In France, there are always enough polling stations. Schools and town halls are polling stations. More people whose ballots to count? That's automatically more people to run polling stations and count the votes. The very notion that some areas may be disenfranchised by lack of polling stations is inconceivable.
In France, people must show ID to vote, and must register in advance where they will vote with their ID, so multiple-vote fraud is almost impossible: it would require complicity between multiple government services, that check the one-to-one-to-one correspondence between people and identity documents and polling stations. Even then, a cheat there would leave quite a paper trail, especially as polling stations record who voted. For that effort, each cheater with duplicate identities could only go to so many different polling stations in a day. Massive fraud would be hard to pull off, and even harder to conceal.
In France, there are no complex ballots on which one needs to do markings with the right kind of pen. No confusion as to how to mark ballots. No manipulation by making some names come first or appear multiple times. No subjective judgment to declare which ballots are valid and how interpret them. No need for expensive untrustworthy machines to process them in a timely fashion. Instead, voters are sent one clearly printed ballot for each of the available options. The same ballots are also available at the polling station. Each voter goes in an isolation booth, puts his ballot of choice in an envelope, then gets out of the booth and publicly puts the single envelope in the ballot box after his ID is verified and name is checked off by assessors of multiple rival parties. When the boxes are counted, in public, only envelopes containing a single unadulterated unmarked untorn uncrumpled pristine genuine ballot are counted as valid. The process and the criteria it applies are fairly clear, objective, hard to get wrong, and hard to dispute.
In France, ballots are cast in transparent ballot boxes in front of everyone. The boxes stay in full view of everyone until they are emptied and the ballots counted the same day at the same site by many people of all parties. The counts are reported immediately by phone in presence of the assessors, who also sign the report, that can be checked thereafter for each polling station. There is no opportunity for anyone to stuff ballot boxes or insert fake numbers in the counting. There is no counting by "machines" that can be pre-programmed or hacked to cheat. There is no keeping ballot boxes overnight where they can be tampered with. There is no set of privileged people with access to ballot boxes who can do a switcheroo or a stuffaroo.
In France, there are no "mail in ballots", where anyone with suitable access could insert or delete thousands of ballots with no way to assess afterwards the integrity of the process. If for some reason you cannot be present on the ballot day, you can register in advance to give your voting proxy to someone you trust to vote for you. But no one may be delegated more than two proxies, thus closing an obvious venue for massive fraud.
In France, it's the people themselves, not the communist "civil service", that runs the elections with every step along the way checked by many people from many rival parties. The only exception is the one-to-one-to-one correspondence between voters, IDs and polling places, but that's not massively gamable without detection. Therefore, the count of the ballots is widely considered trustworthy by everyone and never contested, while requiring no advanced technology whatsoever beyond opaque envelopes and transparent ballot boxes. French people watch with deep contempt and appallment the baroque, expensive, unfair, seemingly absurd, and completely untrustworthy process used in the USA.
AND YET, in France, the communists still cheat and still conquered Power, in an irreversible tight grip. It's just that they don't do it by tampering with the count. They do it by completely controlling the schools, the mass media, the campaign finances, the "civil service", and the courts. Thus, they can brainwash people, spread their uncontradicted narrative, defund any opposition, harass any opponent out of being able to afford a living, and fine or imprison the occasional overly active opponent. If people vote "wrong", they will just force a re-vote until they vote "right" at which point the change will be made irreversible (as for the European Constitution).
In the USA, the communists control schools and media, but not so completely that they can totally hush opposing ideas: churches, a few exceptions like FOX, and now the Internet, break their stranglehold. Communists control the Democratic Party, the "civil service" in all cities and at the federal level, but don't control (all) the courts, so can't arbitrarily oppress their opponents. They control public funding, but there is just too much private funding that they cannot control, so they can't just defund their opponents. That is why they resort to tampering with ballots using a system OBVIOUSLY DESIGNED to enable fraud.
What's even more "funny" is that both voter registration and mail-in votes make a mockery of ballot anonymity—and then in modern times, preferences are obvious on social media and via the massive government surveillance. Since anonymity doesn't meaningfully exist, a trivially simple and obviously cheat-proof process would just be to make all votes public and count them, then leave enough time for losers to triple check that it was all legit. So, really, the complexity of the process is not even justified by anonymity as it is in France. (Whether anonymity is itself a good thing or not is another question.)
In the end, you have no way to trust the process. Not only that, it is obvious that SOONER OR LATER the process is bound to be exploited. You can be naive and believe it wasn't exploited YET (but then, you better provide an explanation compatible with the existence of gerrymandering). However you are stupid, evil or crazy (alternatives not exclusive) if you believe it's a trustworthy process the results of which you and everyone else should blindly accept as the basis for Political Sovereignty.
Elections are a sham. Always have been. Always will be. Like France's only serious and honest presidential candidate, ever, said: "If voting could change anything, it would have been prohibited long ago." (« Si voter changeait quelque chose, il y a longtemps que ça serait interdit. » — Coluche)
Regarding Slave reparations: About everyone in Europe was a slave (in Latin, "servus" — serf) since Diocletian's socialist "reforms". Emancipation came very slowly through the emergence of free cities, literally the first meaning of "bourgeoisie" — people living free in cities rather than slaves on the land. Only "blue blood" descendants of the conquering German master race who reigned for over a thousand years as "noblemen" can claim to have no slave ancestors. Plus maybe the Swiss. Thus, almost all white people are owed reparations by this standard. From whom, though? Well, most black people in America descend from the tiny minority of slave owners and slave drivers of the time...
Never mind that most "white people" in the US descend from migrants who came well after slavery was abolished in the US. Socialist race-peddlers will have the white family of a recently emancipated russian serf pay reparations to the black family of a malian slave trader just based on the color of their skin. Now who's the racist? The topic of "slave reparation" has only been but a pretense for socialists to raise taxes on whoever may possess anything, to foster parasitism and to create permanent race-based caste divisions. The least logical something, the better they like it. Their ideology of death actively opposes reason.
People who call for "unity" as the only imaginable solution to violence thereby admit that they are incapable of imagining non-violence towards members of an outgroup. Theirs is the very emotiology of hate they falsely claim to "fight"—because their only vocabulary is violence.
Emotiology—it doesn't even pass the bar of an ideology. There is no claim and no attempt to coherence of ideas, logical principles, or even persistence of opinions. Just opportunistic slogans and fleeting emotions that the masses are supposed to mimic from their elite controlers.
What is "unity"? It's the emotional delusion you feel when LSD prevents your brain from functioning properly, that some deranged or underdeveloped brains can feel without drugs, and that leftists peddle onto the ignorant masses to justify violence against their dissenters.
This emotiology is literally brain damage, spread as a memetic infection of pandemic proportions. My thoughts and prayers go to the victims... oh noes, I caught the infection... tell my wife that I love her!
Ceux qui en appellent à "l'unité" comme seule solution imaginable à la violence avouent par là-même être incapables d'imaginer la non-violence envers l'Autre. Ils cultivent précisément cette émotiologie de haine qu'ils prétendent "combattre"—parce que leur seul vocabulaire est celui de la violence.
Émotiologie—il n'y a même pas là de quoi faire une idéologie. Aucune revendication et aucun effort pour la moindre cohérence des idées, les moindres principes de logique, ni même aucune permanence des opinions. Juste des slogans opportunistes et émotions fugaces que les masses sont supposées singer de "l'avant-garde" qui les contrôle.
Qu'est-ce que "l'unité"? C'est l'illusion émotionelle que l'on ressent quand le LSD empêche votre cerveau de fonctionner correctement, que certains esprits dérangés ou sous-développés peuvent ressentir sans drogue, et que les gauchistes propagent auprès des masses ignorantes pour justifier de leur violence contre leurs dissidents.
Cette émotiologie est littérallement une maladie mentale, qui se répand par une infection mémétique à l'ampleur d'une pandémie. Mes pensées et mes prières vont aux victimes... ah zut, je suis infecté... dites à ma femme que je l'aime!
Mes amis étatistes sans cesse me demandent comment telle bonne chose pourrait possiblement exister sans les tas (de parasites légaux): l'informatique, les routes, les pompiers, l'école, les chemins de fers, la musique, la charité, etc. Et pourquoi pas l'amour pendant qu'on y est?
Car chacun sait que toutes les bonnes choses sont inventions des tas (d'irresponsables institutionnels). Le summum de l'inventivité est atteint par les adjudants chefs entre deux aboiements d'ordres aux recrues d'une armée d'esclaves, suivis de près par les bureaucrates entre deux siestes.
L'informatique? Elle est née du génie d'un ministre entre deux coïts avec des putes de luxe.
Les routes? Inventées par un bourreau entre deux têtes coupées.
Les pompiers? Inventés par un inspecteur des impôts entre deux contrôles fiscaux.
Et même le sel, fut trouvé par un préhistorique chef des tas (de bandits génocidaires) qui noyait un dissident.
L'école? Inventée par un enseignant public, parce que les millions de fonctionnaires de l'éducation nationale de cette époque reculée s'ennuyaient entre deux vacances, ne sachant pas quoi faire de leur temps grassement payé par les tas (de voleurs impunis).
L'amour? Mais sans les tas, comment aimerait-on? Heureusement qu'un cheminot a eu cette idée, le génie l'ayant frappé juste après qu'il fut nationalisé! (Question: comment les chemins de fers pouvaient-ils même exister avant d'avoir été nationalisés? C'est un des grands Mystères de l'Église des tas.)
Jamais des citoyens libres et responsables ne voudraient ni s'organiser ni dépenser le moindre centime pour des problèmes aussi importants qu'évidents. Ils n'auraient d'ailleurs aucune idée de ces problèmes, laissés ignorants sans le génie des luminaires qui nous dirigent. Et jamais ils n'oseraient agir s'ils devaient assumer la pleine responsabilité de leurs actes, sans pouvoir se cacher derrière un Establishment qui les protège de toute punition pour leurs agissements.
Vivent les tas (de menteurs psychopathes)! Notre Dieu collectif, d'où dérive toutes bonnes choses.
Comme le dit un jour un prophète: « Tout dans les tas, rien hors de les tas, rien contre les tas ! »
This short essay describes some challenges I leave to the next maintainers of ASDF, the Common Lisp build system, related to the "magic" involved in bootstrapping ASDF. If you dare to read further, grab a chair and your favorite headache-fighting brewage.
ASDF is a build system for Common Lisp. In the spirit of the original Lisp DEFSYSTEM, it compiles and loads software (mostly but not exclusively Common Lisp code) in the same image as it's running. Indeed, old time Lisp machines and Lisp systems did everything in the same world, in the same (memory) image, the same address space, the same (Unix-style) process — whatever you name it. This notably distinguishes it from traditional Unix build, which happens in multiple processes each with its own address space. The upside of the Lisp way is extremely low overhead, which allows for greater speed on olden single-processor machines, but also richer communication between build phases (especially for error reporting and handling), interactive debugging, and more. The upside of the Unix way is greater parallelizability, which allows for greater speed on newer multi-processor machines, but also fewer interactions between build phases, which makes determinism and distributed computation easier. The upside of the Lisp way is still unduly under-appreciated by those ignorant of Lisp and other image-based systems (such as Smalltalk). The Lisp way feels old because it is old; it could be updated to integrate the benefits of the Unix way, possibly using language-based purity and effect control in addition to low-level protection; but that will probably happen with Racket rather than Common Lisp.
One notable way that ASDF is magic is in its support for building itself — i.e. compiling and/or loading a new version of itself, in the very same Lisp image that is driving the build, replacing itself in the process, while it is running. This "hot upgrade" isn't an idle exercise, but an essential feature without which ASDF 1 was doomed. For the explanation why, see my original post on ASDF, Software Irresponsibility, or the broader paper on ASDF 2, Evolving ASDF: More Cooperation, Less Coordination.
Now, despite the heroic efforts of ASDF 2 described in the paper above, self-build could not be made to reliably happen in the middle of the build: subtle incompatibilities between old and new version, previously loaded extensions being clobbered by redefinitions yet expected to work later, interactions with existing control stack frames or with inlining or caching of methods, etc., may not only cause the build to fail, but also badly corrupt the entire system. Thus, self-build, if it happens, must happen at the very beginning of the build. However, the way ASDF works, it is not predictable whether some part of the build will later depend on ASDF. Therefore, to ensure that self-build happens in the beginning if it happens at all, ASDF 3 makes sure it always happens, as the very first thing that ASDF does, no matter what. This also makes ASDF automatically upgrade itself if you just install a new source repository somewhere in your source-registry, e.g. under ~/common-lisp/asdf/ (recommended location for hackers) or /usr/share/common-lisp/source/cl-asdf/ (where Debian installs it). This happens as a call to upgrade-asdf in defmethod operate :around in operate.lisp (including as now called by load-asd), so it is only triggered in side-effectful operations of ASDF, not pure ones (but since find-system can call load-asd, such side-effects can happen just to look at a not-previously-seen, new or updated system definition file). Special care is taken in the record-dependency method in find-system.lisp so this autoload doesn't cause circular dependencies.
Second issue since ASDF 3: ASDF was and is still traditionally delivered as a single file asdf.lisp that you can load in any Common Lisp implementation (literally any, from Genera to Clasp), and it just works. This is not the primary way that ASDF is seen by most end-users anymore: nowadays, every maintained implementation provides ASDF as a module, so users can (require "asdf") about anywhere to get a relatively recent ASDF 3.1 or later. But distributing a single file asdf.lisp is still useful to initially bootstrap ASDF on each of these implementations. Now, by release 2.26, ASDF had grown from its initial 500-line code hack to a 4500-line mess, with roughly working but incomplete efforts to address robustness, portability and upgradability, and with a deep design bug (see the ASDF 3 paper). To allow for further growth, robustification and non-trivial refactoring, ASDF 3 was split into two sets of files, one for the portability library, called UIOP (now 15 files, 7400 lines) and one for ASDF itself (now 25 files, 6000 lines as of 184.108.40.206), the latter set also specifically called asdf/defsystem in this context. The code is much more maintainable for having been organized in these much more modular smaller bites. However, to still be able to deliver as a single file, ASDF implemented a mechanism to concatenate all the files in the correct order into the desired artifact. It would be nice to convince each and every implementation vendor to provide UIOP and ASDF as separate modules, like SBCL and MKCL do, but that's a different challenge of its own.
There is another important reason to concatenate all source files into a single deliverable file: upgrading ASDF may cause some functions to be undefined or partially redefined between source files, while being used in the building ASDF's call stack, which may cause ASDF to fail to properly compile and load the next ASDF. Compiling and loading ASDF in a single file both makes these changes atomic and minimizes the use of functions being redefined while called. Note that in this regard, UIOP could conceivably be loaded the normal way, because it follows stricter backward compatibility restrictions than ASDF, and can afford them because it has a simpler, more stable, less extensible API that doesn't maintain as much dynamic state, and its functions are less likely to be adversely modified while in the call stack. Still, distributing UIOP and ASDF in separate files introduces opportunities for things to go wrong, and since we need a single-file output for ASDF, it's much safer to also include UIOP in it, and simpler not to have to deal with two different ways to build ASDF, with or without a transcluded UIOP.
As a more recent issue, ASDF 3.3 tracks what operations happen while loading a .asd file (e.g. loading triggered by defsystem-depends-on), and uses that information to dynamically track dependencies between multiple phases of the build: there is a new phase each time ASDF compiles and loads extensions to ASDF into the current image as a prerequisite to process further build specifications. ASDF 3.3 is then capable of using this information to properly detect what to rebuild or not rebuild when doing a incremental compilation involving multiple build phases, whereas previous versions could fail in both ways. But, in light of the first issue, that means that trying to define ASDF or UIOP is special, since everything depends on them. And UIOP is even more special because ASDF depends on it. The "solution" I used in ASDF 3.3 was quite ugly — to prevent circular dependency between a define-op asdf and define-op uiop, I made asdf.asd magically read content from uiop.asd without loading uiop.asd, so as to transclude its sources in the concatenated file asdf.lisp. This is a gross hack that ought to be replaced by something better — probably adding more special cases to record-dependency for uiop as well as asdf along the way.
Finally, there is a way that ASDF could be modified, that would displace the magic of bootstrap such that no special case is needed for ASDF or UIOP — by making that magic available to all systems, potentially also solving issues with cross-compilation. (UIOP remains slightly special: it must be built using the standard CL primitives rather than the UIOP API.) But that would require yet another massive refactoring of ASDF. Moreover, it would either be incompatible with existing ASDF extensions or require non-trivial efforts to maintain a backward-compatible path. The problem is the plan made by ASDF is executed by repeatedly calling the perform method, itself calling other methods on objects of various classes comprising the ASDF model, while this model is being redefined. The solution is that from the plan for one phase of execution, ASDF would instead extract a non-extensible, more functional representation of the plan that is impervious to upgrade. Each action would thus define a method on perform-forms instead of perform, that would (primarily) return a list of forms to evaluate at runtime. These forms can then be evaluated without the context of ASDF's object model, actually with a minimal context that even allows them to be run in a different Lisp image on a different Lisp implementation, allowing for cross-compilation, which itself opens the way for parallelized or distributed deterministic backends in the style of XCVB or Bazelisp. Such changes might justify bumping the ASDF version to 4.0.
As usual, writing this essay, which was prompted by a question from Eric Timmons, forced me to think about the alternatives and why I had rejected some of them, to look back at the code and experiment with it, which ultimately led to my finding and fixing various small bugs in the code. As for solving the deeper issues, they're up to you, next ASDF maintainers!
"What is the Matrix? Control."
This essay was originally written by Daniel A. Nagy and published on his Facebook page on April 2nd, 2017. It is the third part in a series. The first two parts are available here: Part 1, Part 2. All three parts were originally published on facebook: Part 1, Part 2, Part 3.
In the first part, I have discussed the so-called Independent Media™, the seeming conspiracy of mass-media workers, especially, but not exclusively journalists, in creating and perpetuating a virtual reality by biased reporting and analysis, serving the interests of the International Community™. In the second part, I have discussed the role of Student Activists™ in doing the footwork and providing a recruitment pool for the rest of the International Community™. I have argued, that there is no need for these people to actually conspire or to be in the service or the pay of some shadowy background power; they are merely following their own perceived interests and their own thirst for power and status.
In this third part, I will look at the other side of the same academic coin:
Their faculty and administration are not only tolerating political activism on campus, but actively encouraging and supporting it, as long as it serves the interests of the International Community™. On one hand, there is nothing new or surprising about the best scientists being in the pay of the most powerful rulers. Similarly, it is quite common for them to provide legitimacy and support for their paymasters. What is new, however, that there seem to be no rulers around. On paper, the best Liberal Universities™ are independent and private, yet, they act as if there was some shadowy background power pulling the strings and showering them with money and prestige, as powerful rulers of the past have done. Well, if you state that much in public, you are only going to make a fool of yourself.
Just like in the case of Independent Media™, academics are actually in the driver’s seat of the International Community™. They do not serve anyone in particular, but exercising and protecting their own power. As it always happens at the nexus of power and science, science suffers. Entire bogus fields of study emerge that have nothing to do with uncovering the secrets of the world using the scientific method and even legitimate scientific pursuits get corrupted by biased funding and publishing. I believe that the root cause for this to go largely unopposed is that division of labor and specialization have deepened so much during the past century that non-specialists came to rely too heavily on academic credentials and KPI’s such as publications in Prestigeous Journals™, which, in turn, are measured by another KPI, the so-called impact factor. This provides cliques of mutual support that cite each others’ papers and also sit on editorial boards of journals with an opportunity to completely capture entire disciplines and even to create new ones, irrespective of actual scientific merit.
When enemies of the International Community™ attempt to mimic its behavior by operating universities of their own or attempting to endow their cronies with academic titles, they invariably fail, often quite comically. Just like in the case with journalists, no matter how much the king pays to the professor, no matter how much money he plows into shiny campuses, it will never be as prestigeous and attractive as a true, independent Liberal University™. The best possible outcome for such attempts is complete capture of the institution by the International Community™ in which case the ruler might have bought himself a temporary, highly conditional (upon unwavering loyalty) peace.
In this light, it is not at all surprising that one of the core tenets of the International Community™, in fact, one of the core Democratic Values™ is that public policy needs to be based on scientific evidence. This is a huge departure from the practice of past rulers who might have paid keen attention to scientist advisors, but would have never given up agency or responsibility by delegating policymaking to scientists. This practice of requiring scientific evidence (in practice: academic approval) for policy decisions utterly corrupts science, for it implies that the only way to influence policy is to influence science. Thus, power is spoken to truth, honest pursuit of science in politically charged fields such as economics or climate becomes impossible.
As any person in the position of power, these academics are, of course, corrupt. Since they have near-absolute power, they are very corrupt, in fact, but also very expensive. This might seem like a weakness, and indeed it is sometimes possible to destroy individual academics by unmasking their corruption, but that may prove very difficult, expensive and dangerous. Going after entire Liberal Universities™ or fields of study, however corrupted, is a surefire way to draw the ire of the entire International Community™.
The true and ultimate weakness of academia is that it is entirely unnecessary and useless in the age of the internet. They hardly do anything useful anymore for anyone but themselves and their powerful friends. If you want to actually learn something, there is no reason anymore to enroll in an accredited degree-earning program, because you can listen to lectures and read papers by the best in any field online, often for free. There is also no reason to pay any attention, as employers, to academic credentials. If you need to hire scientifically trained talent, you can look at results of online competitions, open-source work, etc. If really needed, you should test the applicant in-house on the subject. Remember: the proof of Poincaré Conjecture was not published in a peer-reviewed journal and the Fields medal awarded for it was turned down. The best strategy for freeing yourself and the world from power-thirsty academics with top-notch credentials is to ignore them out of power.
Those who are doing real science no longer need to rely on academic credentials, even if they happen to have them.
Dear crypto-currency hacker friends,
I had the following epiphany about decentralizing crypto-currency transactions, into a network of repudiable centralized operations with ultimate decentralized arbitration, thereby achieving ledgers with both high-throughput and high-trustworthiness. I would appreciate you helping me find out whether it is original, already well-known, or well-debunked.
The essential innovation brought by Bitcoin was a way to achieve consensus without centralized management. Unhappily, this consensus is technically very hard to achieve, economically very expensive, and it is slow and has low throughput, etc. Centralized systems are much cheaper to operate, much faster, much more reliable, etc.; but ultimately they are subject to failure or abuse by the operator: overcharging or outright censorship of transactions, double spending on their own transactions, inflation, confiscation, outages, gross negligence, etc. A big question today is how much the advantages of distributed consensus can be combined with those of centralized management without also combining their disadvantages.
I was reading about the Bitcoin Lightning Network, OmniLedger, and other proposals to decentralize crypto-currency payments in a safe yet speedy way. Then I was reminded of the notions of (1) Voice and Exit and (2) Slasher-style denunciations. Voice and Exit are the idea, common among libertarians, that what keeps infrastructure managers honest and efficient is mostly not (a) the ability to "Voice" complaints and maybe cast a tiny vote in picking who the next collective manager will be for everyone, but (b) the ability to individually "Exit" the set of customers of your current service provider, or even of all existing service providers, thus becoming your own provider and possibly that of others (extreme case also called "Enter"). Slasher-style denunciations are the idea that if cheating is possible to some parties, these parties can be motivated not to cheat by having skin in the game that they will lose should their cheating be detected and denounced (this idea was first applied to cryptocurrencies by Vitalik Buterin as part of a proposed Proof-of-Stake protocol called Slasher; I heard about it in the Tezos White Paper).
In a crypto-currency, public key cryptography is used so that funds in a public ledger are assigned each to an entry protected by a publicly recognizable lock. Only the actor who knows the matching secret key (typically called Alice) can sign the checks that spend funds protected by a given lock (in some more advanced cases, it can be a set of actors each with many keys, interacting through a "smart contract"). There is no way within the system to cheat by spending funds controlled by someone else: you may crack their computers or torture them to extract their keys; but supposing that their software, hardware and wetware are secure, remote participants in the protocol cannot rob these funds. Inflation and confiscation, two risks commonly associated with phanæro-currencies (currencies that are not crypto-currencies), can also be written out of the protocol at the time it is designed, before it is adopted; or they can be made to follow predictable patterns that users may accept before they adopt the currency, or reject and the currency with it. The main risks that remain in a cryptographic ledger are: (C) censorship of transactions, with includes gouging of transaction fees under threat, and locking or destruction of funds that thereupon cannot be spent anymore, and (D) double-spending of funds by a malicious actor, who promises to deliver the very same funds simultaneously to multiple recipients and run away with benefits received in exchange before the deceived victims hear the news.
Now, notice that both remaining kinds of bad events require a bad actor, typically called Mallory (or sufficiently incompetent one — here as always, any sufficiently advanced incompetence is indistinguishable from malice). In the case of a centralized chain, the central manager can easily catch small fraudsters and punish them (say by confiscating or destroying their funds); but the central manager may herself become fraudulent, and/or fraudsters will do their damned best to become the central manager (and will eventually succeed). Guarding against these two possible behaviors by Mallory having become the central manager is the one on only (but oh so difficult) purpose of the distributed consensus protocol. If only Alice and her partner Bob could somehow safely let someone trustworthy like Trent guarantee their transactions against small time thieves like Mallory, without Trent himself turning into Mallory! Then they could have very fast transactions at lightning speed, yet that are robust and trustworthy, without a single point of failure or trust.
Therefore, what is ultimately required from the consensus protocol (centralized or decentralized) is a "justice" system that guarantees the right of Exit: if Alice's account is currently managed by Trent who tries to price-gouge her or censor her or otherwise fails to process transactions out of incompetence or dysfunction, then Alice can denounce Trent to Judy, repudiate him as her notary, and either transfer her account to Ted instead, or start her own notary business. (To incentivize Trent not to censor transactions in general and exit transactions in particular, some of the fees associated to the exit transactions would be paid by Trent if the matter reaches Judy, though Alice has to pay at least as much in fees to reach Judy, or else there is an unfair weapon whereby rich operators can pay to bankrupt their competitors with a multiplicative effect.) Once she finds a trustworthy notary willing to record the transaction, Alice can send funds to Bob; and if no notary is willing, Alice can register herself with Judy and self-notarize the transaction; that will be technically more demanding and possibly more expensive due to Judy's fees, but the option is always available, prevents outright censorship or freezing of funds, and sets a cap to how much transaction notaries can gouge before losing all their customers. An additional incentive for notaries to never censor or gouge their customers would be to tie the benefits they receive to the presence of these customers: the ability to charge fees or inflate the money supply (in a limited way); those benefits constitute "skin in the game" the fear of losing which makes a powerful motivator for notaries. (This is another point that Tezos gets well.)
As for the second kind of risk, double-spending, it only happens when Mallory is a notary and signs away the same funds multiple times. When receiving funds from Alice as signed by notary Trent, Bob must make sure to tell everyone about it, and complain loudly and timely to Judy if he hears of a double spending attempt, and wait for long enough that no one else did issue a complaint that Alice and Trent were actually Mallory in disguise who was trying to double-spend. To determine whether a transaction is valid, Bob therefore "only" has to track what the manager Trent said, and wait for Judy to validate what was the (digest of the) official state of transactions notarized by Trent, and check that Judy did not publish a repudiation of Trent by Alice, or a denunciation of Trent's behavior by a double-spending victim. And here's the great advantage of this proposal: it is infinitely faster for Judy to not publish negative messages than it would be for Judy to actually publish positive messages.
To make it costly for Trent to even try to cheat and maybe succeed if there is a glitch in the system, Trent has to put skin in the game by leaving funds under a lock with its name attached. Then, if Trent is otherwise found to have facilitated double-spending, these funds will be lost: half earned by whoever denounced Trent to incentivize denunciation, and half destroyed (Trent could preemptively denounce themselves under a false identity, and avoid losing, if there were no destruction). If Trent himself is not an anonymous node in an anonymized network, but a large well-known corporation with lots to lose should its operations be found to be either fraudulent or incompetent, all the better: more skin to lose in case of either censorship or double-spending attempt, and no ability to profit. And yet if governments try to crack down on such institutions, the ledger can easily fall back a lot smaller servers hiding behind TOR and its rivals or successors. As for regular clients, they can use anonymizing techniques without loss of robustness to the system.
In a degenerate case, there is one very fast high-throughput centralized transaction network, plus a slow low-throughput validation network that keeps it honest and efficient; if and when the centralized transaction network fails, becomes too expensive, or starts cheating, everyone suddenly raises the issue with Judy and moves to a new network; the process may take some time and cost a lot of money, but that these transition costs put a cap on how much the network can suck.
In less degenerate cases, there is a federation of management networks, with fast cheap transfer in-network, and several options of inter-network transfers: go ask Judy to switch notary (slow and expensive but guaranteed), have Trent tell Ted about the transfer, and wait long enough to make sure no one denounced Trent as a double spender to Judy, or if you're in a hurry and/or feeling trusty, pay Faythe, some trusted intermediate with accounts with both Trent and Ted, to do the transfer. When receiving funds from someone you don't fully trust, always wait for Judy to confirm what Trent says. If you must use the services of Faythe, look at how much bail money she left in escrow at various notaries, and decide whether she will want to lose them all so as to indulge in a short-lived spending spree before she gets denounced.
The last issue is: how do you make sure that Judy keeps doing her job, that she is actually listening to denunciations and publishing them, etc., etc.? Well, that's where you need a more traditional Consensus system: instead of being a central authority, which would only push back the issue and leave us with yet another centralized system with extra steps, Judy can be a protocol on top of a decentralized consensus system (or rather THE decentralized consensus system, some of my friends would argue), whether it is based on Proof-of-Work (effective but expensive), Proof-of-Stake (cheaper but more fragile?), or whatever the most trustworthy technique of the day is (today, Bitcoin, tomorrow, the Moon?). Denunciations are therefore published and accepted in a consensual priority order from which the protocol uniquely determines how and in whose favor the ledger is adjusted. Settlement of denunciations would have to have clear precedence and reconciliation rules, which would make the code quite complex, especially since suddenly large swaths of a vastly different blockchain technology has to be made part of the codebase. Ultimately, though, such is the cost of reconciling the advantages of centralized and decentralized: its codebase must contain both the centralized and decentralized systems, plus some code to reconcile the two. If the system has its own decentralized blockchain, early denunciations will be considered as adding sufficient weight to the chain as to make censorship hard; but not in a way that would allow toppling the chain (and thus double spending) using retroactive denunciations.
Note that even when censorship of denunciations somehow happens at the level of Judy, it can become "common knowledge" very soon that certain transactions were fraudulent, at which point the notary disbarred while multiply-spent funds and his bonds are effectively frozen until an uncensored denunciation is published that establishes who gets the reward for proving the fraud. Consensus is only needed to determine who gets the reward, whereas common knowledge is enough to stop people from being defrauded. This in turn means there is little incentive to censor denunciation and positive incentive to publish them. But it also means that people managing serious money should keep listening to consensus-less decentralized chat networks in addition to the consensus. Happily, consensus-less decentralized chat is both cheap and fast. To reduce the incentive for both retroactive cheating (indian giving) and censorship, denunciations can't freeze funds that Judy couldn't prove were multiply spent within the timeout window for a confirmation; but the notary's bond has to remain posted for a much longer time, and is still lost if they were found to double spend. The bond can be made of user subscriptions, that are only released if no fraud was proven for an enter cycle (say one week to one month) after the end of the subscription; if Alice goes to Judy to denounce Trent, and Trent loses the fee he collected from Alice (which causes deflation and/or goes back to a pool that pays miners; Alice does not get the money back, and must pay the miners a fee to invoke Judy.)
I admit that I don't understand the economics of mining enough to say whether my construction can be used with a system that is ultimately cheaper than Bitcoin's Proof-of-Work network at achieving a robust Decentralized Consensus. I would guess that mining costs could be kept proportional to fraud expectation given the suspected (un)trustworthiness of the notaries; but that would mean that fraud would appear when the costs are too much underestimated. Still I do believe my construction manages to combine the throughput of centralized systems with the robustness of decentralized systems, at the same overall cost and latency as existing decentralized systems, and hence much reduced cost per transaction compared to pure decentralized systems, and much improved robustness compared to pure centralized systems. This construction thus uses distributed consensus as an arbiter between competing centralized systems, such that the price paid for consensus is proportional to fraud and/or failure and born by those who are dishonest or make bad decisions instead of being proportional to the active value of the network and born by those who are honest and make good decisions.
Now, please tell me what I have missed, if anything. Is this construction actually robust, or are there flaws I failed to see? Is it original or has someone already proposed it? Even if it basically works, are there hidden costs and issues I have failed to consider?
PS: some of my friends told me that while the specific way I frame this idea might be original, many of the same general concepts are already used in projects to federate blockchains, such as Blockstream Liquid or Ethereum 2.
Last night I had this dream of what might make an interesting novel of political fiction. In this timeline, the Republic of China (Taiwan) alone in the world has kept a delegation for the Republic of (South) Vietnam. The RVN embassy is still occupied by an official Vietnamese delegation, reduced to three people living off a small stipend from the Republic of China, that hasn't increased since 1975, with a Chinese guard on duty during the day. One night, a group of Vietnamese revolutionaries break in and take over the delegation, led by a notorious anarchist, a martial artist, and an international lawyer. They carry with them an old drunkard who happens to have a claim as heir to the ancient throne through a previous Emperor's affair, and declare the Restoration of his Dynasty. They somehow convince the old delegates to join their cause. Of course, Taiwan will be taken aback by this revolution, and immediately revoke what stipend and guard they were granting to the delegation; but the RoC will not dare violate the sovereignty of the entity they tried to prop up so long — at least not until and unless it itself violates international law. And so Taiwan will follow a wait and see policy.
The anarchist takes the new Emperor in his Imperial Suite, a reserved suite on the top floor of the building. He leads the other men upstairs with the drunk man on tow. However, an astronomical society has taken over all floors of the building but the ground floor and entresol; the rent they pay is how the delegate made his comfortable living despite the low stipend from RoC. Trying to keep going to the top floor, the men discover that it is only accessible by a ladder leading to the higher levels of the telescope, which is impractical for men carrying a drunkard. However, a late-staying astronomy student explains that they already reached the original top floor, the observatory having been added later. Part of the Imperial Suite was kept, but as an impeccably preserved museum room inside the offices, not really usable as an actual room. The revolutionaries still use it symbolically that night, but in the morning, the Emperor will "decide" that from now on he shall occupy a simple maid's room in the entresol.
When the drunkard wakes up with a major hangover, the anarchist talks to him with deference due to the Emperor, yet explains in no uncertain terms that he is in control as the new Regent. The Regent has one goal for the Emperor: make Him become a dignified figure (no more alcohol) who will become relevant as an assassination target. There only three ways out of the embassy: installed on his rightful throne in Hue, dead, or abdicated in favor of another heir approved by the Regent. His fortune will follow that of the Restoration: ascetic for now; but princesses and concubines, fast cars and private jets if they are wildly successful. And a lot of it will depend on the Emperor's ability to project dignity indeed.
The first appointments of the day are for the new Emperor and his Regency to receive the CEOs of various international companies of mercenaries. The Empire offers that it will setup its Court in Exile; companies can file actions; the Court will decide whether there is a Casus Belli, and then declare war on the enemy and grant the mercenary a letter of marque in exchange for titles in the loot and/or conquest. The mercenaries will however then have to follow the strictures of an official army and be subject to Court Martial for transgressions. Of course most governments won't recognize the Empire and its letters of marque. At least in the beginning. But that's where a mutually profitable relation is born: by respecting international law better than existing governments, the Companies and the Empire can lend Credence and Legitimacy to each other.
Selling flags of convenience, setting up Court, delivering passports, negotiating mutual recognition with odd States, maintaining good relationships with Taiwan, making statements to the press, teaching the Emperor how to be sovereignly (and preparing an online course on Natural Law based on those teachings), preparing a secret contingency plan for when Taiwan turns inimical or falls, plotting against the Vietnamese communist regime, dealing with spooks from various countries and non government entities, improving internal security, drawing an internet fan base as well as government backed opposition from SJW groups, etc., are daily activities of the Regency. All of that until... well, next episode, if any