Bit of a rant here, so be warned…
Caught two threads today with the general gist of “why don’t people just…” –specifically, why haven’t people learned from Twitter or just sucked it up and started using 2FA, no matter what level of computer literacy they might be at.
Why don’t open source projects just stand up Mattermost instead of Discord? Why haven’t users finally learned and started adopting 2FA?
In the first instance, I think people just imagine standing up a service and don’t think about the long-term implications of offering a service like Mattermost for a project. There’s a ton of work, and potentially a fair amount of money, involved in offering up a service that’s going to be used by a lot of users 24/7.
There’s the scaling. There’s the need to apply security fixes whenever they may arise. Not just the service like Mattermost, but all its dependencies, the operating system, the database…
Oh, and if it’s a non-vendor project, somebody has to pay for hosting day in and day out. Make sure the SSL certs don’t expire. And domain name. And people like to take vacations, get busy, get new jobs, have kids… so you need a reasonable bench to really maintain continuity and institutional knowledge. And make sure access is distributed so if Bob is on a flight to Alaska, Alice can still log in if something goes haywire.
If it’s a vendor-sponsored project, you might need a ton of approvals to set up a service. Everything from the OK to spend money to legal sign-off and infosec approval. And will this be available in Europe? Better let our GDPR experts look this over…
It’s true we do need a better system than “just trust a single-vendor service.” But the current sets of offerings don’t come without problems, they just come with a different set of more immediate problems.
Oh, and people already have accounts on the centralized systems and are reluctant to have to create new accounts.
Just Effing Do It
The other comment I ran into on Hacker News and was basically complaining that by now, everybody should’ve adopted 2FA and the commenter couldn’t understand why everybody hadn’t just gotten with the program by now. (I’m paraphrasing.)
My guess is this person only talks to other people who are really into computers.
There’s a whole world of people out there who are just not that into or comfortable with computing. They may own a laptop or PC or Chromebook, but they use it sparingly to do a few things. Maybe just by rote.
Not because they’re dumb, but because computing isn’t in their wheelhouse or a big part of their day to day life. It’s so easy to take computer literacy for granted and assume everybody just needs to take the time and get over this or that hump. Just buckle down and learn Linux and the CLI, it’s easy.
Seeing Real Problems
What ties these things together is not seeing the real problems, or being willing to deal with them.
Mattermost isn’t going to overtake Slack and Discord, even for open source projects, without solving the problems that those services solve. A big problem they solve isn’t just the software: It’s the people and infrastructure keeping them running.
Projects could (and maybe should) be using the free hosted version of Mattermost, for example, but it’s subject to the same problems as any single-vendor project. It does have a possible escape pod if the company is acquired or otherwise goes south, but it’s still a “single point of success” as a former boss of mine used to say.
And saying users should “just learn already,” glosses over the fact that when you really look at it, dealing with credentials as a casual computer user can be confusing and intimidating. And a moving target!
I would love to see everybody using open source systems for everything. We need to solve an enormous number of business problems to get there. How software gets maintained and maintainers get paid. How infrastructure gets managed and all that good stuff. Software alone won’t do it. Love of freedom alone ain’t gonna do it.
And I want to see people being more secure with their online banking, etc. But in addition to user education there’s a lot of work that needs to be done to make good security accessible to folks with minimal computer literacy. Wish I had better answers, but I know blaming users and saying “just learn already” is a non-starter.