Monday, December 30, 2013

The NSA iPhone

If the NSA had complete control of the iPhone, what would it cost them: intercepting the manufacture of every iPhone, hacking into Apple's infrastructure, or simply getting Apple's cooperation?

What does an NSA hardware intercept really mean?

(1) the audio (badBIOS) virus is likely

(2) other countries might be doing the same thing.

Friday, December 27, 2013

Blog this != value or skills

Ryan Hoover writes that 'blogging is the next resume'. The problem is that this hypothesis is wrong. Blogging is just as gamable as GitHub reputation, the dead-tree resume and LinkedIn endorsements; blogging more so, as I have acquaintances that pay people to write for them. Of course this is no different from artist mills, but that's a different level of engineering socialization.

Wednesday, December 25, 2013

Blackberry is alive

I saw someone using a BlackBerry the other day. He was also using Lotus Notes. Next I was waiting for the punch cards, flowchart template, pocket protector and COBOL printouts.

Sage advice

The main thing is to keep the main thing the main thing -- Pat Riley

... just because you can do a thing does not mean you do do a thing -- President Barack Obama

Tuesday, December 24, 2013

ASAP is not always ASAP

A few days ago I read a post with a similar assertion: when everything is labeled ASAP nothing will actually be expedited. Currently I'm looking at the Southwest website. They have options for EarlyBird and Business class tickets.

If you purchase your tickets early enough you get a nice discount. For a few extra bucks you can get an EarlyBird ticket, which means that your position in line is assigned before everyone else's, most likely in the chronological order in which passengers purchased this feature (beginning at position A-16).

If you're not lucky enough to get a discount ticket then you have to pay full fare. You can also purchase the EarlyBird option, or you can elect to purchase Business class, which gets you in line in positions A-1 to A-15.

The only way to win the lottery here: buy your tickets early and get what you want. If you do not purchase EarlyBird and you forget to check in on time you're going to be the last to board (unless you have kids or need assistance).

Monday, December 23, 2013

Reposting or linking on Facebook

Here is a word of caution that is obvious to most security professionals but that the average Facebook user typically doesn't know about. When you repost, link to, or like an article you are adding an edge to a social graph that connects you, everyone you are connected to, and everyone who interacted with that post before and after you. So before you share the next lost puppy article, verify the facts with a legitimate source; otherwise you are just building a social graph for the spammer to attack.

Quote of the day

I do not remember who first uttered this quote or where I heard it...

"Do not let a blind man paint your house."

There are so many different layers to this quote that it should make you pause.

Sunday, December 22, 2013

iPad mini versus Kindle paperwhite

There can't be more of an apples-and-oranges comparison than the iPad mini versus the Kindle Paperwhite. They both perform well as readers; however, the Kindle is a much lighter platform. On the other hand Apple's iBooks has many more features and makes reading in a stream a lot easier. One serious advantage of the iPad mini is the audio. Listening to music on the iPad while reading is a great combo which the Kindle does not offer.

There are a few stability questions related to the iPad, however. My iOS devices have been crashing. Furthermore the music player on the iPad has network issues when detaching from and reattaching to the local network.

It's still a tough choice when trying to decide which tool is going to end up in my briefcase.

I wish someone would give a good argument for all the different messaging platforms, if they are all equal.

Is it hijacking or good security?

I have come to expect that Google is going to protect me from malware and the websites of evildoers. Whether Google is Big Brother or an agent for Big Brother is irrelevant. Clearly I have sacrificed a little bit of privacy for some amount of security. One has to realize that without search engines it would be impossible to navigate the web unless someone had given you the proper hostname to start from. And once individuals start curating websites they become, de facto, just as Google-like.

So if Google is going to redirect my browser because some legitimate website has permitted some malware advertising to be promoted through its pages, I would hope that Google would protect me. The same can be said for larger-scale projects like Bitcoin if in fact it were illegal or nefarious.

As an enterprise user, my IT department is constantly scrubbing the URLs that users attempt to access. Every once in a while I get a pop-up in my browser that says the requested website is not trusted and that it will refuse to let me proceed.

In my day-to-day computing I simply no longer have the time to maintain my computer and/or browser in a secure fashion. I have to rely on the abilities of others, whether it's my internal IT department or Google.

So if the occasional legitimate site gets swept up in that, so be it.

As to whether or not Bitcoin or any other Internet currency has any value, that is to be determined by the people who are willing to trade in it. I'm reminded of Economics 101... These network currencies are not good for us.

The case for stored procedures

In a previous post I proposed using a database connection proxy in order to improve security. That included the notion of using stored procedures in order to protect the DB from SQL injection: the application passes parameters, never SQL text, so caller input is never interpreted as part of a statement.

Another side effect, or benefit, is that by putting the SQL in direct proximity to the data one emulates an object-oriented approach to database development. The code, the data and the data model are all in proximity. So when the database is backed up and restored, maintaining consistency with the upstream or upgrading applications becomes less critical, providing a more loosely coupled approach.

Message queue, SOA, and TTL

In a previous post I proposed using a database connection proxy in order to improve security. There are a number of other reasons why this is a good approach.

First line of defense, routing transactions - if the application is connected directly to the DB then the application needs software that lets it switch from the primary to an alternate DB. That adds unnecessary complexity to the application (simple is better). With a proxy, the ability to switch traffic in a coordinated fashion has many benefits.

Capacity and monitoring - most databases do a lot to queue transactions from the client. That capacity is typically well known to the DB vendor; however, the vendor can never take into account other production events. For example there might be extra disk I/O taking place on the DB server that the vendor could not account for. Furthermore, monitoring is limited to the vendor's tools and there is nothing you can improve upon. Using the proxy as a funnel makes monitoring and metrics easier.

TTL (time to live) - one complication is the TTL. When transactions are queued and the DB server is busy, certain transactions may appear to time out. Therefore measuring the TTL will be important. Most DB servers provide a deadlock timeout; however, that is different from the customary TTL.

Supplementing or replacing stored procedures - in addition to stored procedures, many transactions need more compute power; when the dataset is too large or the number of round trips is too high, putting the "transaction" in the proxy provides many of the benefits of running the full application on the DB server.

Queues can help the SLA when restarting the DB - from time to time the DB server needs to be restarted. This is terrible. In some cases the DB server can be restarted in a very few seconds, and since the proxy has an incoming queue those transactions can be suspended while DB connectivity is restored.

Impedance options - when transitioning from one DB vendor to another there are always complications as the impedance changes during the switch. There is also a disconnect between the code and the data. Proper implementation in the proxy layer gives you more choices.
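The following is an added example, not code from the original post, that models three of the points above which a proxy can own and the application cannot: holding work while the DB is restarted instead of failing it, expiring queued transactions whose time-to-live has passed rather than running them late, and switching to an alternate backend in one place. The clock is injected so the behaviour is deterministic; the backend names and the string payloads are assumptions made for the example.

```python
"""Added example: a connection-proxy queue with a transaction TTL and a
suspend/failover path (not code from the original post)."""
import collections
import time

Txn = collections.namedtuple("Txn", "id payload deadline")


class DbProxy:
    def __init__(self, backends, ttl_seconds, clock=time.monotonic):
        self.backends = list(backends)     # assumed names, e.g. ["primary", "alternate"]
        self.active = 0                    # index of the backend in use
        self.ttl = ttl_seconds
        self.clock = clock
        self.queue = collections.deque()   # pending Txn, oldest first
        self.available = True
        self.results = {}                  # txn id -> "ok:<backend>" or "expired"
        self._next_id = 0

    def submit(self, payload):
        """Queue a transaction stamped with its deadline and try to drain."""
        self._next_id += 1
        self.queue.append(Txn(self._next_id, payload, self.clock() + self.ttl))
        self.pump()
        return self._next_id

    def backend_down(self):
        self.available = False             # e.g. a DB restart in progress

    def backend_up(self):
        self.available = True
        self.pump()

    def failover(self):
        """Route to the next backend; the application never learns about it."""
        self.active = (self.active + 1) % len(self.backends)
        self.backend_up()

    def pump(self):
        now = self.clock()
        while self.queue:
            txn = self.queue[0]
            if now > txn.deadline:         # TTL passed: answer the caller, skip the DB
                self.queue.popleft()
                self.results[txn.id] = "expired"
                continue
            if not self.available:         # suspend the rest until the DB is back
                break
            self.queue.popleft()
            self.results[txn.id] = self._execute(txn)

    def _execute(self, txn):
        # Stand-in for handing the transaction to the active backend.
        return "ok:%s" % self.backends[self.active]

    def metrics(self):
        """What the proxy-as-funnel exports: queue depth plus outcomes so far."""
        outcomes = collections.Counter(r.split(":")[0] for r in self.results.values())
        return {"queued": len(self.queue), "ok": outcomes["ok"], "expired": outcomes["expired"]}


if __name__ == "__main__":
    now = [0.0]
    proxy = DbProxy(["primary", "alternate"], ttl_seconds=5, clock=lambda: now[0])
    proxy.backend_down()
    early = proxy.submit("UPDATE ...")     # queued, deadline at t=5
    now[0] = 6.0                           # restart took longer than the TTL
    proxy.backend_up()
    print(proxy.results[early], proxy.metrics())
```

The deadline is stamped when the transaction enters the proxy, not when it reaches the database, which is the distinction the post draws between a TTL and the vendor's deadlock timeout: a deadlock timeout only starts once the statement is running.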

Saturday, December 21, 2013

Unsurprising FreeBSD

I was surprised to find that Netflix uses FreeBSD. Then again, I was not surprised, as FreeBSD is the core operating system used in Secure Computing's switches. I have also deployed a number of applications using FreeBSD. I found it to be responsive and very capable. The only thing that I did not like about it was that in order to get full coverage of the applications you need for a normal installation, you had to include the Linux compatibility layer.

FreeBSD represents the little engine that could when it comes to free operating systems.

Simple and Precise Security

This is just a list of ideas that could be used to secure your important enterprise data.

a) use a ring-like approach to network security, with the database toward the inside (less public) and the applications toward the outside (more public).

b) encrypt the drives. If performance is an issue then use SSDs.

c) encrypt the column data of the database and use an external crypto strategy: the HSM should be a PCI-compliant crypto appliance using approved algorithms, with rotating keys and keys that carry a TTL. This gets a little tricky for data that must be searched in O(1) time or aggregated, but it is not impossible.

d) store the SQL or other queries directly on the database server or on a DB server proxy.

e) instead of exposing the DB connection directly, use an agent or proxy. Create a simple DSL between the application and the proxy that would NEVER be executed by the DB directly, and let the proxy work like a stored procedure. This way, if the application server is compromised, it cannot start throwing arbitrary SQL at the DB server.

f) harden the application server. Implement something like SELinux. You should know when the system has changed and what the change represents. It would not be unreasonable to embed certain encrypted elements during the build process that can only be validated during the authentication process.

g) harden the network. Building on (a), make sure that the network only allows connections between known systems and that communication cannot be made from ad hoc networks or computers.

h) computers can only communicate with the ring immediately above or below them.

i) finally, make sure that you are always using SSL/TLS for communication and that anything written to disk, as in an SOA persistent queue, is also encrypted.
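An added example for item (c), not code from the original post: an encrypted column where every row records which key version encrypted it, a key past its TTL is replaced on the next write, rows under a retired key are re-wrapped without touching the index, and a keyed hash of the normalised value (a "blind index") is stored beside the ciphertext so a lookup by e-mail address stays an ordinary O(1) equality search. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag so the file runs on the Python standard library alone; it stands in for the AES-GCM calls an HSM would perform, which is the main assumption here. The table layout, key lifetime and sample addresses are constructed for the example.

```python
"""Added example: encrypted column with key versions, a key TTL and a blind
index (not code from the original post; cipher is a stdlib stand-in for an HSM)."""
import hashlib
import hmac
import os
import time


def _keystream(key, nonce, length):
    """PRF keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """nonce || ciphertext || tag, encrypt-then-MAC (stand-in for the HSM call)."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad tag: wrong key version or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def blind_index(index_key, value):
    """Deterministic keyed hash of the normalised value; safe to put in a DB index."""
    return hmac.new(index_key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


class EncryptedColumn:
    def __init__(self, key_ttl_seconds, clock=time.time):
        self.ttl = key_ttl_seconds
        self.clock = clock
        self.index_key = os.urandom(32)   # rotating this one forces a full re-index
        self.keys = {}                    # version -> (created_at, key bytes)
        self.rows = {}                    # row id -> (key version, ciphertext blob)
        self.index = {}                   # blind index -> set of row ids
        self.rotate()

    def rotate(self):
        version = max(self.keys) + 1 if self.keys else 1
        self.keys[version] = (self.clock(), os.urandom(32))
        return version

    def current_version(self):
        """Newest key, unless its TTL has elapsed, in which case rotate first."""
        version = max(self.keys)
        if self.clock() - self.keys[version][0] >= self.ttl:
            version = self.rotate()
        return version

    def insert(self, row_id, value):
        version = self.current_version()
        self.rows[row_id] = (version, encrypt(self.keys[version][1], value.encode()))
        self.index.setdefault(blind_index(self.index_key, value), set()).add(row_id)

    def find(self, value):
        """Equality lookup: one hash, one index probe, no decryption."""
        return sorted(self.index.get(blind_index(self.index_key, value), ()))

    def read(self, row_id):
        version, blob = self.rows[row_id]
        return decrypt(self.keys[version][1], blob).decode()

    def rewrap_expired(self):
        """Re-encrypt rows still under an old key; returns how many moved."""
        target = self.current_version()
        moved = 0
        for row_id, (version, blob) in list(self.rows.items()):
            if version != target:
                plain = decrypt(self.keys[version][1], blob)
                self.rows[row_id] = (target, encrypt(self.keys[target][1], plain))
                moved += 1
        return moved

    def retire_unused_keys(self):
        """Drop key versions no row references any more; returns the versions kept."""
        in_use = {version for version, _ in self.rows.values()}
        for version in list(self.keys):
            if version not in in_use and version != max(self.keys):
                del self.keys[version]
        return sorted(self.keys)
```

The blind index is what makes the "searched in O(1) time" case workable, and it is also the caveat: it reveals which rows share a value, so it only suits fields where equality search is required. Aggregation and range queries still need decryption, which is the hard case item (c) alludes to.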

It takes a village to implement a safe environment. Good luck.
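An added example, not code from the original post, for items (d) and (e) above and for the stored-procedure argument in the "case for stored procedures" post: an application that builds its own SQL beside a proxy that only knows a fixed table of named operations, each bound to one parameterized statement. The users table, the operation names, the JSON message shape and the sample rows are all assumptions made for this example; SQLite stands in for the DB server.

```python
"""Added example: a DB proxy that accepts a tiny DSL instead of SQL
(not code from the original post)."""
import json
import sqlite3


def make_db():
    """In-memory SQLite with two constructed rows (sample data, not real)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "alice@example.com"),
                     (2, "bob", "bob@example.com")])
    return con


def naive_lookup(con, name):
    """The application owns the SQL and builds it from caller input.
    A name such as  x' OR '1'='1  turns a one-row lookup into a full dump."""
    return con.execute(
        "SELECT name, email FROM users WHERE name = '%s'" % name).fetchall()


# The proxy's entire vocabulary. Each op maps to one fixed statement and the
# argument types it takes; nothing else the caller sends is ever run.
OPERATIONS = {
    "user_by_name": ("SELECT name, email FROM users WHERE name = ?", (str,)),
    "user_by_id":   ("SELECT name, email FROM users WHERE id = ?",   (int,)),
}


class ProxyError(Exception):
    """Raised for anything the proxy refuses; the DB never sees it."""


def _typed(value, kind):
    # JSON true/false parse as bool, a subclass of int; refuse them for ints.
    return isinstance(value, kind) and not isinstance(value, bool)


def proxy_call(con, message):
    """Handle one DSL message: '{"op": "<name>", "args": [...]}'.

    The message text is never concatenated into a statement; only the
    argument values reach SQLite, and only through bound parameters.
    """
    try:
        req = json.loads(message)
    except ValueError as exc:
        raise ProxyError("malformed message") from exc
    if not isinstance(req, dict):
        raise ProxyError("message must be an object")
    op, args = req.get("op"), req.get("args", [])
    if op not in OPERATIONS:
        raise ProxyError("unknown operation: %r" % (op,))
    sql, kinds = OPERATIONS[op]
    if (not isinstance(args, list) or len(args) != len(kinds)
            or not all(_typed(a, k) for a, k in zip(args, kinds))):
        raise ProxyError("bad arguments for %s" % op)
    return con.execute(sql, args).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("naive:", naive_lookup(db, hostile))           # every row leaks
    print("proxy:", proxy_call(db, json.dumps({"op": "user_by_name", "args": [hostile]})))
    try:
        proxy_call(db, json.dumps({"op": "raw", "args": ["DROP TABLE users"]}))
    except ProxyError as err:
        print("refused:", err)
```

The point of the whitelist table is the one item (e) makes: a compromised application server can only ask for operations the proxy already knows, with arguments of the declared type, which is the same guarantee a stored procedure gives when the application holds EXECUTE rights and nothing else.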

Friday, December 20, 2013

Why Command + Shift + D?

Apple has supported "Command+Shift+D" (send) in its email programs (OS X and iOS) for quite a while. I cannot say whether this predates OS X, but my intuition tells me no, and that the command was/is an homage to earlier email tools. The classic Unix mail command reads the message body from the terminal until it sees a Control+D (end of file), as do many Unix programs that accept console input; SMTP itself ends a message with a line containing only a period rather than a Control+D.

(Unfortunately it's not consistent... for example Blogger for iOS (not an Apple product), iMessage (Apple), and I'm certain many others.)

Between the dollar and bitcoins: a higher standard

Before the invention of Bitcoin the Internet elite traded on a different commodity.

Services like Facebook are not free. The currency that they extract from us is not immediately financial. They are trading on us.

Advanced software systems evaluate our words, our pictures, our social networks; they try to connect us to real-world events or activities, and they advertise to us.

Marketing and advertising technologies are so completely misunderstood and inflated that if the average person understood what their commercial value was to a company like Google or Facebook they would demand a lot more for the price.

Wednesday, December 18, 2013

Why do consultants like pair programming?

Is it because they can bill at 4x instead of 2x per resource?

Is it because they can justify a head count equal or near the full time staff?

Is it because the transfer of subject matter or domain knowledge actually flows in a bias that favors the consultant?

Arbitrary API interface

Most APIs are implemented through a formal interface, meaning that there is a signature between the caller and the receiver. That interface can be tightly coupled, as with SOAP, or loosely coupled, as in JSON-RPC.

A very gray area arises when using mechanisms like log files to feed external processes. Log files are not meant to be arbitrary; however, they don't typically adhere to the same contract one would implement when calling functions. Log file bugs don't typically show up until the last stages of integration testing, when they can do the most damage.

Tuesday, December 17, 2013

Thank you Timothy Ferriss

“Whenever you find yourself on the side of the majority, it is time to pause and reflect.”

Excerpt From: Ferriss, Timothy. “The 4-Hour Workweek, Expanded and Updated.” Crown Publishers, 2012-05-16. iBooks. 

Monday, December 16, 2013

Google plus for iPhone

Google+ for iPhone has crashed my iPhone twice now.

Proof that Agile is waterfall.

Here is an image that I lifted from a presentation. I have written about this in the past, so having this is a win.

Update: I came upon this post today. It describes extreme programming some number of years later. What is amazing is that it's almost exactly the agile process.

Are you more evolved if you're easily relocated?

The question of evolution keeps coming around. 

Might be the last laptop day

I like this setup better than my MacBook Air. 

Sunday, December 15, 2013

On resumes

Anyone who says 'resumes are ridiculous' simply does not know how to interview, or does not understand the hiring process, or the dating game for that matter.

Resumes are strictly a fuzzy filter and a launching point for the screening and interview process. That's it. It's up to the hiring manager to assess the candidate.

If anything is flawed it's the practice of social hiring, like GitHub reputation.

Building a shadow company to test ideas

About 10 or 15 years ago the Blockbuster Corporation acquired a lower-end retail video enterprise. I don't remember the name exactly, except that it was something like 10,000 Videos. What was interesting about this acquisition was that Blockbuster's executives used it to test various promotional and product ideas. In this way they could be highly experimental with the public and not affect their core brand.

I find myself wondering whether or not this has happened in the software business. In a way, when Steve Jobs left Apple to start NeXT, the operating system that he built became the precursor to modern OS X.

This strategy has a number of business and technology advantages.

Agile and the millennials

One outcome of the agile process in the workplace seems to be the flattening of the chain of responsibility. Individuals are no longer held accountable, teams are. Teams are no longer held accountable, departments are. Departments are no longer held accountable, divisions are. At the end of the day everyone seems to have plausible deniability.

Now if you add the entitlement factor that millennials believe in you get a different type of cocktail. On the one hand millennials don't generally believe in accountability. They engage in the notion of group think. So it seems natural that they would gravitate towards the agile process.

The agile manifesto and the agile process were not designed by millennials. They were designed by a group of highly functional consultants and contractors who had been in the industry for 20+ years before endeavoring to define this model of success.

The implementation of the agile model in today's corporate environment usually leaves the organization in a very shallow structure where the majority of the actors are at the bottom. Sprinkle in some millennials and promotion based on merit is easily discarded. 'Time in' is not a valid measure for promotion!

Saturday, December 14, 2013

Clam Case for iPad mini

ClamCase is set to go online and sell their Pro product in December of this year. Granted there are still a few weeks left in 2013, but they have yet to deliver their product. What is also curious is the absence of any view of the keyboard. The mini is a relatively small iPad; one can only imagine that the keyboard will be small also. I have been using my Apple Bluetooth keyboard with my mini and it is working wonderfully given the size of the keyboard.

App abuse

We are now in a period of software development history that amounts to application abuse.

Network applications used to be custom, one-off applications that included a client and a server over some sort of network connection. This network connection could have been over the World Wide Web or just over a local intranet. It might have even been a token ring network or something even older than that.

Then came the browser, the URL and general-purpose websites. This meant that with a simple bookmark one could access a library of applications. Updating the application was the prerogative of the application provider. Other than compatibility issues on the client side there was nothing for the user to do.

Now Internet notables are starting to profess that URLs should be limited to a fixed domain for humans and variable URLs for applications. This is paving the way for application providers to ship desktop applications that merely wrap a browser component, which leaves the user feeling captive.

And so everything is coming full circle.

Desktop and tablet applications require constant maintenance in place. This is an anti-pattern of continuous integration and continuous deployment. These application upgrades are not always compatible with end-of-life hardware or operating systems, as evidenced by a number of applications that no longer work on my first- and second-generation iPads. Also, as I look at my children's iPads I see that they each require at least 40 updates this month alone.

Applies to the software design process

“Walt Stanchfield, famed drawing instructor for Walt Disney Studios, used to encourage animators to “forget the detail” at first. The reason: Detail just doesn’t buy you anything in the early stages.*”

Excerpt From: Jason Fried & David Heinemeier Hansson. “Rework.” Random House Inc., 2010-03-09. iBooks. 

Friday, December 13, 2013

moving in the same direction - failing fast

I was looking for the quote that Timothy Ferriss used, about when everyone is moving in the same direction you should check the other direction, or something like that.

There are nearly 2300 quotes with the meaning or spirit of "direction" on the site. Reading myself dizzy, I realized that there are as many half-full quotes as there are half-empty. For every quote about moving in the same direction there is one about going against the grain.

So while I'm reading the book "Rework" the authors make a great point: "failing fast" is for the other guy, not you or your project. This can be seen as going in the other direction, because "failing fast" seems to be in vogue.

Personally I hate the idea of failing fast. You do not go to the World Cup final, get scored on in the first 5 minutes and then just stand there for the next 85 minutes. That would be a lot more than a failure, and plenty of people would be losing their jobs.

Hacker News is reporting the DBA is dead

I'm not a DBA, but when pressed into service I can perform the function adequately. That, by no means, makes me a DBA, nor do I want to be one, but I value the function dearly. Sadly, when I'm staffing a project it's one of the last positions posted... along with the tech writer.

I suppose the real challenge is that the definition of a DBA varies from company to company. In my mind the DBA performs the care and feeding of the database. That means backups, replication, integrity checks, performance and bottlenecks, normalization, and query optimization. One function that is in the DMZ is stored procedures. This could be a developer function or a DBA's.

No current SQL, NoSQL, or datastore can function properly without a competent DBA.

Thursday, December 12, 2013

Can containers and configuration management coexist?

This question was posited by Puppet Labs. Without knowing the background or motive of the person asking, and given the source, anyone having spent the shortest amount of time testing Docker would know the answer. The real question Puppet Labs should have asked is whether there is an opportunity for tools like Puppet, Chef, Salt etc. alongside the container.

While Docker's Dockerfile does provide some configuration management syntax it is not a complete mechanism, as it is missing the orchestration component. One only needs to look at OpenStack to find much of the linkage that is otherwise missing.

Puppet, Chef and the other like tools have much more to fear than simple containers. These configuration management tools are attempting to homogenize the many operating systems out there today. This is a difficult task given the many differences between the systems.

Wednesday, December 11, 2013

Chromebook for education

What does it mean when a computer manufacturer produces a Chromebook for education?

Is this just an excuse to under power the computer? Is this just an excuse to limit the use to students? Is this a marketing ploy? Or is it to just set expectations a little lower on the throughput and overall performance?

Tuesday, December 10, 2013

Code performance and optimization checklist

Inspired by Hadoop's latest performance improvement announcement, here is a checklist of things to consider when looking to improve the performance of your application:

Network contention
Hard disk I/O contention
Memory requirements and swap usage
Mutexes and semaphores

All things being equal, once you get past this list of (hardware) optimizations what remains is strictly CPU-bound: the number of lines of code that execute per task.

Sunday, December 8, 2013

Embed all your artifacts

Taking yet another lesson from Fossil, there is merit in embedding all of your artifacts in your executable.

First, in the scenario where one might cache static artifacts, those artifacts still need to exist on disk and be loaded into memory for use a short time later. This is clearly inefficient.

Second, the code used to import these artifacts has a latency all its own; that too is inefficient, and it is basically a one-time-use feature when the application is started.

Third, as the artifacts exist as static files that are processed during initialization of the application, those artifacts can be changed or become corrupt as they sit. If the files are altered prior to the next restart, the entire presentation to the end user, or the use cases, could be corrupted.

Having a single artifact representing the executable is a much more robust mechanism for reliable distribution and execution. One very strong improvement would be if the single executable could be signed and verified by the kernel prior to launching.

do version numbers matter in the world of CI/CD?

I believe that we do not need version numbers anymore (in the traditional sense). We simply need a build number that indicates when the version was built. Of course there is a novelty associated with calling something "Version 10", but the awful truth is that now *we* have to keep a map of the what and the when. This becomes particularly sticky when there are multiple releases per day. One can even argue that when complex applications or environments have to deal with dependencies and such... dates are just so much easier to deal with.

In my latest build app I do the following when the bot is building (frepo is the repository file and WORKDIR the build directory):

#!/bin/bash
set -eo pipefail
# Build version from the clock: two-digit year, day of year, hour and minute.
BUILDVER=$(date +%y.%j.%H%M)
# Open the repository into the build directory and bring it to the latest check-in.
fossil open "${frepo}" 2>&1 | tee -a "${WORKDIR}/buildlog"
fossil update 2>&1 | tee -a "${WORKDIR}/buildlog"
# The "checkout:" line of fossil status carries the hash of the current check-in.
LASTCOMMIT=$(fossil status | awk '/^checkout/ {print $2}')
# Tag that check-in with the build version so the build can be reproduced later.
fossil tag add "${BUILDVER}" "${LASTCOMMIT}" 2>&1 | tee -a "${WORKDIR}/buildlog"
fossil close 2>&1 | tee -a "${WORKDIR}/buildlog"

Facebook refriend requests

After reading a 2600 article I have even more reasons to hate Facebook. Scammers are using new attack vectors by hijacking Facebook identities; the social graph makes a target-rich environment. The rule is: if someone re-friends you, confirm it via some third-party mechanism like email before accepting.

Saturday, December 7, 2013

Fossil SCM - work flow

I have really started to take a liking to Fossil. I have been using it for a current project and while I could have easily used Bitbucket or GitHub, this is not the sort of project I want to risk sharing until it's time. And while I could have self-hosted BB or GH, it's a lot more trouble than it's worth.

Fossil is produced by the same developers that are responsible for SQLite. In fact SQLite is embedded in it. One of the better references is the Concepts page.

What follows is a loose, ordered list of commands for setting up a distributed environment for multiple users.

Install fossil on the server and the local machine(s)
In most cases it is a matter of copying the executable to a folder in the user's path. In my case I have a bin directory off of my HOME.

Initialize the repo on the remote server
(login to the remote server)
mkdir ${HOME}/fossil-repo
${HOME}/bin/fossil init ${HOME}/fossil-repo/mydemo.fossil

Clone the remote repo to the local repo (on the local machine; the ?fossil= parameter tells the client where the fossil binary lives on the server, and the URL is quoted so the shell leaves the ? alone)
mkdir ${HOME}/fossil-repo
${HOME}/bin/fossil clone 'ssh://user@server//path_to_repo?fossil=path_to_fossil' ${HOME}/fossil-repo/mydemo.fossil

Open the repo locally (fossil open expects an empty working directory)
mkdir ${HOME}/demo
cd ${HOME}/demo
${HOME}/bin/fossil open ${HOME}/fossil-repo/mydemo.fossil

Create a small file, add it to the repo and commit... just so there is something in the project
touch README
${HOME}/bin/fossil add .
${HOME}/bin/fossil commit -m "initial import"

Perform an update before committing new work in order to pull in changes made by others
${HOME}/bin/fossil update

**One thing I noticed was that when I installed fossil on my OSX machine I was getting a strange error, "killed by signal 2". Since the error was being written to STDOUT by ssh I discovered that this setting prevents it from being displayed. It's possible that the event is being generated on all ssh versions and only OSX is displaying it. So to suppress the message:

${HOME}/bin/fossil setting ssh-command 'ssh -q'

Adding a Kindle to my toolbox

Playing with the Fossil source code manager I noticed a feature that surprised me. The authors of Fossil included the documentation inside the source repository, and the documentation can be served directly from the application. At the same time I've been thinking about continuous delivery and deployment, and code generation as part of that process. My latest project generates directed graphs which represent the code. It would seem logical to generate documentation too.

Sunday, December 1, 2013

A completely self-contained framework

One of the strongest properties of Go and the Go ecosystem is that your project can be completely self-contained without the need for containers such as Docker or virtual machines such as VMware or VirtualBox. Better still, since the ecosystem is common across most platforms it's not necessary to include Chef or Puppet to install dependencies.

One potential addition to the Go framework could include Mesos and Marathon, as they are a different level of container.

another bad day for open source

One of the hallmarks of a good open source project is just how complicated it is to install, configure and maintain. Happily GitLab and the ...