The (heartless) thing about it is that drugs are not too different from many other things in society that are used by rich and poor alike but harm the latter much more.

The rich are far more likely to own firearms than the poor and far less likely to shoot someone or be shot.
The rich buy far more alcohol than the poor but are far less likely to drive drunk or be alcoholics .
The rich do far more drugs than the poor but are far less likely to become non-functional addicts.
The rich are far more likely to waste their education on party schools than the poor but are less likely to suffer the career consequences.
The rich and the poor engage in about the same amount of premarital sex but the former are less likely to have kids out of wedlock.
The rich gamble more often than the poor but are far less likely to become chronic gamblers.

To my mind, this suggests that the ultimate cause of these problems isn't the particular vices, but rather the cultural and economic context around them that causes them to be destructive. We should work at fixing that context, along with providing opportunity and support for everyone to work towards their own success, rather than wasting our time on proximate causes.

The only thing you can cryptographically sign is a binary. The rest is inspection by hand which won't scale.

Hey, I can make all kinds of tasks faster by precomputing much of the work and then looking it up in a table. Congratulations, you've (re)discovered another instance of a Space/Time tradeoff.

Now, in particular what they've done is still wicked cool -- it's a great idea to perform may millions of simulations ahead of time so that at runtime (heh) you can quickly draw on that data to adapt. It would be perfectly good research even without the over-the-top claim that they've somehow made the work faster as opposed to cleverly pre-computing much of it.

But that's research -- you do something neat and then you make a ridiculous overstatement to generate buzz ...

No. In fact it's absurdly difficult to reliably create reproducible builds. Debian has been working on this since at least 2009 (afaict) and has been plowing through issues but you still can't get an identical Kernel as the .deb. Heck, it was 8 weeks just for the Tor browser.

It's not just the compilation tools, it's the entire build environment that needs to be homogenized. All kinds of components will insert uname/hostname and paths into the binary, filesystems list the contents of a directory in undefined order, timestamps and permissions are embedded into tarballs and documentation, different locale produces other weirdness.

tl;dr: it's much harder than just installing an identical version of clang and hitting make.

[ And, as an aside, this goes back decades. The infrastructure around builds was never designed with reproducibility as a design goal. We are basically retrofitting this new requirement on decades of legacy code that never even considered that we would want such a thing ... ]

If the USA is the bastion of freedom, capitalism and independence, why are cab licenses limited by city bureaucrats? Why not let everyone who qualifies swim in the taxicab business leaving those who cannot stand the waters perish? I just don't get it!

Because historically taxis have engaged in a number of fraudulent and unsavory practices, outright racism in some cases and have generally made cities look bad. So there was a legitimate reason to regulate them in order to ensure that they didn't bilk (or take the long route) for gullible tourists, refuse rides to people of the wrong color, install fake meters, organize into a racket to overcharge customer or skip on carrying decent insurance.

Then, lo-and-behold, the well-meaning regulators were captured by the taxicabs (because they were smart) and turned around and instituted any number of illegitimate regulations designed to stifle competition. This is generally pretty easy in a democracy because when there's a small number of cabbies with a very large interest in certain policies, they can often get their way when there are a large number of citizens with contrary interests. It's the law of diffused costs versus concentrated benefits.

So now, instead of being predictably idiotic with our left/right pro/anti regulation, maybe we should think about stupid regulation versus smart regulation. Then we could distinguish a rule require cabbies to carry insurance for their passengers with one that limits the number of medallions to some artifical number. Or one that requires accurate metering of any form with one that requires a specific brand or type of metering. Or a law that requires cabbies to serve any part of the city with one that requires them to drive home from the airport empty instead of picking up a fare immediately after dropping one off (this one really I don't understand -- there is a line for cabs at the terminal!).

On the other hand, nah, let's just hurf about it....

Part of the problem is that it's easier to hire new folks than to reallocate existing ones without getting into political turf wars -- let alone shrinking some departments* that don't need the headcount. This means that the utility of a new employee is automatically greater than one that's been there forever, even if they are equal in skill, just because they can be put in the most useful position.

This is a facet of downwards-stickiness -- it's easy to tell an overstaffed* department that they don't get to hire new folks, it's nearly impossible to tell them to give up folks. But both of those are equivalent in terms of overall allocation of resources.

* Note: I don't mean to say that these folks are incompetent, only that demands change and a team that might be stretched thin one year because of a large project might have few demands the next. In fact, it's exactly the opposite -- the most talented teams end up overstaffed because they build things well and end up without much maintenance to do, rather than constantly chasing their tails duct-taping things up. We should be moving talent from those teams to where it's needed the most.

Who ever said that the IRS definition for the purposes of taxation is the correct one to apply to a RFRA claim over contraception?

I highly doubt that the Waltons would qualify, given that billions of dollars of WalMart stock is held and traded publicly.

The opinion restricts itself to "closely-held corporations" (a phrase used dozens of times) rather than /all/ corporations. They don't define with precision what that exactly means -- that kind of drudgery is the domain of the lower courts -- they did point out that Hobby Lobby is privately held by a small number of folks from the same family. It would seem clear to infer that "closely-held" is sort of an antonym to "publicly-held" here, so I think there's virtually no chance any lower court would allow Wal Mart or Exxon to assert a RFRA claim.

Now, since companies under 100 employees are already exempt from most of PPACA, the net net of this only covers the rare company that simultaneously large enough to be hit by the mandate but still owned closely enough to merit RFRA protection. In other words, not too many in the scheme of things.

[ Full Disclosure: I don't support what Hobby Lobby believes, I think they deserve to lose on the merits. But at the end of the day, I'm not going to make a molehill into a mountain for rhetorical or fundraising purposes. ]

Yes, you are right, I mistyped.

Public: { H(CC+Salt), Salt, Amount of money spent on porn, Amount of student debt }

[ where + is just shorthanded for "mixed with" ]

It's not at all within the realm of possibility for an attacker to brute force the CC space for each salt separately. So yes, an attacker can run through (2**CC_entropy) hashes to brute force a single entry, but that exercise provides him no help when he goes to do the next entry. Moreover, he can't spin up a few TB of storage on S3 and pre-compute anything useful.

The point of the scheme is to turn a pwn-once-win-forever game into a pwn-one-win-one game. This guy paid once and won the entire database. I would like him to have to pay that cost once for each entry.

Yes, a secret salt is no salt at all.

But there are very important uses for salting that make it better than assigning a random number -- it allows someone that does know the input value look up the relevant entry without any involvement from the secure side.

Imagine you had the following two datasets that you've partitioned:

Private: { Credit Card Number, Random Salt }
Public: { H(CC+Salt), Amount of money spent on porn, Amount of student debt }

Now whenever you want to obscure an entry, you do need to go to private one. But if you want to answer the question "How much money did a person with CC X spend on porn", you can look it up without entering the secure domain. But no one without access to the private side can find credit cards in the DB or other stuff -- to within the computational costs of the operation multiplied by the entropy of the salt.

Yes, which is exactly what the person in this article actually did -- he created a lookup table to accelerate brute-forcing the entire released dataset.

And yes, there are a trillion credit cards. But if each one gets a random 32-byte salt added to it, then that's a 4-billion-trillion input space ...

Um, the standard is fine. The phrase "One-way hashes based on strong cryptography" means (to any professional in the business) that one must salt the hash with sufficient entropy to make brute-forcing the input space impossible. So 16 digit CC has little entry, but add a 16-byte hash and you've somewhere.

So yeah, "strong cryptography" can't fix stupid, but those that know how to use it are plenty fine.

And this is counting just those around me:

East Asia: Han, Cantonese, Korean, Japanese,
Indian Subcontinent: Telugu, Tamil, Sinhalese, Punjabi,
West Asia: Syriac, Turkmen, Arab, Persian,
North Asia: Slavs of all flavors,
Europe: Scandinavian, Germanic, Anglo-saxons, Castilians,
Africa: Hamitic, Bantu,

Looks pretty diverse to me, at least once you get past the crippling simplicity of the "White/Asian/Black/Latin" universe in which the race-baiters are forever trapped.

I also hate to be the one to point this out, but given a free choice much (not all) of the world population starts consuming meat once given the economic means to do so.

In a world that seems to be lurching towards greater individual autonomy and personal choice, your solution does not strike me as likely to get off the ground. At the end, you'll either have to adopt more and more coercive action to meet your goal or accept that there are billions of independent agents with different preferences.

This.

It's an interesting conundrum. We can at least try to pass laws to prevent our governments from spying us, but even if we succeed we can't very well pass a law forbidding others' governments from doing what they will.

Ultimately, I don't see a solution that's plausible here.