This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
The "S" in IoT stands for Secure
Boy, looong ago now, I broached the topic of security standards for techno-mabobs. At that time, I mentioned that the UK was considering some legislative proposals on the matter. I can't find the comment where I described what I viewed as the core driver of the tension over the topic - the culture of tech folks. That is, they are so used to the 90s consensus that software is gee wiz magic that is pure and sanctified, is the solution to world peace and all of life's problems, and can never possibly be the cause of anything bad, ever. The 90s conclusion was that government absolutely can. not. touch it. Hands off. No regulation whatsoever. No liability whatsoever. No matter what happens, they must have an absolute immunity stronger than even the strongest version that Donald Trump could have ever dreamed of claiming.
Justifications for this view have shifted, but I've always felt they've had a flavor of, "We can't be regulated! We're
autistsartists! We make unique snowflake masterpieces! We have to move fast and break stuff! If we're ever held accountable for breaking anything, even for the most egregious of practices, then the entire economy will grind to a halt!" Whelp, after years of incident after incident exploiting the IoT-of-Least-Resistance, including things like ransomware takedowns of major corporate networks and huge botnets of smart refrigerators, we're about to see how true that really is.Hitting the wire last week, the UK has dropped regulation for smart devices that are sold there. In my original comments five years ago, they were proposing three items; I had only asked for one (the most incredibly basic one - don't have every bloody device have the same default password). I really feel like it's a case of, "If you resist and throw enough of a shitfit over the really simple stuff, it's going to come back around in a much stronger way that you really won't like." The full document of "Baseline Requirements" speaks to fourteen items:
● No universal default passwords
● Implement a means to manage reports of vulnerabilities
● Keep software updated
● Securely store sensitive security parameters
● Communicate securely
● Minimize exposed attack surfaces
● Ensure software integrity
● Ensure that personal data is secure
● Make systems resilient to outages
● Examine system telemetry data
● Make it easy for users to delete user data
● Make installation and maintenance of devices easy
● Validate input data
● Data protection provisions for consumer IoT
Each area is broken down into one or more specifics. There's a helpful table on page 32, detailing whether the requirement is Mandatory, Recommended, and/or Conditional. This is important to know, because a bunch of them are truly just recommendations, but even many of the ones that are Capital M Mandatory are also Conditional, which is actually displaying quite a sense of care about the diversity of devices and possible situations. For example, they acknowledge things like "constrained devices", which is a "device which has physical limitations in either the ability to process data, the ability to communicate data, the ability to store data or the ability to interact with the user, due to restrictions that arise from its intended use". Here, they give some explicit examples, like "The device cannot have its software updated due to storage limitations, resulting in hardware replacement or network isolation being the only options to manage a security vulnerability."
I think this truly is a culture war between the culture of technokings and the culture of They Can't Keep Getting Away With This, and no culture war offensive ever comes without a counteroffensive. Will major corporations, either American or Chinese, bow the knee? Will they pull out of the UK in a weird, polar opposite anti-security stance to the position that has led other companies to pull products like Signal/Telegram from countries that threatened to make them less secure? The UK may be the sixth largest economy in the world by GDP, but that's still only about 4%. Will they go full tizzy and make separate products, where the secure versions go to the UK and the less secure versions go elsewhere? If they don't pull out and don't make different versions, than everyone in the world just got a huge security upgrayyyed. If they don't pull out and make different versions, other countries have a green light to mandate that they should also get the good stuff. So, if they're even thinking about pulling out, they've gotta rally the troops, punish any defectors, and really make the UK feel blockaded as a warning shot to the rest of the world.
My guess is that they'll bow the knee and just do this stuff for everyone. It's pretty much all stuff that everyone has known that they should be doing for quite a while now. Will it cost a little extra? Sure. Will they have to deal with some annoyed developers who feel constrained by law, as basically every other industry ever does, and eventually have to bring their culture into the Industrial Age? Sure. I doubt that having to pay $9 for a smart plug instead of $6 is going to change much about the economics of wiz bang gizmos... but it just might be a step toward not having newspapers filled with nightmare exploits causing millions in damage... at least not every week.
The cost of compliance -- which is to say, the reams of paperwork and signoffs necessary -- will make this impractical for startups. The large companies making this stuff will do it -- eventually, with the UK getting delayed releases. The Chinese knockoffs will continue to be sold unlawfully, and a lot of new stuff just won't appear in the UK at all.
Sneer all you want (I guess you're a Real Engineer), but I think a big reason bits have continued to grow while everything else has stagnated is the regulators haven't caught up with the bits yet.
My read is that they literally just need to fill in that table that I mentioned on page 32. That's not a lot of reams.
I am most decidedly not a Real Engineer.
Like I mentioned, we will see if the economy of bits will grind to a halt... or if they'll take the couple days necessary to not have a default password and to write "Yes, we don't have a default password" in the table on page 32. Perhaps you could formulate your prediction in numerical terms? Maybe something about growth rates in the tech sector over the next ten years? Maybe something about stock prices and how they'll reflect this immense stagnation? Or maybe an explanation for why the market hasn't already priced this in and had a massive drop in valuations in the past week in response to oppressive new regulation?
I don't think the "detail" required is going to fit in that table. So it's going to be a reference to some much longer document which explains each item, in language understandable to regulators. And then all this will have to be reviewed by a lawyer specializing in UK regulations. And every time a change is made to the device, the document will have to be audited to ensure there's still compliance.
Of course just this one document isn't going to do much, aside from make new IoT devices less available in the UK and other countries adopting it as mandatory. The more regulation in more countries, the more the works get gummed up.
The good news is that it reads like they're expecting that companies will just publish this document on their website along with other support documentation. So, it won't be long until we get to see some and find out whose prediction is closer to accurate. As for the prediction of availability, would you like to predict anything specific about companies pulling out of the UK market?
If it's really so easy there won't be any problems. But I'm pretty sure, given the absolute glee expressed in your original post, you know it isn't.
I don't follow your line of reasoning. Can you speak plainly, please?
Your original post expresses considerable contempt for "tech folks" and demonstrates absolute joy for us having regulation "dropped" on us "in a much stronger way that you really won't like." This really doesn't fit with an idea that you think the regulations will be anything like easy or simple to follow -- rather, you actually think they will be difficult and painful to follow and are joyfully anticipating the pain it will cause.
Yeah, regulation sucks. It's terrible that in the "real" engineering professions, you need a minimum 10 years of experience before you're allowed to do anything more than turn the crank on well-tested models to determine if some very slight variation of an existing thing meets all the requirements, and then fill in all the boxes on the paperwork to maintain traceability. Doing that has high costs; applying those costs to the software industry as a whole will cause it to stagnate.
This does not follow. It's just a non sequitur. It can be easy and simple to follow, but incredibly grating to the personality of "artists". They don't like coloring inside the lines, even if it's easy and simple to follow.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link