site banner

Culture War Roundup for the week of May 6, 2024

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.

6
Jump in the discussion.

No email address required.

Totally get where you're coming from. However, the last paragraph has I think the most important bit:

everything other than plugging in something

Most IoT devices are billed as, "You just plug it in, and it just works!" No one anywhere is standing at a store, looking at the baby monitors, seeing that one of the options lets them listen to it from their phone, and thinking, "Ya know, I really better not think about buying this and plugging it in unless I become an expert in network security." Just how no one stands in a store looking at toasters, thinking, "Ya know, I better not think about buying this and plugging it in unless I become an expert electrician." Like, should people learn more about network security and how their electrical system works? Yeah, sure. But while the breaker boxes in the store might have some sort of warning on them or cultural expectation saying that they mayyyyyybe shouldn't buy it and try to install it on their own without any expertise while the toaster doesn't have anything of the sort, nobody's internet devices have any such warning or cultural expectation. Even effin' routers, people just buy the box and plug the box in; it's easy! It's magic! Best case, they have the guy from the ISP show up to plug in the modem and the router, but he's not going to be fiddling with the security settings for them, either. Everyone is perfectly happy just letting it seem like plug-and-play magic.

Most IoT devices are billed as, "You just plug it in, and it just works!" No one anywhere is standing at a store, looking at the baby monitors, seeing that one of the options lets them listen to it from their phone, and thinking, "Ya know, I really better not think about buying this and plugging it in unless I become an expert in network security."

Let's say you were in charge of fixing this from the advertising side of things. What warnings would you add to this device so that even tech-illiterate users understand the risks of e.g. connecting this baby monitor up to the internet? Simple stuff you can fit on a pop-up or side of the box, because the user isn't reading the 100-page manual that probably already warns about this.

A big part of why you can just hand a toaster to someone with no further explanation is that people actually do know a lot about electricity and household appliances and can avoid the biggest problems. Nobody's dumping a live toaster into the sink to clean it.

Manufacturers should probably take this lower level of knowledge into account, but it's not as easy as "just make the device idiot-proof, like toasters!"

Let's say you were in charge of fixing this from the advertising side of things.

I guess manufacturers are in a tough position there because the lower level of knowledge means that quite uncomfortable things have to be put on the packaging. They can get away with putting the warnings in the 100 page manual for the toaster; it would put off buyers if the toaster they were looking at proeminently displayed "This toasted WILL kill you if you plug it in and take it for a bath!". Similarly, a baby monitor whose box said something like "Unless properly secured, this monitor can allow strangers to connect and listen in or talk to your child" will find itself selling less than the one that omits it.

I suppose the best move is to spin it as a feature. Put it proudly on the box! "Crowdsource your child's safety with the default password mode!"

the user isn't reading the 100-page manual that probably already warns about this.

I don't believe any user manuals actually warn about any of these things. The manufacturers simply do not care about security, because they don't have to, be it built-in, in manuals, or in advertisements.

it's not as easy as "just make the device idiot-proof, like toasters!"

Totally and completely agreed. I started off saying that one way we could fix this is to do something extremely simple, like banning default passwords. No manufacturer is going to put on their box whether they have a default password or not, so many consumers aren't going to know.

There has been some efforts in the US to create a Cyber Trust mark, where that is an indication that they have been built to some sort of standards (that aren't that far off from these regulations). This is a plausible approach, though we likely won't see whether it would have been effective (are consumers going to be paying close attention for this mark on a box full of ten other certification marks?), because they're probably just all going to bring their devices up to the UK standard. Could have been an approach, though.

I mean ideally people should be aware of the issues around network security to the point of being able to make reasonable decisions on whether a given networking device is safe to use much like they do every day with other devices and vehicles and activities. No one looking at a lot full of cars doesn’t make sure the car has airbags and seatbelts and antilock brakes. That’s not a super deep understanding of automotive technology, it’s pretty basic. And in home network security I think you should know enough to look for the basic security features. I wouldn’t buy a networked baby monitor that didn’t have at minimum password protection and encryption. I’m not an expert but I know enough to know that unencrypted information can be viewed by anyone with the appropriate receiver and that a device not protected by a fairly strong password is open to hacking. I think people are treating PNP devices differently than they treat other similar devices. It’s not that they are incapable of due diligence, it’s that they see computer devices and the systems around them as too complex to understand. They aren’t.

In the negligent users defense, users checking for features like "password protection and encryption" is more the source of the issue than the solution. Network security is a process, not a feature. I feel safer putting up a camera with no encryption and password protection that serve a standard video feed on the network than one that requires a cloud service with SSL, password, 2FA, etc... to function. The former would be forbidden to talk to anything outside of my internal network, and there would also be restriction to what it can talk inside the network. Security features are a very distant concern after proper access control. But cloud services I just have to trust. If you take the most secure device and give the whole planet a surface to attack it, it's a matter of when, not of if, it can be cracked. To its credit, the document does address some of this, but what happens when the company decides to discontinue the product line and deprioritize security updates on the cloud services for their baby monitor? The document does say they have to precommit to a support period, but there's support and Support.

Even then people can and do learn. And I don’t see why people assume that computer and network issues are that much more complicated to learn than any other security or safety concerns for anything else you might do or use. People can be taught this stuff. We managed to learn electrical safety and gas safety and safe driving and thousands of other problems that came along with new technology.

And I don’t see why people assume that computer and network issues are that much more complicated to learn than any other security or safety concerns for anything else you might do or use.

Well, that's because you trust yourself to get out of anything you get yourself into.

The problem with learning how to use computers is that, quite literally, everything's behind glass. The efforts to ameliorate this in the early '90s (and to a point, why early versions of iOS had the design language they did) were all attempts at solving this problem, and the reason the more famous ones failed (specifically Microsoft Bob) was because this problem is intractable outside of maybe VR- it's just side-grading from one "this is all behind glass, weirdly artificial, and I'm not truly in control of this machine's states" to "that, but at least it looks like a house".

With other forces of nature, such as electricity, gas, driving, etc., you're interacting with a physical thing. Human beings are exceptionally good at manipulating and understanding physical things- for electricity, you can physically guarantee that the current isn't going to go anywhere but where the wires conduct it. Same thing with driving (or at least, before we stuck shitty tablets in the dash).

Take away the state they're supposed to be directly manipulating, though, and make it both abstract and only accessible through a very specific set of fragmented language? And make it clear that (just like how people claim drivers would be better if there was a gigantic spike sticking out of the steering wheel) there are a bunch of [metaphorical, but sometimes very literal] loaded guns sitting inside the box? I don't blame anyone who hasn't had time/motivation to practice that in a safe environment for giving up pre-emptively.

(And the industry has done itself no favors- yes, there is an undo button, but the contexts in which it is useful and the powers it has within those contexts are not obvious even though with a plain-English reading they should be. Plus, now you have mobile-first design, which has to hide that functionality as a limitation of the user interface if it even has it at all... and every redesign that's made without actually proving it out, which UX designers love to do for some reason, chips away at the established knowledge base of a user little by little until there's nothing left.)

it’s that they see computer devices and the systems around them as too complex to understand. They aren’t.

I don't think it's that people are unwilling or unable- though there are certainly plenty of men and women who very blatantly refuse to use their eyes- but there's no obvious observable demonstration of "input A results in desired state 1", and that's coupled with "input B-Z results in undesired states 2 through 2000 and there's no easy way to go back to before making that input". So yes, "basic stupidity" is a thing that keeps people from understanding these devices, but I don't think it's the primary cause.

Speaking of physical interfaces... you ever seen what PLC programming interfaces look like? Ladder logic is arguably the most intuitive programming environment ever invented and most software developers have no idea it exists; its entire design goal is to make it as obvious as possible what input will result in what output. The only real thing you have to deal with there is the logic; more advanced things like functions become much more obvious when you can physically [or at least, as close to physically as possible- in this case, tracing a line with your eyes or finger] see what's happening and why.

No one looking at a lot full of cars doesn’t make sure the car has airbags and seatbelts and antilock brakes.

Since they're all mandated now, no one bothers. And when they weren't, people indeed chose cars without them. But those are a different issue; those are safety, and what we're talking about with IoT devices is security. Think door locks and immobilizers, not airbags and seat belts.

I think it’s a distinction without much of a difference. Security in IOT is safety from crime and hacking and so on. The point being that because of the fact that people learned about those features and why they were important, people did due diligence on making sure that those features were in the cars they bought. Sure some poorer people had to do without airbags in the early 1990s, but that was a cost issue.

I still think that it’s better to educate and demand due filling simply because the law moves much too slowly to keep up with technology and even then people making the rules often have no idea what the dangers are or how the things being regulated actually work. Having an octogenarian who has trouble with emails try to anticipate the issues of an IOT camera in your kids bedroom isn’t going to work well. Teaching parents to make sure their devices have strong password protection, good encryption, and virus protection is easier and would keep up with the field.

I also suspect that even someone who intentionally chose a car based on it having airbags and seatbelts would be incompetent at deciding which cars had better airbags and seatbelts and which cars had worse airbags and seatbelts.