Patterns All The Way Down

I’m gratified that a few people took my advice from last week to reconsider their password manager. Hopefully it makes you a little better able to deal with whatever gets broken next.

Right-to-repair moves ahead, or hits a snag, depending on how cynical you are.

ChatGPT doesn’t change the infosec threat landscape in any way that’s important, which is handy because all our cars can be pwned over the Internet.

IBM will make a bunch of money, Jack Ma will make less, and no one has any idea what Musk’s Twitter is doing, least of all Musk.

I have a 1968 paper on system design for you to read, and a column about how nothing much has changed since then but maybe we can use this information to do something useful about it.

Things to note

John Deere has graciously allowed US farmers to repair their own tractors. This looks like a last-ditch effort to avoid or delay broader right-to-repair laws getting passed. Guess who gets to define what a “trade secret” is?

cROw refuses to bow to AI overlords like ChatGPT. I’m inclined to agree. Worry less about stochastic parrots and more about getting the basics right. Like asset management, patching, and using MFA and password managers.

IBM has a new 5 year whole-of-government deal with the Australian government worth about $725 million. The previous 5 year deal was supposed to be about $1 billion, but cost more than twice that, so IBM should make a cool $1.5 billion at least out of this one. The DTA did the negotiations, so it might end up as $3 billion.

Jack Ma is no longer the boss of Alibaba/Ant Group. This has been coming for a while. Chinese regulators halted the Ant Group’s IPO in 2020, and Alibaba removed all the Ant executives in August 2022 (as covered in The Crux #5).

Logistics tech looks to be booming as the pandemic exposed how brittle everyone’s supply chains were. I’m old enough to remember when Electronic Data Interchange (EDI) was going to fix everything forever. (h/t to a reader for bringing this one to my attention)

GigaOm have published a research report I did on Data Processing Units (DPUs). Looks like GigaOm are still running a 3-month trial subscription if you want to check it out.

CircleCI have published a detailed incident report on their recent data breach. The attacker breached an employee with privileged access, waited for them to log in, and then copied their session cookie to a remote system. The authenticated cookie meant they could pretend to be the employee. Kudos to CircleCI for publishing all this detail and clearly explaining what happened and how they responded. Lots of other companies could learn from this example (coughOptuscough).

It looks like the tech in everyone’s cars is full of security flaws. Some are better than others, but maybe connecting a car’s control plane to the Internet isn’t such a great idea?

Twitter deliberately cut off third-party client access with no warning and no explanations. It’s still broken when I checked Tweetbot just now. I don’t really look at Twitter any more and now I have even less reason to.

Longer reads

You might know of Conway’s Law: “Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization’s communication structure.”

It’s sometimes abbreviated to “software companies ship their org chart”.

The idea is from a 1968 paper by Dr Melvin E. Conway titled How Do Committees Invent?

The paper was cited by Fred Brooks in his excellent book The Mythical Man-Month: Essays on Software Engineering, and Brooks first called it Conway’s Law.

Conway’s Law applies to all systems, though, not just software systems. It’s worth reading the actual paper and absorbing this broader point.

Weekly tip: Rhyming with history

Allegedly Mark Twain once quipped that “history doesn’t repeat itself, but it often rhymes.” The older I get, the truer this seems. Possibly because I have more direct experience of history to compare with the present day.

Another of my favourite quotes (I have a list) is attributed to Aldous Huxley: “That men do not learn very much from the lessons of history is the most important of all the lessons that history has to teach.”

If we combine these two observations, we note that the same things keep happening, and most people don’t notice or don’t care. An optimist might see opportunity here.

As the above paper by Conway from 1968 illustrates, human nature and its effect on system design hasn’t really changed in at least the last 50 or so years. It is unlikely to change before your next project is finished. You can learn from this, and use that information to your advantage.

Even if—and this is important—other people don’t learn the lessons of history and insist on shoving beans up their nose, despite the abundant historical evidence that it doesn’t help. Unless your goal is to have a nose full of beans, which is less rhyming and more of a cover version or homage, only with more snot. But I digress.

Knowing that a bunch of people will embrace the nose-beans lifestyle is also information you can take advantage of. You can know that people will feel better about approving a report if they’ve found a mistake you deliberately inserted for them to find and correct. You can know that people will spend a breathtaking amount of time arguing about specific words in the fifth paragraph of a press release that no one will bother reading and budget accordingly.

How we approach system design should take into account how little about system design has actually changed in the past 50 years, and why that is. If we don’t take it into account, we’re really just shoving beans up our own nose.

What we choose to do with this information is quite another thing, however. As the saying goes, if you can’t be part of the solution, there’s good money to be made in consulting.

Or we could anticipate what people usually do when we try to change things to make change more likely. Maybe getting an external consultant to write down what internal employees have been saying for years is how you get senior executives to listen to them? Maybe starting to fix things is more useful than arguing about who has the crappiest job?

This knowledge can be used for good or for evil, of course. But it can also free us from worrying unduly about the nose-beans people and concentrating on finding our collaborators and partners-in-crime. We can find people who help rather than hinder, and spend more of our time with them. Even if nothing changes, at least it was a more pleasant way to spend our limited time on this Earth.

A paranoid person might note that by writing about this human nature stuff in this column, I obviously know about it and probably took it into account when writing the column. They might then wonder what I was trying to make them think.

I also know you know that, so I guess we’ll just have to trust one another and hope for the best.

See Also

Related items

Commvault Releases Metallic ThreatWise To Detect Threats To Your Data Early

21 September 2022

Data protection vendor Commvault has released Metallic Threatwise, a SaaS add-onfor Metallic that detects intruders when they first enter the environment.

Rearranging Deckchairs

11 July 2022

Lots of (in)security news, valuation shenanigans, and a smidgen of antitrust.

Fungible Can Be Anything But What Is It Today?

21 April 2022

Fungible believes the future of infrastructure is composable and scale-out based on DPUs. But what is it today?