a reckoning for tech by the humans that work with it

Game over, man. Game over. TR Dispatch v2n12

The TechReckoning Dispatch. Vol. 2. No. 12. August 24, 2015. In this issue: I don’t shut up about The Reckoning; Security, Game Over edition; Amazon eats its own; Post-AWS World; Web Ads Still F’d; Apple Watch; Why Windows? QotW: VMworld vs something else? Good news, everybody: this newsletter contains only a homeopathic amount of Docker. [View in Browser]

The Reckoning

The Reckoning is heating up.  Some of the talks you’ll see: Keith Townsend (ex-PwC) talking about how to talk to execs about IT-business alignment. Melina McLarty (VMware UX) about customer-driven design. Karen Lopez on being an independent consultant. Francine Hardaway on leadership and entrepreneurship. And Jim Colwick with an interactive exercise about how to get from where to are to where you want to be. Amy Lewis, Matt Brender, and Kat Troyer are also cooking up some experiences for us. We’ve already talked about Alessandro and Storagezilla. And Scoble will be wrapping it up. I’m pretty sure Code for America is going to come, and we’ll also hear from the non-profit NGO-enabler TechSoup.

If any of this piques your interest, I encourage you to invest in yourself and come to The Reckoning. Ticket prices are $399 + fees, and that includes great meals and drinks. (Don’t be too hungover – the content is that good.) I’m not going to high pressure anybody and imply you’re going to get a raise or a promotion because of the conference, but it will put you closer than if you re-binge-watched Mr. Robot that weekend looking for all the times nobody was quite looking at Christian Slater.

If finances are an issue, Angelo Luciani and Patrick Kelso have generously contributed towards one person’s travel stipend and I’ll throw in a free ticket. Email me if you (a) really want to come and (b) would be willing to accept our gift.

Internet of Hacked Things

It seems clear that we, as a species, are incapable of securing ourselves against unwanted action. In the physical realm, this has long been known – just ask a locksmith. Locks are there to keep out the curious, not the determined. Or I suppose to a greater degree ask the police or the military or Thomas Hobbes: security is a result of more a mindset and a social agreement than some absolute law of the universe.

So if we’re comfortable with the notion that our deadbolt mostly makes us more comfortable sitting on our couch but does little to secure our jewelry and iPhones, why on earth do we think anything electronic is secure?

We’re just past DEF CON and Black Hat, and we’ve had a series of 0-days and breaches in the headlines. After considerable research, I have come to the following conclusion:

Just like Bill Paxton in Aliens, it’s game over and I don’t know what the fuck we’re supposed to do.

The Internet of Things means that every object on the planet now is going to have a chip and an Internet connection, and they’re all going to be hacked, including medicine delivery pumps and running jeeps.

I read articles like this just like I look at pictures of spiders on reddit. Ten scary hacks I saw at Black Hat and DEF CON by Lucian Constantin at Network World. The ten hacks are:

  1. Hacking your car. See above. 1.4 million Chryslers recalled. Been talked about for 10 years. He doesn’t even mention the guy that implied he can do the same thing to airplanes. (Entertainment & control systems on the same network!?! It’s like they’re not even trying.). Oh, and if your insurance offers you a monitoring box? Can be hacked to take out your brakes. Lots of Uber drivers are using this.
  2. Rootkits on our CPUs. This one may not have been fixed in 2011. However, Intel is also doing something similar on purpose — OEM crapware in the firmware so that it survives a full clean Windows install. They broke it deliberately.
  3. Tons of Android exploits. There was a new one this month.
  4. Rifle scopes (it had Wi-Fi)
  5. Active Directory credentials being pulled off cloud servers by exploiting an SMB feature
  6. Car key and garage door opener replay attacks
  7. Safe cracking (said safe runs Windows, Flash, and has a USB port. OMG. It’s like they’re not even trying. I always thought the safecracking gadgets in the movies were fiction. Turns out, nope.)
  8. LTE modem rootkits. OMFG. Everything is going to have LTE unless it has Wi-Fi.
  9. Drones. Duh. (Wi-Fi with an open telnet port)
  10. Twenty-five different IoT zero-days, including fridges, scales, home automation devices, cameras, thermostats, baby monitors.
Let alone misbehaving robot vacuums that eat your hair.

It’s not like we’ve got the regular Internet figured out either. Mary Ann Davison, Chief Security Officer of Oracle, posted a ranting blog post one recent night that was pulled down the next morning. It was dripping with condescension against security researchers and Oracle customers for doing any security testing or reporting, with the excuse that the customers were violating their EULA. Most security types immediately hooted and thew Twitter poop, which actually was the appropriate response, but Chris Wysopal from Veracode laid out the reasonable response at Recode: Software Security: On the Wrong Side of History. Oh, I can’t resist, just read some of the crazy stuff. I am a fan of execs being straight shooters in blog posts, but you do expose what you’re really thinking when you do that. “Don’t worry your pretty little head about security. We’ve got it covered.”

Q. Surely the bad guys and some nations do reverse engineer Oracle’s code and don’t care about your licensing agreement, so why wouldyou try to restrict the behavior of customers with good motives?

A. Oracle’s license agreement exists to protect our intellectual property. “Good motives” – and given the errata of third party attempts toscan code the quotation marks are quite apropos – are not an acceptable excuse for violating an agreement willingly entered into. Any more than “but everybody else is cheating on his or her spouse” is an acceptable excuse for violating “forsaking all others” if you said it in front of witnesses.At this point, I think I am beating a dead – or should I say, decompiled – horse. We ask that customers not reverse engineer our code to findsuspected security issues: we have source code, we run tools against the source code (as well as against executable code), it’s actually our  job to do that, we don’t need or want a customer or random third party to reverse engineer our code to find security vulnerabilities. And last, but really first, the Oracle license agreement prohibits it. Please don’t go there.

It keeps going: Malware on your home router from Jeff Atwood. Welcome to the Internet of Compromised Things and on your work router — here’s a nasty Cisco Hack noted by Bruce Schneier on his blog. He implies that state actors appear to be rooting device firmware.

Here’s a really interesting article on the hacking group that took out Xbox Live and the Playstation Network on Christmas a few years back. Turns out it was good business. The year of the Lizard Squad by William Turton at the Kernel.

“Microsoft and Sony are fucking retarded, literally monkeys behind computers,” Omari, who—contrary to previous reports—operates under his real name and serves primarily as the group’s spokesperson, told me shortly after the attack. “They would have better luck if they actually hired someone who knew what they were doing. Like, if they went around prisons and hired people who were convicted for stuff like this, they would have a better chance at preventing attacks.”
Early Notes on the Ashley Madison Hack by John Herrman at The Awl.
This, on the other hand, is basically unprecedented? Most leaks of this size don’t implicate people in anything aside from patronizing major companies. This is new territory in terms of personal cost. The Ashley Madison hack is in some ways the first large scale real hack, in the popular, your-secrets-are-now-public sense of the word. It is plausible—likely?—that you will know someone in or affected by this dump.

Amazon is a great? horrible? place to work?

The NYT article on Amazon is worth reading if you haven’t yet. Skip over the orientation stuff – I read it as standard corporate culture happy times – and check out the crying at desks, the “why did you turn off your phone over the weekend” questions, and the (illegal?) “you may not be cut out for this job if you’re having kids or getting cancer”. If you haven’t been following the story, here’s a good explainer from Vox. Why the New York Times’s Amazon story is so controversial, explained by Ezra Klein.
The employee LinkedIn rebuttal is really sort of crazy-town in its lack of empathy to any system problems that might be happening. Also (a) it was written over the weekend, (b) it talks about data a lot but mentions none, and (c) from my reading is slightly creepy/culty.

There was a lot of pearl-clutching from other techie types, almost as if they thought the article was about them and the meritocracies they run. Silicon Valley Thinks Amazon Sounds Like a Great Place to Work by Peter Kafka at Recode.

This is one of those stories where this whole modern online/social thing works, because many places still have comments. I spent a few hours reading the comments, so you don’t have to (but feel free to skim: Hacker News, Seattle pub GeekWire, Jeff Jarvis’s BuzzMachine apologia, Scoble’s Werner-is-a-good-guy comment on Facebook, and a compilation of Amazon employees writing to Gawkerover the years.

From reading the comments, many from ex-employees and Seattle residents, and using Occam’s razor, I deduce:

  1. There are at least three Amazons — the engineering side, the retail/business side, and the warehouse side. Look critically at the personal experiences you hear, and where they’re coming from. The engineers seem to be treated well. The business side is a white collar high-pressure cooker, and the warehouse jobs seem right out of The Jungle.
  2. The high-pressure stuff is real. Anecdotes from former employees, their families, neighbors, landlords, and recruiters seem to be consistent, as are what stats we have on length of employee tenure. There are many people who will warn you away from working there, and many people burn out faster than they vest or even past their relo package payback period. It may have gotten better recently.
  3. The number of people who commented that they think Amazon is 100% evil based on a single article and 100% good based on the employee’s rebuttal is Too Damn High. People need a media literacy elf, who, like a Laputan servant in Gulliver’s Travels, would stand by their master with a bladder filled with small peas or pebbles, and smack them upside their head each time they read a one-sided media article to remind them to think critically.
  4. Let’s also not forget the warehouse situation is horrible, as is a lot of retail and warehouse work in the US right now. Scheduling your hours under full-time hours so you have no benefits, swing shifts, split shifts, keeping you mandatory extra hours that you’re not on the clock. Also the blue collar folks have a lot less mobility than the white collar folks. This is Amazon’s problem but it’s also a broader US problem.
  5. I don’t think I want to work there.
There’s some stuff here to say about denial, projection, Silicon Valley self-image, some geek manager fantasy-world where people don’t get sick or have babies, and an ignorance of how real-world power dynamics work (e.g., asking why don’t people report it? Or leave? It’s never that simple.) There is also some invisible stuff packed in here about the following scenarios are all treated different inside people’s heads:
  • Nutanix and Pure Storage sprinting at an IPO, and people signing up for 4 years of sprinting and IPO upside. (Disclaimer: VMW IPO helped us buy our house.)
  • The work culture at big law, consulting firms and Wall Street, especially for junior people (up or out has been around for a long time there, but also associated with big paychecks).
  • Amazon requiring the same sprint at 150,000 people (and a much lower comp package, even wtih RSUs)
  • HP or Microsoft being made fun of for being slower and sleepier, despite having better work-life balance and benefits.
What do we sign up for when we sign up with a company? How much pressure is “normal”? Mix that all in with a culture where women throw up their hands when they can’t do it all (great essay by Georgetown professor Rosa Brooks: Why “leaning in” is killing us) and the general stinginess of paternity/family/disability leave in the US, and I’m starting to think our work culture might not be entirely healthy.

Worth A Click

What if the thing that disrupts AWS isn’t something that looks like AWS at all? What if it’s PaaS-ish or Mesos/Kubernetes-ish or at least means you don’t have to Care about G-D flaky crashy noisy virtual servers that suck? What if “designing for failure” is actually too hard for mere mortals? Lessons from the cloud bunkerby Subbu Allamaraju
Here is the net lesson. Having things that fail as the primary interface to cloud may have been an acceptable cloud strategy in 2005, but not anymore.
There was a second article that I lost somewhere that was in the neighborhood talking about PaaS to replace AWS, so I hereby declare a post-AWS trend is coming. Watch for it.

This just in; web still sucks; pundits are stating to say that it’s ok to turn on your ad blocker.  The ethics of modern web ad-blocking from Marco Arment.

I’ve never been tempted to run ad-blocking software before — I make most of my living from ads, as do many of my friends and colleagues, and I’ve always wanted to support the free media I consume. But in the last few years, possibly due to the dominance of low-quality ad networks and the increased share of mobile browsing (which is far less lucrative for ads, and more sensitive to ad intrusiveness, than PC browsing), web ad quality and tolerability have plummeted, and annoyance, abuse, misdirection, and tracking have skyrocketed.
Last time I opined that Facebook was the winner in this thing. But Media Literacy Elf also muses on the fact that iOS 9 is coming out soon, and Apple has a vested interest in screwing with Google and web ads. q.v.
What The Ad Blocker Debate Reveals by Jean-Louis Gassée at Monday Note.

TechReckoner Michael White on why he likes his Apple Watch. A nice detailed list of what works and what doesn’t if you still wanted to drill down on this version one product. (BTW, Michael’s newsletter continues to be excellent for the vSphered amongst us. Recommended.)

Who is the Enterprise Perez Hilton?

If we wanted to go there, we could talk about Pure Storage caught with its pants on fire or Nutanix and Storage Review fighting or the executive revolving door at theEMC Federation, but I’m pretty sure you can get all those stories by the grocery store checkout. Also by this time next year, none of that will matter. All we are is dust in the wind.

Always Read The Comments

Last time we asked why on earth you’d build a Windows app in 2015. Looks like there is no reason. Damien Karlson came in with this:
I have no idea. In fact, just the other day I was using Google Docs to make a spreadsheet and it occurred to me how functional that damn thing is. Why do I need excel, except for the whole passing docs back and forth thing? I don’t think I’ve ever seen an app on either Windows or OSX that allows live collaboration on a shared document. We’re living in the future and don’t even know it.

Catching Up with John

I will be at VMworld with a press pass. Love love love to catch up. Sept 13-14 is The Reckoning 2015, Sept 23-25 is SpiceWorld, and November 19 I’ll be at the UK VMUG UserCon (nice writeup from @Rimmergram) with the lovely Kat.

Recent Geek Whisperers: Bringing people together is Not Marketing with Amy Hermes – Ep 93 and We Need to Speak Differently – Technical Marketing with Tyler Hannan – Ep 94.

Just Hit Reply

I’ve heard from lots of regulars that are not going to VMworld this year. So our question: If you are going to VMworld, what are you looking for? And if you are not, what is the new “It” conference? (The correct answer is AWS re:Invent but let’s see what you think.)

The TechReckoning Dispatch. ArchiveSubscribeEmail meThe Reckoning 2015. Thanks so much. Really appreciate all the kind words that get mailed to me, and  I”m glad you like the newsletter. “These ambiguities, redundancies and deficiencies remind us of those which doctor Franz Kuhn attributes to a certain Chinese encyclopaedia entitled ‘Celestial Empire of benevolent Knowledge’. In its remote pages it is written that the animals are divided into: (a) belonging to the emperor, (b) embalmed, (c) tame, (d) sucking pigs, (e) sirens, (f) fabulous, (g) stray dogs, (h) included in the present classification, (i) frenzied, (j) innumerable, (k) drawn with a very fine camelhair brush, (l) et cetera, (m) having just broken the water pitcher, (n) that from a long way off look like flies.”