Since we're on the topic of certificates, my app (1M+ logins per day) uses certificate pinning with a cert that lasts for one year, because otherwise it would be a nightmare to roll the cert multiple times in production. But what would be the "modern" way to do smart and automated certificate pinning, now that short-lived certs are becoming the trend?
Don't. Don't pin to public certificates. You're binding your app to third-party infrastructure beyond your control. Things change, and often.
Note that pinning to a root or intermediate seems 'sensible' - but it isn't. Roots are going to start changing every couple of years.
Issuing/intermediate CAs will be down to 6 months, and may even need to be randomised so when you request a new cert, there's no guarantee it'll be from the same CA as before.
This. Have you thought about what happens when your CA needs to revoke your certificate because of some issue? Can you even realistically re-pin before it's revoked (hours to days)?
The certificates will expire, but (as far as I'm aware), you're still allowed to use the same private key for multiple certificates, so as long as you pin to the public key instead of to the certificate itself, you should be fine.
The real modern way to do certificate pinning is to not do certificate pinning at all, but I'm sure that you've already heard this countless times before. An alternative option would be to run your own private CA, generate a new public/private keypair every 45 days, and generate certificates with that public key using both your private CA and Let's Encrypt, and then pin your private CA instead of the leaf certificates.
> The certificates will expire, but (as far as I'm aware), you're still allowed to use the same private key for multiple certificates, so as long as you pin to the public key instead of to the certificate itself, you should be fine.
It's allowed, but the intent of short cert expiration is to also have short private key lifetimes, so that point in time key compromises have time limited forgery potential. If the same key is used for a long period, someone who got the key once can download your public certificate and use that with the key they have.
> The real modern way to do certificate pinning is to not do certificate pinning at all, but I'm sure that you've already heard this countless times before. An alternative option would be to run your own private CA, generate a new public/private keypair every 45 days, and generate certificates with that public key using both your private CA and Let's Encrypt, and then pin your private CA instead of the leaf certificates.
The tricky thing here is you need to serve your private CA signed cert to pinned clients and a PKI cert to browser clients. If you want cert pinning for browsers (which afaik, is very limited availability), you should pick at least two CAs that you are pretty sure will continue to issue you certs and won't be delisted; bonus if you're also confident they won't issue certs for your domains without your explicit consent.
I would also recommend two private CAs, if you're doing private CAs. Store them physically separate, so if one is compromised or becomes unavailable, you can use the other.
I still think 'don't pin' is the best advice, but absolutely it should never be done to public CAs. I agree with your point about different endpoints, but maybe one endpoint for pinned apps, separate to your browser-based sites/endpoints.
I think the suggestion of pinning the public key and keeping the same private key across certs is the best option. But if you don't want that, perhaps this is a (high complexity, high fragility) alternative:
- Make sure your app checks that enough trusted embedded Signed Certificate Timestamps are present in the certificate (web browsers and the iOS and Android frameworks already do this by default).
- Disallow your app to trust certificates that are more recently requested than N hours. This might be hard to do.
- Set up monitoring to the certificate transparency logs to verify that no bad actor has obtained a certificate (and make sure you are always able to revoke them within N hours).
- Make sure you always have fresh keys with certificates in cold storage older than N hours, because you can't immediately use newly obtained certificates.
Pinning the intermediate CA should work. Alternatively, calculate the cost of updating the cert pinning mechanism if it's custom and compare it to paid, 1 year certificates (though those will go away eventually too).
On the other hand, if you're using an app specific server, there's no need for you to use public certificates. A self-generated one with a five or ten year validity will pin just as nicely. That breaks if you need web browsers or third parties to talk to the same API, of course.
Please don't suggest pinning a publicly-trusted intermediate. The CA may change which intermediate they're using at any time for any reason with no warning, and then the app which pinned that intermediate is hosed.
It depends what intermediate you pin, but the CA can also choose to change the root certificate they use at any time like Let's Encrypt did in 2024 when the CA that signed their cross signed certificate stood to expire. Plus, depending on where you get your certificates from, the reseller certificate may already be an intermediate rather than its own root.
You should probably pin the highest certificate in the chain that's going to stay current for as long as possible. Or, if the goal is just "I don't want people snooping around in my app's traffic" rather than "I want to protect against a rogue CA being used to hijack my customers' traffic", reuse the private key in the CSR and pin that, it'll get the job done.
You can prepare CSRs with new public keys years in advance. It'll take some certbot/ACME scripting to use them instead of autogenerating new ones on the fly, but that way you can pin your future certificates. Add pins as you prepare new CSRs and drop them as the certificates expire, and depending on the size of the list you choose you should be good for months or years without app updates.
Plus, if you do any key pinning, you'd probably do well to also pin a backup public key you haven't used in case your CA/infra collapses and you quickly need to redo your HTTPS setup.
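As an added example (not code from anyone in this thread) of the pin-to-the-key approach with a pre-pinned backup key discussed above: it computes the SPKI pin (SHA-256 over the DER SubjectPublicKeyInfo) both from a bare key and from a certificate, shows that the pin survives a renewal that reuses the same key, and that a backup key pinned before it ever appeared in a certificate is accepted once you rotate to it, while a certificate for a key nobody pinned is rejected. All keys, the hostname and the dates are constructed; a stand-in self-signed issuer plays the role of the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// must turns a (value, error) pair into the value, panicking on error; fine for a demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// spkiPin is the HPKP-style pin of a certificate: base64(SHA-256(DER SubjectPublicKeyInfo)).
// It depends only on the public key, not on serial, validity, issuer or signature.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// spkiPinFromKey computes the same pin from a bare public key, which is how you
// pin a backup key that has never appeared in any certificate yet.
func spkiPinFromKey(pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256(must(x509.MarshalPKIXPublicKey(pub)))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainMatchesPins is the client-side check run after ordinary chain validation:
// accept the connection only if some certificate in the chain carries a pinned SPKI.
func chainMatchesPins(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

// issueLeaf stands in for a CA issuing a 45-day leaf for priv's public key. Only the
// serial and validity change between calls, as they do on every real renewal.
func issueLeaf(priv *ecdsa.PrivateKey, serial int64, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "api.example.test"}, // constructed hostname
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(45 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	return must(x509.ParseCertificate(der))
}

// Outcome records what RunScenario demonstrates.
type Outcome struct {
	PinStableAcrossRenewal bool // same key, new cert: pin unchanged, still accepted
	BackupKeyAccepted      bool // rotated to the pre-pinned backup key: accepted
	UnknownKeyRejected     bool // cert for a key that was never pinned: rejected
}

// RunScenario walks through pin-to-key with a backup pin: renew on the same key,
// rotate to the backup key, then present a certificate for a key nobody pinned.
func RunScenario() Outcome {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	current := newKey()  // key in the live CSR
	backup := newKey()   // held offline, never put in a cert yet
	stranger := newKey() // a key the app has never seen, e.g. from a mis-issued cert

	// Pin set baked into the app: the live key plus the unused backup key.
	pins := map[string]bool{spkiPinFromKey(&current.PublicKey): true, spkiPinFromKey(&backup.PublicKey): true}

	t0 := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	first := issueLeaf(current, 1, t0)
	renewed := issueLeaf(current, 2, t0.Add(40*24*time.Hour)) // renewal reusing the same key
	rotated := issueLeaf(backup, 3, t0.Add(80*24*time.Hour))  // emergency rotation to the backup key
	bogus := issueLeaf(stranger, 4, t0)

	return Outcome{
		PinStableAcrossRenewal: spkiPin(first) == spkiPin(renewed) && chainMatchesPins([]*x509.Certificate{renewed}, pins),
		BackupKeyAccepted:      chainMatchesPins([]*x509.Certificate{rotated}, pins),
		UnknownKeyRejected:     !chainMatchesPins([]*x509.Certificate{bogus}, pins),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The pin check here runs in addition to, not instead of, normal chain validation; the thread's caveat about key lifetime still applies, since reusing the key across renewals means a leaked key stays usable until you rotate to the backup pin.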
DOGE found basically nothing, and they worked with an axe trying to cut anything that came close to waste. So I am not sure where you see all this "waste and corruption".
The goal of DOGE wasn't really to cut waste and corruption, just stuff they didn't like.
I'd argue that most of the military is waste and that America has no need to involve itself in wars. Something like Japan's SDF is sufficient and the extras could help with domestic infrastructure and public transport.
I am convinced that you can find waste (probably not as much corruption) in every modern government. However, you need people to really dive into the processes, ask what and why those have been set up in the past (every rule has an origin story) and if they can be bundled or streamlined. Same with expenses, you need things like forensic accountants and time to understand things.
Doge wanted to take shortcuts and destroyed everything without having alternatives in place. They had hoped for short-term wins, and neither the workers there nor their boss has the attention span or the experience necessary to really understand and optimize processes, thus reducing waste.
> neither the workers there nor their boss has the attention span or the experience necessary to really understand and optimize processes, thus reducing waste.
The Government Accountability Office is a congressional body that's been doing exactly what you describe for years. It's old - so it goes against the narrative that government waste is unmonitored, it's also unglamorous, boring, and not meme-able, and most importantly non-partisan, so it won't reliably dominate the news cycle with outrageous partisan talking points.
Bad faith argument. Why are you moving the discussion to DOGE when that's not what I was talking about?
You know the word "governments" that I used, means a lot more than the current TRUMP administration, right? Broaden your mind and PoV.
And also, how can you say with a straight face there isn't ongoing and never has been waste and corruption in any government? Again, think for yourself, ignore $CURRENT_EVENTS.
Look at your nation's government contracts that funnel taxpayer money to private pockets, then look at the output. Has there been value delivered proportional to the money spent at reasonable market rates? If not, then money was definitely wasted via incompetence, pocketed via corruption, or both.
This is so prevalent and has become the norm everywhere for so long, that people are not even giving it a second thought anymore when it comes to government corruption, but somehow people want to be spoon-fed sources as if it's an unbelievable conspiracy theory.
Here is one example of waste: FedRAMP certified software often costs 2-10x equivalent non-certified software. That means the government is paying a lot more than anyone else for the same thing.
Why? Well part of it is because getting and keeping that certification is itself expensive. There are expensive audits, that take up a lot of time, and generally require paying specialized consultants to get through. All of your cryptography needs to be done using expensive FIPS certified "modules". There are requirements about the hardware you run on. All of your vendors also need to be FedRAMP approved. The requirements often add a lot of friction to normal operations and slow things down. In many cases it is easier, and cheaper to run/build an entirely separate product for FedRAMP possibly in a separate data center, which adds a lot of cost. And to be honest, a lot of the requirements are mostly security theater.
But another reason is just that the government is willing to pay that high premium for a stamp of approval.
To be fair, it is warranted for the government to have some assurance of the security and quality of software they use, especially if the software is used for more sensitive purposes. But the certification process is overkill for many places software is used, and I think that if some effort was put into streamlining the process, the cost could be brought down.
Let's do a thought exercise on your loaded question, considering government waste and corruption has been thoroughly covered by journalists since the invention of the free press and are a Google search away for you.
If I don't post sources, then you just accept government corruption doesn't exist, simply because nobody Googled for you?
If I do post sources, then what? Do you just suddenly change your mind and accept that stuff documented by the press does exist?
Where, in good faith, were you hoping this conversation leads to when you were asking that?
It's not that there's any more fraud or waste in government than in private business, it's that it's less tolerated. I think the main reason for this misperception is that in the private sector, people pay a la carte for particular goods and services, while in the public sector, people pay for shared infrastructure even if they rarely use it themselves. So they are left with the feeling that they aren't getting their money's worth. But of course everyone benefits economically and socially from a stable and prosperous society, even if they can't put their finger on discrete services they use. The reality is that it simply costs a lot of money to maintain a large, modern society. Indeed, it actually costs more than we are paying here in the US, as evidenced by a growing debt that has been a bipartisan creation.
Believing in the mantra of waste, fraud and abuse is comforting, because it implies we could be getting all the same benefits for less money. But there really is no such thing as a free lunch.
If your democratically elected government spends money in ways you find unwise, you can vote for someone else, so that also tends to self-correct (albeit on a longer time scale).
The problem isn't the obvious things, in the government or your restaurant example. It's the less-obvious things---your favorite restaurant might cheat on its inspections, for instance. The rate of food poisoning there may go up, but you'll still be unlikely to be the one that gets sick. And the prices will go down slightly, as they are able to cut corners. This kind of "waste, fraud, and abuse" tends to go to an equilibrium, where the cost of finding and eliminating the fraud is similar to the cost of the fraud itself. And this equilibrium happens in both government and the private sector.
The idea that a modern technological nation of hundreds of millions of people could dramatically cut its spending and maintain its standard of living is a utopian fantasy.
> If I do post sources, then what? Do you just suddenly change your mind and accept that stuff documented by the press does exist?
Then I can read them, find similar sources, judge how much I trust them, and get a better idea of how much corruption and waste you are claiming exists.
While I am sure corruption and waste occurs, if it’s such a serious problem, there ought to be some evidence of it, direct or indirect.
What’s the alternative, I just accept your claim as fact? Or I “google” it until.. what? I find sources that support your claims?
> If I do post sources, then what? Do you take your words back and admit that stuff documented by the press is real?
If you post sources he will nitpick them to all hell. It's a classic bad faith argument move since it moves the discussion from one of the subject to one of source validity.
You usually see HN's resident handful of chronically linkposting jerks do it in the other direction (i.e. they make some insane statement and shit out cherry picked sources to back it up and it's up to everyone else to disprove them) but I suppose it could be used in this way too.
It's not bad faith when it's a legitimate request, which depends on the assertion.
If I say the sky is blue because of plane chemtrails, and you ask me for a source, that seems valid.
As with any large procurement system, there is moderate government waste in proportional terms, but one of the primary drivers of that waste is... anti-corruption systems operating as intended.
If you require 4 more forms than private sector, in order to be more sure there isn't corruption, then you've just imposed a cost that creates no value.
>It's not bad faith when it's a legitimate request, which depends on the assertion.
No offence, but comparing asking for proof of corruption with proof of the sky being blue because of petrochemicals is a biased bad faith argument.
Asking for sources on corruption is more like asking for proof that the earth is round, which is definitely not a legitimate request, but more trolling masquerading as an innocent request to dodge scrutiny ("It's just a question bro, why r u mad lol").
Nothing wrong with asking such a question per se, but that's something you can also google yourself due to countless occurrences from legitimate sources, hence why it's in bad faith to ask such a thing from others, and it should be more strictly moderated as many here abuse this "sauce or gtfo" attitude in bad faith to discredit a pov without providing any arguments.
> Has there been value delivered proportional to the money spent at reasonable market rates? If not, then money was wasted via incompetence, pocketed via corruption, or both.
I'm going to unpack this a little. The second sentence does not actually follow from the question asked by the first sentence.
"Value" is a loaded term as used here. Not all value is economic. Most value has a degree of judgement involved. I may consider an outcome to be of high value where you see the outcome as low value, and vice versa.
"Reasonable market rates" is a peculiar term to use when speaking about things government does. There are things we want as a society that would not be adequately replaced by market solutions. Roads, for example.
Your answer to your question contains a logic error due to the language choices of the question. You disagree with the value versus the cost spent. That does not mean there was corruption. It just means you disagree. Other people can hold the opinion that the value was worth the cost.
I am not claiming that there is 0 corruption or waste ever in government. I am saying that there has been an effort to create a perception that there is far more corruption and waste than actually exists. That in turn is being used as justification for taking a wide variety of actions that would be hard to sell otherwise.
If value is such a nebulous term then that should make your job easier not harder because it lets you make comparisons to the "dysfunctional bigco" end of things.
The people you are arguing with think government is inefficient. They will be more than satisfied with an honest accounting that results in a conclusion that the government spends 5/10/20% more per result than private sector. Just having an actual number one can be confident in would be a huge step forward. But outside the most narrowly scoped of comparisons you people rebuff any such request for all but the most narrowly scoped accounting of expenditures with a bunch of hand waving which just makes it look like the problem is even worse.
> it lets you make comparisons to the "dysfunctional bigco" end of things.
I don't like to compare governments and companies, personally. They're very different kinds of structures with (hopefully) quite different goals. They probably shouldn't look much like each other.
> But outside the most narrowly scoped of comparisons you people rebuff any such request for all but the most narrowly scoped accounting of expenditures with a bunch of hand waving which just makes it look like the problem is even worse.
Setting aside whatever you mean by "you people", since we are all people, hopefully all on Team 'Make Things Better', and don't need to be divisive:
That seems to be what was requested here OF those making the claim that the accounting currently shows an unworkable level* of waste, requested BY those unconvinced of the claim.
* - Or perhaps I misread the magnitude being claimed. Could you clarify with a number, please?
>"Value" is a loaded term as used here. Not all value is economic. Most value has a degree of judgement involved.
No it isn't. Most value CAN be objectively measured. I'll give you examples. The US outspends all the other developed nations on healthcare, education, childcare and yet is behind them all in actual results with poor education, high infant mortality and lower life expectancy. That's what waste and corruption does. Germany beats France at military spending and yet its military is significantly less capable than France's. Waste and corruption. I could go on.
If someone tells you the value of their work can't be objectively measured, it's because they're dodging accountability and they have their hand in your pocket and wish to keep it that way.
>There are things we want as a society that would not be adequately replaced by market solutions. Roads, for example.
Fine, let's go with roads. If the "market price" for road construction is 6 million/KM, but your government signed a deal with a contractor for a basic road at 20+ million per KM without any objective justification for the price hike, then the taxpayers are being taken for a ride, called waste and corruption.
And I'm not even saying anything out of the ordinary. Such grifts are the norm in plenty of countries.
> Germany beats France at military spending and yet its military is significantly less capable than France's.
No idea if that's true. But my impression was that France's military has been rather more...active post WW2 than Germany's. So maybe it's just about practice and readiness to go to war.
The French are not just active, they have capabilities Germany straight-up lacks.
A nuclear aircraft carrier, nuclear ballistic missile submarines, solid overseas expeditionary capability (France could sustain a few thousand troops in Africa, Germany almost certainly could not match that), and a few amphibious assault ships, to name several big ones that immediately come to mind.
France developed a nuclear program immediately after WW2 in order to not depend on America for nuclear security. For obvious reasons Germany didn't do that.
Germany didn't need expeditionary capability after the war. It probably doesn't need to project force beyond its continent even today. France regularly had military entanglements in its former colonies, and probably still does. Capability is a function of necessity.
Assuming the goal of said systems are the same between countries: but they're not.
In the US, the goal of the healthcare system is to produce profit. So the simpler explanation is that the healthcare system consumes more money and produces less healthcare because it spends more to produce profit.
Government chose the system, not the voters. And the government chose the system that benefits the private sector not the population because of corruption(call it lobbying if that makes it easier for you) from the private sector.
I've never heard Americans say "I want a system that costs me a lot, makes other people rich and gives me nothing in return".
> US outspends all the other developed nations at healthcare, education, childcare and yet is behind them all in actual results with poor education, high infant mortality and lower life expectancy
US healthcare and childcare are private, not government. Likewise I suspect much of the education cost is private colleges/schools, not government.
You seem to be arguing that the private sector is less efficient and more corrupt than the public sector.
“ the private sector is less efficient and more corrupt than the public sector”
That is easily the case if you aren’t careful. Private health insurance has a big incentive to drive up cost of the medical sector so they can take a few percent as profit. Defense contractors have almost no incentive to reduce costs, quite the opposite.
I guess it depends on what you call efficiency. If you define efficiency as extracting maximum profit then modern corporations are very efficient. If you define it as providing products and services at low cost, then they are inefficient.
What's Medicare and Medicaid and why do they cost the government over 2 trillion?
On a per capita basis, even if you don't include private healthcare spending, the US still spends more per capita on healthcare than the other developed countries.
Medicare and Medicaid exist because, as a society, we decided it was better to not let the old, the disabled, and the poor have zero access to health care.
Medicare and Medicaid are expensive because we incorrectly apply market economics to healthcare.
None of that requires corruption. It's a mixture of over-commitment to market-based solutions and a bare minimum of empathy enshrined into law.
You keep talking around the point and moving the goalposts. I never criticized Medicare and Medicaid. I criticized the US system which outspends all other developed nations, while obtaining poorer results. A lot more money is being spent but looking at the end results it's clearly not going to the right places. So where is the money going? That's the very definition of mismanagement and corruption.
I lived in DC for years, so I've had this discussion probably 8000 times already.
Time for 8001 I guess.
Let's separate waste and corruption - they are fairly different things.
Let's then split waste into:
1. Programs <someone> (don't care who) thinks are not worth doing or shouldn't be done by government, or whatever - IE the overhead is not what people are arguing about, and even if the program had zero overhead, and government was being as efficient as possible, <someone> still thinks it shouldn't exist.
2. Programs with high overhead or otherwise seem inefficient.
There are other things you can consider waste, but this feels like the majority of what people argue about.
#1 is often subject to widely varied views on what government should be doing or you name it. For this discussion, you can be <someone> and decide which fall into #1 and which fall into #2 :) We'll just assume literally everything in #1 is waste and should be killed.
If you kill everything that people initially think falls into #1, the US would probably spend no money. The majority of the budget is covered by things people think they disagree about, and want gone or not gone or whatever.
However, for most people, if you remove the ignorance of what things are and what they are doing, and then you killed everything that actually falls into #1, it would not make a huge dent in the US budget. This is because the majority of people tend to support, at least in the sense of saying it doesn't belong in #1, the things that are actually the majority of the US budget.
And then we'll ignore #1, because reducing the overhead wouldn't matter, and if you take the same view as most people, it will not be a big pile when you get down to brass tacks.
Let's talk about #2.
#2 is often subject to arguments about the overhead. This is much easier to discuss.
Most arguments about the overhead are about how high it is. This is, IMHO, not a useful measure at all.
Asking whether something has high overhead doesn't tell you what to do if the answer is "yes".
Better questions to ask (IMHO) are "Do I want the outcome this program achieves" (if not, it falls into #1), and then "Can I get the outcome on the same timeframe, with less overhead, and enough less overhead that it's worth it".
The answer to the latter is often no.
Sometimes it's yes in a theoretical sense (should it be possible to achieve the outcome for less money), but still no in a practical sense (can you actually pay someone to achieve the outcome for less money), even if you removed bureaucratic constraints (IE just stuck with the real requirements to achieve the outcome).
Often times it's no practically because of scale: I can have 4 hard drives delivered by Amazon tomorrow at 8am. I can't get them to deliver 4 million by tomorrow. On top of that, even if they could, while the odds are they are not the only people who could deliver 4, they may be the only people who can deliver 4 million. In that case, they have no reason to not charge me a near infinite amount of money since nobody else can do what I want. So it is very high overhead, but you can't actually reduce the overhead without changing the requirements. So if you want the outcome, as is, you have to accept the overhead.
Plenty of times it's no in both the theoretical sense and the practical sense, because notions of overhead amounts are wrong, and things are not as high overhead as people seem to believe. As an example, people continue to think USAID has high overhead, but it actually does not by any objective measure. In USAID's case, it just has funny accounting called NICRA. Anyone who digs enough to actually calculate the real overhead consistently discovers (and agrees) it's competitive with private organizations that do the same. See, e.g., https://www.astralcodexten.com/p/sorry-i-still-think-mr-is-w... for a reasonably new example of someone discovering this.
Of course, there is certainly plenty of waste in government, but it's a lot less than people think.
Well, "waste" is often defined by conservatives as "anything spent on the poors and/or not given to the rich" - by that standard, yeah, there's a lot of "waste" in the US government.
Close! A drop in the bucket! Which is why it’s important the bucket is always getting larger, that way everything is a drop and no single thing is worth making more efficient!
There are lots of single things worth making more efficient. This isn't one of them. This isn't even remotely close to the top decile of the list. This is probably in the last 5% of things you'd want to fix.
It's not principled to solve problems in stupid ways, it's actually just stupid.
Here's where someone who has thought about the problem for more than 5 seconds would likely start: gigantic healthcare organizations defrauding Medicare, in particular vertically integrated pay-viders.
Literally tens of billions of dollars per year in known, easily detectable fraud.
Right. A couple hours to instantly save millions by looking at active vs purchased licences is barely worth the effort. Exactly what is the threshold where people with your perspective won’t handwave away explicit irrefutable waste and say “oh that? who cares it’s nothing”?
Your argument is that the government doesn't waste money?
Are you sure that's a defensible position?
Nearby a vacation spot there is a sand dune next to the road, and a carpenter spent an afternoon building a ramp over it so that his son could drive his mobility scooter onto the beach. The city tore it down, then took over 2 years to build it back, worse quality, at a final cost of over $40,000.
What do you make of this story, and how did DOGE even attempt a fix?
What's the point of "restitution" if it came from the victims anyways? The Sacklers would have kept all of their ill-gotten gains under this settlement. The amount they'd be paying is practically just the interest from their earnings.
I have a hard time with the concept of retribution alone, but I think if it is phrased in terms of modeling societal standards and demonstrating to others that this behavior is unacceptable, it is still valuable to society. I guess you can mark that under "deterrence", but it's less about sending a signal to future would-be criminals, and more about communicating and demonstrating societal standards to the entire society at large.
justice from whom? Just because they got a prescription doesn't mean they lost complete body autonomy. The lack of personal responsibility regarding drugs around here is insane.
The whole basis of this suit is that a Purdue subsidiary went out of their way to market these pills as non-addicting. "Personal responsibility" in this case clearly lies on those actors, not the addicts.
I'm not sure about the justice aspect, but I wouldn't underestimate how powerfully addicting some of these drugs can be to the point where it can override your "personal responsibility". Same thing with any substance like alcohol or cigarettes, gambling, over-eating, etc. It's very easy to slip into abuse and an addictive response and susceptibility isn't universal.
Opioids are highly addictive. If you're vulnerable and your doctor eagerly prescribes them because it feeds their wallet, you can easily lose control.
Expecting some personal agency is now victim blaming? Detoxing from opioids is not fatal. It sucks. But it's doable. You don't need to take your entire prescription. Take it while you're in pain.
If you were prescribed heroin and proceeded to take it, you would end up addicted and unable to quit. Full stop. It is exceedingly rare to overcome opiates, you underestimate them greatly.
"The thing I have noticed is when the anecdotes and the data disagree, the anecdotes are usually right. There's something wrong with the way you are measuring it," - Jeff Bezos
That’s a pretty weird take to me. Crime stats and polling of people’s perception of crime show this as clearly the wrong approach for instance.
Most studies show that no matter what direction crime is going in, a substantial majority of people think their neighborhoods are safer and that everywhere else is basically a war zone that is getting worse. There’s a total disconnect locally/nationally in perception that is also detached from crime stats.
All of this is to say that the anecdotes are basically all but worthless in the case of understanding how bad crime is on any appreciable scale beyond a few blocks of one’s neighborhood.
>Crime stats and polling of people’s perception of crime show this as clearly the wrong approach for instance.
The only crime stat you can trust is murder and that's because bodies can't be hidden (easily).
Everything else gets swept under the rug.
When I wanted to report my car broken into I was hung up on three times because of a poor quality line, which was fine before I told them what I was calling for. When I went there in person I had to wait 40 minutes for someone to take my report and give me a reference number for my insurance.
One need only download a community-based self-reporting app like "citizen" to see how much crime really exists. It's more than you'd like to know. Like the previous poster said, not everything is reported.
I'm sure apps like this are targeted towards an already paranoid and crime-obsessed demographic, and they're going to be full of false positives. Not sure you can take that sample as representative.
But this hasn't changed over decades. Policing never was 100% effective and crime was always underreported. Yet if you ask people, it's crime getting worse YoY.
But as long as the stats are not reliable, that's unknown territory. Maybe the police are getting lazier, maybe less; maybe there are fewer people reporting because it is seen as useless, maybe there are more because they get tired of it. One simply cannot get a picture, independently of where the trend is going.
Policing was effective enough that I never had to find someone to unlock a case for me at the store unless I was purchasing something particularly valuable. It was effective enough that you didn't see videos of people looting stores or driving around breaking into cars with impunity.
I don't know, these things were cliche plot devices in 1970s-1980s films and it appears everyone was convinced America was headed into an Escape From New York future. Naturally, few people had cine/video cameras on them at any time.
And yet, if more people you know report being victims of crime, and the official statistics point to a decrease, the people upthread are happy to declare a decrease.
> The only crime stat you can trust is murder and that's because bodies can't be hidden (easily).
Seems to be a significant decline since the 90’s, followed by an increase since 2016, and a Covid dip followed by a resumption of the increase. It’s still a lot lower than it was in the 90’s.
This is actually a perfect example of Bezos being right on the money. You are measuring it wrong. The first and last articles focus only on violent crime, which is not what most people who are complaining about crime mean here. 538 is a little better, but their charts only go through 2019 before it became a major issue again. Only Vox seems to get it closer to correct (though still hung up on the violence thing):
> One theory that came up again and again is that city residents and visitors are, to some extent, conflating actual violent crime with broader indications of urban disorder.
If you are a leader like Bezos or a city politician you need to meet your customers / constituents where they are and fix the problems they want fixed whether or not they are saying precisely what they mean. The anecdotes are right and the statistics are wrong.
It’s just a refutation of naive bias towards statistics, which is rampant in big organizations (see the McNamara fallacy). This is codified in the idea of being “data driven”, which is the right thing if your data is a true proxy for the thing you care about; in practice it often isn’t and you have to incorporate some more flimsy or subjective signal to better understand a problem.
Bingo. The obsession with quantification is a crutch that allows uncreative people to delegate their decision making to a mechanical analysis of raw data, rather than a first-principles understanding of their problem space.
It's probably related to how much or little we read about crime more than any true crime level. If we see 10 news articles every day about crime, then we think there is a lot of crime around. If we read zero articles about crime, then it barely exists in our perception. What happens in reality does not affect our perception as much, as we probably seldom see it for ourselves, and when we see it, it would be difficult to objectively and statistically judge the crime level's direction with such few data points and biased experiences.
It's similar to Hans Rosling's comments about poverty in the 3rd world. It often sounds like poverty is increasing as time goes by, but if you look at statistics, overall poverty is decreasing and has been doing so for decades.
Exactly, in the case of crime there are so many more vicarious anecdotes. If people were only allowed to discuss crimes that they were personally victim to, we would not be under the impression that crime is worse than ever.
When I have to spend 10 minutes finding a store employee to unlock a case for me to buy underwear and socks at Target when I didn't have to five years ago, I conclude that crime has gotten worse.
When I see videos on the internet all the time of criminals just walking into stores and grabbing whatever they want while the security guard looks on and does nothing because the police will side with the criminal if he touches them, it is perfectly valid to assume that crime is worse.
When the police do nothing to enforce the law I do not trust the statistics because they are based on reports to the police.
Maybe the statistics are right, over the whole city, but where I live, crime has gotten worse.
Where do you live? It sounds quite bad. Has SF got that bad? I haven't been there since I worked there in 2015, but I read the authorities gave up on some crime?
I noticed neither any crime nor homelessness at that time. But people now seem to swear it has gotten to be a big problem.
I was last there a couple years ago when the "SF is a lawless wasteland" nonsense was gaining a lot of traction. I saw some needles, some foil, a broken window or two, but otherwise it was a very calm and inviting city. Any city due to greater density will have more observable crime, but people are crapping their pants over exaggerations.
> When I see videos on the internet all the time of criminals just walking into stores and grabbing whatever they want while the security guard looks on and does nothing because the police will side with the criminal if he touches them, it is perfectly valid to assume that crime is worse.
How many videos have you seen on the Internet of stores just calmly going about business with no shoplifting going on? The number of videos on the Internet is not an indication of any overall trend. The stuff you're seeing makes it onto YouTube because they are outliers.
Why have I only started seeing these outliers in the last few years? Also, the worst part of the videos isn't that they happen, but that they are allowed to happen. If the criminals weren't calmly going about their business without even wearing a mask and instead running from the security guard it wouldn't be so frustrating. If the news stories had a mugshot of the police arresting them quickly since their face is all over the internet it wouldn't be so infuriating. If the police didn't allow the criminals to run open air fencing operations right outside BART stations, I wouldn't be this mad.
Could there be other reasons why these videos are being uploaded more, and why you are being served them more over the last few years? Access to videography has been growing constantly since smartphones were introduced. There are now multiple platforms for uploading these videos, and doing so is easier than ever. These platforms algorithmically optimize for engagement and do this by promoting ragebait and controversy. And there are now entire, active communities dedicated to sharing/spreading/promoting these (r/PublicFreakout has almost 5M members). What you happen to be seeing may not reflect any sort of trend, either up or down.
I dunno, it seems in line with most stereotypes being more true than false [1]. “Common sense” is often derided in online spaces like this, but when there hasn’t been a massive media / social effort to convince the population otherwise [2], it’s pretty reliable.
Taking a quick glance at the articles you linked shows the same behavior as those reporting on the economy - defining disingenuous targets so they can claim their headline is true. To tie this back to anecdotes, I think it comes down to trust. When my neighbor says they’re afraid to lose their job due to housing, food, childcare being a lot more expensive I don't see any motivated reasoning behind that statement. On the other end, economists (and all the articles you linked) have many incentives to distort the truth. On average anecdotes are going to come from a more truthful place - both because you trust the source and know their biases.
I definitely understand where you are coming from and would never deny these things are happening. But my point is that argues for too much trust in anecdotes and people’s perceptions.
We all know memory is incredibly faulty, for instance. Yet people have a very high perception of their own memory’s accuracy. It’s kind of in the same vein. It’s not that people can’t remember things accurately, it’s that we need to start from a place of skepticism when depending on it. Same thing goes for people’s perceptions of crime, the economy, etc. Their anecdotes and lived experience, insofar as they can even accurately explain their lived experience, needs to be put into context re: its value for determining “reality.”
That being said I would never undermine the value of how people feel. If people don’t feel safe, that is a bad thing too. And we can cite all the stats in the world we want but ultimately feeling unsafe is not a good thing and that perception needs to be addressed.
You're making the exact same mistake as the poster you're answering warns about - you're mixing the objective reality ("absolute crime numbers") with the perceived reality of the population.
If the population perceives itself as unsafe and unhappy, your numbers don't really mean much to them, because to restore a happy society you need to look at *perception* and fix the reasoning behind it. Making the crime stats number go down won't do that by itself.
> you need to look at perception and fix the reasoning behind it.
Many times that perception is shaped by the media we consume, which has no obligation to have any connection to the reality on the ground. At that point whatever is done to improve the reality doesn't have to have any impact on people's perception.
Which means that the fix is to change the media not the metrics. That's the gist of the argument - if your improvements of "reality" aren't making people happier, you're changing the wrong metric. In this case you need to change the media, not crime stats.
Changing the underlying reality without improving the perception leads to a political disconnect. Improving the perception without improving the underlying reality just makes people happier, but not better off. You have to do both if your objective is to improve people's lives.
I agree. So, which one do you prioritize? Currently, it seems to me as if people's (mis)perceptions are leading them to vote against policies that will make them better off, so we need to correct perceptions first.
I don't really watch any broadcast/cable news these days. Was at a restaurant that had it going on their TV and my goodness all it was saying is "FEAR FEAR FEAR FEAR". Absolute mind rotting garbage.
I was at an airport the other day and I was struck by how I saw four different news stations all covering one tornado in a town halfway across the country from me. This was top line national news for like 20min with reporters standing by downed trees and going on and on about the “utter devastation.” It seemed pretty small potatoes tbh but maybe I was missing context?
You would think there is some sort of tornado epidemic nationwide based on the way they were acting. Tornadoes happen all of the time, and they are very tragic for those involved, but y’all aren’t hearing about every house that burns down in my city lol
In a different response I actually remarked on how I would never talk down to people who feel unsafe because we can cite all the stats we want in the world, but their feeling secure is very important as well.
That's fair that perception is often wrong - but that's a different issue.
Perception is also in large part the very thing that matters when it comes to crime. That is, do I get to live in peace or in constant worry? Do I get my property priced "fairly" when I sell or dramatically underpriced because of this perception that the area is unsafe? To summarize, in what you describe "crime stats" are ignoring half or two thirds of the problem.
In San Francisco, "crime stats" are further muddied because of massive underreporting and cherry picking the definition. So-called quality of life crime might be considered irrelevant because it rarely causes massive loss of property or injury. But it does make life extremely stressful for the locals (depending on the neighborhoods, where it might be "tolerated", i.e. left rampant, or might not be tolerated). In this case, "crime stats" are deliberately not measuring anything very relevant.
See also recent discussion of the squatting issue in Spain.
Location: Italy
Remote: Yes
Willing to relocate: No
Technologies: Project Management, Business Analysis, Teamwork, Business Development, Software Architecture, Leadership
Résumé/CV: https://www.matteofanciulli.eu.org
Email: dott.matteo.fanciulli at gmail.com
----
I am currently working as a Technical Project Manager (TPM) at one of the largest banks in Italy, leading the development of the new mobile App.
My favorite part of the job is finding the best solution for the client and seeking the most suitable methodology, adapting it to the characteristics of the project with a flexible approach.
As a TPM, I deal with the client in all stages of the service, starting even before a budget is established and a project is created.
After the project starts, I:
• Manage the project budget and timeline
• Review technical documentation and architectural decisions
• Manage and monitor the consulting firm we outsource the development to
• Provide usability feedback to ensure that the app meets platform requirements
• Support the consulting firm with the integration of the legacy system
Because 99.9% of Twitch problems, and bad press, from the last few years are focused on people using Twitch as an OnlyFans funnel. I would cut them out asap.
That just doesn't seem demonstrably true but I'd love to see some citations. My recollection is that Twitch's biggest issues have been regarding gambling and high-profile bans for misconduct e.g. DrDisrespect or nudity from streamers who don't even have OnlyFans accounts.
I expect it to last forever, unless it's written otherwise in the package. Do you expect your oven to stop working after 5 years if nothing is broken inside?
If the page content included the content that was supposed to be behind the paywall, but you didn't agree to any ToS because you had never seen the paywall, how far in the forest does the pained cry of an IP lawyer carry?
Or you give ads based on the content the user is reading/watching and not who he/she is. So you read an article about skydiving? You get served skydiving equipment ads. This way you are EU compliant since you don't track the user.
Fine if you are a skydiving magazine. What about a generic newspaper like The Times?
Unpopular opinion but I think Google's FLoC is actually a reasonable solution that allows sites like that to exist and also has minimal privacy implications. The people who are against it just want to have their cake and eat it.