Soatok’s Informal Guide to Threat Models
46 points by sloanelybutsurely
I was going to commend him for managing to for once write a blog post without becoming an obnoxious condescending jerk, and then I reached the (usual on his blog) matrix hit piece.
"Unkind" is a valid flag for a comment, and I wonder if we should not strive to make the tech internet a better place by no longer entertaining the abrasive tone that the author is way too often speaking with on his blog and stop upvoting, if not ban the domain altogether.
That was a perfectly reasonable criticism that quoted the object of critique in full, and provided substantive points of disagreement. This is a far better example of criticism than most.
I am not saying he is wrong or that his critique lacks value. In fact, reading his blog has brought me to follow his judgement and consider Signal to be better than matrix cryptography-wise.
Edit: I've realized that "hit piece" implies untruthfulness, I didn't know that and used it to mean "harsh critique done with an attempt to bring down".
Yet, being right or an expert doesn't give you the right to be an ass. The paragraph where he compares matrix's (poor) threat model to signal's absence of one somehow manages to conclude with an extremely condescending "attempt award" for the person who wrote matrix's threat model. These kinds of attacks on the people behind matrix are common on his blog and are bordering on harassment imo.
Nah I think it's fine in tone.
...Also I do think that the "everything is a graph" protocol should in fact be treated as a research project that delivered the conclusion that "oops graph algorithms are actually really hard to reason about"
Graph thinking is powerful but expensive. It's great for rigor. Rigor is great for security analysis. But it's not a panacea.
I don't get how you square calling someone an "obnoxious condescending jerk" and then proposing to ban the guy for being unkind? Like, be the change you want to see.
You're right, maybe I should have stayed with only obnoxious. Conveying disapproval of one's behavior without turning into personal attacks is hard - especially in a foreign language - and I'm afraid I did cross the line here. Sorry about that.
Why are we so concerned about tones and words instead of actions?
TFA was unkind to Matrix. They didn't hack, stalk, harass, or dox anyone, they just used mean words to wrap up their criticism. Their criticism exists because Matrix's threat model has largely remained unchanged since 2021 even after multiple attacks that were neither covered by, nor deliberately excluded from, its scope.
If you don't like the window dressing, instead of calling the author an obnoxious jerk and feeling bad about it, why not take the insight underneath the negativity and carry it forward towards a solution? That would benefit everyone, wouldn't it?
Some days, I feel like we on the Internet focus too much on tone, rather than substance, simply because it's (qualitatively) measurable.
(Or maybe it's quantitatively measurable too? I'm not up-to-date on what AI has done to language.)
It's Contempt Culture: https://blog.aurynn.com/2015/12/16-contempt-culture
No it isn't. Matrix/Element is a commercial entity with sponsorships by government institutions (among others) and ambitions to move into the official communications space.
They should be held to a somewhat higher standard.
Belittling Matrix users would be a different thing but he didn’t do that.
This is the justification that comes back again and again. They are "bad" because they are <insert reason here> and hence it is ok to be cruel and lack any form of empathy. Do you really think that working for a commercial entity makes it ok to be on the receiving end of soatok's "attempt award" paragraph? I don't.
You yourself agree that this is "belittling", how on earth have we come to the point where it is acceptable to use this kind of tone for anyone we disagree with as long as we can pretend that it is a morally valid attack on someone with more power/responsibility?
No, sorry. If you aspire to be a solution for nation states or public health solutions you have to deliver and deal with criticism.
Matrix is not someone's hobby or passion project anymore.
So to Matrix’s threat model author, I award the following: poorly drawn star with the words "an attempt" written over it.
This is not merely criticism in my opinion.
How is it not criticism?
Is the self-directed "poorly drawn" in the alt text somehow supposed to detract from the author's point?
If you're gesturing at something else, it isn't obvious to me what you mean.
yep, it's not unwarranted* contempt. soatok's argument is that matrix is contemptible, and he enumerates why
*: that old “contempt culture” argument relies on the tech being contemptible -- e.g. imagine a SQL layer which doesn't support ? params -- but folks either don't see it, or don't care because it wasn't explicitly written out