Culture War Roundup for the week of July 15, 2024

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.


I do hope the fallout from this crap will be immense. Cloud was a bad idea from the beginning. This type of cloud security too.

This is like seeing a jet plane crash in the 1960s and being like "this idea will not work" or the Titanic sinking and thinking the same thing. Enough companies rely on such services that evidently it's worthwhile despite these risks.

Enough companies also relied on massive amounts of lead in the fuel they use for decades. In the digital era - not having all your data and services under your roof will forever be a bad idea. It's just that the beancounters were tired of paying those pesky sysadmins a livable wage.

I am not against the concept of services per se. But the critical ones should always be self-hosted. And moronic, useless antivirus part of the security theater is up there with critical. Antivirus hasn't been needed on Windows for a long, long time.

The best comment on all things cloud is way before the cloud was even a concept:

With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead

This is the opposite of the cloud.

It is Software-as-a-service, but the processing wasn’t being done on someone else’s computer.

This isn't "cloud" in any meaningful sense.

Indeed, if these computers were in the cloud, they'd be fixed much faster.

Hmm, centrally managed, by a third party, not on premises, critical security infrastructure with kernel access? There is definitely a reading of cloud service that describes it.

The machines are on prem. That's the whole point.

If the machines were off prem they would be managed by some company with at least basic sysadmin competence and it would merely be a major annoyance to fix this. As it is, every mom and pop with a moron for an IT department is going to have to fix it themselves.

My company’s shiny new ERP system is hosted by our vendor, a large and growing company which sells to many industry verticals. The system is still down.

If our little SMB IT department had been running it on premises, we would never have installed endpoint protection on our servers. We may have had all kinds of other problems we couldn’t hedge against because of our scale, but we have the good sense to weigh the risks ourselves instead of complying with a customer’s backside-covering audit checklist.

You're right that I failed to consider that there are tiny cloud shops out there. When I was talking about cloud I was thinking about the big three.

Well, not cloud, but internet in general.

These machines all updated something, because they are connected to the internet and set up for automatic updates.

People learn pretty quickly that automatic updates are a terrible idea. Even if the update doesn't screw up your data or your workflow, e.g. by taking away some feature you were depending on or crapping up the UI, it's likely the update process will kick in at an inconvenient time (like in the middle of a presentation). So they turned them off. Security people started crying about unpatched bugs, and got enough corporate power to get automatic updates considered a "best practice" (when it's not), and here we are.

The problem is that no automatic updates is also a terrible idea, as a majority of systems don't get patched, ever. The ideal is manual updates but responsible companies/admins testing before deployment, and sadly I don't think that's gonna happen. The second best is gradual/tiered deployments with the ability to opt out, which is more realistic but still requires more effort than many companies are willing to provide.

I personally think that "no automatic updates" is better than the current hellscape of "lol we can break your device at any time", even with the problems it causes. I'd rather have hella security issues on the Internet than have my stuff randomly break (or just get worse) without my intervention.

Automatic updates are the worst thing. Everyone hates them yet companies do it.

Automatic Windows updates destroyed two of my work laptops at my last job.

I've had Windows 10 updates fuck up some of the older software I have running for my job.

And people wonder why I turn Windows 10 updates off.

Now I'm going to have to fight off a Windows 11 upgrade, so as to not fuck up said software. You'd think local IT would be more paranoid about just gleefully installing whatever it is Microsoft tells them to, but...

I can't speak for your IT department, but in the past we would always test updates across a cross section of the business before rolling them out to everyone. Maybe like 10% of the computers would get the test updates, and we would only deploy if we had no issues on the test PCs. That's really all you can do though, sometimes issues come up even with testing.

"Internet was a bad idea from the beginning" is certainly an interesting argument.

I can definitely agree that canary-less fast global rollouts were a bad idea from the very beginning though.

How long do you wager it'll be before a major car company [thinking of Tesla here but I'm pretty sure they all do this now] bricks a significant number of its electric cars by pushing a bad update (rendering the car unable to start)?

That seems best case. What if it bricks while driving?

Probably highly unlikely. I have worked on mission critical software. While it wasn't automotive it was in a similar field. The code I wrote took six months to reach production. At that company we wrote maybe 5% as many lines of code per work week compared to a normal company. There was also extensive testing.

There may be individual events that happen. Mass brickings are unlikely.

Considering the overall quality of automotive software is 100% garbage I'm not as certain a massive screw-up would be as unlikely.

More like, for all of its benefits the internet has always been, and will always be, a point of vulnerability.