

Showing posts from December, 2013

The NSA iPhone

If the NSA had complete control of the iPhone, what would it cost them? There are three ways to get there: intercept the manufacture of every iPhone, hack into Apple's infrastructure, or simply get Apple's cooperation. Each has a very different price tag.

Blog this != value or skills

Ryan Hoover writes that 'blogging is the next resume'. The problem is that this hypothesis is wrong. Blogging is just as gameable as GitHub reputation, the dead-tree resume, and LinkedIn endorsements. Blogging more so, as I have acquaintances who pay people to write for them. Of course this is no different than the artist mills, but that's a different level of engineering socialization.

ASAP is not always ASAP

A few days ago I read a post with a similar assertion: when everything is labeled ASAP, nothing will actually be expedited. Currently I'm looking at the Southwest website. They have options for EarlyBird and Business Select tickets. If you purchase your tickets early enough you get a nice discount. For a few extra bucks you can get an EarlyBird ticket, which means your position in line is selected before everyone else's, but most likely in the chronological order in which this feature was purchased by all passengers (beginning at position A-16). If you're not lucky enough to get a discount ticket then you have to pay full fare. You can also purchase the EarlyBird option, or you can elect to purchase Business Select, which will get you in line in positions A-1 to A-15. The only way to win the lottery here: buy your tickets early and get what you want. If you do not purchase EarlyBird and you forget to check in on time, you're going to be the last to board (unless you have kids or ne…

Reposting or linking on Facebook

Here is a word of caution that is obvious to most security professionals but that the average Facebook user doesn't typically know about. When you repost, link, or like an article you are essentially creating a social graph between all of your friends and the users who came before and after your connection. So before you link to that next lost-puppy article, you might want to verify the facts from a legitimate source; otherwise you're just creating a social graph for the spammer to attack.

Quote of the day

I do not remember who first uttered this quote or where I heard it: "do not let a blind man paint your house". There are so many different layers to this quote that should make you pause. Take a look at my tech blog: http://richardbucker.com

iPad mini versus Kindle paperwhite

There can't be more of an apples-and-oranges comparison than comparing the iPad mini to the Kindle Paperwhite. They both perform well as readers; however, the Kindle is a much lighter platform. On the other hand Apple's iBooks has many more features and makes reading in a stream a lot easier. One serious advantage the iPad mini has is audio. Listening to music on the iPad while reading is a great combo, which the Kindle does not offer.
There are a few stability questions related to the iPad, however. My iOS devices have been crashing. Furthermore, the music player on the iPad has network issues when detaching and reattaching to the local network.
It's still a tough choice when trying to decide which tool is going to end up in my briefcase.

Is it hijacking or good security?

I have come to expect that Google is going to protect me from malware and the websites of evildoers. Whether Google is Big Brother or an agent for Big Brother is irrelevant. Clearly I have sacrificed a little bit of privacy for some amount of security. One has to realize that without search engines it would be impossible to navigate the web unless someone had given you the proper hostname. And once individuals started curating websites they became de facto Google-like.
So if Google is going to redirect my browser because some legitimate website has permitted some malware advertising to be promoted through their website, I would hope that Google would protect me. The same can be said for larger-scale projects like that coin, if in fact it were illegal or nefarious.
As an enterprise user my IT department is constantly scrubbing the URLs that the users attempt to access. Every once in a while I get a pop-up in my browser that says that th…

The case for stored procedures

In a previous post I proposed using a database connection proxy in order to improve security. It included the notion of using stored procedures in order to secure the DB from SQL injection: the application names a procedure and supplies typed parameters, and never hands the database a string of SQL it assembled itself.
Another side effect, or benefit, is that by putting the SQL in direct proximity to the data one emulates an object-oriented approach to database development. The code, the data and the data model are all in proximity. So when the database is backed up and restored, maintaining consistency with the upstream application, or upgrading the application, becomes less critical, providing a more loosely coupled approach.

Message queue, SOA, and TTL

In a previous post I proposed using a database connection proxy in order to improve security. There are a number of other reasons why this is a good approach.
First line of defense, routing transactions: if the application is connected directly to the DB, then the application needs to add software that allows it to switch from the primary to alternate DBs. This would essentially add unnecessary complexity to the application (simple is better). By creating a proxy, the ability to switch traffic in a coordinated fashion will have many benefits.
Capacity and monitoring: most databases do a lot to queue transactions from the client. That capacity is typically well known to the DB vendor; however, they never take into account the amount of other production events. For example, there might be some extra disk I/O taking place on the DB server that the vendor would not be able to account for. Furthermore, monitoring is limited to the vendor's tools and nothing that you'd be able to improve upon. Usin…

Unsurprising FreeBSD

I was surprised to find that Netflix uses FreeBSD. On reflection I was not surprised that Netflix is using FreeBSD, as FreeBSD is the core operating system used in Secure Computing's switches. I have also deployed a number of applications using FreeBSD. I found it to be responsive and very capable. The only thing that I did not like about it was that in order to get full coverage of the applications you need for a normal installation, you needed to include the Linux compatibility layer.
FreeBSD represents the little engine that could when it comes to free operating systems.

Simple and Precise Security

This is just a list of ideas that could be used to secure your important enterprise data.
a) use a ring-like approach to network security, with the database toward the inside (less public) and the applications toward the outside (more public).
b) encrypt the drives. If performance is an issue then use SSDs.
c) encrypt the column data of the database and use an external crypto strategy. The HSM should be a PCI-compliant crypto appliance using approved algorithms, with rotating keys and keys that carry a TTL. This can get a little tricky when dealing with data that needs to be searched in O(1) time or aggregated, but it is not impossible.
d) store the SQL or other queries directly on the database server or the DB server proxy.
e) instead of exposing the DB connection directly use an agent or proxy. Create a simple DSL between the application and the proxy that would NEVER be executed by the DB directly. Let the proxy work like a stored procedure. This way if the application server is compromised that it would not be a…
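The proxy-with-a-DSL idea in item e), and the stored-procedure argument from "The case for stored procedures" and "Message queue, SOA, and TTL" above, both come down to one property: the application tier can only name a verb and pass typed arguments, and the SQL itself lives on the proxy (or in the database). The following is an added example, not code from the original posts, showing that property in Python with an in-memory SQLite database. The schema, rows, verb names (`account.by_owner`, `account.debit`) and the injection payload are constructed for the demonstration; the "before" function is deliberately vulnerable so the two can be compared on the same input.

```python
import sqlite3

# Constructed demo schema and rows for this example; nothing here comes from the original post.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance_cents INTEGER NOT NULL);
INSERT INTO accounts VALUES (1, 'alice', 1000), (2, 'bob', 2500), (3, 'carol', 50);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- the "before": the application assembles SQL itself (deliberately vulnerable) ---
def vulnerable_lookup(conn, owner):
    # Pasting caller input into the statement is exactly what the proxy is meant to eliminate.
    return conn.execute(f"SELECT id, owner FROM accounts WHERE owner = '{owner}'").fetchall()


# --- the "after": a proxy holding a catalogue of fixed, parameterized statements ---
# Hypothetical verb names; a real catalogue would mirror the stored procedures on the DB server.
PROCEDURES = {
    "account.by_owner": {
        "sql": "SELECT id, owner FROM accounts WHERE owner = ?",
        "args": {"owner": str},          # argument name -> required Python type
        "bind": ("owner",),              # order in which arguments fill the ? placeholders
    },
    "account.debit": {
        "sql": "UPDATE accounts SET balance_cents = balance_cents - ? "
               "WHERE id = ? AND balance_cents >= ?",
        "args": {"amount": int, "id": int},
        "bind": ("amount", "id", "amount"),   # the balance guard reuses amount
    },
}


class DSLError(Exception):
    """Request rejected by the proxy before anything reaches the database."""


class DbProxy:
    def __init__(self, conn):
        self._conn = conn

    def call(self, verb, **args):
        proc = PROCEDURES.get(verb)
        if proc is None:                       # raw SQL, typos, unknown verbs: all refused
            raise DSLError(f"unknown verb {verb!r}")
        expected = proc["args"]
        if set(args) != set(expected):         # no missing and no surplus arguments
            raise DSLError(f"{verb}: expected args {sorted(expected)}, got {sorted(args)}")
        for name, typ in expected.items():
            # type() rather than isinstance(): bool is an int subclass and must not pass as one.
            if type(args[name]) is not typ:
                raise DSLError(f"{verb}: {name} must be {typ.__name__}")
        bound = [args[name] for name in proc["bind"]]
        with self._conn:                       # one transaction per verb; rolled back on error
            cur = self._conn.execute(proc["sql"], bound)   # values are bound, never spliced
            if cur.description is not None:    # the statement returned rows
                return cur.fetchall()
            return cur.rowcount


def demo():
    """Run the same injection payload through both paths and collect what each does."""
    payload = "x' OR '1'='1"                   # constructed injection string
    conn = fresh_db()
    proxy = DbProxy(conn)
    results = {}
    results["vulnerable_rows"] = len(vulnerable_lookup(conn, payload))        # every account leaks
    results["proxy_rows"] = len(proxy.call("account.by_owner", owner=payload))  # bound as data: no match
    results["alice"] = proxy.call("account.by_owner", owner="alice")
    results["debit_ok"] = proxy.call("account.debit", amount=400, id=1)        # 1000 >= 400: one row
    results["debit_overdraw"] = proxy.call("account.debit", amount=5000, id=1)  # 600 < 5000: guard holds
    try:
        proxy.call("DROP TABLE accounts")      # a compromised app tier cannot send SQL at all
        results["raw_sql_rejected"] = False
    except DSLError:
        results["raw_sql_rejected"] = True
    try:
        proxy.call("account.debit", amount="400", id=1)   # wrong type for amount
        results["bad_type_rejected"] = False
    except DSLError:
        results["bad_type_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The interesting line is the comparison of `vulnerable_rows` (three, the whole table) with `proxy_rows` (zero) on the identical payload. Note what the proxy does not do: it never inspects the input for quote characters or keywords, because the catalogue plus parameter binding makes that unnecessary. When the catalogue is moved onto the database as real stored procedures, the proxy's `call` becomes a thin `CALL`/`EXECUTE` with the same argument checking.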

Why Command + Shift + D?

Apple has supported "Command+Shift+D" in its email programs (OS X and iOS) for quite a while. I cannot tell whether this predates OS X, but my intuition tells me no, and that the command was/is an homage to earlier email tools. To be precise about the protocol: SMTP itself ends a session with the QUIT command; what Control+D actually sends is end-of-file, which the classic Unix mail command, like many Unix programs that accept console input, treats as "done, send it".
(Unfortunately it's not consistent: Blogger for iOS (not an Apple product), iMessage (Apple), and I'm certain many others.)

Between the dollar and bitcoins: a higher standard

Before the invention of bitcoin the Internet elite traded on a different commodity.
Services like Facebook are not free. The currency that they extract from us, while not immediately financial, is us. They are trading on us.
Advanced software systems evaluate our words, our pictures, our social networks, and they try to connect us to other real-world events or activities, and they advertise to us.
Marketing and advertising technologies are so completely misunderstood and inflated that if the average person understood what their commercial value was to a company like Google or Facebook, they would demand a lot more for the price.

Arbitrary API interface

Most APIs are implemented through a formal interface, meaning that there is a signature between the caller and the receiver. That interface can be tightly coupled, in a fashion similar to SOAP, or loosely coupled, as in JSON-RPC.
A very gray area is reached when using mechanisms like log files to feed external processes. Log files are not meant to be arbitrary; however, they don't typically adhere to the same contract that one would implement when calling functions. Log-file bugs don't typically show up until the last stages of integration testing, when they can do the most damage.

Thank you Timothy Ferriss

“Whenever you find yourself on the side of the majority, it is time to pause and reflect. —MARK TWAIN”
Excerpt From: Ferriss, Timothy. “The 4-Hour Workweek, Expanded and Updated.” Crown Publishers, 2012-05-16. iBooks.  This material may be protected by copyright.

Proof that Agile is waterfall.

Here is an image that I lifted from a presentation. I have written about this in the past, so having this is a win.

Update: I came upon this post today. It describes extreme programming some number of years later. What is amazing is that it's almost exactly the agile process.

Might be the last laptop day

I like this setup better than my MacBook Air. 

On resumes

Anyone who says 'resumes are ridiculous' simply does not know how to interview, or does not understand the hiring process, or the dating game for that matter.
Resumes are strictly a fuzzy filter and a launching point for the screening and interview process. That's it. It's up to the hiring manager to assess the candidate.
If anything is flawed, it's the practice of social hiring, like GitHub reputation.

Building a shadow company to test ideas

About 10 or 15 years ago the Blockbuster Corporation acquired a lower-end retail video enterprise. I don't remember the name exactly, except that it was something like 10,000 Videos. What was interesting about this acquisition was that Blockbuster's executives used it to test various promotional ideas and product ideas. In this way they could be highly experimental with the public and not affect their core brand.
I find myself wondering whether or not this has happened in the software business. In a way, when Steve Jobs left Apple to start NeXT, the operating system that he built became the precursor to modern OS X.
This strategy has a number of business and technology advantages.

Agile and the millennial's

One outcome of the agile process in the workplace seems to be the flattening of the chain of responsibility. Individuals are no longer held accountable; teams are. Teams are no longer held accountable; departments are. Departments are no longer held accountable; divisions are. At the end of the day everyone seems to have plausible deniability.
Now if you add the entitlement factor that millennials believe in, you get a different type of cocktail. On the one hand, millennials don't generally believe in accountability. They engage in the notion of groupthink. So it seems natural that they would gravitate towards the agile process.
The agile manifesto and the agile process were not designed by millennials. They were designed by a group of highly functional consultants and contractors who had been in the industry for 20+ years before endeavoring to define this model of success.
The implementation of the agile model in today's corporate environment usually leaves the organization…

Clam Case for iPad mini

ClamCase is set to go online and sell their Pro product in December of this year. Granted, there are still a few weeks left in 2013, but they have yet to deliver their product. What is also curious is the absence of any view of the keyboard. The mini is a relatively small iPad; one can only imagine that the keyboard will be small also. I have been using my Apple Bluetooth keyboard with my mini and it is working wonderfully given the size of the keyboard.

App abuse

We are now in a period of software development history that I would call application abuse.
Network applications used to be custom, one-off applications that included a client and a server over some sort of network connection. This network connection could have been over the World Wide Web or just over a local intranet. It might have even been a token ring network or something even older than that.
Then came the browser, the URL and general-purpose websites. This meant that with a simple bookmark one could access the library of applications. Updating the application was the prerogative of the application provider. Other than compatibility issues on the client side, there was nothing for the user to do.
Now Internet notables are starting to profess that URLs should be limited to a fixed domain for humans and variable URLs for applications.
This is paving the way for application providers to provide desktop applications that merely wrap a browser component. This is causing the user to …

Applies to the software design process

“Walt Stanchfield, famed drawing instructor for Walt Disney Studios, used to encourage animators to “forget the detail” at first. The reason: Detail just doesn’t buy you anything in the early stages.*”
Excerpt From: Jason Fried & David Heinemeier Hansson. “Rework.” Random House Inc., 2010-03-09. iBooks.  This material may be protected by copyright.

moving in the same direction - failing fast

I was looking for the quote that Timothy Ferriss used, about when everyone is moving in the same direction you should check the other direction; or something like that.
There are nearly 2300 quotes with the meaning or spirit of "direction" on the site. Reading myself dizzy, I realized that there are as many half-full quotes as there are half-empty. For every quote about moving in the same direction there is one about going against the grain.
So while I'm reading the book "Rework", the authors make a great point: "failing fast" is for the other guy, not you or your project. This can be seen as going in the other direction, because "failing fast" seems to be in vogue.
Personally I hate the idea of failing fast. You do not go to the World Cup final, get scored on in the first 5 minutes and then just stand there for the next 85 minutes. That would be a lot more than a failure, and plenty of people would be losing their jobs.

Hacker News is reporting the DBA is dead

I'm not a DBA, but when pressed into service I can perform the function adequately. That by no means makes me a DBA, nor do I want to be one, but I value the function dearly. Sadly, when I'm staffing a project it's one of the last positions posted... along with the tech writer.
I suppose the real challenge is that the definition of a DBA varies from company to company. In my mind the DBA performs the care and feeding of the database. That means backups, replication, integrity checks, performance and bottlenecks, normalization, and query optimization. One function that sits in the DMZ between the two roles is stored procedures. This could be a developer function or a DBA's.
No current SQL, NoSQL, or datastore can function properly without a competent DBA.

Can containers and configuration management coexist?

This question was posited by Puppet Labs. Even without knowing the background or motive of the person asking the question, given the source, anyone having spent the shortest amount of time testing Docker would know the answer. The real question Puppet Labs should have asked is whether or not there is an opportunity for tools like Puppet, Chef, Salt etc. alongside the container.
While Docker's Dockerfile does provide some configuration management syntax, it is not a complete mechanism, as it is missing the orchestration component. One only needs to look at OpenStack in order to find much of the linkage that is otherwise missing.
Puppet, Chef and the other like tools have much more to fear than simple containers. These configuration management tools are attempting to homogenize the many operating systems that are out there today. This is a difficult task given the many differences between the systems.

Chromebook for education

What does it mean when a computer manufacturer produces a Chromebook for education?
Is this just an excuse to underpower the computer? Is this just an excuse to limit its use to students? Is this a marketing ploy? Or is it just to set expectations a little lower on throughput and overall performance?

Code performance and optimization checklist

Inspired by Hadoop's latest performance improvement announcement, here is a checklist of things to consider when looking to improve the performance of your application:
Network contention
Hard disk I/O contention
Memory requirements and swap usage
Mutexes and semaphores
All things being equal, once you get past this list of (hardware) optimizations, what remains is strictly CPU bound: the number of lines of code that execute per task.

Embed all your artifacts

Taking yet another lesson from Fossil, there is merit in embedding all of your artifacts in your executable.
First of all, in the scenario where one might cache static artifacts, those artifacts still need to exist on disk and be loaded into memory for usage a short time later. This is clearly inefficient.
Secondly, the code used to import these artifacts has a latency all its own; that too is inefficient, and it is basically a one-time-use feature when the application is started.
Thirdly, as the artifacts exist as static files that are processed during initialization of the application, those artifacts can be changed or become corrupt in place. If the files are altered prior to the next restart, the entire presentation to the end user, or the use cases, could be corrupted.
Having a single artifact representing the executable is a much more robust mechanism for reliable distribution and execution. One very strong improvement might be if the single executable could be signed and verified by the kernel prio…

do version numbers matter in the world of CI/CD?

I believe that we do not need version numbers anymore (in the traditional sense). We simply need a build number that indicates when the version was built. Of course there is a novelty associated with calling something "Version 10", but the awful truth is that now *we* have to keep a map of the what and the when. This becomes particularly sticky when there are multiple releases per day. One can even argue that when complex applications or environments have to deal with dependencies and such, dates are just so much better to deal with.

In my latest build app I do the following when the build bot is building (${frepo} is the Fossil repository file and ${WORKDIR} the build directory):

BUILDVER=`date +%y.%j.%H%M`     # two-digit year, day of year, hour and minute
fossil open ${frepo} 2>&1 | tee -a ${WORKDIR}/buildlog
fossil update
LASTCOMMIT=`fossil status | grep "^checkout" | awk '{print $2}'`     # hash of the checked-out commit
fossil tag add ${BUILDVER} ${LASTCOMMIT}     # tag that commit with the build number
fossil close 2>&1 | tee -a ${WORKDIR}/buildlog

Facebook retried requests

After reading a 2600 article I have even more reasons to hate Facebook. Scammers are using new attack vectors by hijacking Facebook identities. The social graph makes a target-rich environment. The rule is: if someone re-friends you, you had better confirm via some third-party mechanism like email.

Fossil SCM - work flow

I have really started to take a liking to Fossil. I have been using it for a current project, and while I could have easily used Bitbucket or GitHub, this is not the sort of project I want to risk sharing until it's time. And while I could have self-hosted Bitbucket or GitHub, it's a lot more trouble than it's worth.

Fossil is produced by the same developers that are responsible for SQLite. In fact SQLite is embedded. One of the better references is the Concepts page.

What follows is a loose list of ordered commands for setting up your distributed environment for multiple users.

Install fossil on the server and the local machine(s)
In most cases it is a matter of copying the executable to a folder in the user's path. In my case I have a bin directory off of my HOME.

Initialize the repo on the remote server
(login to the remote server)
mkdir ${HOME}/fossil-repo
${HOME}/bin/fossil init ${HOME}/fossil-repo/mydemo.fossil
Clone the remote repo to the local repo
mkdir ${HOME}/fossil-repo

Adding a Kindle to my toolbox

Playing with the Fossil source code manager I noticed a feature that surprised me. The authors of Fossil included the documentation inside the source code. Documentation can be served directly from the application. At the same time I've been thinking about continuous delivery/deployment and code generation as part of that process. My latest project generates directed graphs which represent the code. It would seem logical to generate documentation too.

A completely self-contained framework

One of the strongest properties of Go and the Go ecosystem is that your project can be completely self-contained, without the need for containers such as Docker or virtual machines such as VMware or VirtualBox. Better still, since the ecosystem is common across most platforms, it's not necessary to include Chef or Puppet to install dependencies.
One potential addition to the Go framework could include Mesos and Marathon, as they are a different level of container.