This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
- Shaming.
- Attempting to 'build consensus' or enforce ideological conformity.
- Making sweeping generalizations to vilify a group you dislike.
- Recruiting for a cause.
- Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
- Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
- Be as precise and charitable as you can. Don't paraphrase unflatteringly.
- Don't imply that someone said something they did not say, even if you think it follows from what they said.
- Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Some thoughts on the infamous OPM e-mail:
The OPM e-mail asking federal employees to send a five bullet point list of what they achieved in the last week to an OPM e-mail address apparently controlled by Musk and/or @DOGE has turned into an even bigger scissor statement than is usual for US partisan politics. What is going on? (Well, it seems like it was an unconventional proof-of-liveness check on the federal employee base with no plan to read the responses, but I am more interested in the response.)
First point - if this came from management, it would be a completely reasonable request. It would be odd if it came from senior management rather than your direct line manager (does a top executive have time to read all those replies?) but not necessarily irregular. It is the kind of thing I can absolutely imagine the CEO doing at a founder-mode startup with a few thousand employees. But it didn't come from management. It came from HR (literally, in the sense that the sender shows up as "HR" in Outlook, and in practice in that it came from OPM, which is effectively HR for the civilian federal government). Indeed, it came from an anonymous role account in HR. (Musk tweeted that the e-mails originated with him, but two courts have ruled, at Musk's request, that Musk is a notorious shitposter and it is legally unreasonable to take a Musk tweet seriously, so they are still legally anonymous)
If I received such an e-mail from HR in my day job at a bank (and I don't think any other large manager-mode organisation would be different), it would be unprofessional to do what the e-mail says and send a quick response cc my direct line manager. In a normal corporate (or, I assume, public sector) environment, you take at least some steps to make sure you don't accidentally become a patsy in someone else's political maneuver against your boss or department. So if I got such an e-mail, my immediate response would be to forward to my line manager* with a note saying something like "Not sure what is going on here - will hold off on replying until you are able to investigate" - and if I did eventually reply, I would agree the response with my manager. But the more likely outcome (unless senior management had been warned about the exercise beforehand) would be that the rapid large-scale escalation would lead to the head of the department sending an all-staff e-mail saying "Please don't respond until we have investigated what is going on here" and trying to get hold of someone in the CEO's office urgently. (And struggling to do so, because every senior manager in the organisation would be doing the same thing).
And this is just looking at the office politics perspective. From the infosec angle, this is worse. The e-mail said "don't send classified information", but if you work in a job where you are actually trying to keep secrets, there isn't a short, safe unclassified summary of what you did last week. I am not an expert on the US classification system, but I do know that producing an unclassified summary of classified information (including, for example, the classified information you worked on in the last week) is difficult work that only a few people in each department are qualified to do. The rule in corporate finance departments at banks (where almost all staff have access to market-moving non-public information such as upcoming mergers) is "Do not discuss live deals with anyone outside the department, even in general terms." For a corporate financier, sending a meaningful response to that e-mail would be a firing offence. The various department heads (including Trump's own political appointments like Kash Patel) in national security related departments who told their staff not to respond are doing the obviously correct thing.
tl;dr - the freakers-out are right - sending out an all-staff e-mail of this type from HR was irregular, and would have been massively disruptive to any large organisation other than a startup used to working around a hyperactive micromanaging founder-CEO.
* If the rumours are true that Musk is sending these e-mails from a jury-rigged server rather than an official secure US government system, then the e-mail would show up as external in Outlook, and my actual immediate response would be to report it to IT security as a possible phishing attack.
This is such a non-issue in my opinion. The correct analogy would be that you receive a phone call directly from the CEO's deputy, where he verifies his identity, and tells you "you're about to receive an email saying...". In such a situation, I imagine the calculus would be different. Reporting it as a phishing attack would be malicious compliance or outright disruptive and you should expect to be on the CEO/deputy's shit list.
I'm sure there are a lot of things DOGE intends to do with this special project. Identifying the most disruptive federal employees is hopefully at the top of this list. The best strategy for any fed employee is to keep their head down and get lost in the hundreds of thousands of other low level fed workers. The email is brilliant because this stuff is like catnip to the most ideological of Trump's enemies. They literally can't resist fighting back and "Resisting". It's truly a brilliant move.
This is the setup to actual scams.
Not that step 2 is typically an email from HR. The usual point of these scams is to trick you into thinking you should open and respond to an external email.
That's not quite the analogy. The CEO announced publicly that he would be sending emails. So, sure, employees know that the CEO is sending an email and to expect one. But external phishers also know that employees are expecting an email from the CEO.
Generally speaking, at scale getting employees not to divulge sensitive information to phishing attempts is a really hard problem. Even giving very specific, clear instructions (expect it in this time interval, from this domain, from this identity) is going to fail, because it always fails, even when dealing with workers with high technological and intellectual capacity. The only thing that kind of works is "don't trust anything from external domains."
If that email didn't copy at least 1 person in my direct management chain, it would be extremely irregular.
The main reason, of course, is that if the CEO or his deputy wanted me to do something, he would want to direct my management chain to make that happen and to supervise it and to remove any roadblocks.
My guess is that part of the idea is to route around management. Presumably do-nothing employees are already known to their managers, but have been receiving some sort of protection for years.
Which is a recipe for failure.
Depends on if the CEO's deputy is in my management chain. If the CEO asks me for a status report it's weird, but sure, he gets it. But if e.g. the VP of a division not my own sends it, that's a different question.
Eeeeeeh. I'm generally pro-DOGE, but I don't think you appreciate the justified paranoia of the average federal employee or contractor. Because the relentless phishing attempts are truly out of this world. And it's not beyond the capabilities of our adversaries to take whatever email DOGE is sending out, and then create a phishing template out of it. The fact that Elon tweets so damned much about everything he's doing just makes this all the easier.
Add to that the fact that they get training monthly about cyber security best practices, usually with an emphasis on phishing. Add to that the typical level of incompetence in the government.
Thankfully this had nothing to do with national secrets, but I was at a federal museum in DC once. I had to scan a QR code to pull up the webpage to pay for tickets to a specific exhibit. I had a shitty old phone with a 3rd party QR scanner. Unknown to me, since I used it so rarely, the QR scanner had been turned into malware. I scanned the code, and instead of giving me the URL it represented, an ad appeared pretending to be the link I scanned. I only know this in retrospect. It took me to a suspicious looking website asking me to sign up for something with my credit card. Doubtful, I showed the person at the desk with the QR code directing people how to buy tickets. They squinted at it for a moment, and then confidently told me it was the correct website. It wasn't, it stole my credit card, I didn't get tickets, and they just shrugged. I had even shown them the website twice thinking that it really didn't look right. I should have trusted my gut, but my wife was riding my ass to stop being paranoid and just get the tickets already before they sell out, and our kid was hungry and bored. It was a frustrating lesson in trusting my gut and ignoring everything else.
I get phishing emails as a contractor literally every day. I work at a small company. I know literally everybody in the company. I know the people in these emails are fictitious. Sometimes I get emails "from" people who actually work at the company asking for shit it's nonsensical for them to ever ask for, with a replyto that's bullshit, or some url shortening link that they'd never actually use. Or other shenanigans. It never ends. I'd say I'd seen it all, but once or twice a year they come up with something new that really gives me pause.
Eventually you just get worn down, and you start to ignore everything that isn't from a known point of contact, preferably not even over email. Slack is preferred in my organization.
Ideally this is the sort of thing cryptographic signatures are supposed to be good for. "Email from the CEO asking us to buy gift cards? Did he sign it with a valid RSA key that is signed by our CA? No? Then I'll just wait for clarification."
Even though much of the infrastructure for this exists in the large organization I work in, it doesn't get used for the broadcast emails that go to everyone (actually, a small subset are, but only one department seems to care), even though it would seemingly be useful. But I suppose the crypto dream of the '90s will always be "the future" because ~~normies~~ non-nerds don't understand or appreciate it.