* Don’t worry. I’m sure LW2 is the only software from here on out which will have silly security bugs.
...Okay, I admit to some curiosity as to how you pulled that one off, though not enough curiosity to go poking around myself in the codebase. Is this one of those things where an explanation (public or private) can be given, at least after the vulnerability is patched (if not before)?
This is a case where, much like Eliezer declining to explain specifically how he won any of his AI boxing matches, I think it’s better to leave a question mark, since it’s a relatively harmless one (see also fighting the hypothetical): “If I were writing LW2, I would simply not write the lines with bugs in them.”
De-anonymizing people who have chosen to post anonymously on purpose isn’t harmless.
Then again, posting from a deactivated account as a hack for anonymity isn’t exactly officially supported either.
I didn’t deanonymize anyone. There are many Marks on LW (what with it being one of the most common male personal names in the West). The people on EA Forum who have been posting about it using the full username, they’ve deanonymized Mark. You should go complain to them if you think there is harm in it. And I am only the messenger about the deanonymization: anyone who uses GreaterWrong & related mirrors has already been deanonymizing all of the anonymous users every time they load a page for years now. A bit late to be worried. (Mark is currently arguing to keep this, saying “it works well enough”, which is uh.)
FWIW, I did actually manage to guess which Mark it was based on the content of the initial comment, because there aren’t that many persistent commenters named Mark on LW, and only one I could think of who would post that particular initial comment. So claiming not to have deanonymized him at all does seem to be overstating your case a little, especially given some of your previous musings on anonymity. (“The lady doth protest too much, methinks” and all that.)
I do, however, echo the sentiment you expressed on the EA Forum (that anonymous commenting on LW seems not worth it on the margin, both because the benefits themselves seem questionable, and because it sounds like a proper implementation would take a lot of developer effort that could be better used elsewhere).
LW2 developer here. I consider it a bug that it’s possible to continue to comment through a deactivated account. I don’t consider it a bug that comments made through a deactivated account can be associated with the account name, since (in the normal case where an account never posts again after it’s been deactivated) the same information is also easily retrieved from archive.org/.is/etc. (And I can think of a dozen easy ways to do it, some of which would be a pain to close off.)
(The officially supported mechanism for anonymous posting is to just make a new single-use account, and don’t attach a real email address to it. We do not enforce accounts having working emails, though new accounts will show up in moderator UI when they first post.)