site banner

Culture War Roundup for the week of July 22, 2024

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.

7
Jump in the discussion.

No email address required.

The narrative is that in a certain sense CrowdStrike fiasco was caused by regulators who promoted its use on the basis that it ensures full security with a single tick in the box. If true, this is an example of regulator failure more than CrowdStrike failure.

Regulators have a duty to ensure that their recommendations are fit for purpose. It also includes evaluation of risks from the accepted solution. When Boeing 737 Max planes were falling from the sky, it was the fault of Boeing because they self-certified any changes. You could argue that the regulators should not have allowed that without proper overview but I would not directly blame the FAA yet because Boeing lied.

However, in case of CrowdStrike it is different because they relied on 3rd party software and that puts more responsibility on the regulators to ensure that CrowdStrike service really works and the remedies are in place when it fails.

Another case of improper regulation is covid vaccine mandates in many countries. In certain conditions vaccine mandates could be justified, for example, in case of a very deadly, fast spreading disease and very good vaccine which is not the case with covid. The regulator failure here is even more apparent because vaccine mandates were introduced after the data about vaccine inefficiency to prevent infection and spread of covid was already published in peer-reviewed journals.

I am not arguing for stronger or more regulations, I am demanding better regulations which fulfil their purpose instead of ticking boxes.

CrowdStrike going from nothing to having such a large influence in a decade, and the background of it's founders, is enough of a weird smell that it makes me suspect regulatory capture rather than merely regulation. But I don't have anything concrete to base that hunch on.

The vaccine mandates weren't meant to do anything about covid. They were meant to punish political dissidents.

Which regulators and which regulations? Honestly curious because I don’t know. There is not exactly a comprehensive central cybersecurity regulator in the U.S. to my knowledge. Some might be governed by SEC, others by DOE, which can make recommendations which I’ve seen only practically enforced by market means through cyberinsurers refusing to underwrite policies without sets of protections put in place prior by the insured.

caused by regulators who promoted its use on the basis that it ensures full security with a single tick in the box.

Regulators/insurers don’t promote a specific vendor, but either suggest or mandate specific controls that might be able to map to particular products/features, which is probably a GRC (governance risk compliance) pencil pusher or auditor/consultant task. Crowdstrike Falcon is a platform with lots of different features that can be licensed, but is primarily an EDR/NGAV tool that runs on workstations and servers. You’ll check one or a couple checkboxes, but not all, such as increasingly required autonomous response capabilities within a network traffic analysis IDS/IPS which is situated much differently both physically and conceptually in a cybersecurity stack than a CrowdStrike EDR.

CrowdStrike seems to have such a large footprint because of excellent positioning and business development - they were first on the cloud-managed endpoint scene while other vendors were stuck supporting legacy on-premise solutions, and they had waves of VC funding that compounded their growth.

such as increasingly required autonomous response capabilities within a network traffic analysis IDS/IPS which is situated much differently both physically and conceptually in a cybersecurity stack than a CrowdStrike EDR.

I've found that when people handwave in this specific way there's usually a more interesting story they're condensing for time. Who is increasingly requiring autonomous response capabilities for IPS? My read is that it's barely even true on paper in 800-53 rev 5 or CMMC2.

Who is increasingly requiring autonomous response capabilities for IPS

Cyber insurers/underwriters for the policies I’ve seen which are common to a particular vertical I have exposure to. And then some extended federal requirements if the entity within that vertical has a service relationship with sensitive gov assets.

And they are legitimately considered very good in the industry by penetration testers.

They fucked up an update big time, but they got their market position by having a competitive product.

Which regulators and which regulations?

I'm pretty sure this is generally pointing at NIST guidance, compliance with which has been leveled as a requirement on Federal contractors, and probably has shown up in the private sector cited as best practice for things like insurers looking at IT risks. There have also been increasingly loud recommendations from the government about software development practices generally, but I'm not sure exactly how those are enforced.

Honestly most of the relevant regulations I've worked with aren't dumb. Sometimes painful to implement, and maybe sometimes overbearing, but not completely unreasonable.

I am not arguing for stronger or more regulations, I am demanding better regulations which fulfil their purpose instead of ticking boxes.

The problem is that box ticking is the essence of "regulation" as understood today. There is no alternative available in a managerial system.

Back in the Bull Moose days you could use the administration to put forth an informal sense of fairness and talk to actual humans in charge of things, but long after the other Roosevelt the only lever left is altering what boxes are present on the box ticking exercises. There is nobody you can negotiate with one on one on either side of the table. It's legions of bureaucrats all the way down.

I think this is a fundamentally hard question: "How do we design the system to give incentives to maximize the robustness of infrastructure in the public commons?". I don't have a complete answer here, but it's easy enough to point to failures on both sides of this sort of thing: there has been no shortage of major incidents stemming from unpatched systems on the Internet. This seems like the first major incident in which the systems we put in place discourage that (automating the rollout of security fixes) have, themselves, failed.

I don't think a perfect solution exists today. The NIST guidance to keep your systems updated and install AV is better than nothing, but no checkbox-based system is really substitute for a good head on one's shoulders aware of what's going on. I think there is good discussion to be had about what the rules and incentives should be, but unless your system is "hire smart, capable, competent people", and really even then, I don't expect perfection. And honestly, our really smart, capable people are probably better utilized working on harder problems than IT security for non-life-critical systems.

Regulators in the US are notoriously corrupt. See the 2008 fiscal crisis.