Conversation

Notices

1. Embed this notice
   mhoye (mhoye@mastodon.social)'s status on Wednesday, 17-Jul-2024 00:07:17 JST mhoye

   Everyone _says_ they want choices, but to a first approximation the number of people who change the defaults in any computer program is so close to zero that if the numbers were the only thing that mattered, user choice - provably, measurably - would not matter. But it does matter.

   Furthermore: if people depend on your product - not just use but _depend_ on it - then you need to know how that product operates or fails in real-world use.

   • Embed this notice
     mhoye (mhoye@mastodon.social)'s status on Wednesday, 17-Jul-2024 00:07:15 JST mhoye

     in reply to

     Way, way back in the day, there were two ideological camps at Moz on the topic of software updating.

     One camp believed in the idea of positive obligations of user protection; that developers had an obligation to proactively keep users protected from an increasingly dangerous and growing web.

     The other camp saw any less-than-consensual changes to somebody's computing environment as a personal violation, akin to a physical violation.

   • Embed this notice
     mhoye (mhoye@mastodon.social)'s status on Wednesday, 17-Jul-2024 00:07:15 JST mhoye

     in reply to

     This difference of views, decades ago now, culminated with a screaming fistfight in San Jose parking lot.

     The "winning" camp of this altercation stayed at Mozilla, and Firefox couldn't auto-update for another... twelve years? Fourteen?

     The "loser" left Mozilla and went to Google to become one of the earliest members of the Chrome team.

     You don't know what version of Chrome you're using right now. You don't care. It's just 'Chrome'.

     Matthew Lyon repeated this.
   • Embed this notice
     mhoye (mhoye@mastodon.social)'s status on Wednesday, 17-Jul-2024 00:07:15 JST mhoye

     in reply to

     And let's be 100% real about this, "Chrome auto-updates itself" is probably the most important single development in software security this century, a tectonic change in not just infosec but in how software everywhere is developed and deployed at all.

     And they don't worry about the burning tightrope problem at all, because whatever they say, Google doesn't give a single fuck about your privacy beyond protecting your data as an asset.

   • Embed this notice
     mhoye (mhoye@mastodon.social)'s status on Wednesday, 17-Jul-2024 00:07:16 JST mhoye

     in reply to

     And the combination of those two things means that if you are a big enough, important enough software project, then you can't rely on bug reports or random ragesite comments to tell you when your product is failing. You have to have telemetry. It can't be opt-in because in any scale that matters _opt-anything doesn't exist_.

     And if you also care about protecting privacy, then you start walking a burning tightrope.

     That's the job.

   • Embed this notice
     mhoye (mhoye@mastodon.social)'s status on Wednesday, 17-Jul-2024 00:07:16 JST mhoye

     in reply to

     These same conversations happened when Mozilla introduced in-product telemetry; nobody even remembers it now, but the arguments then were exactly the same.

     And then, like now, I think that the naive absolutism of free software culture, the refusal to engage with questions like this, are one of the root-cause reasons that the FSF/OSI crowd have sat out this century's most important software engineering conversations.

   • Embed this notice
     mhoye (mhoye@mastodon.social)'s status on Wednesday, 17-Jul-2024 00:07:16 JST mhoye

     in reply to

     To give you a sense of the ground that's been lost in that absolutism, I'd like to tell you a story about Early Mozilla.

     I'm going to elide some names and embellish it a bit, partly because I've only heard myself second- or third-hand and partly because like telling a good story, but as parables go I think it's informative.

     It's about automatic in-product updates, before those existed anywhere.

   • Embed this notice
     mhoye (mhoye@mastodon.social)'s status on Wednesday, 17-Jul-2024 00:07:17 JST mhoye

     in reply to

     If you have a large enough user base that people depend, for whatever personal, safety or security reasons, on your product, then I believe you have a positive obligation to those people to protect them from risks and failures they might never see or understand.

     Not because anyone's dumb or incompetent, but because those threat actors make every effort to be invisible to their victims and impossible to understand to defenders.

   • Embed this notice
     Alexandre Oliva (lxo@gnusocial.net)'s status on Friday, 19-Jul-2024 06:34:32 JST Alexandre Oliva

     in reply to
     > auto-updates itself" is _the most important single development_ in software security this century
     
     a small step for a program, a huge leap for software enshittification
     
     https://www.fsfla.org/~lxoliva/#Unshittify
   • Embed this notice
     Alexandre Oliva (lxo@gnusocial.net)'s status on Friday, 19-Jul-2024 08:23:38 JST Alexandre Oliva

     in reply to
     one of the issues that seems to be disregarded about choices is that, as software changes over time, some people who started at older versions may prefer to stick to the way the software worked for them instead of learning to live with the new choices suggested on them. legacy, compatibility, past knowledge are all thrown under the bus of "shiny new shit". it gets worse when users are powerless to avoid the changes pushed onto them.
   • Embed this notice
     Alexandre Oliva (lxo@gnusocial.net)'s status on Saturday, 20-Jul-2024 03:36:23 JST Alexandre Oliva

     in reply to
     would you like to revisit your statement about the wonders of auto-updates in light of today's global meltdown enabled (caused?) by auto-updates?