Shared posts

24 Dec 21:02

SSL: it’s hard to do right | The Recompiler

by brandizzi

by Karla Burnett

SSL has been in the news a lot in the last few years—flaws like BEAST, Heartbleed, and POODLE have all had far-reaching consequences for the security of the Internet. But what do each of these vulnerabilities affect? And how does SSL actually work again?

To understand, we’ll first need a brief primer on the history of SSL. Initially developed by Netscape in the early 1990s, SSL was designed to provide security for HTTP connections, underlying the new HTTPS scheme. This meant Internet users could be sure they really were talking to, for example, their banking site, and that no one else could see their communications. While version 1.0 was circulated internally within Netscape, 2.0 was the first version publicly released, in 1995. SSL version 3.0 was released a year later, in 1996.

By 1999 the development of SSL had been taken over by independent researchers. They made minor changes (version 3.1) that unfortunately broke backwards compatibility with SSL 3.0. Instead, they released a new version, named TLS 1.0. TLS 1.1 and 1.2 were released in 2006 and 2008 respectively, and as of July 2015, TLS 1.3 is being drafted.

These days, when people describe SSL, what they typically mean is SSL/TLS, since the protocols are largely interchangeable, and both can be used as the underlying security protocol for HTTPS.

But how do they actually work? At a high level, SSL and TLS allow, though don’t require, a client and a server to authenticate one another, and to decide on a secure communication method.

Now, let’s talk about what we mean by “secure communication method”. We really care about two properties: confidentiality, that no one else listening can understand our messages, and integrity, that the messages we receive really come from the party we’re expecting. We also care about availability, that the messages we send can be read by the intended recipient, but it largely falls out of the protocol as designed.

We can achieve confidentiality in two ways, using either a stream or a block cipher. A stream cipher takes a secret key, and uses it to generate a stream of pseudorandom bytes. These bytes are then combined with the message, using a mathematical operation known as XORing, to produce a ciphertext. A block cipher works similarly, though on fixed size chunks of the message, known as blocks. In both cases, the ciphertext produced can only be used to recover the original message by someone who knows the secret key. To use either construction we need to agree on a cipher to use, and a secret key to use with them.

Integrity we achieve using something called an HMAC, or Hashed Message Authentication Code. A hash is a function that maps an arbitrary amount of data into a value of a particular length. Cryptographic hashes are hashes designed to be collision resistant, or hard to invert, meaning that given a hash value it is essentially impossible to find any piece of data that hashes to that value. An HMAC uses this property to provide integrity—we hash the message together with a secret key that only the two parties communicating know, to produce what’s called a tag, which we send along with the message. When the other side receives the message, they regenerate the tag themselves, and compare it to the tag we sent. If they are the same, they can guarantee that someone who knew the secret key sent the message, and that it hasn’t been tampered with. To do this, we need to agree on a hash to use, and another key, this time for integrity.

Both our confidentiality and integrity schemes are forms of symmetric cryptography, meaning they require both sides to know the same key. To prevent replay attacks, where an attacker resends messages they previously saw go by, we also need to decide on a new set of keys for each new connection we establish.
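The tag-and-compare step and the reason for per-connection keys, as an added Python example that is not part of the original article. The message text and the `new_connection_key` helper are constructed stand-ins; in SSL/TLS the key comes out of the key exchange.

```python
import hashlib
import hmac
import os


def make_tag(key: bytes, message: bytes) -> bytes:
    """Sender: hash the message together with the shared integrity key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver: regenerate the tag and compare it to the one that arrived.

    compare_digest runs in time independent of where the two values differ,
    so the comparison itself does not leak how much of a guessed tag was right.
    """
    return hmac.compare_digest(make_tag(key, message), tag)


def new_connection_key() -> bytes:
    """Hypothetical stand-in for the integrity key agreed during a handshake."""
    return os.urandom(32)


def demo() -> dict:
    first_connection = new_connection_key()
    message = b"transfer 10 to account 42"  # constructed sample message
    tag = make_tag(first_connection, message)

    results = {
        # Untouched message, right key: accepted.
        "genuine": verify(first_connection, message, tag),
        # One byte changed in transit: the regenerated tag no longer matches.
        "tampered": verify(first_connection, b"transfer 10 to account 43", tag),
        # Someone who does not know the key cannot produce an acceptable tag.
        "forged_with_other_key": verify(
            first_connection, message, make_tag(os.urandom(32), message)),
        # If the same key were kept for a later connection, a recorded
        # (message, tag) pair would still be accepted there.
        "replay_if_key_reused": verify(first_connection, message, tag),
    }
    # With a fresh key per connection, the recorded pair is rejected.
    second_connection = new_connection_key()
    results["replay_with_fresh_key"] = verify(second_connection, message, tag)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24} accepted={accepted}")
```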

To choose these keys, we use a construct called asymmetric cryptography, in which two parties with no shared knowledge can securely decide on a secret without an eavesdropper discovering it. There are several ways to do this, so both sides need to agree on how they’re going to exchange these keys. As part of this, they also need to authenticate one another, as we talked about earlier.

So, all together we need: a key exchange algorithm, including an authentication method; a cipher, for confidentiality; and a hash to use for our HMAC, to guarantee integrity.

These three properties are combined into one long string, called the ciphersuite. For example, if a client negotiated the Diffie-Hellman protocol (DH) for key exchange, with RSA for authentication, AES_256_CBC as a cipher, and SHA-256 as a hash, the connection would have a ciphersuite of DH_RSA_WITH_AES_256_CBC_SHA256.

Since clients and servers might each support a different set of ciphersuites, the first thing established in an SSL or TLS connection is the ciphersuite to be used.

When the client opens a connection to the server, it sends a ClientHello message, indicating the ciphersuites that it supports, and the version of SSL or TLS it is using, among other things.

The server then picks the “best” ciphersuite the client supports, based on its own preference list, and sends that back to the client in a ServerHello message. Before waiting for a response from the client, the server also sends its certificate, if server-side authentication is desired, its half of the key exchange, a request for a client certificate if one is desired, and then a ServerHelloDone message.

The client responds with a copy of its certificate, if requested; its half of the key exchange; a change cipher spec message, to indicate that all further messages will be encrypted with the chosen cipher; and a finished message, recording the client’s view of everything that has happened. This finished message is used to ensure that none of the unauthenticated communication between the client and the server was intercepted.

The server responds with its own change cipher spec and finished messages, and then the desired communication between the two sides takes place, using the agreed upon ciphersuite. This negotiation process is called the SSL/TLS handshake.
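A toy model of the negotiation just described, added here as an illustration and not taken from the article or from any TLS library. It splits a ciphersuite name into its parts, picks by server preference, and shows two client-side checks catching a ClientHello that was altered on the wire. The sample lists, the fixed secret and the single keyed hash standing in for the finished message are all assumptions; real TLS derives that value differently.

```python
import hashlib
import hmac


def parse_ciphersuite(name):
    """Split e.g. 'DH_RSA_WITH_AES_256_CBC_SHA256' into the agreed properties."""
    key_part, sep, rest = name.partition("_WITH_")
    if not sep or "_" not in rest:
        raise ValueError("not a ciphersuite name: %r" % name)
    tokens = key_part.split("_")
    export = "EXPORT" in tokens
    tokens = [t for t in tokens if t != "EXPORT"]
    if not tokens:
        raise ValueError("no key exchange in: %r" % name)
    cipher, mac_hash = rest.rsplit("_", 1)
    return {
        "key_exchange": tokens[0],
        "authentication": tokens[-1],  # same token when one algorithm does both
        "cipher": cipher,
        "hash": mac_hash,
        "export_grade": export,
    }


def negotiate(offered, server_preferences):
    """ServerHello choice: first suite in the server's order that the client offered."""
    for suite in server_preferences:
        if suite in offered:
            return suite
    return None


def finished(secret, transcript):
    """Simplified finished value: a keyed hash over every handshake message seen."""
    return hmac.new(secret, "\n".join(transcript).encode(), hashlib.sha256).digest()


def handshake(client_offer, server_preferences, in_transit=None):
    """Run the toy handshake; `in_transit` may rewrite the ClientHello list."""
    seen_by_server = in_transit(client_offer) if in_transit else list(client_offer)
    chosen = negotiate(seen_by_server, server_preferences)
    if chosen is None:
        raise ValueError("no ciphersuite in common")
    secret = b"constructed-shared-secret"  # stands in for the key exchange result
    client_view = ["ClientHello:" + ",".join(client_offer), "ServerHello:" + chosen]
    server_view = ["ClientHello:" + ",".join(seen_by_server), "ServerHello:" + chosen]
    return {
        "chosen": chosen,
        "export_grade": parse_ciphersuite(chosen)["export_grade"],
        # Check 1: a client should refuse a suite it never put in its ClientHello.
        "client_offered_it": chosen in client_offer,
        # Check 2: both sides' records of the handshake must agree.
        "finished_matches": hmac.compare_digest(
            finished(secret, client_view), finished(secret, server_view)),
    }


# Constructed sample lists, written in the name format the article uses.
CLIENT_OFFER = ["DHE_RSA_WITH_AES_256_CBC_SHA256", "RSA_WITH_RC4_128_SHA"]
SERVER_PREFS = ["DHE_RSA_WITH_AES_256_CBC_SHA256", "RSA_WITH_RC4_128_SHA",
                "RSA_EXPORT_WITH_RC4_40_MD5"]


def rewritten_in_transit(offer):
    """Models a ClientHello whose list was replaced before reaching the server."""
    return ["RSA_EXPORT_WITH_RC4_40_MD5"]


if __name__ == "__main__":
    print(handshake(CLIENT_OFFER, SERVER_PREFS))
    print(handshake(CLIENT_OFFER, SERVER_PREFS, rewritten_in_transit))
```

The second check only holds while the secret behind the finished value is unknown to whoever altered the message, which is why weak key exchange parameters matter as well.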

That’s all there really is to SSL and TLS, as they were designed. There are some subtleties around closing connections, and lots of things to watch out for in error cases, but those are the basic principles you need to understand for the attacks of the recent years.

Let’s start with the BEAST attack. Discovered in September 2011, it’s a vulnerability in TLS 1.0’s CBC mode block ciphers, which make up more than half of the ciphers provided by TLS 1.0. Although the vulnerability had been known about for years, and was preemptively patched in TLS 1.1, it took until 2011 for a practical attack to be demonstrated. The vulnerability allows a person in the middle to determine the content of an encrypted packet by guessing later ones, in what’s called a chosen plaintext attack. Client side mitigations are possible, while server side mitigation consisted of promoting RC4 ciphers above CBC ones, so that most clients would negotiate the safer RC4.

In September 2012, CRIME was released—a compression attack against all current versions of TLS. In short, TLS supports compression, but was not correctly separating trusted and untrusted parts of a compressed message. An attacker who could control part of the plaintext, and observe the size of packets sent, could use this to calculate unknown parts of the plaintext.

Lucky Thirteen was released in February 2013, and was a timing attack padding oracle, affecting all SSL and TLS CBC mode block ciphers. It occurs because of the placement of data in messages; those with two correct bytes of padding are processed slightly more quickly than those without. This acts as a padding oracle, allowing an attacker to determine the plaintext of an encrypted message.

Just a month later, in March of 2013, additional biases were found in RC4, a stream cipher used in both SSL and TLS. This means that it takes a small number of bytes, and extends them into a much longer stream, which the original message can be XORed with. These bytes should be random, but as discovered in 2013, some of them are not as random as hoped. While not an attack per se, these biases allow an attacker who can perform 2^24 requests to recover parts of an encrypted message. This meant the RC4 stream cipher was no longer considered secure.

A year after CRIME’s release, in August 2013, BREACH was released. This was another compression attack against all versions of SSL and TLS, this time at the application level. Rather than relying on TLS compression, an attacker instead uses HTTP level compression.

In February 2014, goto fail was discovered. This was not a flaw in SSL or TLS themselves, but a bug in Apple’s SecureTransport implementation. When using DHE or ECDHE cipher suites, a particular check would always be ignored—that the certificate provided by a server actually belonged to it. This meant that the authenticity of the server a client was talking to could not be guaranteed.

Two months later, in April 2014, Heartbleed was released. This too was an implementation bug, though this time in OpenSSL, inside the heartbeat TLS extension. An incorrect bounds check meant that the server would trust the client to specify the length of a message sent. A malicious client could ask the server to send a message much longer than the amount of data available, leaking other information stored in server-side memory. This would allow, for example, the server’s private key to be leaked, and its connections to be intercepted.
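The missing check, shown as an added Python model rather than OpenSSL's own C code. A heartbeat message carries a 1-byte type, a 2-byte payload length, the payload and at least 16 bytes of padding (RFC 6520); the buffer below is constructed, with unrelated bytes placed after the record to stand in for neighbouring server memory.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
HEADER_LEN = 3     # 1-byte type + 2-byte payload length
MIN_PADDING = 16   # RFC 6520: at least 16 bytes of padding follow the payload


def respond_trusting(memory, record_len):
    """Flawed handler: echoes as many bytes as the message claims to carry.

    record_len (the number of bytes that actually arrived) is never consulted,
    which is the whole bug.
    """
    _msg_type, claimed = struct.unpack_from("!BH", memory, 0)
    payload = memory[HEADER_LEN:HEADER_LEN + claimed]  # can run past the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload


def respond_checked(memory, record_len):
    """Hardened handler: the claimed length must fit inside what was received."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None  # too short to be a heartbeat at all
    msg_type, claimed = struct.unpack_from("!BH", memory, 0)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + claimed + MIN_PADDING > record_len:
        return None  # length field exceeds the record: discard silently
    payload = memory[HEADER_LEN:HEADER_LEN + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload


def sample_memory(claimed_len):
    """Constructed input: a 4-byte payload whose length field says `claimed_len`,
    followed in the same buffer by unrelated data, as heap neighbours would be."""
    record = (struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len)
              + b"ping" + bytes(MIN_PADDING))
    neighbour = b"constructed-private-key-bytes"
    return record + neighbour, len(record)


if __name__ == "__main__":
    for claimed in (4, 40):
        memory, record_len = sample_memory(claimed)
        print("claimed length", claimed)
        print("  trusting:", respond_trusting(memory, record_len))
        print("  checked: ", respond_checked(memory, record_len))
```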

Another implementation bug in OpenSSL was discovered in June 2014, CVE-2014-0224, or more informally, CCS injection. In this case, CCS stands for ChangeCipherSuite, and is the message that’s sent just before the SSL or TLS handshake is finished, to indicate that communication from then on in should be encrypted using the negotiated ciphersuite. Unfortunately, if an attacker sent a CCS message at a certain earlier point in time during the connection, they could coerce both sides into generating their key exchange secrets using only publicly available information. This would allow an attacker to read all further communication.

POODLE was released in October 2014 and, bucking the 2014 trend, was not an implementation bug. A padding vulnerability in SSL 3.0’s CBC block cipher allowed encrypted content to be leaked to an attacker, if they could persuade a client to visit a site that they controlled. This, in combination with the RC4 weaknesses previously discussed, meant that even with BEAST mitigations, no SSL 3.0 cipher could still be considered secure. This problem was exacerbated by the downgrade behavior of many clients—since TLS was not backwards compatible, in the event of a failed TLS handshake, many clients would automatically retry the connection with SSL 3.0. Unfortunately, an attacker could also trigger this behavior. Mitigations against this part of the attack were released, in the form of the TLS_FALLBACK_SCSV ciphersuite, but they required both client and server support to be effective.

FREAK, another implementation bug, affecting both OpenSSL and Apple’s SecureTransport, was discovered in March of 2015. To fully understand this bug, we need to take a brief trip back to the 1990s, when the US had strict laws around exporting weaponry, including strong cryptography. To support foreign clients who were unable to use this strong cryptography, a number of intentionally weak ciphersuites were added to SSL and TLS—the so-called export ciphersuites. In the late 90s, the restrictions on cryptography were weakened, however, support for the export ciphersuites has lived on in server-side implementations, often for compatibility reasons. FREAK allows a person in the middle to change the ClientHello ciphersuites from standard RSA to export grade RSA, even if the client did not allow export grade RSA.

Finally, in May 2015, an attack named Logjam was released, targeting the Diffie-Hellman key exchange method used in SSL and TLS. It provided a way for 512-bit, or export grade, Diffie-Hellman parameters to be factored. This meant the connections negotiated with this key exchange method could be intercepted. 1024-bit Diffie-Hellman keys also became unsafe, as they were thought to be within the range of adversaries with significant power, such as nation states like China or the US. The attack was also made more feasible by the sharing of Diffie-Hellman parameters across servers, which was previously thought to be safe, but drastically cut the cost of performing an attack. Reminiscent of FREAK, a flaw in the design of SSL and TLS also means that it is possible for an attacker to intercept the ClientHello message and downgrade the connection from standard Diffie-Hellman to export grade.

So where does all this leave us? SSL 2.0 has fundamental protocol flaws and is known to be broken. SSL 3.0 has no ciphers left that are considered totally secure, and support is currently being phased out of major browsers. TLS 1.0 ciphers are also in a poor place, requiring BEAST mitigations to be considered secure. TLS 1.1 and 1.2 are better off, with several of their ciphersuites still thought to be totally secure.

Unfortunately, adoption of TLS versions greater than 1.0 remains low, with only around 60% of sites supporting TLS 1.1 or 1.2. Additionally, keeping server-side ciphersuite preferences and mitigations up-to-date has also proved challenging—more than half of servers still support RC4 ciphers, and more than 80% of them are still vulnerable to BEAST.

What does this all mean for you? If you maintain servers, please keep their SSL/TLS libraries up-to-date. Take updates when you can, and review your ciphersuites periodically, using a tool like SSL Labs’ server test. As a client, your task is much easier—just use an up-to-date browser.

There’s still a lot of work to be done to make TLS easy to use, and to bring the protocol up to date with more modern cryptography. However, having more people understand the pitfalls we’ve fallen into in the past, and how to configure things in the present, will help keep everyone’s communications secure into the future.

Karla is a security engineer at Stripe, who enjoys breaking computers, fixing software, and assorted arts and crafts.


24 Dec 21:02

Size and Change — Red Hat Open Source Community

by brandizzi

I have been thinking about how size can affect culture and adaptability of groups recently. The topic once again came up today in a talk about what makes a healthy community. The answer to that will depend on the community's size and maturity. An open source project, in the words of one participant in one conversation I had recently on this subject, should have "the minimum level of structure to allow it to function effectively." I agree—just enough is the right amount. This article contains some ponderings on the relationship between size and communities, and some conclusions we can take from that.

Size and Culture

I have been thinking of this because of a few converging issues—one project I work on, which started with four people, now has more activity than we can handle, and we are thinking of how to grow the group of (OpenStack style) committers. I have been helping another project figure out how to create a governance structure to allow them to grow effectively beyond their current size, where they have about 10 active companies and about 150 active developers. And the company I work for has been going through some growing pains as we go past 10,000 people in size.

The work of Robin Dunbar comes to mind—he of Dunbar's Number. In How Many Friends Does One Person Need?, he examines the nature of communities of different sizes. He finds a number of group sizes that recur often, and their characteristics change at certain size limits: The specific sizes he points to are 5, 15, 50, 150, 500, and 5000—he suggests that there might be something special about this scaling factor of three. But he does not talk a lot about evolution—how group dynamics change as the groups grow. A few examples occur to me from my own experiences:

  • One small company I worked for used to have a monthly dinner with all staff and their partners—possible when there were five or six employees and 8 or 10 people at dinner, but that gets more difficult as you get bigger.

  • Another company, we were between 15 and 30 employees while I worked there—every morning, everyone, when arriving, used to say good morning to everyone else in the company. At some point (around 20 people), people stopped doing that, and just said hello to the people they met on their way to their desk, and the people in their immediate office.

  • As mailing lists grow, the peer pressure to respond personally to any individual message diminishes. At a certain size, it becomes much more difficult to evaluate the authority level of a person posting on the list, and the social ties weaken between list participants. On one list I participated in, when the main list got too busy, they created a "developers" mailing list where they could hang out together. A similar phenomenon happens with IRC channels.

  • I remember talking to a friend who was the founder of a growing tech company, who told me about the first time his company hired someone he had not personally interviewed—my recollection is that it happened after the company passed 50 employees, but before it hit 70. Around the time the company had 50 people, the overhead of interviewing and hiring new people grew beyond his ability to scale.

There are multiple other scaling events—when do you implement some kind of HR process for absence management, expenses, pay raises, and so on? How big are you when it becomes cost effective to hire a full time accountant, lawyer, administrator, talent acquirer? When is a single team in your company big enough that you need to hire or promote someone who is not a founder to management? How big before it is unreasonable to ask everyone's opinion on a work change that impacts everyone?

These events are specific to companies, but communities have similar scaling experiences. At some point, the project maintainer will not be personally reviewing all changes to the project. Tools and process will need to be added for managing bug reports, releases, automated builds, source control. As the project gets bigger, you will hit a point where it is more work than volunteers can do to maintain infrastructure, and your project may need to budget money for a sysadmin. And if you need budget for a sysadmin, you may be at a point where it is worthwhile having someone work on fundraising, business development, content management, and other tasks that community volunteers traditionally do not do well.

Structure and Relationships

At each of these changes, required structure and process is one axis. The other axis, perhaps more significant, is how people in the group relate to each other. Individuals can have multiple identities at once, each of which is stronger or weaker. I can be part of a project and part of a company at the same time—and whether I consider myself a project foo developer who gets paid by company X, or a company X employee who happens to be working on project foo, is a very personal thing, depending on the depth of the relationships that I have with other members of the groups "project foo" and "company X."

The relationships with group members will change over time, as group size changes. I started my open source developer career as a developer of the GIMP, spent over a year as the GIMP release manager, and organized multiple GIMP events, but over time I have drifted away as the project evolved, and some of the people I had close relationships with in the project reduced their activity. At the same time as my ties to the GIMP were waning, I was spending more and more time in the GNOME project—and around 2004 or 2005, I would have considered myself more a part of the GNOME project than the GIMP. And so on throughout my career. I have maintained some lifelong friendships with current or former GNOME project members, but that is not such a big part of my identity any more.

There are a number of ways that identity can change as groups grow—and one of them is to break into sub-groups. A Nova developer may still feel like an OpenStack developer, but the personal connections with people working on the Nova project will be stronger. And the Nova core reviewers group will have even stronger relationships with each other. You see this happen with conferences all the time. When a conference starts out, and the number of attendees is in the low hundreds, you have a small number of organizers who are close friends, and attendees have rich relationships and conversations. As a conference gets to the high hundreds, you start to see "tracks" form, where big sub-groups gather to share knowledge specific to them—with a resulting lessening of awareness of what is happening in other projects. When the OpenStack Summit got towards 1500 or 2000 people, you started to see a completely separate sub-event forming for developers—the "OpenStack developer" identity is reinforced, at the expense of some awareness of the technical community in the greater OpenStack ecosystem. And now, with the main event over 5000 attendees, another inflection point has been reached, where in addition to per-project tracks at the developer summit, specific projects are co-ordinating smaller "mid-stream" events to encourage the creation of an even tighter per-project active participant identity. Beginning next year, the developer event will be held completely separately, which will help to reinforce the "OpenStack developer" identity by making that event smaller.

Once again those numbers—150, 500, 1500, 5000 - Dunbar's inflection points—match quite nicely to the moment where the communities feel an unease with the state of affairs, and start to look for ways to scale further.

Loss of Voice

Christopher Alexander et al. describe the "Community of 7000" (close enough to Dunbar's 5000) in A Pattern Language, a 1970s architecture book (part of the Portland Experiment series—hat-tip to Federico Mena Quintero for introducing me both to this and to Jane Jacobs' theories on the evolution of healthy communities). His characterization of this, which matches both Dunbar's group of 5000 (and coincidentally Plato's theoretical optimal size of a democracy, 5040), is that it is also approximately the size of a group where an individual feels that they have no say in the affairs of the group. It is also the size at which town meetings in Massachusetts can move from "open to all" to representative meetings, open only to elected representatives (6000 residents). And it is also a size at which companies tend to hit scaling challenges both in terms of revenue, cost of innovation, and general employee satisfaction (moving from "feeling like part of a family" to "feeling like a cog in a machine"). Geoff West has described (article) how companies (TED video) act like organisms—as they get bigger, their growth slows, and they become dominated not by innovation, but by economies of scale. There are a multitude of articles describing the periods of growth, with periodical moments of crisis, in the growth of articles (here's one and one more). I contend that open source projects that stay centrally organized act more like companies, and those who achieve hyperdecentralization (what Ori Brafman describes as a "starfish" organization in The Starfish and the Spider) act more like ecosystems like forests and cities.

Conclusion

What does this all mean? It means that communities evolve and mutate as they grow. The minimum viable infrastructure for a small three-developer project is not the same as for a huge ecosystem like OpenStack. There will be moments of growth punctuated by moments of unrest—and at those moments, change is needed to allow growth to continue, or the community will stagnate and die. Those changes will occur around the boundaries of Dunbar's numbers. With each change, something of what went before will be lost, causing nostalgia, anxiety, and some discontent that things were better before. Good communities will pay attention to these emotional consequences too. Perpetuating the founding values of a community as it scales is a challenge, and as a community grows a mix of dogma, lore, and stories can be used to pass on values. It means that as communities grow, group identity, and the sub-groups that grow from group identity, needs to be managed—to avoid the anti-patterns of the clique, the water cooler, or corporate command and control. Applying consistent community values will help avoid such anti-patterns.


24 Dec 19:58

Comic for 2016.12.24

by Kris Wilson
24 Dec 19:55

Whomp! - Cold Lurkey

by tech@thehiveworks.com

24 Dec 19:54

Second Most Famous

by Doug


Alas! No one sings songs for Grondor. A sequel to a comic I drew 7 years ago!

I’ll be taking my annual Christmas break, but I’ll be back on December 31. See you then, and hope you have a happy and relaxing holiday! :)

24 Dec 19:54

How to Suppress the Urge to Kill

by Scott Meyer

I don’t actually admire Emperor Palpatine. He was just the first example I could think of of someone easily recognizable who was famous for urging others to kill.

Anyway, to counterbalance the unwholesome message of the third panel, I offer you this, the wisest thing Captain Kirk ever said about human nature.

Note from Missy: Huh! I thought for sure this speech was given to the dudes who had faces painted half-white and half-black, who were racist against the dudes who also had half-white and half-black faces, but the white and black sides were flipped. Some Trekkie I am.

 


24 Dec 19:53

Terminal forever

by CommitStrip

24 Dec 19:53

Containing My Emotions

by Grant

You can now pre-order my book! It will be published by Abrams in 2017.

24 Dec 19:52

Saturday Morning Breakfast Cereal - The Room

by tech@thehiveworks.com



Hovertext:
They die frustrated, which is the mathematician version of happiness.

24 Dec 19:52

Nothing From Santa

by Brian
24 Dec 19:50

Saturday Morning Breakfast Cereal - The Other Side of the Chessboard

by tech@thehiveworks.com



Hovertext:
In my earlier version, the high quantity of rice shatters the chessboard, technically eliminating all squares.

24 Dec 19:48

loadingartist: I WANT NOTHING

24 Dec 19:47

Google Search Master

by CommitStrip

24 Dec 19:46

Photo



24 Dec 19:45

326

by extrafabulouscomics@gmail.com


24 Dec 19:45

tbt




24 Dec 19:45

2 Kool 4 Skool

by delfrig

24 Dec 18:55

It's in the crack, stupid!

by maryw1

I’m a woman without conviction

 

 

The founding act of Western culture: on the very first day, God separated the Light from the Darkness.

We wanted nothing more to do with the darkness. We tried to hide it. Darkness is deplorable.

————————————-

I live in an apartment building. On the ground floor there are some dentists' offices. Twice a week the alarm goes off. Usually in the small hours. Today I got back from the gym at 10 at night and it was already going off (it still is). I went in through the corridor because I wanted to know which office it comes from. I always forget to ask the next day. And when I run into the building manager we end up talking about chocolate. She has two chocolate shops around here. Anyway, in front of the offices, I saw a fire extinguisher. It is obvious what should happen in a just world. I would grab the extinguisher, hurl it at the door and, once inside, beat the alarm with the extinguisher. Afterwards, I would be arrested. Not before killing the dentist, of course.

They've already made a movie like that. It represents me so much.

————————————-

I saw the numbers from the American election. They didn't vary that much. Republicans got their usual votes plus those of the Rust Belt. Hillary lost a little here and there. But nothing that would justify setting off alarms. Except for this. That we feel deeply. That not everything is fine. That something stinks in the West. So strongly that you can smell it on the periphery. I am not a person of strong theoretical convictions. I quickly get excited about alternative ideas and readings. I never thought it was a virtue. I sense some fragility in my edifice of thought. Lately, I've found it a good thing. I've been willing to think anything. Fuck it, right?

————————————-

“The useless intellectual, political and scholastic quarrels are nothing but the expression of the intelligentsia's confinement in its world that is coming to an end. It does not know its own time. Which takes its revenge with all kinds of excess.”

(Michel Maffesoli. A Parte do Diabo)

————————————-

I've been reading a bit of Maffesoli because I'm teaching a class tomorrow. So I need the shoulders of giants. Who doesn't? In this book, he basically talks about the revolt that germinates silently. Political apathy, the “let it roll” attitude. He tells us that something very big is crumbling. Which would be Western civilization itself. That for centuries, philosophers rose up in search of the Good. Institutions and processes that would take us to better places. It never happened. We never lived well. And the sum of those practices turned out to be frightening (colonization, catechization, etc.). But there was a Good as the goal. Operating there, in the abstract. And Evil was never mentioned. When it was, it was in order to be solved. Do this and that and we will have peace and unity among all. It didn't happen. And Evil, which was homeopathically spread around, began taking a new form. And escaping through the cracks. It is the Devil. Who has come to collect his share. We were in debt.

Obviously Good and Evil here are figurative, right? He is talking about the things the West tried to hide. God, Good, Reason vs. Devil, Evil, Passions
————————————-

I was really shocked by one thing in all the audio recordings leaked by Lava-Jato. By the crudeness of the elite. I really didn't expect such vulgar conversations. Cash in the pocket is the general interest. Nobody talks about Brazil. Not even as a strategy to dominate, I don't know, Africa. It's just viscera. There is no Enlightenment. Nor mind-body duality. It's just viscera. The Devil's share. I remarked on it to a friend. “This elite wouldn't build a MASP”. It never would.

————————————-

Most people have been calling those votes, which I take as convulsions, rational votes. How can they be? There is no understanding whatsoever of how the system works. There is only a model of civilization collapsing. Precisely because rationality was, is, a fantasy. How, then, is the vote that “discovered” that the system cannot be trusted going to use PRECISELY the most applauded tool of that system?

It doesn't add up. Either you vote rationally according to the rules. Or you go anti-establishment with some other motivation.

————————————-

Several things bother me about political correctness. Several. But I'm relatively on board. Except that when I saw Janaína Paschoal giving the snake speech, at Largo São Francisco, I thought “this woman is crazy”. I didn't say it. Because I'm no fool. But the expected happened. A lot of reflection on that. The disservice it did to psychiatry to see madness trivialized like that. Yesterday, in Piauí, I read Janaína herself saying, about herself. Clinically, I don't think I'm crazy; symbolically, I think I am. People. Who didn't see her swing the flag around? For the love of God.

Madness is a thing that gets away, isn't it? It's out there. We try to classify it but it escapes. Professor of Law by day, at night the madwoman on the podium. Crack. She pulled a crowd along. She carried out the impeachment of a president. Madness is an important part of her persona. Why is it a disservice? Then I read that, in the Senate, government and opposition laughed at her, mocked her. Enlightened. Rational. They didn't see that Janaína Paschoal had what is most valuable today. The cracks open to the shadows.

————————————-

A shitty world like this could only end in catharsis. Maffesoli says that destruction and excess anticipate a new harmony. We'll see?

————————————-

I know it's time to look at the entrails. Odors and humors. The last place to understand why Temer is going to fall is a union assembly, for example. It's in the snake speech that the smell of the drain is. Unionism, poor thing, doesn't smell of anything anymore.

A student asked me why I wasn't going to the occupations. "So as not to ruin them", I answered. It's a new time. There is no engagement and project for the future. Only urgencies. No hablo the urgency of the occupations. I'm afraid of getting there and wanting to help. God keep me from trying to help.

————————————-

Gender Trouble, by Judith Butler, also goes straight to the crack. For us to understand gender, we need to erase some individuals. And that's why they matter. They show us the failure of this normative system. A travesti makes it clear that the system is authoritarian. And doesn't work perfectly. Gender is as authoritarian as sex. The so-called "gender ideology" sounds like a joke. That's exactly it, Mr. Pastor, we're saying there isn't any.

I was born this way, I grew up this way, I'll always be this way. But nope. At some point it will crack.

————————————-

Another thing Maffesoli says. It's no longer time to criticize. It's time to admit. Reductio ad cotidianus. It's no accident, huh? That the one who got everything right was a documentary maker, Michael Moore. What does he do? He walks around. Talks to one person, to another. And a reporter from El País goes to talk to the voter from the periphery who voted for Dória. And we go wow. That's a lie. We share it and write "THIS" on top. But that's really it. The intellectuals aren't arriving in time. (Nor are the journalists, right? Always afterwards.)

Maffesoli proposes a new methodology of empirical life. But that's beside the point here.

————————————-

Everyone has a Shadow, right? That's why the immediate post-election moment is interesting. Because everyone connects with the eruption. Afterwards we settle back into the statistics. And calm down. The left, irritatingly, says it has no Shadow. And gives notice right away. That it doesn't want to live in a world with intolerant people. And promptly takes the extermination measure within its reach. "I'm going to clean up my timeline". Cleaning. God's share. Get the Devil out of here. I've noticed that the left blocks more than the right. The fury of the unfollow translated as "housecleaning". Cleaning is what?

————————————-

Charles Taylor (another book, another thing) says that modernity develops some ethics of its own. Ethics in the sense of a way of conceiving the world and moving within it. Then he talks about the "ethics of expressiveness". Which is the phenomenon of artists' opinions carrying the same weight as the opinions of specialists and politicians. My father used to say that no matter what happens. We'll end up knowing what Caetano's opinion is. This confusion of spectacle with life and so on. And I saw some people saying that The Apprentice was crucial for Trump. Sullivan even says this:

Trump's television tactics, applied to the primary debates, ended up annihilating rivals accustomed to a different kind of game. And all our training in reality shows conditioned us to hope that he would be the winner – or, at least, that he would stay in the game until the final round. In a media environment like this, stripped of any modesty, the jerks often win. And in the end you root for them precisely because they are jerks.

For God's sake. Has anyone still NOT read Sullivan's article?

————————————-

But then you'll say that Caetano supported Freixo. Hollywood supported Hillary. But it's not that easy. It seems to me there has to be a degree of agency on the artist's part. Which not everyone is willing to have. It's not just the image. There has to be an engagement. But I'm still thinking about this.

I know my friends all keep sharing Gregório Duvivier. Every week it's this. I, the last Enlightenment thinker, don't know what the fuck I can learn from Duvivier. But he slays. A good part of the discussion about the impeachment was fought out as Duvivier vs. Lobão. At some point Pitty got in too. And Roger, from Ultraje. Fernanda Torres ventures in every now and then.

A well-known adviser to the FHC government posted on Twitter that she had gone to a VIP premiere of the Chico Buarque film. She said she loved it and cried. Followers tore into her. She, poor thing, an Enlightenment thinker too, tried to say that Chico was a musician she adored. Nobody understood. They surround the man in restaurants. And post it on the internet.

————————————-

#SomosTodosDeploráveis

————————————-

I no longer know whether I put Crivella in this Trump/Bolsonaro scheme. I think he's a crack plugger. It won't work. Maybe the IURD is more perceptive. And is working in the cracks. There with the wanderers, the blind and the migrant. But I don't know. It seems to me they bet heavily on the System. They learned how to use the system. They became experts in the system. Which is collapsing.

But why did he win? Because the Masters of the Cracks don't run for mayor. The Zeitgeist runs deeper.

————————————-

I will never be the person to make the case for Sociology in high school. Sociology in school is for teaching citizenship. Teaching how to vote. Teaching and teaching. What's the use? Does anyone REALLY think a citizenship class makes a citizen?

Does anyone, apart from the Enlightenment thinkers, still want a citizen?

————————————-

I was reading this to prepare the class. But I won't use it. I'll take the same old road. The working class sees its standard of living deteriorate. Here it blames the PT, there it blames immigrants. It foments racism. Besides that, the rise of women to leadership positions calls masculinity into question.

That's why we always have to consider the intersectionality of class, race and gender.

I'll say that. But not even if Nate Silver appeared before me would I believe it. It really doesn't account for it. This analysis stays there. With the Devil prowling around. And things coming out through the cracks.


21 Dec 18:37

Bears

by Will Tirando

21 Dec 18:29

Anésia # 317

by Will Tirando

21 Dec 18:21

Comic for 2016.12.18

by Kris Wilson

21 Dec 18:20

Gateway Beverage

by Reza

21 Dec 18:15

Why so serious?

by Will Tirando

21 Dec 18:14

Saturday Morning Breakfast Cereal - The Math Professor's Lemma

by tech@thehiveworks.com


Hovertext:
Oh, woops, I meant to write 'the solution is trivial.'

21 Dec 17:45

Kingdom

by Reza

21 Dec 17:43

Startup Opportunity

While there's no formal regulation, it turns out their industry group is NOT one you want mad at you.

21 Dec 17:41

Saturday Morning Breakfast Cereal - The Talk

by tech@thehiveworks.com


Hovertext:
Somewhere in the multiverse, there's a superior universe where all comics are this dorktastic.

New comic!
Today's News:

Drawn with great humility and thanks to one of my favorite people. Scott did all of the real work, and I threw in some dirty jokes. So, hey, a pretty good deal all around.

Also,

Wednesday Book Reviews!

Our Magnificent Bastard Tongue (McWhorter)

I’m still on this McWhorter kick. This one was good, but not as good as some of the others. It’s about English and its interactions with other languages. The bulk of the book is about the idea that repeated conquests of English speakers resulted in English being particularly simplified in terms of its grammar, especially compared to related languages. There is also a large section on a proposed link between Celtic and English grammar, and even a section positing links between German and Hebrew. The latter idea is based on the work of Theo Vennemann, whose ideas are (as far as I could tell from google and wikipedia) found to be interesting but probably wrong. Because it’s McWhorter, there’s also a long lament about the popular usage of the Sapir-Whorf hypothesis. You get the feeling that his later book “The Language Hoax” was a great unburdening of linguistic angst.

An Extraordinary Time (Levinson)

This is yet another book about the idea that we are in a period of stagnation in terms of economic improvement for the average western person. Although it was enjoyable, as a book it didn’t make a strong argument. Most of the book is (admittedly fascinating) historical tidbits about technological development, mostly in the 20th century leading up to the 1970s. Levinson’s perspective ultimately agrees with that of Robert Gordon and Tyler Cowen, at least to the extent that they all blame the nature of post-1970s technology for the failure to improve the average person’s life. And, like the others, Levinson has hope that a few technologies on deck (e.g. self-driving cars) will reverse that trend.

21 Dec 17:40

focused

by Lunarbaboon

21 Dec 17:40

Whomp! - Wail of a Time

by tech@thehiveworks.com

21 Dec 17:33

Saturday Morning Breakfast Cereal - Pi

by tech@thehiveworks.com


Hovertext:
God: Did you know you can TRIPLE the amount of anything, using this special constant called Three?
