
Comment Fixing the wrong thing (Score 1) 99

In chapter 5 of the book, “People Before Things,” the author tells the story of an “automatic toilet” that has written instructions next to it. He (correctly) notes that, “If I have to do anything to make the toilet flush, it isn’t automatic! And, if I have to take any action, I’d rather grab a handle than touch part of the seat!” Here’s where it relates to ineffective phishing: “The thing I find remarkable about this situation is instead of having a plumber replace the toilet with a model that has a better automatic-flush design, the restaurant offers a training and communication solution.”

That about fits my experience with corporate security folks: don’t address the real problem, just throw more training, communication, and now add punishments.

Comment Cloud isn't one-dimensional (Score 1) 119

Going to Cloud with an on-prem mindset and legacy apps is definitely going to cost you more, and there is no reason for anyone in 2024 to be surprised by this.

However, this discussion forgets what Cloud is about. Some of the reasons for widespread Cloud adoption were driven by business because the on-prem model wasn't working for them. These include click-of-a-button provisioning in regions around the world, the ability to quickly stand up clones for testing, easy cross-region data replication, and high availability that most couldn't even dream about. Oh, and on-prem data centers are stupid expensive to build, maintain, and operate. Companies would also rather spend money on developers who can create new features (income) than IT and facilities staff (costs).

In my experience, many companies end up paying more for Cloud not because of ignorance but because they're leveraging features that were unavailable on prem. Similarly, the on-prem model had no cost controls or bill-back/blame-back mechanisms, and those that moved quickly to Cloud without configuring those controls in Cloud were giving carte blanche to every team that had access with no accountability. When you put all-you-can-eat in front of people, they tend to eat all they can. So if it's costing more, then that's partly on those of us who are (or have been) admins and who should have been out in the front of this instead of whining, "I told you so."

It seems to me that concepts like infrastructure as code, immutable infrastructure, build pipelines, automated deployment, and more took off precisely because working in Cloud meant doing things differently, at a scale and with flexibility that on prem wasn't matching. Good luck convincing an old-school VMware admin to give a development team access to stand up and tear down their own virtual servers. Why? Because those same admins were protecting sunk-cost, scarce resources. People complain about the cost of Cloud but what they're forgetting is that the inflexible on-prem model was hobbling business.

There will be those who argue that you can now have 80+% of Cloud in your own data center, but I'd argue that you wouldn't have those features if it weren't for Cloud and the features it has made the norm in our industry.

Comment The blame game (Score 1) 112

It seems to me the primary reason so many people turn to CrowdStrike is that virtually no one trusts MS on security*. That MS points the finger at CrowdStrike for the fault (technically correct) misses the point that CrowdStrike would be unnecessary (or at least far less popular) in a world where MS had a better reputation.

While we're playing the blame game, we have to point out that (in hindsight) the affected companies failed to have sufficient resilience in their systems and architecture. IMHO businesses that continue to use MS products in spite of its long history of security flaws have no right to be surprised that this happened. They tried to paint over it by using CrowdStrike to provide security, but clearly that didn't work, instead creating another layer of complexity and single point of failure. It's a reflection of bad technology decisions, and I'm amazed to see people just shrug this off as, "well, MS is everywhere. What are we supposed to do?"

I'm OK with the accusation that I'm unfairly kicking everyone involved while they're down, or with being reminded that hindsight is 20/20 (and often rose colored), but what is not OK is for everyone to just keep doing what they've been doing.

To be fair, there will always be bugs, flaws, and zero-day problems, but that should compel us to revisit what it means to be both resilient and secure (since they're different things). I'm not suggesting every app needs to be minimized, containerized, multi-cloud or multi-OS to be resilient, but when we combine increasingly complex tech stacks with poor planning and execution, it's not a bad idea. And maybe it also makes you less of a hostage to a particular vendor.

* so many articles, but perhaps one of the more ironic is CrowdStrike's CSO taking a swipe at MS.

Comment Re: Child Labor Laws? (Score 1) 91

Except SpaceX is in Los Angeles, in a state where the Democrats have a super majority.

As Mark Twain aptly put it, no one's life, liberty, or property is safe while congress is in session. All political parties are out for power.

I think a lot of politics is so much more explainable once you realize that it's all about power.

Comment Microsoft does the same thing (Score 1) 23

I don't get it. Microsoft has been doing the same thing forever, bundling software and services customers don't necessarily need or want. It's how they suck you into their ecosystem. Other companies also do bundling and loss leaders are also common in sales. How is this significantly different?

Comment Age-Old Question (Score 2) 120

I remember decades ago someone posed a similar question along the lines of, "if you could identify a gene for alcoholism, would you remove it?" Most people would answer in the affirmative. Then the follow-up question, "knowing a significant number of the best poets, authors, and musicians have been alcoholics, would you still risk it?"

I think there's an assumption here that I find disturbing, namely that people with undesirable traits (that we call defects) don't have value and will be altered by those who decide the level of their undesirability. That's terrifying to me.
