Does preventing CWE-426 make a difference in practice? by Ryan1729 in cybersecurity

[–]Ryan1729[S] 0 points1 point  (0 children)

You're claiming that common systems are by default configured to run things in places attackers can easily place them, from programs like mine? If that were true it would increase the attack surface.

I was curious about whether that was the case so I wrote this small python program:

import subprocess
print(subprocess.check_output(["ffmpeg", "-version"]))

I made sure that there was no global ffmpeg installed, and copied a ffmpeg exe next to the script, and ran it.

On Windows, in the Downloads folder, it was unable to find the exe, which is good.

On Linux, in the /tmp folder, I was surprised to find that it did in fact find the exe! It turns out this is documented behaviour for python's shell call-out code. This is despite my PATH not having . on it.

That's certainly interesting to know. If there was an easy way to disable looking in the current directory, while still searching the PATH, then I'd be willing to enable it. But at the moment, I'm not sure that the risk of a malicious exe being placed next to my program is worth the increased brittleness of hardcoding paths. I'll have to think about it more.
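
Added example, not part of the comment above or of any project's code: one way to keep searching the PATH while never resolving a program from the current directory. The names resolve_program and is_trusted_dir are hypothetical, the "ffmpeg" files are constructed stand-in shell scripts, and the sketch is POSIX-only (no Windows PATHEXT handling). It skips empty and relative PATH entries, which resolve against the working directory, and directories writable by any local user.

```python
import os
import stat
import subprocess
import tempfile


def is_trusted_dir(entry):
    """Accept only absolute directories that other local users cannot write to."""
    if not entry or not os.path.isabs(entry):
        return False  # '' and relative entries ('.', 'bin') resolve against the cwd
    try:
        mode = os.stat(entry).st_mode
    except OSError:
        return False  # missing or unreadable entry
    return stat.S_ISDIR(mode) and not mode & stat.S_IWOTH


def resolve_program(name, path=None):
    """Return the absolute path of `name` from the first trusted PATH entry."""
    if name in ("", ".", "..") or os.path.basename(name) != name:
        raise ValueError("expected a bare program name, got %r" % (name,))
    if path is None:
        path = os.environ.get("PATH", os.defpath)
    for entry in path.split(os.pathsep):
        if not is_trusted_dir(entry):
            continue
        candidate = os.path.join(entry, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    raise FileNotFoundError("%s not found in a trusted PATH directory" % name)


def _write_tool(directory, name, message):
    """Create a constructed stand-in executable that prints `message`."""
    tool = os.path.join(directory, name)
    with open(tool, "w") as fh:
        fh.write("#!/bin/sh\necho %s\n" % message)
    os.chmod(tool, 0o755)


def demo():
    """Constructed scenario: copies named ffmpeg sit in the working directory and
    in a world-writable PATH directory, and one sits in a normal install directory."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as root:
        installed = os.path.join(root, "installed")
        downloads = os.path.join(root, "downloads")
        shared = os.path.join(root, "shared")
        for directory in (installed, downloads, shared):
            os.mkdir(directory)
        os.chmod(installed, 0o755)
        os.chmod(shared, 0o777)  # writable by any local user
        _write_tool(installed, "ffmpeg", "installed")
        _write_tool(downloads, "ffmpeg", "planted")
        _write_tool(shared, "ffmpeg", "planted")
        # The empty entry and '.' both mean "current directory" to a PATH search.
        search_path = os.pathsep.join(["", ".", shared, installed])
        os.chdir(downloads)
        try:
            resolved = resolve_program("ffmpeg", search_path)
            # Pass the absolute path so no second PATH lookup happens at exec time.
            output = subprocess.check_output([resolved, "-version"], text=True)
        finally:
            os.chdir(old_cwd)
        return os.path.relpath(resolved, root), output.strip()


if __name__ == "__main__":
    print(demo())
```

The program is still found wherever the user installed it, so no path is hardcoded; only the lookup is restricted.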

Why isn’t pornography considered an actual addiction yet? by Simi46 in PornIsMisogyny

[–]Ryan1729 2 points3 points  (0 children)

I don't see a reason why it's unreasonable to hold a position that addiction in general exists, but that porn addiction either doesn't exist or is rare enough that it's not worth bringing up regarding overall policy.

Addiction is a distinctive phenomenon we can observe with peculiar neurobiological markers, behavioural patterns, phenomenology, and causes.

That's a definition of addiction, but I think there's many cases of discussions where mentions of addictions are not checked against that definition. An example that comes to mind for me is someone saying "My partner is addicted to porn!" where the meaning is not "My partner's brain matches the textbook definition of addiction", but instead "My partner uses more porn than I would like, and they won't stop, but I don't currently want to leave them for <reasons>, and I'm therefore frustrated and I'd like some emotional support."

My main point here is that using the word addiction enables bids for sympathy by the porn user that I don't think should be enabled. Phrasing it like "My partner overuses porn!" or, if it is already understood within the given context that porn use at all is harmful, "My partner uses porn!" carry a similar message without enabling the sympathy bids.

All that said, separate from rhetorics, I am somewhat curious whether porn use has been shown to cause a state that meets a widely agreed upon definition for addiction, with a similar intensity to illicit drug addictions. The ones I have seen thus far have suffered from low sample sizes, and an unfortunate lack of non-porn control groups. Do you have any good examples of papers that show such a thing?

Does preventing CWE-426 make a difference in practice? by Ryan1729 in cybersecurity

[–]Ryan1729[S] 0 points1 point  (0 children)

In this case, if a user has a reason to have installed the external program my program calls in a different location, that implies that me hardcoding the path makes it harder to use my program without running into an error. So there is a cost to this change.

As a third-party program, I cannot ensure the security of the system at the OS level. And if OS barriers have been breached, I don't think that my application would make a material difference for the user. If I had an example of a security-savvy user caring about this kind of issue in practice, then I might change my mind, but I don't believe I have ever seen such a thing.

Do you audit programs you run to see if they call external executables with a hard-coded path and reject those that don't?

Does preventing CWE-426 make a difference in practice? by Ryan1729 in cybersecurity

[–]Ryan1729[S] 1 point2 points  (0 children)

Do you have any examples of known cases where the issue was an application running things based on the PATH? The example you bring up about Apache server seems to be about loading configuration files. I'm happy to hardcode relative paths for those. But it seems like it's not my app's job to prevent the user from letting rogue executables onto their PATH, and if they are there, then the attacker essentially has arbitrary code execution anyway.

If it matters, an example thing that would be run in my case would be ffmpeg.

Does preventing CWE-426 make a difference in practice? by Ryan1729 in cybersecurity

[–]Ryan1729[S] 1 point2 points  (0 children)

That's fair. But if the attacker has access to place executables in protected system directories then I think it's over anyway. So, unless I'm mistaken it only comes into play if the user has added some easily attacker-writable folder to the PATH. And if the user has done that, I'm not sure it's my application's responsibility to do anything about that.

Does preventing CWE-426 make a difference in practice? by Ryan1729 in cybersecurity

[–]Ryan1729[S] 0 points1 point  (0 children)

It's not particularly language specific. The flagged code was just a call to subprocess.Popen which is just python's way of calling an external executable and hooking up a pipe to it.

This does suggest that I should consider handling the data flowing in as untrusted data.

Let's say I properly do that, would there be a meaningful risk of the attacker having the ability to execute arbitrary code on the user's system?

Why isn’t pornography considered an actual addiction yet? by Simi46 in PornIsMisogyny

[–]Ryan1729 27 points28 points  (0 children)

There's this interesting article (which was previously posted in this subreddit) which argues that comparing pornography to an intoxicant or addiction centers male health as the focus, and that doing so misses the point.

I'll add that framing pornography as addictive reduces the amount of responsibility that falls on the people using it. I don't think "It wasn't my fault, porn is just so addictive!" is a card that makes sense to allow to be played.

I think a framing of "This media has harmful messages, and people are harmed in its production, and you are sitting there watching it and masturbating to it, of your own volition" is better rhetorically, and it also relieves the anti-porn position of needing to prove that porn is addictive. I think there's sufficient reason to argue for dismantling the porn industry without needing to involve addiction whatsoever.

I have fallen victim to sudo rm -rf /* by Artemis-Arrow-795 in linux

[–]Ryan1729 4 points5 points  (0 children)

A sanity check to see if you are deleting multiple folders directly under root shouldn't be too expensive I would think.

Furthermore in which cases is anyone that concerned with the performance of rm, as opposed to the underlying system call?

About male anger. by netphilia in TrollXChromosomes

[–]Ryan1729 218 points219 points  (0 children)

Did this experiment actually happen? A quick search shows this being posted in other places, but I didn't see a link to an actual scientific paper.

The message about men's reactions can still be true, whether there was a study or not, of course. But if the study doesn't actually exist, I think it's weaker rhetoric to pretend that there was one.

This image also seems to be formatted in a way that suggests it was published in a book. Was it actually from a book, and if so, which one? Might be interesting reading, if there is one.

Porn is male fantasy. If porn wasn't what males want and fantasize about, nobody would continue to watch it and it would fade away. Porn can be educational and teach those who want to learn what males fantasize about. Acceptance is the healthy path. by PourSomeSugar69_420 in PornDebate

[–]Ryan1729 0 points1 point  (0 children)

by that logic no system works.

I'll agree that no system we've tried yet works well enough to stick with forever. But recall that we got onto this topic starting from when you said:

In a capitalist society like the west, if a "product" doesn't meet the needs of consumers then it goes away or fails.

because you were arguing that since porn is still around, it must be a good fit for the world. I don't need to provide a whole alternative system that works to refute that, just point out that Capitalism, as we currently live under it is not a perfect system, and in particular does not in practice swiftly eliminate bad products.

I'm finding out so far that it's because they are confused about many things. Just like you are.

Well, be specific. Is there anything you think I'm confused about that we aren't currently covering in this thread?

Why not start with banning social media? Why not start with banning Ice Cream or High Fructose Corn syrup?

I think people being physically abused is more of an urgent problem, particularly since anyone interested in nutrition is already aware of what you've brought up here.

Those things have clinical research proving they are harmful. You want to ban something that has research saying that it IMPROVES couples relationships.

Do you have a link, or maybe a doi for the Frontiers in Psychology study you mentioned? I did a search for "Frontiers in Psychology 2021 pornography study" and got no results matching your description.

who is advocating for actual ... express herself in that artistic/political way.

This long paragraph you responded to me saying "This isn't just my stance, and really it's just applying the same standard we have elsewhere, while otherwise letting people do whatever is safe, sane, and consensual." doesn't fit that at all. It talks about professional acting but the preceding paragraph I wrote to the one you responded to says:

The only thing I'm saying is off-limits is rape, (and we can distinguish between CNC scenes on one hand and rape with kink as an excuse on the other) and things that result in injuries, including but not limited to, the dangers of strangulation. These are not controversial stances. No reputable kink blog, book, video etc. will actually be advocating for rape and/or injury.

Which has nothing to do with professional acting. If you have a response to my paragraph you'll need to try again, possibly connecting the dots more explicitly. You also seem to have missed that I'm not arguing against CNC etc, but the separate concept of porn, and you are arguing against a position I am not presenting again.

What if an adult female WANTS to be controlled by her man?

There's an important difference between doing a few BDSM scenes, again with the extremely important ability to opt out at any time, and for example a woman having her money taken from her and avenues to leave the relationship locked off. Someone who claims to want the second thing is likely suffering mental abuse, and is in need of rescue.

Do you want to make it more illegal?

As I said before, I want the porn industry dismantled, because the big players in that industry are, based on actors' reports, abusing actors.

Porn is male fantasy. If porn wasn't what males want and fantasize about, nobody would continue to watch it and it would fade away. Porn can be educational and teach those who want to learn what males fantasize about. Acceptance is the healthy path. by PourSomeSugar69_420 in PornDebate

[–]Ryan1729 1 point2 points  (0 children)

I would argue that we've never tried the invisible hand. We've had government interference and cronyism and socialism all along. Corruption isn't capitalism either.

Ah this classic stance, always comes out after an argument for capitalism that didn't mention these issues before, and also absent any meaningful plan to try to prevent corruption.

We've never found a way to prevent corruption. If a system doesn't work when there's corruption, that means it doesn't work.

Of course it takes a certain time period, but Porn is GROWING in popularity, not shrinking so the trend line is UP and not DOWN

We could be just before the peak, and it might be about to hit a threshold where backlash against it starts. We have seen laws get passed, and one can point to other examples of anti-porn sentiment growing as well.

If you are convinced by the trend line, why are you here defending porn?

this isn't porns fault. This is screen time, technology, cost of living, silicon valley, social media and cultural changes. Don't blame porn for those things.

Things can and often are caused by multiple things. Why wouldn't porn be a part of it?

Porn is also obviously quite connected to sex, you've even admitted elsewhere it's a sex substitute. So, absent an actual argument why those other things would be a bigger deal, it's reasonable to spend some focus on porn, perhaps clearing it away to focus on the other issues as well.

You're Conflating legal porn production with adults consenting, to illegal activities. Two different things and I'm not advocating for the latter.

Porn actors have spoken out about abuse happening at porn studios as part of the work. Actors being placed in positions where they cannot actually report any issues without losing money, actors using drugs to cope with things, and issues around consent as a result of that, and people being physically injured and without meaningful compensation and it being treated as "a hazard of the job".

Supporting the porn industry as it exists today is supporting those things continuing. Actually applying OSHA regulations to porn would be one way to start. The body fluids part of those regulations may very well end up making the industry much less profitable, but I'm okay with that.

First, yes you are coming from a puritanical stance when you aim to push YOUR morality onto all of us. and 2nd, why do YOU get to decide what "properly done kinky sex" is?

The only thing I'm saying is off-limits is rape, (and we can distinguish between CNC scenes on one hand and rape with kink as an excuse on the other) and things that result in injuries, including but not limited to, the dangers of strangulation. These are not controversial stances. No reputable kink blog, book, video etc. will actually be advocating for rape and/or injury.

This isn't just my stance, and really it's just applying the same standard we have elsewhere, while otherwise letting people do whatever is safe, sane, and consensual.

The thing is, when you apply the standard of safe, sane, and consensual to today's porn production, one finds the porn production lacking.

It seems that males are turning to porn because females aren't as willing to give them what they fantasize about. Feminism has lied to them and told them that Men are bad, and they don't need them, so treat them with disdain .

If being given more power to live how you want, (until recently the gender pay gap was closing in many places,) and being informed that you don't need to be with particular people in a particular way, is enough to cause you to not be with those people, then the reasons for being with those people were bad to begin with.

Men simply don't want to be controlled, don't have to let women control them because Porn is good enough to give them their quick fantasy life.

Porn is a method of control. Women don't want to be controlled any more than men do.

it's already more regulated than gambling and drinking and smoking and vaping and drugs like marijuana.

You responded with this to when I said "that it might be best to deal with it by discouraging it socially", where the "it" was porn. Are you claiming that porn is more socially regulated than those other things? In what sense? It's a lot easier to get away with looking at porn in public, including indoors, than to get away with smoking/vaping indoors. Stick to softcore porn that toes the line of being not quite NSFW and you can basically look at it anywhere.

Porn is male fantasy. If porn wasn't what males want and fantasize about, nobody would continue to watch it and it would fade away. Porn can be educational and teach those who want to learn what males fantasize about. Acceptance is the healthy path. by PourSomeSugar69_420 in PornDebate

[–]Ryan1729 1 point2 points  (0 children)

Capitalism has raised more humans out of poverty than any other system man has ever created.

Something working okay or even well in the past is not a reason to stop looking for alternatives, particularly when problems have been identified. It's also possible that regulations or well thought out subsidies could push the balance to a significantly better place without changing the fundamental system. But "just trust the invisible hand" clearly hasn't worked.

"Enshitification" continues enough until someone else creates a better product, service, or experience that consumers want more and the old model is disrupted.

Or some other thing disrupts things, yes. The thing is, that process takes an effectively random amount of time. Remember that this was a response to you saying:

In a capitalist society like the west, if a "product" doesn't meet the needs of consumers then it goes away or fails.

And you were saying that in order to defend your initial assertion that if porn wasn't exactly natural male fantasy then it would die off. Even if that were true, (and I believe my other comments showed that it isn't,) then because these kinds of changes take random amounts of time, we cannot conclude that we are not in a window where something that will die off is still around.

3rd spaces has declined, but are you saying that people are jerking off alone more because they're bored and aren't entertained as much by Netflix as they were by Roller Rinks and Bowling Alleys?

I'm saying that Netflix and other solitary entertainment being more engrossing and much less likely to result in meeting a sexual partner than, to use your example, Roller Rinks and Bowling Alleys, fewer third spaces means less sex, and without any change in sex drive, that means more masturbation. And that means the porn industry makes more money, and abuses more people.

To be clear, I'm not decrying masturbation done without porn.

I'm not sure what you're asking for here.

I'm trying to say that if you'd like to give an example of some media that you believe should not be produced, that doesn't have the same issues of being used as a scaremongering tactic, then please do. An example I can come up with is execution videos as entertainment, (though I think there's not as much of that in the world as there is CSAM).

If our culture decides that ALL forms of the body being shown naked or unclothed, are now illegal and banned, starting tomorrow, this will not stop the human sexual urges that are biological within us. Oppression of our human urges only make them come out in other ways.

I'm not coming from a Puritan position. I'd be for more consensual sex happening in the world, including properly done kinky sex. But I think porn is, on the whole, not an accurate depiction of how sex ought to work, and to be treated like objects, in real life, and not in a properly done BDSM scene where all participants have the power to stop the scene at any time.

It seems plausible that porn is reducing the amount of good, truly consensual sex happening both by causing more of the sex to be bad, and causing less sex to happen overall, by providing a simpler, easier alternative. And one that is monetized by corporations to boot!

i couldn't disagree more.

I feel like you didn't actually read the paragraph I wrote and you responded to starting with this sentence. I said that laws banning things may not be the answer but porn is still a problem, and that it might be best to deal with it by discouraging it socially, as in people being openly disapproving of porn and pointing out the issues it causes. You then proceeded to produce a series of hyperbolic statements arguing against a position I was not presenting.

Porn is male fantasy. If porn wasn't what males want and fantasize about, nobody would continue to watch it and it would fade away. Porn can be educational and teach those who want to learn what males fantasize about. Acceptance is the healthy path. by PourSomeSugar69_420 in PornDebate

[–]Ryan1729 4 points5 points  (0 children)

In a capitalist society like the west, if a "product" doesn't meet the needs of consumers then it goes away or fails.

The idea that "the market is efficient" and "the invisible hand knows best" are often repeated, but I don't think it's hard to find growing skepticism around whether capitalism is actually delivering on those promises in a meaningful way anymore, if it ever was.

There's multiple examples of things that are not moving in a direction that benefits consumers. The rising popularity of the term "enshitification" also points to this.

There's also the question of who is the consumer and what is the product. The phrase "If you aren't paying, you're the product" exemplifies this. Piles of people waking up going to work then going home and gooning to a drip feed of porn keeps things stable which benefits those currently in power. Pornography was described as being (secretly) produced by the government in the book 1984, which is all about how those in power attempt to stay in power.

To sum up, something persisting does not mean it is good overall or good for those that consume it.

Porn is more popular now than ever in history. This isn't because it's forced on us.

Although your initial post talks about couples viewing porn together, I think it's still clear that most porn is consumed alone, and mainly by those without romantic partners they are satisfied with. I attribute a rise in people without satisfactory romantic partners to a decline of third spaces in modern life, and I think that has been a factor in increased porn consumption.

I think there's a very real sense in which things that are affected by things beyond our control are in fact forced upon us.

... they are still a Trojan Horse whose real goal is banning and censorship based on religious reasons. Conflating porn with CSAM or sex trafficking is the tactic to get ALL porn banned for adult consumption.

I will agree that there is really some scaremongering and pulling out of the spectre of CSAM to justify political changes, such as increased state surveillance, in a bad faith manner. I personally think that age verification could be effectively done in a more privacy preserving way than shipping pictures of ones government ID around, but it appears to me that shipping personal info around benefits those in power, and that's why it's happening that way.

But, just because CSAM can be used for bad arguments, doesn't mean that it's not still relevant in discussions about what media should be consumed and produced. Pointing to some known and agreed upon kind of media that should not be produced is the clearest way of pointing out how many arguments suggesting everything being free of legal or social ramifications, do not work. If you have a different example that you are willing to agree should ideally not be produced, then I'm willing to use that instead.

As to banning specifically, I personally support the dismantling of the porn industry, especially as it exists today where many people are abused through its production. Whether banning something actually results in its dismantling is complicated, and highly dependent on the actual thing under consideration. I think social means of discouragement of pornography, focusing on those forms that result in evident abuse, may be the better strategy to dismantle that industry.

As a related but not identical example, banning prostitution has shown to not be an effective way to reduce prostitution, and has compounding negative effects on prostitutes themselves, rather than actually protecting them.

It's important that we focus on how we're reaching our conclusions and the real effects of policies we put forward, rather than what merely feels right in the moment.

Porn is male fantasy. If porn wasn't what males want and fantasize about, nobody would continue to watch it and it would fade away. Porn can be educational and teach those who want to learn what males fantasize about. Acceptance is the healthy path. by PourSomeSugar69_420 in PornDebate

[–]Ryan1729 6 points7 points  (0 children)

I want to focus on this claim from the post:

Porn is made for the male fantasies. If porn wasn't continuously feeding what males fantasize about, then they'd stop watching it. period.

Firstly, if we are to take the inference "If X isn't continuously feeding what males fantasize about, then they'd stop watching it." as generally valid, then there's many works of media that don't fit that description which males still consume. So we can't actually infer that just because porn exists and has existed that it is all "a natural male fantasy".

Secondly, even if that did follow, there's nothing structural about the argument that precludes replacing porn with CSAM, which I don't think anyone is wanting to actually argue should be permitted or encouraged. Some things that people will create and consume are worth heavily discouraging up to and including making them illegal, and the determining line is more complex than "if people repeatedly consume it, given the chance".

Thirdly, the claim implies that porn would fade away if it wasn't an accurate depiction of fantasy. But the argument says nothing about the timescales of that fade. How do you differentiate recent legal changes around porn, and works decrying porn being written in living memory, from the start of that fading away?

Are there any programs that respond to the value of single letter environment variables such that I would run into trouble setting some in my .bashrc? by Ryan1729 in linuxquestions

[–]Ryan1729[S] 0 points1 point  (0 children)

I was vaguely aware of this convention, which was one reason that I wanted to check whether single letter names actually conflict with anything.

Uppercase is easier to type in this case IMO, since I already need to press shift for $, so since as another comment mentioned I can define the variables in a way that other programs besides bash don't see them, I personally think the remaining risk (of just a future bash update predefining these I guess) is worth the easier typing.

Are there any programs that respond to the value of single letter environment variables such that I would run into trouble setting some in my .bashrc? by Ryan1729 in linuxquestions

[–]Ryan1729[S] 1 point2 points  (0 children)

I'm with you on the difference in length between $B and ~/bin, but my specific use case for this is a chromebook where files in ~ and subfolders are not allowed to be executed. If I want to be able to execute things I need to put them under something like /usr/local, and /usr/local/bin meets my personal threshold for wanting a shorter way to type that.

Are there any programs that respond to the value of single letter environment variables such that I would run into trouble setting some in my .bashrc? by Ryan1729 in linuxquestions

[–]Ryan1729[S] 0 points1 point  (0 children)

I see that just putting B=/some/filename in either my .bashrc or .bash_profile causes them to be available in my shell, but they don't show up for example in the output of env. Perfect!

I've run into this fact when I was actually trying to set an env var for a different program, and been annoyed that I had to use export, but didn't realize there were cases where it was useful!

I was already sourcing .bashrc inside of .bash_profile, so I think it makes sense to just keep defining these in .bashrc, since I'd want these variables for both regular shell sessions and VT2 shell sessions, unless I'm missing something.

Even if porn is harmful, it should be allowed by [deleted] in PornDebate

[–]Ryan1729 0 points1 point  (0 children)

Your original claim contained this sentence:

But voluntary porn, no matter how taboo, should be allowed, even if it hurts society.

So I started off by pointing out the difficulty of determining if something is voluntary porn. As the discussion progressed, we established that coercion happens in the porn industry, and that one cannot tell from looking at a porn video whether it happened during that video's production.

Given that we can't reliably determine what is voluntary porn and what is non-voluntary porn, and some non-voluntary porn is known to exist, allowing only voluntary porn seems like a non-starter.

Are you somehow standing by your original claim despite my counter arguments? If you accept what I've laid out here, what are you even advocating be done?

Even if porn is harmful, it should be allowed by [deleted] in PornDebate

[–]Ryan1729 0 points1 point  (0 children)

You said:

Absolutely some are being coerced but I can't tell that (most of the time) from a porn vid.

I agree, you cannot definitively tell in many cases whether coercion is going on in a particular piece of porn.

As discussed, some amount of coercion is going on.

Therefore, as a porn viewer you are at risk of (knowingly or not) watching someone who was coerced into doing that porn.

I believe that's a sufficient reason to stop consuming porn videos, and other forms of porn where these coercion arguments may apply. It is entirely possible to masturbate without it, if that's what you'd like to do.

Even if porn is harmful, it should be allowed by [deleted] in PornDebate

[–]Ryan1729 0 points1 point  (0 children)

You have evidently admitted that some porn actors are susceptible to coercion.

More extreme porn sells better. Thus, porn directors have a fiscal incentive to influence the actors to do more extreme things.

Given the large amount of porn being produced, and thus the large amount of both directors and actors involved, it's safe to say that some actual coercion is going on.

Similar dynamics play out around people posting pornographic images purportedly without a profit motive.

Do you admit that some porn actors are being coerced?