The racial achievement gap is probably one of the most significant problems educators in the US think about. I think one of the biggest obstacles to improving it (not causing the problem, but making solutions difficult or ineffective) is that low-performing urban school districts tend to correlate strongly with strong teachers' unions and big, mismanaged school administrations where things are too bureaucratic and incompetent for anybody to be able to really effect significant change.
I'm not sure I support charter schools as a universal good, but they've actually proven to be pretty consistently effective at improving the educational attainment of low-income black/hispanic students [0-1]. When the local school system is a political quagmire and objectively failing in its mission to educate students, it's probably the only way out.
The meta-problem is that the people most actively involved in improving the racial educational achievement gap are precisely the type of people to reflexively dislike charter schools (because it's "right wing", although I see it more aligned with the centralization vs decentralization axis) and maybe even feel overtly threatened by them (because of their union job). Also, charter schools have to actually figure out how to get buy-in from low-income black and hispanic parents, figure out how to serve this community better, and can't hide behind the excuse of cyclical poverty + orwellian bureaucracy anymore.
I think a lot of educators really would rather work in a system where bad outcomes are guaranteed and thus not their fault, than one in which they actually have the ability to make more than just performative progress in serving the needs of their underprivileged student body.
Why do you assume racial achievement gaps indicate problems with schools? For example, Asian students perform much better than white students. We don’t say that indicates a problem with how schools educate white kids. Instead, most people see it as a predictable consequence of asian immigrants being filtered for higher education. By that same token, why would we treat Hispanic students having lower scores as indicative of a problem with the schools? The U.S. Hispanic population is subject to the same immigrant filtering effect, but in the opposite direction. Both immigrant groups largely arrived in the last 50 years. Why would we assume the effects of the initial filtering would disappear so quickly?
Here’s a modest proposal: American schools are actually quite good across the board.
Why do you assume racial achievement gaps indicate problems with schools?
GP didn't say that, but educators of course see schools as an important area to address the gap. The literature is pretty clear on this being a complex problems with schools being an important wedge to break the vicious circle.
There is no shortage of young naive newly minted teachers who are eager to go into those low performing urban schools and help turn things around. But very few of them last more than a few years in those schools, they get badly burned by reality. The ones who last almost inevitably become callused and bitter, having lost all of the hope they had at the start. The biggest problem with those schools is the students themselves, and the families of those students. They're incredibly dysfunction and stymie all well intentioned efforts to help them.
Insofar as charter schools can help, it's because giving enough of a shit to apply for and go to one weeds out enough of the lost causes that would only disrupt everybody else. In fact, I think the best ways to improve those public schools is even simpler; make attendance optional. Families who give a shit will still attend, while all the trash will voluntarily stay home.
Hell no. Making attendance optional sacrifices way too much.
It's like reducing incarceration rates by never jailing people for anything short of murder. Sure, it improves on that one metric. Obviously. But the adverse effects elsewhere make it a nonstarter.
If you could trust self-selection to only ever stop the "lost causes" from attending? The absolute worst, most disruptive, least likely to ever benefit from education students? Then maybe.
But in practice, for every student like this there would be ten more who would benefit from school education if they attended, but wouldn't attend if it was optional.
And for those missing students, the difference between getting the classes and being left to their own devices might be the difference between becoming functioning adults, low in income but stable, and being locked in a vicious cycle of poverty, substance abuse, violence and crime.
Which is bad for the students in question, and even worse for the society.
You'd be surprised. America is an incredibly fucked up society. Free meals, Healthcare. Hell, even cheaper tattoos. There is a certain segment of the population where "jail" does not have the same meaning as it does for you or I.
I wouldn't trust any data about charter schools that came from the Hoover Institute. Plenty of red states with weak labor laws have awful educational systems.
At least near me the biggest problems facing the "urban" district compared to suburban ones is declining student populations as long time homeowners age in place and the maintenance costs of 100 year old buildings compared to 10-20 year old ones in the suburbs. Teachers tend to get paid the same or less in the city district and administration counts are higher but fairly close on a per student basis compared to the burbs.
This is before you get into the socioeconomic factors that make one student population more susceptible to starting and falling behind.
> At least near me the biggest problems facing the "urban" district compared to suburban ones is declining student populations as long time homeowners age in place and the maintenance costs of 100 year old buildings compared to 10-20 year old ones in the suburbs
The building maintenance is a red herring. I believe in my district, it's about 10% of the budget on average.
Every urban district I'm familiar with has higher per-pupil funding than ~90th percentile suburban areas. (Seattle versus suburbs, Detroit versus smaller towns)
Wouldn't a declining student population mean more money per student? And it seems like it would often (but not always) be cheaper to maintain existing buildings vs building new ones?
I'm also wondering how much of the new suburban buildings are financed with debt, and the costs just haven't really caught up to them yet.
The only reason I became anything today is because my parents who were poor but cared very much were able to "opt out" of the shit-tier local public school that pandered to the kids who would rather not learn before it was too late for me.
Just a couple disruptive kids per class can ruin an entire generation of students for a grade level. And there were far more than just a couple. Not to mention kids who had no business being in those classes - when the class is half full of low-performers they drag the rest of the kids down with them as the environment completely changes.
The focus these public school districts have put on the low performing and low achievers at the expense of those there to learn is astounding and perhaps civilization-ending if it continues. More resources should be spent on those there to help themselves vs. trying to shovel ever-more resources at people that will never provide a return on that investment.
At this point the local district here spends magnitudes more on special education and catering to IEP students than they do any AP level classes or other high performer programs. In fact they continue to destroy any advanced track segmentation in the favor of equity, and the teachers union nearly killed public magnet schools off entirely recently. They will try again until they are successful.
It's an obviously bad strategy, and apparently results don't matter. Dragging everyone down is not a plan for success.
This is the single political hill I will die on. Removing the ability for poor but high functioning families to give their kids a chance to get out of their circumstances because it raises uncomfortable questions is downright evil.
Other western countries everyone loves to champion so much have this figured out. Student tracks are a good thing. Put high achievers on an advanced track earlier than later and get them out of the general population of students before it's too late for them.
And yes, it's obvious to anyone who's ever been to a decent number of different types of schools that the only thing that truly matters is the other students (read: parents) that go there. Anything else is a rounding error.
As bad as it was 30 years ago when I was going to school, it's infinitely worse now from watching nieces and nephews attending their local public schools. Until they were able to transfer out to magnets at least.
There's one slow-motion conservative victory happening that's getting relatively little news coverage (and that's a good thing, lest there be more pushback): allowing more alternatives to public schools, funded by taxpayer dollars. Charter schools are the most obvious example, but I expect this to eventually be expanded further. If 10 homeschooler families want to get together and hire a professional teacher, there's no reason why the state shouldn't pay for it (provided the kids pass grade-level standardized tests).
Like you said, 99% of what makes a "good" school good is the quality of the other kids who go there. Since there's absolutely no political will for expelling the troublemakers (even in most conservative districts), the only remaining option is to build more lifeboats.
> the schools are able to kick out any underperforming students
Being able to kick out disruptive students has a pretty big influence on the remaining students.
How do you distinguish between underperforming-non-disruptive students and under-performing-disruptive students, especially as the almost all the disruptive students are going to be underperforming anyway.
You make it sound difficult. It's not. Schools are filled with security cameras. When a student attacks another, expell him. And none of that "the victim tried to defend himself so we have to expelled him too, we don't care who started it" horse shit. The schools have cameras, use them.
What I was getting to WRT to the GP's post about how charter schools kick out under performing students in order to "prove" that the public school system is inferior.
I'm trying to determine how he distinguishes between kids that are kicked out to make the school look better and kids that are kicked out because they are disruptive.
I already know how to do that (cameras, etc), I'm just wondering why he doesn't consider that school that kicks kids out might be kicking out disruptive kids.
I don't consider myself right wing, but I guess in this case I wouldn't care even if it were nominally right-wing, because it's more important to give students good educations than it is to perpetuate institutions (eg giant school systems with awful performance) that might ideologically better align with my beliefs but are clearly not working.
Also, while I don't think students should be pushed out of charter schools purely for bad performance (if they are putting in the effort), I do think that poor minority parents should have the right to send their kids to schools that don't force students to share classrooms with disruptive or way-behind-grade-level students. When educational outcomes under the local public school system are really bad I think school-choice just makes a lot of sense as a way of figuring out what policies are popular/effective/unpopular/harmful.
The implication seems to be that charter schools are superior, but does that jive with other countries' successes? A commonly given alternative explanation is that the public options in the US are deliberately sabotaged via budget restrictions, and then the resulting poor performance is used to justify further cuts—a similar dynamic has been fairly recently executed in Alberta with public health care.
There is very little correlation between per-capita student spending and student outcomes. We should fund our public schools adequately but no amount of funding can overcome a bad environment in a student's home or neighborhood.
And to be clear: we fund our schools at a higher rate than basically any other country in the world. We are fifth in the world in per-pupil student funding behind only Luxembourg, Norway, Austria, and South Korea.
Heape-Johnson, A., McGee, J. B., Wolf, P. J., May, J. F., & Maloney, L. D. (August 2023). Charter School Funding: Little Progress Towards Equity in the City. School Choice Demonstration Project.
In some states and cities the difference is more extreme than in others.
I think the specific form of "charter schools" we have are mainly a US invention, but a lot of countries (like the Netherlands, where it's more common than not) actually just let students use public funds to go to private schools, which would melt the heads of most people who oppose charter schools because it's "right wing".
Charter schools are I think a direct response to figuring out how to fix low performing, big school districts in the US. So while I have no idea if private or public schools do better in the Netherlands, I think we'd need to find something more like the Baltimore public school system in another country to make the right comparison.
> A commonly given alternative explanation is that the public options in the US are deliberately sabotaged via budget restrictions, and then the resulting poor performance is used to justify further cuts
I find this hard to address because it's not really a matter of policy but of ulterior motives or conspiracy. I personally have no secret plan to make public education even worse by posting about charter schools on hacker news. To me it's just about giving students the option to get educated by an independent institution rather than be forced to attend some of the worst public school systems in the country.
Nazis drink water and post on internet communities too. And that's a homeschool network, not a charter school.
Honestly, this might be a good opportunity for you to think about why you find charter schools such a nonstarter JUST because they tend to have more support among those on the right (which I'm not) than those on the left. That's actually one of the big problems I was trying to point out: people have extremely strong opinions on educational policy because of these ideological left vs right things rather than on what students actually need!
> why you find charter schools such a nonstarter JUST because they tend to have more support among those on the right
So my general impression is that the republican party, nationally, note I am distinguishing the republican party form political right in the USA, has not been supportive of education in terms of financing or in promoting the necessary environment to ensure high quality and consistent education.
My general impression is that the republican party is for charter schools.
An argument that says trust/invest in the system promoted by the party that has been undermining/unsupportive of the current system does not invoke my trust/sympathy.
This is not a topic I have done rigorous investigations on, but what little I have done normally shows a lack of hard evidence and apples to apples between charter schools and traditional public schools.
> And that's a homeschool network, not a charter school.
They were registered as an online charter school, which is why the Ohio DOE got involved at all. They wouldn’t have investigated an individual homeschooler. (Many “homeschool networks” or the like do this because it makes it easier for their clientele to prove they’ve met the meager legal requirements of homeschooling. Justifies the price tag, yknow?)
> Honestly, this might be a good opportunity for you to think about why you find charter schools such a nonstarter JUST because they tend to have more support among those on the right (which I'm not) than those on the left
You’ve imagined a whole backstory and character arc for me, which is sadly more interesting than the truth. I think charter schools are repugnant because they operate under little to no oversight and, around these parts, have a reputation for abusing students (see reason one).
You seemed to imply earlier that the right wing connection was irrelevant or unimportant to the concept of a charter school. It isn’t, really. It’s an essential feature of the system, and why they’ve become so popular as of late after decades of failed leftist attempts at the same thing.
People should study charter schools here in Sweden where it’s common. It’s such a corrupt profit motivated segregation mess, it should be avoided at all costs. It’s taken a very well functioning public school system that had a high lowest standard across the board and segregated them by cherry picking cheap to maintain students.
Then we also have the pure frauds, no education to the students until the finally gets shut down 5-10 years later when all inspections are done. etc etc.
Why on earth willingly let in the profit motive into this? It was introduced right wingers in Sweden too ofc, boat loads of profit to their supporters.
Now it’s also very hard to get rid of when state capacity has been reduced over the years.
Why wouldn’t I want a school to be able to kick out bad kids? Violent and disruptive kids need to be warehoused away from actual future productive members of society, rather than forcing 90% of kids to have their education ruined by 10% of bad kids
Prepare to build a fuckton more prisons then. Most kids can get turned around from a bad path if they get the right support early on. I don't want to live in a world where we write off 7 year olds forever.
There was a famous study that tried to test this - the Perry Preschool Study. [1] Basically they enlisted a number of high risk children - black, low iq, low income children. Half were placed into a high quality specialized preschool program (that lasted two years for 2.5 hours a day) with small class sizes, half were not, and they followed what happened over the next 40 years. The results were definitely impactful, but not the sort of major turn around one might hope for.
So for instance 55% of the control group ended up being arrested 5+ times by age 40, while 'only' 36% of the experiment group did. I think the thing this demonstrates is that intervention can help, but is also insufficient alone. Students who are in a sufficiently high risk scenario need ongoing support and treatment that they're not going to receive at a normal public institution. And not only that but they will remain disproportionately disruptive to other student's educations at normal institutions, even with years of ongoing care.
In Germany children only spend between 5.5 to 6 hours at school per day. You‘ve raised that amount to 8 hours now and the outcomes are not that much better since the number represents being arrested at least five times. If you get arrested four times, you would be considered a model student.
Reading the actual study, this appears to be a preschool program of 2.5 hours minimum, not adding on to an existing school day. There are also a lot more details about outcomes and they're wildly positive for an intervention period of just two years. The authors estimate the ROI (from increased productivity and savings on various costs) at an astounding 16x.
There are way more metrics in there, including more crime stats. The one somenameforme chose to highlight has a ton of ambiguity, leaving it open to the reader to guess that maybe all the program participants were arrested merely four times by age 40, so in fact this program sucks (plus somenameforme's scare-quotes on "only"), but the paper itself contains far more information and paints a clear picture of outstanding success for a relatively small intervention. Somenameforme's characterization of the study doesn't match the contents.
If that's the evidence a person's citing, the evidence they've cited is screaming "this works great", not the opposite, as implied. It may still not be true, but if so... cite different evidence to support that, because this study says this intervention was wildly successful.
Make sure you're reading the study and not just glancing at their charts. They try to present their data positively to the point that it can be quite misleading. For instance you might see things like 67% of the experiment group having an IQ of 90+ at age 5, contrasted against only 28% of the control group.
But read further down on the details and that difference disappeared almost immediately after the end of the intervention. It follows in line with a well known fact that childhood IQ is primarily driven by environmental factors whereas adolescent and especially adult IQ is primarily driven by the IQ of your parents - paradoxically, strengths or deficiencies in earlier life notwithstanding.
And their decision to set the baseline for arrests at 5+ is obviously doing something akin to p-hacking. It makes it clear that near 100% of the entire sample (males at least) ended up in prison, likely multiple times. The ROI from the program had nothing to do with increased productivity - it was driven almost entirely by less time spent in prison. It led to the interesting fact that 93% of the ROI came from males, precisely because the females had a much lower baseline criminality rate.
In a nutshell, the main benefit of the program was reducing the criminality rate of the experimental group to a level that is still orders of magnitude higher than for society at large. That is a good thing, but it also emphasizes that something like this would only be the beginning of special care needed to try to ensure these sort of people could live remotely decent lives.
The person who wrote that site spent quite a lot of time writing, yet unfortunately little reading. Heritability is, by definition, the degree of variation in a trait, within a population, due to genetic variation. The heritability of an accent is zero.
One clever way this is measured is twin studies, which also are not what most people, particularly those who prefer to write more than read, think. You don't search for twins separated at birth, but instead compare the differences in a trait between identical and non-identical twins. If the variation is greater, then the trait is generally significantly heritable. So for example - height would be an obvious one. By contrast the variation in accent between identical and non-identical twins would be zero.
The person who wrote that site is Cosma Shalizi, who very certainly knows what "heritability" is. Unfortunately, you appear not to. "Heritability" is simply the ratio of genetic variance to phenotypical variance. It's not genetic causality. Whether or not you wear lipstick: highly heritable. The number of fingers on your hands: not heritable.
So it's a blog from some guy with no background in genetics. Your definition is correct, as is your statement that it's not genetic causality. But to discuss heritability you need to understand the most typical, and reliable, way it's assessed. That would immediately clarify to you why lipstick wearing (or your accent) is not heritable, yet the number of digits you have (at least at birth) most certainly is. Here [1] is Wiki's take. You can also pick up any textbook on genetics.
I don't think "Cosma Shalizi doesn't know what he's talking about" is a good hill to die on, and you've now expanded your portfolio of opponents to Ned Block, from who I shoplifted the heritability point.
Direct genetic causality is not the only mechanism through which genes select for phenotypical traits. Genes also select and interact with the environment.
A person you respect in one field is not necessarily all-knowing within that field and, most certainly, not outside of it. This is especially true on topics that become politicized. This is not just because of the 'our side' vs 'their side' stuff, but because these issues can and have destroyed the careers of high profile people who adopt the wrong opinion.
Unlike the individuals you have cited, James Watson is a geneticist, spent his entire life studying and working on genetics, and in fact was even the person who discovered the structure of DNA. But because of his views on the genetic aspects of IQ (which inherently becomes intertwined into race, as race is just shared genetic ancestry), he was completely demonized, his career destroyed, and various honors revoked. Higher profile people speaking on these topics publicly know this all too well, so it mostly just turns into cheap virtue signaling as opposed to adding some genuine insight.
In your case, the examples they've offered are simply wrong, as would be immediately apparent with the most typical method of measuring heritability!
You're irritated because I gave you an output of the broad-sense heritability statistic that conflicts with your intuitive understanding of what "heritability" means. Now you understand how people feel when commenters randomly throw around the term "heritability" with respect to cognitive ability.
This is a "not even wrong" situation. Is cognitive ability significantly genetically determined? Maybe, maybe not. A broad heritability statistic from a twin study isn't going to resolve the question.
I promise, the author has studied and thought more carefully about the question than we have.
Fair warning: you would not be happier if I cited a molecular geneticist on this subject. Your argument gets even harder to sustain once you bring GWAS into the picture.
I'm not at all irritated besides the fact that you're relying on examples that simply are incorrect, and instead of responding to this issue in any way you're linking to walls of text from somebody who (1) has made plainly false statements on the topic already and (2) has literally 0 qualification in the field whatsoever.
It'd be akin to arguing to somebody who wants to claim the Moon landing was faked, and after the rather straight forward rebuttal of their argument links to some blog in the tens of thousands of words from some statistician they claim is "very smart." It's silly.
For the experiment, you don't want it to be a "moral dilemma" at all.
If the group-splitting decisions are made by humans, it inevitably introduces a systematic bias. That bias then will show up in the outcomes, and confound the very data you got out of your way to gather.
The easiest way to avoid that is to split the groups randomly.
If anything we need to double the amount of money paid to build high-intensity “schools” for those kids, and then reduce the amount of money needed for the good kids, because honestly all of that money is wasted now on the bad ones. We should also imprison criminals but that goes without saying. If we don’t have enough prisons to house violent criminals then we simply need more prisons, or release them only into communities that vote for such a thing (maybe rich liberal communities only etc.)
> We should also imprison criminals but that goes without saying.
Obviously we need effective justice.
But since we are on the topic of ineffective schooling, there is an argument to be made that US prisons are more effective at punishment than rehabilitation. Which seems to please some people, but just adds another undertow to society.
A loss for criminal inmates, and everyone they impact, family or stranger, after they are released.
Education is worth looking at with respect to an entire culture, with many important contexts beyond/outside school. From before school age (huge), onward.
There's a great early TED talk from a Lawyer trying to stop death row inmates being executed.
He realises that the simplest and easiest intervention is to stop the violent crime happening in the first place, and the cheapest and easiest way to do that is to intervene in the future murderers childhood. The specific example he gives is a client with a schizophrenic mother who needed more support.
They are allowed to screen prospective students up front. They also won't kick out under-performers for getting Ds. They will find a disciplinary reason to do so.
Every one of us could have been kicked out of school at one time or another if we had fallen under the microscope looking for an excuse.
No, that's also misinformation. Public charter schools in most states aren't allowed to screen prospective students up front. Any parents can enroll their children, and when a charter school is oversubscribed they use admission lotteries. And they follow the same disciplinary procedures as other public schools.
If you want to be exceedingly pedantic, a student at a typical charter school in the United States has much weaker due process guarantees than a student at a public school. The school administration at a charter school has much less government oversight by design, and in some states there is effectively none.
They appear to be essentially correct. There is little variance by state in how they accept students from the public. Were you thinking of a particular state? Here's information on the admission laws for each state from Wested. https://wested2024.s3.us-west-1.amazonaws.com/wp-content/upl...
In zero states can you show up at a charter school and say “I live next door, I want to enrol” and be enrolled. That is an enormous difference from public schools that immediately eliminates the most disadvantaged students from the applicant pool.
Moreover, some charter schools require things like parental time volunteering, which eliminates more kids, or introductory essays - they don’t score the essays! They just require it to be done! By horrible coincidence this eliminates more cough lower performing children, who simply never submit a completed application for the lottery, so sad. This definitely happens in multiple states but here’s one specific example:
> By horrible coincidence this eliminates more cough lower performing children
If it's not scored it can't possibly eliminate low-performing children on that unconflated characteristic alone - a motivated underperformer will still get in.
It eliminates the unmotivated, which correlates obviously with underperforming. While it can be a vicious circle, I'd say no-motivation -> underperformance is of much greater relevance than underperformance -> no-motivation.
The obvious hint is how it tests the parents too. sure. maybe they are very motivated but just work so much they cannot volunteer or spare any time, but doesn't that also somewhat render their 'motivation' moot as well?
Your link is about the mandated lottery system that applies when too many applicants submit applications to the same charter school, so it clearly doesn’t protect students whose parents were strongly advised not to apply.
Are you thinking of a particular situation? Charters usually have to market to fill the school because it's expensive to operate below capacity. (That's not unique to charters; public school districts also market to maximize voluntary enrollment.)
OK, here's a question. Should every sportball team in the US be prohibited from being selective? Everyone, regardless of their capability, should be able to play on the same field. Including paraplegics because it's not their fault.
Trans people in school/collegiate sports resulted in a lost US election for the Democrats (sports scholarships are a thing). That's how important it is.
And no, I don't think that the advanced education is essential. General education is, but not advanced courses. And of course, everyone absolutely deserves a fair _chance_ to get the best possible education.
I think humans are hard-wired to distrust and dislike certain forms of self-promotion because of the risk of false signalling. In small tribes of apes everybody knows everyone so trumpeting one’s accomplishments is basically trying to change people’s perception of something without changing the actual underlying signal.
The higher status strategy almost always ends up being countersignaling, where “trying too hard” is basically the opposite of counter signaling. The problem (this is something I am actively learning in my work) is that the way society is set up right now requires you to participate in the “attention economy” and build your brand/reputation in a group far larger than an ape-sized tribe. Because you’re not established in those circles a priori you have to start with signaling instead of counter signaling.
Basically, you have to have a PR team and win the hearts and minds of The Atlantic and Forbes before you can make a public spectacle of your ketamine habits. If you skip straight to that you’re just an insecure loser with a drug problem. But after everybody knows you and what you’ve done then you can establish yourself as a tortured artist, which is socially “better” than being just a regular artist.
> Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure?
Because if they don’t inform the company and wait for the fix, their disclosure would make it easier for less ethical hackers to abuse the vulnerability and do real material harm to the company’s users/customers/employees. And no company would ever want to collaborate with someone who thinks it’s ok to do that.
It’s not even really a matter of liability IMO, it’s just the right thing to do.
(main exception: if the company refuses to fix the issue or completely ignores it, sometimes researchers will disclose it after a certain period of time because at that point it’s in the public’s best interest to put pressure on the company to fix it even if it becomes easier for it to be exploited)
I don’t think that argument really works in situations like this because hacking Burger King requires a pretty high level of intent + ability and isn’t something that just naturally happens. Like you have to sit down and say “Today I want to try to hack Burger King” and then spend several hours doing just that.
To me it seems like quite a stretch for “don’t hack me” to get framed as “Burger King is leveraging their corporate power to tell me what to do against my will”.
And to be clear I actually do think that it would be better for Burger King to invite and reward responsible disclosure, in the same way that you’d want your bank to have a hotline for people to report problems like doors that won’t lock. But if the bank didn’t have that hotline it wouldn’t excuse breaking in.
This is a red herring. They're obviously being silenced because they just obtained evidence that Burger King is recording and algorithmically analyzing every customer interaction to ensure that their wage-slave employees say "You rule!" the correct number of times per order. This is horrifying and dystopic, and it's certainly the bigger story here.
Reading between the lines, it looks like the story behind the story here is that this security researcher followed responsible disclosure policies and confirmed that the vulnerabilities were fixed before making this post, but never heard back anything from the company (and thus didn’t get paid, although that’s only a fair expectation if they’ve formally set expectations for paying out on stuff like this ahead of time).
I’m curious about the legal/reputational implications of this.
I personally found some embarrassing security vulnerabilities in a very high profile tech startup and followed responsible disclosure to their security team, but once I got invited to their HackerOne I saw they had only done a handful of payouts ever and they were all like $2k. I was able to do some pretty serious stuff with what I found and figured it was probably more like a $10k-$50k vuln, and I was pretty busy at the time so I just never did all the formal write up stuff they presumably wanted me to do (I had already sent them several highly detailed emails) because it wouldn’t be worth a measly $2k. Does that mean I can make a post like this?
The screenshot of the email lacks detail so I don't know what part of the DMCA the author breached here, but this feels a lot like your standard DMCA abuse.
We’ll use an influencer for example. A false dmca claim has costs for them. Immediate costs in time, demonetizing, and reputation. It also has longer term risks - e.g., copyright strikes become bans. They are incentivized to pushback but have limited tools to do so.
When dealing with a company whose business is filing dmca complaints using an automated system, the business model isn’t a lawsuit - it’s a settlement where the influencer is made whole and you get paid. The risk to the company is existential if you have enough clients using you to push back and risking them getting a platform ban or an injunction against them filing automated dmca complaints. Say they file a thousand complaints a day against a thousand YouTube channels. If even 50 of those channels file a counter claim it’s going to set off alarm bells.
All that being said the most toxic part of this is the company calling itself a cyber security company and trying to obfuscate seemingly pretty responsible disclosures using dmca.
Can we start discussing 'you can run your own website/cloudflare/isp/backbone' conversation all over again instead of addressing some basic level of fair play?
This fits with the complete lack of care for ethics and societal awareness from Gary and Paul on down. They just want companies that can succeed by the usual amoral metrics of Silicon Valley (money). Which is entirely their right, but here is one of the social cost in a form most “hacker” founders can maybe appreciate. (As opposed to a low income resident getting evicted to make way for an illegal Airbnb)
> Why do you think copyright has anything to do with the post?
Because the Digital Millenium Copyright Act is for copyright. You haven't stated how the blog post infringes upon BK's copyright at all, so... yes, seems like a standard fraudulent DMCA claim.
> First thing first. This is NOT DMCA abuse. The DMCA is the only way to communicate with web companies and take down content. As such, it has become the legitimate way to take down any content that needs to be taken down, in the absence of alternatives.
This assumes that companies should be able to take down any content they do not like. This is very much not the case. The DMCA is very specifically only for copyrighted content.
From copyright.gov[1]:
> To be effective, a notice must contain substantially the following information:
> ...
> (v) a statement that the person sending the notice has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law; and
> (vi) a statement that the information in the notice is accurate, and under penalty of perjury, that the person sending the notice is authorized to act on behalf of the copyright owner .
This is pretty clearly DMCA abuse. TFA isn't using any of BK's copyrighted content, which is what a DMCA claim alleges. Just because people have abused the form... pretty much since inception does not mean that it's not perjury to do so.
If BK wants to press charges for unauthorized usage of computer systems, that's another route. This would involve a police report, not perjury, and would probably not take down the website.
It's DMCA abuse because that process is only legal to use in case of actual copyright infringement, not just any content you might have a moral claim over.
You can see on the email that the "Original work" field is just a link to the BK website.
> It's DMCA abuse because that process is only legal to use in case of actual copyright infringement, not just any content you might have a moral claim over.
I will reply to this comment because it's the easier to address, you're really hitting on the main misconception :D
It is incorrect to think that the DMCA form is only valid for copyright.
You need to contact the other party to start a legal dispute, you can do so by any available communication channels. The website is hidden behind cloudflare which purposefully hides the identity of the author and prevents any contact, except via a DMCA form. Burger King filled the DMCA form to get in touch with the author. It's merely a mean to legally contact the author and start a dispute, in the absence of better options.
It worked, cloudflare forwarded the form to the author (and the author decided to take down the article on their own). I really can't think of any reason why it would not be considered a reasonable and legitimate use of the form. All the better because it's an official legal form.
> The website is hidden behind cloudflare which purposefully hides the identity of the author and prevents any contact, except via a DMCA form
The blog post says that the author contacted Burger King and they had some sort of communication channel available, Burger King just chose not to use it.
DMCA is NOT a contact form. Part of the process is an attestation that you are the owner of a copyright and the content is infringing on that copyright, lying on that is perjury (even though I've never seen it enforced, perjury in general is rarely enforced). The convenience of DMCA as a contact and takedown form does not legitimize it's use as one.
It's fraud and perjury to file a DMCA claim for any reason other than someone infringed your copyright. A DMCA claim is only valid if you swear on penalty of perjury that the target infringed your copyright. Otherwise it's meaningless.
Just because it's the tool they have doesn't legitimize the use of a copyright takedown just to take down information they do not like. DMCA is specific and in theory limited (though many companies abuse it) the proper channel for non infringing content you don't like is the courts.
It is irresponsible. It brings attention to an issue that has not yet been resolved, which will likely lead to users getting data stolen/scammed.
Even the most security-aware companies have a process to fix vulnerabilities, which takes time.
I would never hire someone that doesn't reaponsibly coordinate with the vendor. In most cases it's either malicious or shows a complete lack of good judgement.
It could never be anywhere near as irresponsible as the original bad security practices, though. At some point, if you wanna make money by handling people's sensitive data, you are the responsible party, not everyone else.
Some companies will keep systems vulnerable indefinitely. If a company hasn’t fixed the issue in a year, public disclosure is likely a better option than doing nothing.
Yes, that is why responsible disclosure almost always comes with deadlines. You give the chance for the company to resolve the issue and mitigate user impact. But if they are taking so long that the user impact will be higher than you just disclose.
You don't, but you make a judgement call based on different criteria, such as how difficult the issue was to find, maybe how popular/big the site is, etc., as to whether or not you think anyone else is likely to know about it already.
users at large have a right to know if their data is being handled recklessly by any person or group, and just because some entity has arbitrary rules and poor communication/practices on how they want to tell them disclosures, it doesn't in any way make it irresponsible to let the public know: hey, your shit is getting recorded and is available for anyone to download and listen to.
I would say that it is responsible disclosure. Or anyways, not doing that is irresponsible disclosure. The corporation may be hurt by early disclosure, and that’s whatever, but very often, there are a ton of ordinary people that are collateral damage, and the only thing they did wrong was exist in a society where handing over hoards of personal data to a huge corporation is unavoidable.
So yes, anyone who discloses before the company has had a reasonable chance to fix things is indeed irresponsible.
Also "Oh, you hacked us? We'll call the police right away. You're going to jail." - followed by you actually going to jail for many years. Sometimes, anonymous, public, uncoordinated disclosure actually leads to the best security outcome in the long run, since security researchers in jail isn't that.
Yes. I live in a state where a journalist reported a Department of Education system leaking teacher SSNs and the governor sent state troopers after him.
You're assuming that the choice is between immediate public disclosure and coordinated disclosure. Doing "the responsible thing" takes effort that is often disrespected (sometimes to the extreme).
I'm so sick and tired of some companies that any vulnerability I find in their products going forward is an immediate public disclosure. It's either that or no disclosure, and it would be irresponsible not to disclose it at all.
I've been trapped in a quasi-NDA on bug bounty platforms too. The vendor just refused to make the report public long after the vulnerability had been fixed, likely to cover it up in case of any resulting damages claims (it was a financial platform and the bug affected withdrawals of customer funds).
The platform knows my identity, publishing the details would be against their terms, there's an implied threat that they could take legal action against me if I published the details, and they even low-balled the severity to avoid paying out the appropriate amount. Awesome experience overall.
That's the tradeoff. If you disclose it broadly without a grace period, someone who didn't even know about the vulnerability before will exploit it faster than even the best postured companies can fix it.
That seems to depend a lot on the vulnerability, and the company, and the users.
I'm not suggesting in this thread that coordinating with vendors is bad. I'm suggesting that to frame any non-coordinated disclosure as inherently irresponsible is bad, and that is what is implied when we use the label "responsible disclosure" for "coordinated disclosure".
I’m saying out loud “I think rebranding coordinated disclosure as responsible disclosure has negative impacts and we shouldn’t do it”.
Thats not putting my thumb on the scale so much as shouting my opinion. The rebrand puts its thumb on the scale specifically because it avoids saying “we think non-coordinated disclose is irresponsible”; it sneaks it under the name change.
It won't change until there is better regulation with muscular enforcement. Right now the choice is between paying an $X bug bounty and the vague possibility of some problem for not paying a bounty (e.g., someone sues you, or a PR fiasco causes you to lose customers). That basically means a choice between a 100% chance of losing $X right now (to pay the bounty) or an unknown but probably low chance of an unknown but probably high cost later on. Without any specific incentives, most people making decisions at companies will just choose to gamble on the future, hoping that they can somehow dodge the consequences.
To change that calculus, the chance of that future cost needs to go up and the amount of it also needs to go up. If the choice is between a $100k bug bounty now and a $10-million-dollar penalty for a security breach, people will bite the bullet and pay the bounty. If the CEO knows he will lose his house if its discovered that he dismissed the report and benefited financially from doing so, he will pay the bounty.
The consequences need to be shifted to the companies that play fast and loose with customer data.
> I’m curious about the legal/reputational implications of this.
The comments and headlines will be a bit snarkier, more likely to go viral - more likely to go national on a light news day, along with the human interest portion of not getting paid which everyone can relate to.
I guess I mean the legal risks to both sides. Security is only a portion of what I do and I only dabble in red teaming (this is the first time I ever tried it on a third party).
So I legitimately don’t know what the legalities of writing a “here’s how I hacked HypeCo” article are if you don’t have the express approval to write that article from HypeCo. Though in my case the company did have an established, public disclosure program that told people they wouldn’t prosecute people who follow responsible disclosure. TFA seems even murkier because Burger King never said they wouldn’t press charges under the CFAA…
Burger King is almost certainly going to experience no damage from this.
Their takeaway will likely be entirely non-existent. They’ll fix these bugs, they’ll probably implement zero changes to their internal practices, nor will they suddenly decide to spin up a bug bounty.
Ah. I don’t have much optimism that companies like Burger King will ever get that 2nd signal (mostly because I don’t think the average consumer-facing business suffers much impact from this kind of incident), but I agree with your premise.
Appreciate your clarification despite the bluntness of my reply.
This sucks. As a developer who puts a lot of effort on security, I hate that companies can get away with such negligence.
I hope people invent AI bots which uncover vulnerabilities and make them available publicly for free, in real-time. This would create the right incentives for companies.
Modern software has become a giant house of cards, under the control of foreign powers who possess asymetric knowledge. This is because our overarching legal system protects mediocrity and this gives nefarious skilled people with a massive upper hand, while hurting well-intentioned skilled people who try to build software the right way.
The nefarious skilled people don't need to ask for permission and don't need to convince anyone to make money from their schemes... Well-intentioned skilled people build products which are impossible to sell or monetize because nobody cares enough about security... Companies mostly externalize the consequences of vulnerabilities to their users and leverage market monopolies to keep them.
No. Just because there's a blog post about a fixed vulnerability doesn't imply that it's ok to write a blog post about an unfixed vulnerability.
I'm not saying it's wrong to post a blog post about an unfixed vulnerability. I'm just saying that the existence of a blog post about a fixed vulnerability has no impact on whether it's ok or not to post a blog post about an unfixed vulnerability.
Can you explain some of the technical goals of your project and the overall model you're thinking about implementing?
You mentioned sub-cent tx fees, 100k tps, and what I presume to be atomic swaps for stablecoins. Are you thinking about something like $0.10 fees or something like $0.0001 fees? At $0.10 fees at 100ktps that end up representing $100/s in tx costs which is about $8.6M/day or $3B/year. Presumably you expect to make more per year on this project in the ideal case, so are you intending to allow the fees or TPS to "float" upward, or to restrict participation in the L1 to only trusted partners, or for the network operators to make money off the interest from holding the stablecoins' currencies in reserve? What if demand exceeds 100k tps?
Since this will be a corporate backed project how do you plan to handle sanctions and government currency controls, eg if Uncle Sam tells you to drop support for Iranian currency, how will that work?
Will there be account/transaction privacy built into the network through ring cryptography or zk proofs? I'm assuming no, but if your answer is yes and Uncle Sam takes issue with that, what is your plan?
Why? It is a screaming good deal for >90% of companies to take as many problems like “employee credentials can be used to access user passwords”, “we need to develop, release, operate, and support something where small mistakes introduce security breaches + hire people capable of property doing that work”, and “if someone gets this private key they can use it to impersonate any user” off their plates as they can.
It’s good that Bob’s App Factory cares enough about security to hand off hard parts to Google for $X/mo if they’re not confident in their own ability to handle it better themselves. I trust Google more with my data than any other company in the world, including Bob’s. Bob’s a great guy but I doubt his IT department is reviewing every change in keycloak and preventing unilateral access to hmac keys.
Agreed that sometimes it makes sense to outsource, if Bob's App Factory is big and complex enough to actually need SSO, but isn't big enough to want to run it themselves. (I was thinking more F500, which is what I did a lot of SSO work for.)
But if you are a larger company who is outsourcing security, then you're subject to enterprise sales and vendors (Google excepted) who might be ridiculously incompetent. (Even if you have people on staff qualified to vet vendors of infrastructure, now you're in SaaS enterprise sales territory, where decisions aren't always rational or informed.)
And you're also looking at lots-of-eggs-in-one-basket centralized single point of failure for swaths of the country, which is a more attractive target than Bob's App Factory alone.
I think this assumes Gartner just coincidentally offer the right kind of branding and messaging to drive $100M+ technology spending decisions at the present time.
I have a feeling the people running such a successful marketing machine are smart enough to know that over time, decision makers' tastes and preferences will shift as younger generations age into their target audience. Maybe they won't be able to pull it off but I suspect they're well aware that millenials will be listening to something different from their conjoined triangles of success.
Lately I've been trying to reprogram myself to be more self-critical when I run into successful products that don't speak to my own personal tastes - it's really easy to just say "other people are stupid" but I don't think it's usually the full answer. Gartner is kind of like the technology Consumer Reports for F500 executives - it's not really any different from you looking at the rating breakdown for a vacuum cleaner or kitchen appliance back when Consumer Reports was the go-to source for product reviews.
Baby boomer executives are not stupid just because they couldn't tell you exactly how relational databases and Linux work. And it's gonna be a while until insanely busy and established 65 year olds start making significant purchasing decisions based on anime avatar tweets, so Gartner's audience definitely shouldn't be underestimated.
FTA: Also, there is no target salary or salary range. This is a red flag for a couple of reasons:
- It sends a message that the actual compensation is going to be rubbish.
- It sends a message (combined with the evidence from the advert spamming) that the hiring company will be paying different levels of compensation based on where the applicant lives.
That last one is particularly inexcusable. We call it a 'compensation package' for a reason: the employer is compensating the employee for using their expertise, time, and energy to make the employer money. It has nothing to do with the CoL where you live, and everything to do with how much the company values you in that role.
——-
While I mostly agree with the sentiment I think this is pretty normal and not nearly as much of a faux pas as the author is making it out to be. Kinda applies to a lot of his points - some of these aren’t unequivocally bad hiring practices, they are just polarizing or a matter of pros and cons.
Hot take: a lot of job openings for highly specialized skills or from small-medium sized businesses are not posted with specific salary bands in mind, just “as much as it takes to get a great candidate, but not more than their expected value”. In some cases you could legitimately be open to candidates costing anywhere between $80k and $500k - it looks weird to list a job that way, would you do it? Maybe it turns some candidates off, maybe it prevents scaring off candidates who would be great fits and accept the offer. Maybe it’s not worth getting upset about
And the article is about Canonical making multiple job postings all around the world where California labor laws aren’t applicable…
Regardless, I think there are underrated issues with mandatory pay bands that aren’t obvious unless you’re on the hiring side. Let’s say you legitimately are open to hiring candidates from anywhere from $100k to $300k. For candidates closer to the $300k end they might not want to apply if they think they might get offered way less than they want, and it might attract a lot of candidates on the $100k end who will make it all the way through the process and then get upset when they’re not offered something closer to $300k. Also, for companies like Canonical, they have enough name recognition and genuine supporters that they probably don’t want to talk to candidates who are only applying because they saw a big number (and if they have to, it makes harder for candidates that are better fits to get noticed).
There’s understandably a lot of strong feelings about hiring practices right now and I know a lot of candidates will tend to assume the worst because of how they’ve been treated by other companies. But sometimes companies just make multiple listings so they show up for candidates around the world instead of as a spam tactic, are flexible on salary, and have a culture that values different things.
In California at least, nothing stops you from asking about expected pay as part of the application process and setting expectations for individual candidates early. From the applicant side, I'm constantly amazed at how many companies are shamelessly advertising senior level jobs with embarrassingly low salary ranges. Being able to weed out companies whose _upper_ bound is less than I'm making now as a government contractor (i.e. very much not FANNG pay) saves a ton of time.
I never had to work on that, but I imagine you would publish a position at the 100k-200k range, and another one at the 200k-300k range. In fact, that may still be too large a range.
Or are the people in that large range interchangeable from the employer's point of view?
Why did my engineering team handle payments through Stripe instead of building a custom payment processor? Aren’t they supposed to be engineering things?
Coding agents presumably don't know how to deal with non-coding things. Stripe's real value isn't in its technology, but it sorting out the complex human problems associated with payment processing. Sending a number over a network is not any great feat. Getting humans to agree that number has meaning is another matter.
I'm not sure I support charter schools as a universal good, but they've actually proven to be pretty consistently effective at improving the educational attainment of low-income black/hispanic students [0-1]. When the local school system is a political quagmire and objectively failing in its mission to educate students, it's probably the only way out.
The meta-problem is that the people most actively involved in improving the racial educational achievement gap are precisely the type of people to reflexively dislike charter schools (because it's "right wing", although I see it more aligned with the centralization vs decentralization axis) and maybe even feel overtly threatened by them (because of their union job). Also, charter schools have to actually figure out how to get buy-in from low-income black and hispanic parents, figure out how to serve this community better, and can't hide behind the excuse of cyclical poverty + orwellian bureaucracy anymore.
I think a lot of educators really would rather work in a system where bad outcomes are guaranteed and thus not their fault, than one in which they actually have the ability to make more than just performative progress in serving the needs of their underprivileged student body.
[0] https://hechingerreport.org/proof-points-charter-schools-hav...
[1] https://www.kqed.org/news/11953408/charter-schools-show-gain...