"security" entries

Four short links: 21 May 2015

Four short links: 21 May 2015

Font Design, Pro Go, ICANN Foolishness, and Bad Organisations

  1. On Font Design (Kris Sowersby) — The many pairs of hands and eyes involved have made this typeface special for me. For the first time I don’t feel I have ownership of a typeface I have ostensibly “created.” Lovely to read about the design journey for a font.
  2. Why We Use GoWe use Go because it’s boring. Previously, we worked almost exclusively with Python, and after a certain point, it becomes a nightmare. You can bend Python to your will. You can hack it, you can monkey patch it, and you can write remarkably expressive, terse code. It’s also remarkably difficult to maintain and slow.
  3. Unfortunately We Have Renewed Our ICANN AccreditationYou can thank ICANN for this policy, because if it were up to us, and you tasked us with coming up with the most idiotic, damaging, phish-friendly, disaster-prone policy that accomplishes less than nothing and is utterly pointless, I question whether we would have been able to pull it off at this level. We’re simply out of our league here.
  4. Why Good Developers Write Bad Code (PDF) — trigger warning: software development pathologies from the real world.
Comment
Four short links: 18 May 2015

Four short links: 18 May 2015

Javascript Tools, Elements of Scale, 2FA Adoption, and Empathy

  1. Tools are the Problem Tools don’t solve problems any more; they have become the problem. There’s just too many of them, and they all include an incredible number of features that you don’t use on your site –but that users are still required to download and execute.
  2. Elements of Scale: Composing and Scaling Data Platforms (Ben Stopford) — today’s data platforms range greatly in complexity, from simple caching layers or polyglotic persistence right through to wholly integrated data pipelines. There are many paths. They go to many different places. In some of these places at least, nice things are found. So, the aim for this talk is to explain how and why some of these popular approaches work. We’ll do this by first considering the building blocks from which they are composed. These are the intuitions we’ll need to pull together the bigger stuff later on.
  3. Estimating Google’s 2FA AdoptionIf we project out to the current day (965 days later), that’s a growth of ~25M users (25,586,975). Add that to the ~14M base number of users (13,886,058) exiting the graph and we end up at a grand total of…nearly 40 million users (39,473,033) enrolled in Google’s 2SV. NB there’s a lot on the back of this envelope.
  4. Empathy and Product DevelopmentNone of this means that you shouldn’t A/B test or have other quantitative measure. But all of those will mean very little if you don’t have the qualitative context that only observation and usage can provide. Empathy is central to product development.
Comment: 1
Four short links: 12 May 2015

Four short links: 12 May 2015

Data Center Numbers, Utility Computing, NSA Art, and RIP CAP

  1. We Used to Build Steel Mills Near Cheap Sources of Power, but Now That’s Where We Build DatacentersHennessy & Patterson estimate that of the $90M cost of an example datacenter (just the facilities – not the servers), 82% is associated with power and cooling. The servers in the datacenter are estimated to only cost $70M. It’s not fair to compare those numbers directly since servers need to get replaced more often than datacenters; once you take into account the cost over the entire lifetime of the datacenter, the amortized cost of power and cooling comes out to be 33% of the total cost, when servers have a three-year lifetime and infrastructure has a 10-15 year lifetime. Going back to the Barroso and Holzle book, processors are responsible for about a third of the compute-related power draw in a datacenter (including networking), which means that just powering processors and their associated cooling and power distribution is about 11% of the total cost of operating a datacenter. By comparison, the cost of all networking equipment is 8%, and the cost of the employees that run the datacenter is 2%.
  2. Microsoft Invests in 3 Undersea Cable Projects — utility computing is an odd concept, given how quickly hardware cycles refresh. In the past, you could ask whether investors wanted to be in a high-growth, high-risk technology business or a stable blue-chip utility.
  3. Secret Power — Simon Denny’s NSA-logo-and-Snowden-inspired art makes me wish I could get to Venice. See also The Guardian piece on him.
  4. Please Stop Calling Databases CP or AP (Martin Kleppman) — The fact that we haven’t been able to classify even one datastore as unambiguously “AP” or “CP” should be telling us something: those are simply not the right labels to describe systems. I believe that we should stop putting datastores into the “AP” or “CP” buckets. So readable!
Comment
Four short links: 7 May 2015

Four short links: 7 May 2015

Predicting Hits, Pricing Strategies, Quis Calculiet Shifty Custodes, Docker Security

  1. Predicting a Billboard Music Hit (YouTube) — Shazam VP of Music and Platforms at Strata London. With relative accuracy, we can predict 33 days out what song will go to No. 1 on the Billboard charts in the U.S.
  2. Psychological Pricing Strategies — a handy wrap-up of evil^wuseful pricing strategies to know.
  3. What Two Programmers Have Revealed So Far About Seattle Police Officers Who Are Still in Uniformthrough their shrewd use of Washington’s Public Records Act, the two Seattle residents are now the closest thing the city has to a civilian police-oversight board. In the last year and a half, they have acquired hundreds of reports, videos, and 911 calls related to the Seattle Police Department’s internal investigations of officer misconduct between 2010 and 2013. And though they have only combed through a small portion of the data, they say they have found several instances of officers appearing to lie, use racist language, and use excessive force—with no consequences. In fact, they believe that the Office of Professional Accountability (OPA) has systematically “run interference” for cops. In the aforementioned cases of alleged officer misconduct, all of the involved officers were exonerated and still remain on the force.
  4. Understanding Docker Security and Best Practices — explanation of container security and a benchmark for security practices, though email addresses will need to be surrendered in exchange for the good info.
Comment
Four short links: 5 May 2015

Four short links: 5 May 2015

Agile Hardware, Time Series Data, Data Loss, and Automating Security

  1. How We Do Agile Hardware Development at MeldIn every sprint we built both hardware and software. This doesn’t mean we had a fully fabricated new board rev once a week. […] We couldn’t build a complete new board every week, and early on we didn’t even know for sure what parts we wanted in our final BOM (Bill of Materials) so we used eval boards. These stories of how companies iterated fast will eventually build a set of best practices for hardware startups, similar to those in software.
  2. Recording Time Series — if data arrives with variable latency, timestamps are really probabilistic ranges. How do you store your data for searches and calculations that reflect reality, and are not erroneous because you’re ignoring a simplification you made to store the data more conveniently?
  3. Call Me Maybe, ElasticSearch 1.5.0To be precise, Elasticsearch’s transaction log does not put your data safety first. It puts it anywhere from zero to five seconds later. In this test we kill random Elasticsearch processes with kill -9 and restart them. In a datastore like Zookeeper, Postgres, BerkeleyDB, SQLite, or MySQL, this is safe: transactions are written to the transaction log and fsynced before acknowledgement. In Mongo, the fsync flags ensure this property as well. In Elasticsearch, write acknowledgement takes place before the transaction is flushed to disk, which means you can lose up to five seconds of writes by default. In this particular run, ES lost about 10% of acknowledged writes.
  4. FIDO — Netflix’s open source system for automatically analyzing security events and responding to security incidents.
Comment
Four short links: 29 April 2015

Four short links: 29 April 2015

Deceptive Visualisation, Small Robots, Managing Secrets, and Large Time Series

  1. Disinformation Visualisation: How to Lie with DatavisWe don’t spread visual lies by presenting false data. That would be lying. We lie by misrepresenting the data to tell the very specific story we’re interested in telling. If this is making you slightly uncomfortable, that’s a good thing; it should. If you’re concerned about adopting this new and scary habit, well, don’t worry; it’s not new. Just open your CV to be reminded you’ve lied with truthful data before. This time, however, it will be explicit and visual. (via Regine Debatty)
  2. Microtugsa new type of small robot that can apply orders of magnitude more force than it weighs. This is in stark contrast to previous small robots that have become progressively better at moving and sensing, but lacked the ability to change the world through the application of human-scale loads.
  3. Vaulta tool for securely managing secrets and encrypting data in-transit.
  4. iSAX: Indexing and Mining Terabyte Sized Time Series (PDF) — Our approach allows both fast exact search and ultra-fast approximate search. We show how to exploit the combination of both types of search as sub-routines in data mining algorithms, allowing for the exact mining of truly massive real-world data sets, containing millions of time series. (via Benjamin Black)
Comment
Four short links: 22 April 2015

Four short links: 22 April 2015

Perfect Security, Distributing Secrets, Stale Reads, and Digital Conversions

  1. Perfect Security (99% Invisible) — Since we lost perfect security in the 1850s, it has has remained elusive. Despite tremendous leaps forward in security technology, we have never been able to get perfect security back. History of physical security, relevant to digital security today.
  2. keywhiz a system for managing and distributing secrets. It can fit well with a service oriented architecture (SOA).
  3. Call Me Maybe: MongoDB Stale Reads — a master class in understanding modern distributed systems. Kyle’s blog is consistently some of the best technical writing around today.
  4. Users Convert to Digital Subscribers at a Rate of 1% (Julie Starr) — and other highlights of Jeff Jarvis’s new book, Geeks Bearing Gifts.
Comment
Four short links: 20 April 2015

Four short links: 20 April 2015

Edtech Advice, MEMS Sensors, Security in Go, and Building Teams

  1. Ed Tech Developer’s Guide (PDF) — U.S. government’s largely reasonable advice for educational technology startups. Nonetheless, take with a healthy dose of The Audrey Test.
  2. The Crazy-Tiny Next Generation of Computers — 1 cubic millimeter-sized sensors are coming. The only sound you might hear is a prolonged groan. That’s because these computers are just one cubic millimeter in size, and once they hit the floor, they’re gone. “We just lose them,” Dutta says. “It’s worse than jewelry.”
  3. Looking for Security Trouble Spots in Go — brief summary of the known security issues in and around Go code.
  4. The New Science of Building Great Teams (Sandy Pentland) — fascinating discussion of MIT’s Human Dynamics lab’s research into how great teams function. The data also reveal, at a higher level, that successful teams share several defining characteristics: 1. Everyone on the team talks and listens in roughly equal measure, keeping contributions short and sweet. 2. Members face one another, and their conversations and gestures are energetic. 3. Members connect directly with one another—not just with the team leader. 4. Members carry on back-channel or side conversations within the team. 5. Members periodically break, go exploring outside the team, and bring information back.
Comment
Four short links: 14 April 2015

Four short links: 14 April 2015

Technical Debt, A/A Testing, NSA's Latest, and John von Neumann

  1. Pycon 2015: Technical Debt, The Monster in Your Closet (YouTube) — excellent talk from PyCon. See also slides.
  2. A/A TestingIn an A/A test, you run a test using the exact same options for both “variants” in your test. That’s right, there’s no difference between “A” and “B” in an A/A test. It sounds stupid, until you see the “results.” (via Nelson Minar)
  3. NSA Declares War on General-Purpose Computing (BoingBoing) — NSA director Michael S Rogers says his agency wants “front doors” to all cryptography used in the USA, so that no one can have secrets it can’t spy on — but what he really means is that he wants to be in charge of which software can run on any general purpose computer.
  4. John von Neumann Documentary (YouTube) — 1966 documentary from the American Mathematical Association on the father of digital computing, who also is hailed as the father of game theory and much much more. (via Paul Walker)
Comment
Four short links: 30 March 2015

Four short links: 30 March 2015

Philosophical Research, Reading Turing, Security Exercises, and Golang Madness

  1. The Trolley and the PsychopathNot only does a “utilitarian” response (“just kill the fat guy”) not actually reflect a utilitarian outlook, it may actually be driven by broad antisocial tendencies, such as lowered empathy and a reduced aversion to causing someone harm. Questionably expanding scope of claims in the behavioural philosophy research. (via Ed Yong)
  2. Summary of Computing Machinery and Intelligence (1950) by Alan Turing (Jack Hoy) — still interesting and relevant today. cf Why Aren’t We Reading Turing
  3. Exploit Exercisesa variety of virtual machines, documentation, and challenges that can be used to learn about a variety of computer security issues, such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues.
  4. GopherJS — golang to Javascript compiler so you can experience the ease of typed compiled languages in the security and stability of the browser platform.
Comment