This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
My read is that they literally just need to fill in that table that I mentioned on page 32. That's not a lot of reams.
I am most decidedly not a Real Engineer.
Like I mentioned, we will see if the economy of bits will grind to a halt... or if they'll take the couple days necessary to not have a default password and to write "Yes, we don't have a default password" in the table on page 32. Perhaps you could formulate your prediction in numerical terms? Maybe something about growth rates in the tech sector over the next ten years? Maybe something about stock prices and how they'll reflect this immense stagnation? Or maybe an explanation for why the market hasn't already priced this in and had a massive drop in valuations in the past week in response to oppressive new regulation?
I don't think you understand how this works if you think that this is the only necessary step once this becomes an obligation by law.
Since this is a potential liability, someone will have to be responsible for filling that form, and they'll also have to have sufficient means to enforce that the form is true. That person is most likely a lawyer and not technical themselves, which means they'll have to rely on auditors, which means not only that you'll have to pay money to get those audits done, you'll also have to find a company that will do them on the tech stack that you are running and is familiar with the intricacies of the particular legislation you're trying to abide by.
And once the bureaucratic machine gets started like this it doesn't stop, standards will get more complex, there will be people whose whole job is to ensure that they are followed and the costs will balloon accordingly.
Compliance is a huge industry. If following the law was that simple, it would not be.
Like Bastiat says, there is what is seen and what isn't seen.
What is seen is the valuation of established companies that have compliance departments and who'll be able to integrate regulation with a marginal cost change they can pass on to the consumer. What isn't seen is how much harder it is or will be to get funding for a startup that designs novel appliances because the costs to enter the market are now higher.
Weird. I hear about that from my friends in literally every other industry ever. They still seem capable of operating.
I'm always sympathetic to concerns of regulatory capture putting barriers to entry in front of small businesses. Totally agree that this is the single strongest argument against these types of requirements. I just doubt that these particular requirements are that onerous. Plenty of smaller shops that actually care about not being a security clusterfuck already do these kinds of things, and you can do most of them without too much difficulty as a hobbyist. In any event, if you're a start up that can't figure out how to not have a default password on all your devices, I actually kind of don't want you selling stuff, anyway.
Where is the innovation in any other industry over the past decades exactly? You know, since they brought these in.
How expensive is it to build a bridge now, versus a hundred years ago, adjusted for inflation? "capable of operating", what a joke.
As Kulak is fond of saying, the reason we don't have flying cars isn't that they haven't been invented, it's that they've been made illegal. They were commonly flown (and shot down) by teenagers in the 1910s.
This is the tired same equivocation that motivates all such regulatory barriers. I complain about having to fill forms, you retort about the justifications for the form existing as if I didn't also have such a concern.
There are other answers to the problems of humanity than increasing the size of the bureaucracy. Just no other that fits into managerialism.
Let's go with a simple one - the shale fracking revolution in the oil/gas industry. But nobody is actually going to go counting these things, because no one really has any sort of consistent argument for which sorts of regulations stifle innovation. Again, I totally realize that they do sometimes, in some ways. But what sort of massive innovation is going to be stifled by requiring devices to not have default passwords? Like, surely we can agree on that one. We could at least leave open arguments for other requirements, and I would welcome a wide-ranging debate on them. But if we're stuck with just theoretical arguments, totally disconnected from any specifics, in a way that can't capture basic truths like, "Being forced to not have default passwords is not a significant barrier to innovation," then we're not going to get anywhere.
Ok, so you also have a concern about default passwords. What are you going to do about your concern?
That is a fair one, but It's also a very good example of just what I'm saying. I was part of the few people on the quite unpopular side of the oil industry here in Europe in the 10s when it was banned, for the same reason I'm on this side of this issue now.
If the UK wants to make such regulations it will reap the same sort of benefits: no toxic chemical pollution or chinese crap botnets, but also no innovation in these respective sectors.
It's a choice.
You can not like that enforcing common sense rules to an industry through state mandates is a barrier to innovation all you want. It's not going to stop being true. The debate is only on the magnitude of the effect.
I don't buy chinese crap that spies on you, I tell people not to buy chinese crap that spies on you and I shame people who do so in my social circles.
Hell, I've spent years of my life writing symbolic execution software used specifically to make edge devices secure, some of which you may be using right now. What have you done?
So, will you then make a prediction along the lines of what I asked for in the OP? Are you predicting that tech companies will pull out of the UK rather than either upgrayyyeding their security practices for the world market or going with a dual product (one version that doesn't make absurdly basic mistakes for the UK market and one that does make those mistakes for the world market)?
And I claimed that being forced to not have default passwords will have an incredibly low magnitude effect on innovation. Do you actually disagree with this, or do we agree?
I do the same, but clearly that is not changing much about the world. Have you succeeded in changing the world through your evangelism?
Then I'm sure you will be pleased that this work won't be going to waste by someone shaving a few cents off of the cost of your product by putting a default password on it. Honestly, hearing this, I'm really not sure what your concern is. Is it that your company's "We're Actually Secure" marketing is going to be slightly less effective, now that the floor has been raised? Did you really think that such marketing was really of all that much value in the first place? @The_Nybbler thinks that it's completely a waste and that no one would spend one red cent more for your secure product. Do you think he's wrong?
I can easily commit to saying that no major IoT startup success is likely to be based in the UK any time soon. But that's saying nothing given they're pretty much all American already for many other reasons.
Maybe some guy at Arm will have to add one more form to some pile or something.
Europe at large is a dying crab bucket that everybody who can make things is leaving because if you try you reap only taxes and lawsuits.
That's my concern. John Galt is my concern.
Yes and no. No chinesium lightbulb maker is ever going to bother with formally proving their code is correct because they don't care. But some connected things actually need to be secure so that you don't explode, catch on fire or get robbed.
I find the actually useful non gimmicky applications of IoT are in this latter category, and that for those the customer and the manufacturer usually know better than to cheap out.
Bruce Schnier noted that California had already implemented at least the number one item. Do you think that this is enough to also say that no major IoT startup success is likely to be based in California any time soon?
I don't believe anything in this requirement is aimed at formal code verification methods. I don't think that's a requirement that is on the table anywhere, except for perhaps some niche customers (e.g., military/space). Probably not even at most "critical infrastructure" places that could blow up or whatever.
I mean, honestly, if that's about all you have to say for what results from this, that no chinesium lightbulb maker is going to meet a standard that hasn't been proposed and that some critical application spaces are going to pay for good stuff anyway, that's kind of a nothingburger? Like, abstract senses about Europe (not even the UK) and wild references to John Galt aren't really "concerns" that can be addressed in context of the very specific document that we have in front of us. It really seems like you just don't have any meaningful concern that we can investigate.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link