I dunno, if you look at the legacy of DigiNotar it seems like you're dealing with a lot of potential headaches for a couple thousand bucks that your customers hate paying you anyway.
(DigiNotar, of course, famously gave out a fraudulent * .google.com cert and is now defunct.)
As a CA you're assuming a whole lot of liability for not that much money (not that much at the scale of even a small business, anyway), and that just doesn't seem like it'd scale to a wildly profitable venture, especially considering the kinds of people who are actually well equipped to run a CA can probably make a lot more money doing basically anything else in web security. When you add up the contingency risks, the opportunity costs, and whatever actual day-to-day business expenses, it does seem like you'd be looking for other ways to make more comfortable profits.
That doesn't mean CAs should charge more or anything, just that I could accept that SSL certs for standard websites isn't what anyone with a good vision for their business is really trying to hold onto.
The answer is no. To the point where it's actually a pain in the ass for us because developing any ML-assisted capabilities for G Suite requires us to only get training data from specific subsets of customers who are under special contract conditions.
If you buy G Suite from a reseller then they might be doing shady shit but we'd terminate their reseller account if we found out about it.
I know people like to bitch about this kinda shit on HN but honestly I and my coworkers spend so much time on protecting our customers' data from literally everyone -- including ourselves -- that I want the chance to bitch back about how hard my job is.
The ironic thing is the big 4 style companies are usually labeled as being careless with user data yet they probably have some of the strictest internal rules/procedures for user data classification and handling.
It’s the startups consumers should be more worried about IMO.
"There is no advertising in the G Suite Core Services, and we have no plans to change this in the future"
etc.
Ultimately the biggest cudgel you have to wield here is in the sales contract you're signing, but my understanding is that the baseline privacy guarantees are standard for all customers at the strictest level -- people actually opt to reduce the restrictions on their data so that new features get built with their use cases in mind (otherwise we wouldn't know what those actual use cases were).
A lot of companies use G Suite and a lot of them have very strict privacy + security requirements. This is the same platform used by fintech companies, healthcare companies, MegaCorps, etc.
Sort of a thing with all non-web-search Google products: I can't fathom how people see the $5B/quarter "other revenue" line on our earnings statements and think that just doesn't matter and somehow we have to get the "real" money from ads. We definitely did ads-supported-consumer first and we've been doing it the longest and it makes the most money, but how many email providers would kill to have half of that quarter as their annual revenue? G Suite, Cloud, etc are very real businesses in their own right and that's even while being very young and coming from a company that didn't start with any inherent strengths in enterprise markets.
Hospitals of reasonable size typically have an on-site clinical engineering team that handles those kinds of situations. Important (that is, capital expense category) hospital equipment will typically emit all kinds of warnings and alarms way before anything's actually a problem, because everyone would rather rely on the on-site engineering spending a little extra time silencing false positives then leave anything to chance.
All the nursing journals are full of articles about combating “alarm fatigue”. After 1 google query and 2 minutes of link-clicking:
> “An analysis of alarms at The John Hopkins Hospital, Baltimore, Maryland, revealed a total of more than 59 000 alarm conditions over a 12-day period-or 350 alarms per patient per day.1,2”
If you spend any time in an emergency room or a hospital, you'll soon realize that there's almost always an alarm going off somewhere, usually more than one and usually for long periods of time.
It's weird to me you would treat this state of affairs as a static and universally-holding position. I think it's obvious (with several current examples coming to mind) that investors and business partners can be branded as "toxic" in a way that overwhelmingly devalues any money they could actually offer. In the same way the police will take a stolen watch from you after you buy it -- without much recourse on your part! -- you and your company can definitely be torpedoed by taking bad money if public opinion shifts that sharply.
These are the risks of working at the national and global scale; they have to be there, otherwise the rewards couldn't (sustainably) be so great. Even ignoring the moral arguments, the fact that anybody is making them changes the game theory perspective as well. The only way to truly stay on top is to make sure most people want you there.
> It's weird to me you would treat this state of affairs as a static and universally-holding position.
People are going to tend to do what everyone else does. If we were to start hearing that everyone in the fund community had decided not to take money from XYZ kind of investor, we'd probably have done the same. And the arguments would be no different. You'd decide what to do, and then all the reasons that weren't enough before would suddenly be damning and certainly enough.
As for moral arguments, I'm surprised (well not really) that people think it's so simple. Anyone who's read a bit of philosophy has come across moral dilemmas that are not clear. I mean fgs there's a guy up the thread who thinks Gaddafi is defensible, and then there are people who think a guy who hires heavies is untouchable.
These experiences also exacerbate the perception that I referred to before that can basically be summarized as "every previous attempt at making this better ended up being completely terrible". A whole slew of people want to improve things, but a lot of the time they don't take that responsibility seriously enough -- or know, fully, what that entails -- and when they bail that leaves the next would-be "disruptor" at a disadvantage.
Right, and it turns out that the devil you know is infinitely more attractive than the next helf finished buggy piece of shit that someone assures you will revolutionise your workflow.
Any theory of the current state of medicine that involves a cardio-thoracic surgeon feeling like they are not completely irreplaceable, one-in-a-trillion geniuses/minor deities, put here on this planet to spare us lesser mortals (as scheduling allows) seems... improbable.
It reminds me of Moneyball; in it, the author points out that the statisticians were frustrated by their inability to get traction within the MLB, but their pitch essentially boiled down to "you guys don't listen to statistics, you should listen to these new ones we just developed," which left unsaid that the statisticians made up new quantifiers because the old ones were ineffective. The MLB had the lived experience of those statistics being ineffective, so they knew Bill James et al were right about that, but the idea that the answer was more numbers that didn't make a lot of intuitive sense was a hard sell.
I would also add that my perception from working at a major east coast hospital has actually been that hospital IT clamps down on new tools more than anyone because of HIPAA requirements, etc, that the doctors ignore/don't care about as much as they should. It's a complicated, layered system.
I don't have the context on the "engagement industry" or whatever that I think I need to appreciate this post as the specific criticism I think it's trying to be, but I think people really are bitterly unsatisfied with their jobs and saying the engagement "number has barely budged over the last decade" despite notable corporate success is sorta missing the point?
The idea that people's engagement or happiness -- or even just their general satisfaction at work -- is strongly correlated to their employing corporations' success is a persistent myth in tech that I just don't understand. People hate "sell outs" and they hate themselves when they sell out for a reason. You start as someone dedicated to a craft, you end up working somewhere that pays you a lot of money to do it but without giving you the chance to put yourself into that work at all, and then you end up making soulless work that not even you really like. But it made money so it keeps going like that until it absolutely blows up and everyone has to "rebrand" or another company slips in as the rebranded form in your place.
Steph Curry is happy when the Warriors win because he's on a team that is winning by playing the game his way. If the team made him go to dunk every time he got the ball I bet his satisfaction would be shit too -- and it probably wouldn't keep netting the Warriors more rings.
> You start as someone dedicated to a craft, you end up working somewhere that pays you a lot of money to do it but without giving you the chance to put yourself into that work at all, and then you end up making soulless work that not even you really like. But it made money so it keeps going like that until it absolutely blows up and everyone has to "rebrand" or another company slips in as the rebranded form in your place.
This is the best summary of what matches my experience in this industry that I've seen. Favouriting.
Based on what I read about it, I agree that the way "employee engagement" is pursued is missing the point. Especially that companies typically also optimize for having employees be replaceable cogs. I don't think you can have both. Engagement comes from aligned goals, autonomy, and coworkers you can relate with. Which is opposite of what you want to have when you're building a machine, where employees are dumb parts.
There's a great book about this called Seeing Like a State. It's about the conflict between top-down planning and bottom-up development of complex systems - things like cities and forests.
One of the big points is that leaders tend to be obsessed with making the system legible to themselves, often at great cost to the effectiveness of the system itself. There's a sense that "if I can't easily model/perceive it in my head, it doesn't exist or it's worthless". Of course the reality is that the majority of what goes on in a complex system is invisible to any outsider; the system is more complex than the brain trying to model it. So management efforts that ignore or even try to reduce that illegible complexity end up destroying much of the system they're attempting to manage.
I think there's also a simpler explanation: It's unintentional gamification. People like dopamine hits they get from rising numbers, rectilinear grids, clean charts and projections. So they pursue these things as an end goal, imagining somehow that this is the same as pursuing success. Of course a really well-working complex system (like a company or city or forest) is too complex to model with such tools. But the manager isn't playing to make a good complex system, he's playing a little game of graphs on his computer screen. The chart went up and to the right - you win today!
To be honest I don't think the typical corporate strategy is irrational, either, because employees can be wrong about product and business decisions in exactly the same way that executives can be, and, ultimately, the construct of the corporation exists specifically so a pursuit can outlive any contributor to it. Endless discussion and fretting over every single thing hinders productivity, also.
But why am I supposed to feel good about being part of that system? And who decided that was the best we could possibly do?
19 years out from the release of Black On Both Sides and still all anyone wants is to tell me to try to have some fret in my heart behind the things that they do. I mean, I guess...
People who get paid in RSUs definitely want to see their company succeed. I bet the Amazon employees who have seen their shares go up 500% over the past few years are pretty happy about it.
> People hate "sell outs"
No one other than characters in 80s teen movies goes around unironically complaining about "sell outs".
Stock goes up because a company does better than the market currently thinks it will, not because it does well. RSU issuing unicorns tend to have an extreme level of hype priced in already. In the best of all possible worlds, the stock might stay flat.
The great part about RSUs is you still get paid if the stock goes down (as long as it still exists). Sure, it's nice if it goes up a lot, but then you have a feeling of being stuck while you wait for those RSUs with nice gains to vest, and then a feeling of getting less when the next round of RSUs is much smaller. (Unless it keeps going up)
I should have clarified this a bit more in my post. I think it's possible for people to perform at a high-level and be "engaged" at work, even if the company isn't constantly winning like the warriors.
The only analogy I can think of is another sports one. I used to do track & field. I wasn't the fastest guy running, but I still pushed myself to beat my previous records. I felt a sense of progress/fulfillment when I ran faster than the past.
I think this can exist inside a company as well. It's highly unlikely that people find fulfillment by the mission of a company, but they can find some sense of fulfillment (at least in a work context), by "playing the game their way" and continuously improving.
The problem with sports analogies is that athletes typically actually matter to the success or failure of their organization, and that's both immediately visible to and recognized by everyone involved.
Even for athletes, though, you see more simple name recognition for NBA players than for, say, NFL players, simply because basketball teams are smaller and the individual players are so much more pivotal to the team's success.
It can exist in a company, but I think the likelyhood of encountering such an environment is inversely proportional to the size and growth rate of the company... rapid growth in a large corporation leads to metric-driven management as established leaders try to retain control over broader business areas, disconnects between budgets and requirements arise due to increased organizational depth, and there's a loss of individual "freedom" in execution as managerial roles multiply to offset lower hiring standards of ICs. All of which have tertiary consequences, collectively strangling the freedom required for pride in work.
To use your analogy, it's like running if you were following a cart that laid out every foot step and were followed by another cart with a whip. There's no incentive or freedom to engage.
(DigiNotar, of course, famously gave out a fraudulent * .google.com cert and is now defunct.)
As a CA you're assuming a whole lot of liability for not that much money (not that much at the scale of even a small business, anyway), and that just doesn't seem like it'd scale to a wildly profitable venture, especially considering the kinds of people who are actually well equipped to run a CA can probably make a lot more money doing basically anything else in web security. When you add up the contingency risks, the opportunity costs, and whatever actual day-to-day business expenses, it does seem like you'd be looking for other ways to make more comfortable profits.
That doesn't mean CAs should charge more or anything, just that I could accept that SSL certs for standard websites isn't what anyone with a good vision for their business is really trying to hold onto.