the vendor to figure out both the vulnerability and the fixes.

    This seems wildly irresponsible to me, to put the effort into writing a working PoC but then to willfully withhold it, so as to basically force the vendor into a wild goose chase. And that’s the best case scenario, when the PoC is actually legit. At worst, it’s a DoS against a vendor (causing them to re-audit code to find a bug that doesn’t actually exist, eg hallucinated AI slop) or is a form of defamation to scare users away.

    Then there’s the issue of when it’s not a “vendor” per se but a group of volunteers of an open-source project, which I will distinguish from commercial vendors as “maintainers”. Is it ethical to withhold an already-written PoC from FOSS maintainers, who often do not have the material capabilities to do a full-scale audit when given basically no clues?

    To be clear, I’m not a security researcher and have done zero disclosures of any form. But if I ever ran a project and received a so-called carrot disclosure, why shouldn’t I immediately call their bluff and treat it as full-disclosure? This situation seems like Schrodinger’s Cat, where the only way to rip away the uncertainty is to throw open the box. Worst case, the project suffers the reputational hit for having a legit vulnerability. But best case, the vulnerability is non-existent. But what this supposed “third way” purports to do is no different than sowing the seeds of fear, uncertainty, and doubt amongst users. Someone tell me how this isn’t one step away from extortion.

    I think game theory would say that any and all recipients of “carrot” disclosures should always call the bluff, immediately and vocally. I don’t see any way for such disclosures to be anything but unnecessarily antagonistic. I refuse to credit the term with any legitimacy.


  • I’m not familiar with cereal bags being accepted for recycling at grocery stores – although I’m aware that grocery store recycling in California has deep issues regarding implementation – but regarding why a chip bag is different than a cereal bag, my guess is that it has to do with the former being air tight.

    Chip bags are intentionally filled with gas (usually nitrogen) in order to preserve the contents for a long shelf life. Rather conveniently, this also helps the chips not smash up against other chip bags in the same box, at the cost of fitting fewer bags into a shipping container. As such, chip bags have to be air tight, and mylar is good at that, as evidenced by mylar balloons that keep helium inside for far longer than a latex balloon (to the sadness of every electricity provider on Earth).

    Whereas I suspect the clear plastic – maybe polyethylene? – bags used for cereal have different requirements, because a cereal box already provides mechanical protection against other boxes, and an expectation that cereals (a bona fide breakfast foodstuff, compared to chips which have always been categorized as a snack food) will be eaten in quantities that make recyclability a priority; this is a guess.

    I also think cereals might historically have been just free-floating inside the box, in the same way that dishwasher powder detergent is still packaged within a thick cardstock box, with a pour-out metal spout. That said, this citation seems to indicate that cereal bags are in-fact liners, which would suggest the primary reason is one of food safety, if contact directly with the inside of the box would be a problem.

    And this kinda makes sense to me, since nobody would want to eat soggy cereal if a bit of rainwater seeped through the box and contacted the food.


  • Interest rate: the percent increase per compounding period. Almost totally useless unless the compounding period is also known.

    APR: a metric which extrapolates an interest rate and compounding period out to one year, less any unavoidable fees. Because this metric can be computed for any savings instrument or any loan, it can be used to directly compare rates between different savings or lending institutions.

    APR is still computable even for something which won’t last for 1 year (eg a 6-month Certificate of Deposit), for things with a compounding period longer than 1 year, and can deal with promotional offers, such as a savings account that pays 5% for the first 3 months and then returns to a normal rate of 1% ongoing.

    Whereas before APR came into existence, it would have been possible to trick people with a seemingly “high” interest rate but it would have a longer compounding period, or they would charge an obligatory “exit fee” that takes a haircut off the interest at the end.

    While the law cannot change the mathematical fact that an interest rate must also have a compounding period to be usable, USA law enforces that whenever an APR is given alongside an interest rate, it must have been computed accurately, with large penalties if not.
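    Worked example of the arithmetic described in the comment above, added here and not part of the original comment. It turns a per-period rate into an annual figure, shows why a headline rate with a long compounding period or an exit fee looks better than it is, and blends a promotional schedule over the first year. Assumptions made by the example (not stated in the comment): the annual figure is the effective compounded growth over one year, an exit fee is a fraction taken off the ending balance, and promotional rates are nominal annual rates compounded monthly.

```python
"""Annualising an interest rate: an added worked example, not from the comment.

Assumptions made here: the annual figure is the effective compounded growth
over one year; an exit fee is a fraction taken off the ending balance; a
promotional schedule is a list of (months, nominal_annual_rate) pairs, each
compounded monthly.
"""
MONTHS_PER_YEAR = 12


def annualize(period_rate: float, periods_per_year: float) -> float:
    """Effective annual rate from a per-period rate and how many periods fit in a year.

    periods_per_year may be fractional: 0.5 means the rate compounds every two years.
    """
    return (1.0 + period_rate) ** periods_per_year - 1.0


def annualize_with_exit_fee(period_rate: float, periods_per_year: float,
                            fee_fraction: float) -> float:
    """Same as annualize(), less an obligatory fee charged on the ending balance."""
    growth = (1.0 + period_rate) ** periods_per_year
    return growth * (1.0 - fee_fraction) - 1.0


def blended_annual_rate(schedule) -> float:
    """Effective rate over the first twelve months of a promotional schedule.

    schedule: [(months, nominal_annual_rate), ...] in order. "5% for the first
    3 months then 1% ongoing" is [(3, 0.05), (9, 0.01)]; a final open-ended
    entry may use any large month count, it is truncated at twelve months.
    """
    growth, months_left = 1.0, MONTHS_PER_YEAR
    for months, nominal in schedule:
        use = min(months, months_left)
        growth *= (1.0 + nominal / MONTHS_PER_YEAR) ** use
        months_left -= use
        if months_left == 0:
            break
    if months_left:
        raise ValueError("schedule must cover at least twelve months")
    return growth - 1.0


def pick_better(offer_a, offer_b) -> str:
    """Compare two (period_rate, periods_per_year, fee_fraction) offers annually.

    Returns 'a', 'b' or 'tie'. This is the comparison that cannot be made from
    the headline interest rate alone.
    """
    ra = annualize_with_exit_fee(*offer_a)
    rb = annualize_with_exit_fee(*offer_b)
    if abs(ra - rb) < 1e-12:
        return "tie"
    return "a" if ra > rb else "b"


if __name__ == "__main__":
    print(f"1% per month                 -> {annualize(0.01, 12):.4%}")
    print(f"2.5% on a 6-month CD         -> {annualize(0.025, 2):.4%}")
    print(f"10% every 2 years            -> {annualize(0.10, 0.5):.4%}")
    print(f"1% per month, 2% exit fee    -> {annualize_with_exit_fee(0.01, 12, 0.02):.4%}")
    print(f"5% for 3 months, then 1%     -> {blended_annual_rate([(3, 0.05), (9, 0.01)]):.4%}")
    print(f"'10% every 2 years' vs 5%/yr -> offer {pick_better((0.10, 0.5, 0.0), (0.05, 1, 0.005))}")
```

    The "10% every two years" line is the trick the comment describes: it annualises to under 5%, while the six-month CD and the monthly rate both come out higher than their headline numbers suggest.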


  • In the best possible scenario, a BIOS/UEFI password lock will prevent an adversary from using the computer as-is. If the adversary has an objective to quickly fence the computer, then this objective is foiled. Note that preventing the computer from physical access would also foil this objective, since that prevents the adversary from even accessing the machine.

    But that’s the best case. In a worse-case scenario, the adversary wants to steal data from the computer. A firmware password will be useless if the adversary removes the HDD or SSD from the machine. This is, instead, correctly solved with drive-level encryption, using a password or smart card to unlock.

    The reason why open-source firmware (BIOS/UEFI) might be uninterested in implementing a password is because: 1) preventing physical access is more effective, and 2) because it’s arguably a form of security theatre: commercial firmware vendors include a password feature because some customer once asked for it, but not with security as a well-thought objective. Open-source projects have a habit of not implementing pointless features.

    TL;DR: physical access to a machine is fatal to any and all security protections



  • Like with all things, it’s a matter of degree. Democracy and socialism are not inherently incompatible, but can be mixed together at different ratios. For example, a democratic socialist society could follow in the Swiss model of direct democracy, meaning everyone has a say in the policy decisions. Such policy decisions include the law but also how to utilize the means of production, which the state owns entirely.

    Whereas another democratic socialist society could realize their democracy through a representative model, where citizens elect a local representative that goes to the capital and votes in a state committee on how to amend the law or utilize the means of production, which the state owns entirely. Here, political power is wielded by a committee but the complete socialist ownership is intact.

    Yet another democratic socialist society could be much softer on the state ownership of all the means of production. The state might own the utilities, roads, schools, and all land, but may permit certain collectives to privately own businesses that generate value and to distribute those earnings equally amongst themselves. This could be considered a transitional step, since it allows for a controlled amount of capitalist-style development to occur, while avoiding huge concentrations of private capital. But it could also be a step backwards if the state already fully-owned the means of production but then voted to release some of it to small co-ops.

    While words have to mean something to be useful at all, I wouldn’t spend too much time trying to fit all possibilities into neat categories. Ultimately, socioeconomics are fluid.




  • In California, a U turn is considered a left turn that keeps going. As a result, a U turn is legal anywhere that a left turn is legal, except when signs are posted otherwise. So in a left-turn pocket/lane, it is both reasonable and expected that people will make left turns, some of which will continue into a full 180 degree turn. People who do U turns are doing what is allowed, and they have every right to do so. If this seems like a problem, then talk to your transportation department to restrict U turns.

    I’m not aware of any aspect of a U turn procedure that would be any different than a standard 90 degree turn: use turn signals, look for oncoming traffic, look for pedestrians, turn slowly as required by the radius, roll out of the turn with careful acceleration.


  • As the other commenters have noted, what sort of adversary are you trying to protect against? There is no such thing as “security for its own sake” but rather security measures like E2EE are to protect against specific types of attacks. Do you believe a ticketing system is vulnerable to attacks that E2EE would mitigate?

    As an aside, please do not consider PGP to be a pinnacle of signing or encryption. I’ve opined in another project before about why Late 20th Century PGP isn’t that good in the 21st Century.

    But even with a modern replacement for PGP, how would E2EE even work for a multi-user ticketing system? If everyone on the support side has the same key, then key management becomes (as usual) the most crucial part of the operation, and remains an unsolved problem at scale. This is no different than physical key management, when every member of the custodial team needs to have the “super key” that opens every door of a university campus.
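    To make the key-management point in the comment above concrete, here is an added example (not from the comment, not from any ticketing product) of how a multi-user E2EE ticket queue would usually be structured: the ticket body is encrypted once under a random content key, and that content key is wrapped separately for every agent allowed to see the ticket, so there is no single shared “super key”. Removing an agent means rotating the content key and re-wrapping it for the remaining roster. Assumptions made by the example: each agent holds a personal long-term key (a symmetric key here, standing in for a public-key pair), and the cipher is a toy HMAC-SHA256 keystream with an HMAC tag so that it runs on the Python standard library alone; a real deployment would use an AEAD such as AES-GCM and per-agent public keys.

```python
"""Per-agent key wrapping for a multi-user E2EE ticket queue: an added example.

Assumptions (not from the comment): every support agent holds a personal
long-term key; a ticket body is sealed under a random content key (CEK)
that is wrapped once per authorised agent; removing an agent means rotating
the CEK and re-wrapping for the remaining roster. The cipher below is a toy
encrypt-then-MAC construction on HMAC-SHA256, chosen only so the example runs
on the standard library; do not use it in place of a real AEAD.
"""
import hashlib
import hmac
import os

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def new_key() -> bytes:
    return os.urandom(KEY_LEN)


def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC with separate subkeys)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key -> ValueError."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_ticket(body: bytes, roster: dict) -> dict:
    """roster maps agent name -> that agent's long-term key. One wrap per agent."""
    cek = new_key()
    return {
        "body": seal(cek, body),
        "wraps": {name: seal(agent_key, cek) for name, agent_key in roster.items()},
    }


def read_ticket(ticket: dict, name: str, agent_key: bytes) -> bytes:
    if name not in ticket["wraps"]:
        raise PermissionError(f"{name} is not on this ticket")
    cek = open_sealed(agent_key, ticket["wraps"][name])
    return open_sealed(cek, ticket["body"])


def rotate_ticket(ticket: dict, actor: str, actor_key: bytes, new_roster: dict) -> dict:
    """Re-key a ticket for a new roster, e.g. after an agent leaves.

    Caveat: a removed agent who kept a copy of the old blob can still read that
    old copy; rotation protects only the rotated ticket and later updates.
    """
    body = read_ticket(ticket, actor, actor_key)
    return create_ticket(body, new_roster)


def demo() -> bool:
    """Two agents share a ticket; a wrong key fails; Bob is removed by rotation."""
    alice, bob, mallory = new_key(), new_key(), new_key()
    ticket = create_ticket(b"customer reports login failure", {"alice": alice, "bob": bob})
    if read_ticket(ticket, "bob", bob) != b"customer reports login failure":
        return False
    try:
        read_ticket(ticket, "alice", mallory)   # wrong key for alice's wrap
        return False
    except ValueError:
        pass
    rotated = rotate_ticket(ticket, "alice", alice, {"alice": alice})
    try:
        read_ticket(rotated, "bob", bob)        # bob no longer has a wrap
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("demo ok" if demo() else "demo failed")
```

    The design choice worth noticing is that the cost of adding or removing a reader is one small wrap, not re-encrypting the ticket archive under a new shared key, which is exactly where a single “super key” scheme becomes unmanageable.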



  • Civil forfeiture and DEA is a separate problem unto itself, and you’ve always hit on the key points: DEA operates within the country, whereas customs is at port of entries. DEA’s corruption and geographic reach mean they have caused far more problems than any customs agent, in pursuit of a 1990s zeal that “drugs are bad” and expanding that into a parallel law enforcement system, despite already having a federal law enforcement department: the FBI. Civil forfeiture should be abolished as unconstitutional, violating due process, equal protection, and property law.

    So yes, once you’re in the country, there is a risk to carry around large sums of cash. But that’s hardly connected to the customs declaration requirement, and certainly cannot be connected to the declaration requirement on the way out.


  • When entering or exiting the USA, the rule is that cash or financial instruments need to be declared above $10,000, but you can bring as much as you want. So bringing a literal suitcase of Swiss francs worth $5 million USD is perfectly fine, provided you tell the customs agent.

    While I can’t really advise going to the USA right now, it’s not like they will confiscate cash above $10,000. The particular phrase used in most places is “freedom of capital”, meaning that money can flow into or out of the country without significant impediment. The entire USA financial sector relies upon freedom of capital, whether that’s electronically or – if need be – with bundles of cash.

    Declaring cash helps prevent money laundering, since people intending to secretly move money would not want to declare to customs. The threshold is intentionally set so that normal people going on holiday with cash or travelers checks (yes, I’m aware it’s 2026) won’t be burdened by the rule.


  • I very much don’t care for AI, but yeah, I posted it because an unexpected Rickroll – whether from AI or not – is still as funny as ever.

    That said, I’m also aware that Mike Masnick is a recognizable name, of “Protocols, not Platforms” fame, also the person who coined the Streisand Effect, and probably most relevant, is a BlueSky board member (therefore not as interested in ActivityPub), those may be part of the downvotes too. Nevertheless, we take the rough with the smooth.



  • At least in the USA, not really. The federal income tax main form, Form 1040, has all the big-picture totals like taxable income, deductions, credits, computed tax, payments and withholdings, and finally the amount owed to or from the government. Some fraudsters that want to steal someone’s tax refund will in fact file a fraudulent Form 1040 with a massively-inflated number in the deductions box, which then causes a large tax refund check to be mailed to the fraudster, who then absconds. Fortunately, this is much harder now because of cross-checks by the IRS, before issuing a refund.

    For actually claiming the largest and most common deductions, taxpayers would attach Schedule A behind their Form 1040, and would compute their itemized deductions, such as state taxes (which the federal government mostly doesn’t tax, to avoid doubly taxing that income) and home mortgage loan interest. These are much harder for the IRS to verify, because that would require more cross checks into each state’s system.

    Form 1040 is two sides of a sheet of paper. Schedule A is one side of a sheet of paper. Lots of taxpayers can in fact file their taxes with no more than 5 sheets of paper, total. The tax changes in 2017 saved only about one sheet. This is not a thick envelope by any means, but quite frankly, e-file is free for the federal return so individuals rarely mail their return. Businesses and trusts, however, do still mail.




  • I think the market for each is quite a bit different. Prop guns, whether functioning or not, are often regulated in law as “replica firearms” because while they may (or not) be functional, the issue is that they are intentionally similar to the real thing. Hence, some jurisdictions have limits on who can sell replica firearms and who can buy them.

    One rank below firearms and replica firearms, air/pellet guns and BB guns propel small balls or shuttlecocks (?) made of metal using compressed air or spring power. These could still be harmful to people, but aren’t usually fatal, which makes them effective for pest control or target practice, in lieu of live firearms. Accordingly, these are often regulated like how knives are: don’t just hand a pellet gun to a child without supervision, and don’t assault people. Otherwise, do as thou wilt.

    Meanwhile, airsoft guns propel small plastic balls using springs, compressed air, or electro-pneumatic pressure. By sheer virtue of having less density, a plastic airsoft projectile carries less energy than a BB pellet, and certainly a lot less than a live-fire bullet. Also, whereas firearms can attain supersonic velocities, the speed of sound puts a firm cap on what a plastic, ball-shaped projectile can achieve, when not using chemical-based propulsion (ie gunpowder).

    Only 8 US States regulate airsoft guns, and even those that do are not restricting them as heavily as firearms (except New Jersey?). The common requirement is that an airsoft gun should have an orange tip. That means a majority of Americans are potential customers for airsoft, and that means an environment will form that host matches, competitions, and so on. Big market means lots of producers, so lots of variety, high quality, and lower prices for all.

    Whereas, what’s the market for replica firearms? Show business? Gun enthusiasts?


  • Even when something is fairly inexpensive and readily available, the nature of the thing may preclude it from being well-noticed in public, even if it’s not being intentionally obscured at all. Things that move are an especially good example, because most people don’t really pay significant attention to passing traffic or stuff moving approximately 3-5x faster than their own walking pace, with the exceptions of when they themselves are in motion too (eg seeing another train while riding a train), or if the object is coming straight at them.

    An example suited for fellow Americans: seeing the same color and model of your car, parked in public, is very easy to spot, because that’s how you’re accustomed to seeing your own car: stationary. Whereas seeing your own car in motion (while you’re stationary) is slightly harder because: 1) it’s whizzing by for only a few seconds, and 2) you’re not used to seeing your own car drive away from you. Confirmation bias then means that you rarely see that same model of car in motion.

    Drones have the same perceptual bias, but compounded by the fact that humans aren’t in the habit of scanning the skies overhead for drones. And even if they do, identifying a hovering drone means to spot a small dot that’s hanging dozens of meters in the air, or being within earshot (inverse-square law limits this distance). And if the drone is moving, then spotting it is even more difficult, although it does have a moving audible footprint now.

    Finally, there’s the operator, which in almost all circumstances is stationary. Yet, for similar reasons, why should anyone notice if someone is standing in a forest, looking at a screen with a set of controls? If nobody is around, is a drone operator even there? As a fairly solitary activity, it’s no surprise that few have ever seen a drone actually being operated, much the same that loads of people know of Pokemon cards and yet few have actually seen the TCG played out on a tabletop (this fediverse audience excepted).

    TL;DR: the general public only perceives things that are easily perceivable. When did you last see your car moving?


  • The short answer is that it depends. Some countries have treaties where civil court judgements (ie money compensation) from overseas are honored domestically, meaning the domestic court would not have to relitigate the facts but would just have to re-issue the local equivalent of an order to pay up.

    Seeing as this is a lawsuit in the UK, Valve does not appear to have a dedicated business location in the UK or EU, and that Valve has not already stopped offering services, I would guess that they don’t intend to skip town. The appeals process in British courts is similar to how it is in the USA, so there would be room for any award to be adjusted downward, before being forced to pay it.

    Also, to not pay a lawful judgement in one jurisdiction would cause potential issues in other jurisdictions, such as the massive EU market next door. This is precisely because Valve doesn’t operate a subsidiary but is doing business under their USA corporation. So the EU authorities would be within their rights to curtail the same corporation that skipped on a lawsuit in the UK, even when the UK isn’t part of the EU anymore.

    Note: some lawsuit judgements are explicitly disallowed from being “repatriated”, such as lawsuits regarding free speech in the USA. Under the SPEECH Act, an overseas judgement for speech that would have been legal if said in the USA cannot be collected on USA territory or against USA bank accounts. It would have to be collected against the person when they’re traveling, or from their non-USA bank accounts.