-
Now they've resorted to trying to scare people into upgrading for "Security" reasons...
As there are veritable and independently discovered vulnerabilities in the software it's not "scaring".
IT is becoming / has become a commodity product. The "IT fan boys" that experiment and learn lots of applications, graphic arts, programming, etc., are now a tiny minority.
The mass adoption of IT by everyone and their grandmother means they just want to be able to to do their everyday shopping and other errands online with as little confusion and hassle as possible. So, we end up with massive whiteout on the whole monitor, with a single checkbox in the middle: "Would you like fries with that?" -
Well, at least we own our terminals, a nice shinny glass back smart phone... and, we no longer need an acoustic coupler to use the phone line for data.
How many of us actually own even that... how many are on some kind of monthly paid plan?
You are right, I stand corrected.
Perhaps too many do not have the math skill to determine the cost of that "free" phone, and too many do not have the patience to save up for a phone and save some money. I suppose that is the live-long punishment for not learning math.Most people.
And regular cash flow is what subscriptions and monthly payments are all about.
...
I came across an article about a month ago that more and more sneakers and sweaters are purchased using installment payment. There are so many that a simple search come up with "12 buy now and pay later shoes stores" (I am not putting a link here to prove my assertion- I don't like the idea and I don't want to give them free advertisement. If you don't believe me, do the search yourself.)
I suppose the idea of Personal Computer that one owns running software that one owns is indeed thing of the past.
-
I suppose the idea of Personal Computer that one owns running software that one owns is indeed thing of the past.
And in the future or even already happening (not sure), these so called Smart Medical Implants or IOT Body Implants thingy and similar stuffs, that are hooked up to the net/cloud, made me cringe and had goosebumps every time I think about it. -
I suppose the idea of Personal Computer that one owns running software that one owns is indeed thing of the past.
Fortunately there's GNU/Linux and most commodity software has an opensource version...
-
Keep in mind too, there is plenty of "vintage" software that is perfectly fine. If you have a Mac you probably are SOL as Apple doesn't care about backwards compatibility, but wintel has been quite good on backwards compatibility. Probably the most difficult problem is the x64 mode not supporting 16 bit software issue. But dosbox is pretty good in most of these cases. I'm still amazed that today's PCs still essentially have an ISA bus. It's not a bunch of card slots like before but it is there.
I still run and use "vintage" software. For much of it, the original developer isn't even in business anymore. Just this week I was playing the game Spiritual Warfare that came out in 1992. It's great fun and doesn't matter that it is old.
The sad thing is that in 10-20 years people won't be running much of today's software as vintage software. Everything has a cloud connection that won't be supported or exist anymore. There is far less emphasis on backwards compatibility than what existed in the early days of PCs. And forget about phone apps, they won't be able to download their ads / send spying data on you or run much past a few years. -
I suppose the idea of Personal Computer that one owns running software that one owns is indeed thing of the past.
And in the future or even already happening (not sure), these so called Smart Medical Implants or IOT Body Implants thingy and similar stuffs, that are hooked up to the net/cloud, made me cringe and had goosebumps every time I think about it.
(USA Federal) Food & Drug Administration Safety Communication June 27, 2019
Certain Medtronic MiniMed Insulin Pumps Have Potential Cybersecurity Risks: FDA Safety Communication
"The FDA is warning patients and health care providers that certain Medtronic MiniMed™ insulin pumps have potential cybersecurity risks. Patients with diabetes using these models should switch their insulin pump to models that are better equipped to protect against these potential risks.
Medtronic is recalling the following affected MiniMed pumps and providing alternative insulin pumps to patients.
...
..."
Link to article: https://www.fda.gov/medical-devices/safety-communications/certain-medtronic-minimed-insulin-pumps-have-potential-cybersecurity-risks-fda-safety-communication
That is one of the many reasons I am a strong believer that IoT is not advisable except in limited cases. Oh, by the way, FDA recommends "do not share the Serial Number... ...". -
Now they've resorted to trying to scare people into upgrading for "Security" reasons...
As there are veritable and independently discovered vulnerabilities in the software it's not "scaring".
[...]
Fair point, but are there any products, systems, services, or beings with no vulnerabilities?
We know our cars or front door locks are not 100% invulnerable to theft. Yet we still use them - we accept a degree of imperfection.
Is it totally wrong to take the same approach with software, in the right circumstances? -
Now they've resorted to trying to scare people into upgrading for "Security" reasons...
As there are veritable and independently discovered vulnerabilities in the software it's not "scaring".
[...]
Fair point, but are there any products, systems, services, or beings with no vulnerabilities?
We know our cars or front door locks are not 100% invulnerable to theft. Yet we still use them - we accept a degree of imperfection.
Is it totally wrong to take the same approach with software, in the right circumstances?
Yes, because a thief has to be physically where your car or your front door is to try out different ways of picking your lock. Being physically there exposed, the thief is taking a much higher risk of being caught. With software thief (on any network connected machine), he/she can do that in the privacy of his/her home or somewhere with unsecured WiFi open to welcome or unwelcome guest.
The scale is also different. Capital One, Sony, etc, the hecker just had to break into a database once, and she got millions of credit card and personal information records. -
We know our cars or front door locks are not 100% invulnerable to theft. Yet we still use them - we accept a degree of imperfection.
Is it totally wrong to take the same approach with software, in the right circumstances?
It is not wrong as long as the software is not connected to a network.
If the software is connected to a network, then yes, it is totally wrong (for the reasons already given by Rick Law).
-
Yes it’s about “attack surface”. The attack surface needs to be minimised and that is extremely difficult on cloud platforms even with proper architectural design. All it takes is one fuck up on an S3 bucket policy and you’re screwed. There is no isolation late r in front of that, no physical separation, even if you use the subnet endpoints only because the S3 API is exposed everywhere. You are instantly up shit creek.
Eventually as customers learn to fear this they pay for people, processes and software to manage this and then the cost savings shrivel up.
But most of the time, mid size enterprises actually cost more up front in “the cloud” on operational expenditure. It’s easier writing off a monthly credit card bill than a capital expenditure though. And this isn’t helped by the cloud proponents and sales folk constantly buzzing around like flies around shit selling the overall cost savings lie.
One comedy thing here I experienced recently is a £165k SQL server box that lasts 3 years costs £890k a year to run in AWS without any other infrastructure considered. There’s enough cash left over by not using AWS to fix the rest of the company’s problems but you know, death march... -
Yes it’s about “attack surface”. The attack surface needs to be minimised and that is extremely difficult on cloud platforms even with proper architectural design. All it takes is one fuck up on an S3 bucket policy and you’re screwed. There is no isolation late r in front of that, no physical separation, even if you use the subnet endpoints only because the S3 API is exposed everywhere. You are instantly up shit creek.
AWS provided late last year an additional isolation layer to help customers from making that particular mistake (because it was a common one, as you observed). Sort of a set of suspenders to go with the technically OK, but sometimes misused, belt that was always there.
https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/Eventually as customers learn to fear this they pay for people, processes and software to manage this and then the cost savings shrivel up.
For my day job, we're in the cloud for development speed and agility, not cost savings. It costs slightly more in total, but I also know damn well that our dev teams can launch services to the public in days not months, no one has to negotiate queueing up to get their project delivered, and we've more or less eliminated the annual "scale up for next holiday" project that we used to start in Feb and run through September each year. Our monthly AWS bill has two commas and it's totally worth it.
But most of the time, mid size enterprises actually cost more up front in “the cloud” on operational expenditure. It’s easier writing off a monthly credit card bill than a capital expenditure though. And this isn’t helped by the cloud proponents and sales folk constantly buzzing around like flies around shit selling the overall cost savings lie.
For my own personal work, I also mostly host in AWS on my own nickel. Not having to think about a lot of the randoms ops tasks is freeing.One comedy thing here I experienced recently is a £165k SQL server box that lasts 3 years costs £890k a year to run in AWS without any other infrastructure considered. There’s enough cash left over by not using AWS to fix the rest of the company’s problems but you know, death march...
I tried to find the comparison server you're talking about. I think you've chosen an example which is apples to watermelons by choosing a high-availability multi-AZ server (which your single box obviously is not) and by not contemplating/comparing the purchase of the AWS box as a reserved instance (which is financially analogous to buying your own 3 year hardware), and not counting any of the ping, power, cooling, security, and maintenance costs to run the on-prem server.
I have no AWS financial interests (other than owning mutual funds, so I own some Amazon shares indirectly). They are simply the best game in town in cloud computing and likely to remain that way for the next half-decade. If you're moving an existing operation into the cloud solely to save costs, you're probably going to be disappointed. How much could you possibly be saving over whatever you're doing that's already working? Why spend the effort, dollars, and risk to move something that works?
If you're going to the cloud for speed and agility, you're much more likely to achieve your goal. -
Yes it’s about “attack surface”. The attack surface needs to be minimised and that is extremely difficult on cloud platforms even with proper architectural design. All it takes is one fuck up on an S3 bucket policy and you’re screwed. There is no isolation late r in front of that, no physical separation, even if you use the subnet endpoints only because the S3 API is exposed everywhere. You are instantly up shit creek.
AWS provided late last year an additional isolation layer to help customers from making that particular mistake (because it was a common one, as you observed). Sort of a set of suspenders to go with the technically OK, but sometimes misused, belt that was always there.
https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/
Aware of that. However that's a simple soft control which depends both on (a) human competence and (b) amazon's competence and (c) that none of your AWS account infrastructure via IAM is compromised. It makes a mockery of layered security models.Eventually as customers learn to fear this they pay for people, processes and software to manage this and then the cost savings shrivel up.
For my day job, we're in the cloud for development speed and agility, not cost savings. It costs slightly more in total, but I also know damn well that our dev teams can launch services to the public in days not months, no one has to negotiate queueing up to get their project delivered, and we've more or less eliminated the annual "scale up for next holiday" project that we used to start in Feb and run through September each year. Our monthly AWS bill has two commas and it's totally worth it.
But most of the time, mid size enterprises actually cost more up front in “the cloud” on operational expenditure. It’s easier writing off a monthly credit card bill than a capital expenditure though. And this isn’t helped by the cloud proponents and sales folk constantly buzzing around like flies around shit selling the overall cost savings lie.
For my own personal work, I also mostly host in AWS on my own nickel. Not having to think about a lot of the randoms ops tasks is freeing.
I'm using it for development agility as well. In fact I have built entire integration environments which quite happily fire themselves up using CloudFormation and then are destroyed. That's a great use case. But the issue is when it comes to production, there are almost always different security and performance requirements which are not cost effective to apply.One comedy thing here I experienced recently is a £165k SQL server box that lasts 3 years costs £890k a year to run in AWS without any other infrastructure considered. There’s enough cash left over by not using AWS to fix the rest of the company’s problems but you know, death march...
I tried to find the comparison server you're talking about. I think you've chosen an example which is apples to watermelons by choosing a high-availability multi-AZ server (which your single box obviously is not) and by not contemplating/comparing the purchase of the AWS box as a reserved instance (which is financially analogous to buying your own 3 year hardware), and not counting any of the ping, power, cooling, security, and maintenance costs to run the on-prem server.
I have no AWS financial interests (other than owning mutual funds, so I own some Amazon shares indirectly). They are simply the best game in town in cloud computing and likely to remain that way for the next half-decade. If you're moving an existing operation into the cloud solely to save costs, you're probably going to be disappointed. How much could you possibly be saving over whatever you're doing that's already working? Why spend the effort, dollars, and risk to move something that works?
If you're going to the cloud for speed and agility, you're much more likely to achieve your goal.
Look at multi-AZ db.m5.24xlarge which is quite frankly shit. Reserved instance $954,720 pa. Over 3 years that's $2.864M.
Bear in mind: Please note that Reserved Instance prices don't cover storage or I/O costs. We priced up total at around $4.2M when you add that.
I can get a couple of rather cheaper mid-high end HP machines provisioned in two separate DCs as an active-passive cluster, with 10GBps inter-site link for half that TCO over 3 years all costs inclusive including the rack space/plumbing. They have a lot more RAM, they have a lot more storage bandwidth, lower storage latency with DAS Enterprise SSD. Transaction throughput is nearly 3x for half the cost. So I can now afford a DBA to look after it, pay for SQL Sentry etc so actual application performance gains can be made.
And then you have to consider where the consumer of the server is. AWS Direct Connect is not a whole load of fun to deal with.
I'm not going to even go into the hell that is debugging their black box services which do have bugs and do go wrong and the vendor's answer is "talk to AWS - they modified it and we dont support it" who aren't as good as people say they are even if you have enterprise support.
AWS can, to use the Scottish term, "get tae fuck".
Note I'm an AWS CSA and even I think it's a load of bollocks for a huge chunk of use cases. -
I suspect over beers that we'd agree a hell of a lot more than disagree...
The only remotely sane reason to run that large a SQL server in AWS is if you can't port your solution to be more cloud native, but you want to run the rest of your stuff in the cloud.
It's madness indeed to try to run that RDS server in AWS for the primary purpose to connect from your on-prem clients.
(I'd go the other way: keep your on prem large DB cathedral and use direct connect to connect your cloud services onto your on prem DB. If you're already setting up direct connect, definitely keep your large DBs on your side of the moat.)
Our Enterprise support experience has been occasionally marred by someone less than competent, but we've had generally quite good results on first contact and aren't shy about "OK, try again; give me someone who knows what they're doing this time!" on the relatively rare occasions when needed. -
Probably likely
I completely agree. The issue is primarily “how do you migrate on prem to AWS” which is stuff I’ve been doing for about five years and seen some hell holes. Migrate high latency services over to native AWS services. Easy enough. Move ancillaries over such as static content and message bus. Easy enough. Fire up direct connect. Easy enough. Migrate front end caches to cloud front. Easy enough. Migrate smaller data stores to RDS / elasicache. Ready enough. Migrate front end app servers over. Ooh things getting a little hairy. Lose 20ms due to direct connect routing latency. Now you’re paying for a DC cage with one legacy monolithic SQL server in it with 50TiB of data, 2000 tables and sprocs written 20 years ago you can’t move because RDS is to expensive, standard instances are too slow and native instances even more expensive than RDS. That’s when the paid up consultants usually disappear rapidly. Then company product marketing turns into “hybrid cloud”
Really the issue is the workload isn’t cleanly siloed and before you migrate your 20 year old piece of crap to the cloud you need to rewrite it with a different architectural model but no one wants to pay for that.
I think that support approach works for a lot of companies. Not Microsoft though. They are useless. I usually shitpost somewhere if I need attention from them
-
That's not a rare problem though. The backend gets pushed to the cloud for all the usual sales pitch reasons so move the server and database there. Now there's latency the users complain about and the client software is balking because of it too. Move the clients to the cloud too to have application and database together and let the users connect remotely. Now there's licensing and integration issues with other software on top of different but similar performance issue. People are so busy drinking the Coolaid they forget more traditional setups simplify a lot of things to the point of problems never existing in the first place. The only point seems to create a potential to keep the market moving back and forth so people stay busy and paid.
I see bd139 posted almost exactly that as I was typing.
-
If you get ten SREs/architects/consultants/operations guys in a room they all tell this story so not surprised there was some overlap on our comments. Whole industry is a giant cargo cult.
-
In the financial industry, some firms require service providers to be 100% in control of (and responsible for) sensitive data - meaning, cloud computing is off limits for these kinds of use cases.
One thing I don't get is, why is it so hard to catch some of the Internet crooks and make examples of them? They have to be leaving "fingerprints" everywhere... (Heads on spikes along Tower Bridge in London sounds appropriate... assuming we can get to them for all the pocket thieves etc. that like to hang out there and pluck the tourists).
Crime is a fact of life everywhere and there is no such thing as perfect security... we are all dependent on luck, to some extent, every day. -
I still run and use "vintage" software. For much of it, the original developer isn't even in business anymore. Just this week I was playing the game Spiritual Warfare that came out in 1992. It's great fun and doesn't matter that it is old.
The sad thing is that in 10-20 years people won't be running much of today's software as vintage software. Everything has a cloud connection that won't be supported or exist anymore. There is far less emphasis on backwards compatibility than what existed in the early days of PCs. And forget about phone apps, they won't be able to download their ads / send spying data on you or run much past a few years.
I still use some DOS software written in the early 90s for the CE-232 computer interfaces I cloned and installed in a couple of my old scanner radios. It's text mode software that will run on a 8088 PC but it runs fine in DOSbox.
I have had that same thought, some day down the road a lot of people are going to be feeling nostalgic about all the mobile games and such they played when they were kids in the 2010s and most of that stuff is just going to be gone. -
One thing I don't get is, why is it so hard to catch some of the Internet crooks and make examples of them? They have to be leaving "fingerprints" everywhere... (Heads on spikes along Tower Bridge in London sounds appropriate... assuming we can get to them for all the pocket thieves etc. that like to hang out there and pluck the tourists).
I'm sure what you'd see happen is they would catch some low hanging fruit, dumb kids that did something minor that could conceivably be called internet crime and throw the book at them, ruining their lives for no real gain. Even when I was in school there were some kids who got in a lot of trouble for "hacking", ie silly and largely harmless stuff like bypassing the password on the Macs to change the screen saver to say something naughty. Meanwhile the real crooks that pull off the big stuff are mostly in other countries and largely out of reach. -
One thing I don't get is, why is it so hard to catch some of the Internet crooks and make examples of them? They have to be leaving "fingerprints" everywhere... (Heads on spikes along Tower Bridge in London sounds appropriate... assuming we can get to them for all the pocket thieves etc. that like to hang out there and pluck the tourists).
I'm sure what you'd see happen is they would catch some low hanging fruit, dumb kids that did something minor that could conceivably be called internet crime and throw the book at them, ruining their lives for no real gain. Even when I was in school there were some kids who got in a lot of trouble for "hacking", ie silly and largely harmless stuff like bypassing the password on the Macs to change the screen saver to say something naughty. Meanwhile the real crooks that pull off the big stuff are mostly in other countries and largely out of reach.
There is also one additional factor here: To the companies/corporations, they have to assess the monetary value of loss vs the cost of securing from loss.
Credit card and stores are perfect examples. Any store can fully secure itself from shoplifting. How much would that security cost vs up the price by 10% to cover "leakage". The loss while significant or even life changing to affected individuals, but that loss to the company/corporation is but a drop in the ocean. -
Quote
they played when they were kids in the 2010s and most of that stuff is just going to be gone
Not helped by mega-corps deliberately trashing the stuff. An example is Paper Defense:
https://www.microsoft.com/en-us/p/paper-defense/9wzdncrdncdl?activetab=pivot:overviewtab
Used to be a great variation of Tower Defense, but if you were hoping to redownload it for nostalgia you'd be disappointed because Microsoft bought it just so they could make it available only for Windows 10. Got W7? Won't run. They won't even let you download it, but there is no technical reason for that, just that it's a way to push hold-outs onto W10. There are many other examples of previously freely available and OS-agnostic programs which Microsoft have been quietly snapping up just to make sure you can only use them if you have W10.
Not at all off-topic. Would you trust your cloud presense to that kind of company?
-
Interesting that the word 'games' only occurs once so far in this entire thread. 'Game' a few more times.
The topic of games being shifted to subscription model, made online only, and 'killed' at the publisher's whim, is like a mirror to this whole issue.
One person who focusses on this a lot is Ross, of Ross's Game Dungeon.
https://www.accursedfarms.com/posts/dead-game-news/gaasfraud/
"Games as a service" is fraud.
https://www.accursedfarms.com/posts/dead-game-news/dgnfrance/
Dead Game News: France vs. Valve + maybe the rest of the world
https://www.accursedfarms.com/posts/rosss-game-dungeon/darkspore/?v=1
He has a whole series called 'dead game news' about games that have been deliberately killed by the publishers. -
There are also several cases of DRM servers being shut down causing users to loose access to their movies and music they paid for. Caveat emptor!
-
Another one:
https://medium.com/@hamed/github-blocked-my-account-and-they-think-im-developing-nuclear-weapons-e7e1fe62cb74
This one catalogues the stupid handling of it as well.
Edit: aaand another one:
https://www.bloomberg.com/news/articles/2019-10-22/gmail-hooked-us-on-free-storage-now-google-is-making-us-pay -
Yahoo groupds are shutting down
https://arstechnica.com/information-technology/2019/10/yahoo-is-deleting-all-content-ever-posted-to-yahoo-groups