Friday, September 30, 2016

Old Geeks

Inspired, apparently, by a James Gosling post on Facebook, Tim Bray penned a barn-burner of an essay on his blog: Old Geek.

To be fair, not ev­ery­one wants to go on pro­gram­ming in­to their life’s sec­ond half. To start with, man­agers and mar­keters make more mon­ey. Al­so, lots of places make de­vel­op­ers sit in rows in poorly-lit poorly-ventilated spaces, with not an atom of peace or pri­va­cy. And then, who, male or fe­male, wants to work where there are hard­ly any wom­en?

...

Bay Area tech cul­ture to­tal­ly has a blind spot, just an­oth­er part of their great di­ver­si­ty suck­age. It’s hurt­ing them as much as all the de­mo­graph­ics they ex­clude

It's true, it's real, it's sad.

I know it sounds like sour grapes, like weepy nostalgia, like, yes, old bitterness, but the computing industry I'm part of nowadays is nothing like the joyous, optimistic, and welcoming world it was back in the late 1970's and early 1980's.

Is it just "money spoils everything?" Perhaps, and perhaps even more it's because of the cult of the celebrity superstar startup founder rock star.

Another interesting theory I've seen tossed around is that this is wreckage from the Great Recession of 2008: when all the Type A over-achievers abandoned Wall Street because there were no longer empires to build there, they ended up in Silicon Valley forming Unicorn startups instead.

Regardless, people today seem to be in it just for power, and don't even seem to care if they're building something worthwhile, lasting, useful, and helpful to others.

Computers are tools. We're supposed to be using them to make the lives of humans easier.

Not cheaper, meaner, and nastier.

Bonus links:

Monday, September 26, 2016

It's not just a game, ...

... it's going to be a movie, too?

Good Universe, Campo Santo Team Up for Video Game, Movie Slate

The companies will create a home for talent to develop projects that can bridge both the video game and feature film worlds. Their first project with be a film adaptation of Campo Santo’s first video game, Firewatch.

Of course, I think I wish they would just keep making more amazingly-wonderful video games instead ...

Sunday, September 25, 2016

Stuff happens outside the world of computer science, too

All kinds of stuff.

  • Truth, beauty and annihilation: my quest for chess mastery
    At the outset of my odyssey, I had hoped chess would be good for me – that it would make me a better, more complete, more focused person, able in some way to engage with life in a less superficial manner than in my first five decades. I had largely been disappointed. I had become a marginally better chess player, but there was no great evidence I had become a better, more focused person. I was still overweight – my dietary and gym regime, designed to back up my assault on this chess Everest, had never quite clicked into place; my commitment to work, in both chess and my rather understated career, remained uneven; I still felt I was underachieving and too inclined to drift along.

    Chess was supposed to change all that – to make me a more driven, purposeful individual, and teach me the life lessons espoused by Kasparov. Some hope! Siegbert Tarrasch said “chess has the power to make men happy”, but I thought that the former British champion James Plaskett’s observation that “the pure and solitary nature of chess attracts some fragile minds and helps hold them together” was nearer the mark.

  • A Nonfiction Literary Map Of The United States
    And what better way to do that than by reading? While Welty was referencing the importance of place in fiction, there is little doubt that its importance in nonfiction is similarly essential. The very best writing about a place can bring the reader a whole new understanding of a life different than their own, as well as, per Welty, a better grasp of their own place in the world. Here then, are some of the best pieces of nonfiction from every state in America. (Plus D.C., naturally; and with a special shout-out to New York City, because, obviously.)
  • John McPhee Burps Toothpaste: Stop what you’re doing and read his blog post
    Just look at that title. Could anyone else get away with that? No, because John McPhee is a drop-everything-and-read kind of writer, and for all I care he could title his blog post “This Is My Blog” and it would be perfect. Go forth and click, my friends. Everything out there in the world is bad and gloomy, but it doesn’t have to be that way because now you have a delightful morsel to read.
  • The Making of Lemmings: How DMA Design created a classic, and what happened next
    Very early in development the team knew killing lemmings was entertaining, with traps already including hands that squashed the unfortunate creatures together and fans that chopped them up. As work progressed, they implemented even more dastardly devices: mincers, flamethrowers, horrible nooses. ‘We liked to kill lemmings in funny ways, and this was the comedic nature of the game coming through,’ says Dailly. ‘Lemmings were expendable. [The traps] really were there to just help guide the player around, otherwise many levels would have been dreadfully dull.’

    But it was never a game about killing lemmings. ‘You always had to save them,’ says Dailly, ‘And the nuke was always a way to abort the level. It’s one of the few original games I’ve worked on where the core idea never changed much.’ This hints at one of the quieter revolutions involved in the development of Lemmings. At the time, a developer would typically code their game, then export it to an editor to check it worked. But for Lemmings DMA created an integrated tool for designing the levels, based on the interface of the Amiga’s Deluxe Paint program, which allowed anything built or changed to be tested immediately. This made the construction of Lemmings’ levels a much faster, more iterative process.

  • Myst connection: The rise, fall and resurrection of Cyan
    As the Obduction Kickstarter campaign was fond of reminding people, Cyan's CEO, co-founder and Myst co-director Rand Miller is still in charge. What a lot of people don't realise is that Miller never left. Neither did Cyan, for that matter, despite serious financial woes nearly killing the company off 11 years ago.

    So where was he? Where did the money go? How did the developer of one of history's most popular computer games fade into relative obscurity?

    To understand Cyan's troubled history I spoke to Rand Miller on Skype last Wednesday, the very day the studio launched Obduction. His story is a tragic one of ambition, bum luck, and a woeful miscalculation of where the gaming zeitgeist was heading. At a distance it may seem like Cyan withdrew from society after Myst's sequel, Riven, but really the opposite is true: Cyan didn't leave the world, the world left Cyan.

  • This map of London's tube shows disused stations, track layout and more
    Actually, this one isn't really new: it's dated 2009, and emerged from a Freedom of Information request sent in 2013. But it's
    1. geographically accurate,
    2. fascinatingly detailed, and
    3. genuinely interesting and informative if you're a nerd, which – let's be honest – you are.
  • The Math Inside the US Highway System
    This is thinking mathematically. It's not about doing arithmetic quickly, or memorizing formulas, it's about connecting patterns. Math is a zoo of made-up objects that we relate to ones in the real world. The "usefulness" of the made-up objects depends on our imagination.
  • Are social security numbers recycled? What do the numbers mean?
    Prior to 1973, the first three digits indicated the state of the issuing Social Security office. Since 1973, the first three digits "are determined by the ZIP Code of the mailing address shown on the application for a Social Security number," it says here. But it's still basically done by states.

    The remaining digits are simply a serial number. To date recycling hasn't been necessary, but more on this in a moment.

  • The SSN Numbering Scheme
    One should not make too much of the "geographical code." It is not meant to be any kind of useable geographical information. The numbering scheme was designed in 1936 (before computers) to make it easier for SSA to store the applications in our files in Baltimore since the files were organized by regions as well as alphabetically. It was really just a bookkeeping device for our own internal use and was never intended to be anything more than that.
  • Social Security Number Randomization Frequently Asked Questions
    The nine-digit SSN will eventually be exhausted. The previous SSN assignment process limited the number of SSNs that were available for assignment to individuals in each state. Randomization affords the SSA the opportunity to extend the number of SSNs available for assignment for many years.
  • E-Books Die
    E-books used to be under ten bucks. Now, in some cases, they cost more than the physical iteration. That makes no sense, with no printing and shipping. The book business is making the same mistake the record business once did. Believing it was entitled to profits. That it was all right to sell an overpriced CD with one good cut, that the public didn’t mind, but that proved untrue.

    But at least people wanted to steal music. They don’t seem to want to steal books, they just want to ignore them, that’s the real disaster, how the book business has marginalized itself.

  • The Librarian's Bequest
    The university has sought to bridge the gap between the image of the tweed-wearing librarian and that of the macho athletic donor by saying Morin was a football fan by the end of his life. He started watching football games on television while living in an assisted living center in the 15 months before he died, university officials said, learning the rules and names of players and teams. University officials have also pointed out that Morin specifically did not give them instructions on how to spend most of his gift, except for the $100,000 for the library, trusting them and their priorities.
  • Investing For Geeks
    You can read a lot of books and waste a lot of time on these topics, but they have Right Answers. There are exactly two things you should consider here.
  • Music theory for nerds
    A few days ago, some of it finally clicked. I feel like an idiot for not getting it earlier, but I suppose it doesn’t help that everyone explains music using, well, musical notation, which doesn’t make any sense if you don’t know why it’s like that in the first place.

    Here is what I gathered, from the perspective of someone whose only music class was learning to play four notes on a recorder in second grade. I stress that I don’t know anything about music and this post is terrible. If you you so much as know how to whistle, please don’t read this you will laugh at me.

  • Iconic Death Valley landmark vandalized
    The Racetrack Playa at Death Valley National Park is named for an incredible natural phenomenon in which rocks appear to move across the surface of the dry lake bed completely of their own accord.

    But someone (or someones) thought the Racetrack was for their own amusement, and have badly vandalized the precious region as a result.

  • The California Ballot Is an Epic Joke
    I’m talking about the California November voter guide, which this year clocks in at 224 pages, thanks to 17 statewide ballot propositions—the longest ballot in a quarter-century. This morass includes multiple initiatives on the same issue, proposals to extend deadlines that the legislature has routinely extended itself, and ballot measures that force future policies to be decided by other ballot measures. In 2016, the Golden State’s experiment with direct democracy has imploded, producing little more than outsized salaries for a handful of political consultants. Somebody needs to tranquilize this beast and end our misery.
  • Meet the California Couple Who Uses More Water Than Every Home in Los Angeles Combined
    Lynda Resnick and her husband, Stewart, also own a few other things: Teleflora, the nation's largest flower delivery service; Fiji Water, the best-selling brand of premium bottled water; Pom Wonderful, the iconic pomegranate juice brand; Halos, the insanely popular brand of mandarin oranges formerly known as Cuties; and Wonderful Pistachios, with its "Get Crackin'" ad campaign. The Resnicks are the world's biggest producers of pistachios and almonds, and they also hold vast groves of lemons, grapefruit, and navel oranges. All told, they claim to own America's second-largest produce company, worth an estimated $4.2 billion.

    The Resnicks have amassed this empire by following a simple agricultural precept: Crops need water. Having shrewdly maneuvered the backroom politics of California's byzantine water rules, they are now thought to consume more of the state's water than any other family, farm, or company. They control more of it in some years than what's used by the residents of Los Angeles and the entire San Francisco Bay Area combined.

  • Alabama Shakes - Brittany Howard Tours Vinyl Plant
    Brittany tours the United Record Pressing plant in Nashville, TN
  • Highlining 2800m in winter.
    Before walking a 52 meter highline at 2800 altitude in midst winter, I asked Hayley about fear. She replied with her favorite quote from Frank Herbert's "Dune". A short film about Hayley Ashburn, filmed in the Torri del Vajolet, set to the hypnotizing soundtrack Tristana by Nils Frahm.

Stuff I'm reading, Harvest Festival edition

Take a week or two off from the Internet, and look what happens...

  • Postmortem of the Firefox (and Tor Browser) Certificate Pinning Vulnerability Rabbit Hole
    Certificate Pinning is the process of forcing a browser to only use certain certificates in the validation of a TLS connection to a certain domain. This is done by either a static certificate pin list included with the browser or using a standard called HTTP Public Key Pinning (HPKP) which allows a site to push down its own pins on the first connection to it.

    Mozilla uses Certificate Pinning to protect connections to addons.mozilla.org (AMO), which is used for the updates of most Firefox extensions. The purpose of pinning this domain is to prevent a rogue CA from being able to generate a certificate for AMO that could then be used to perform a man-in-the-middle (MiTM) attack on the extension update process.

    ...

    The vulnerability here is that Mozilla failed to set the expiration date for the static pins and HPKP pre-load list long enough into the future to last until the next release of Firefox.

  • Someone Is Learning How to Take Down the Internet
    Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation state.
  • KrebsOnSecurity Hit With Record DDoS
    The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second. Additional analysis on the attack traffic suggests the assault was closer to 620 Gbps in size, but in any case this is many orders of magnitude more traffic than is typically needed to knock most sites offline.

    Martin McKeay, Akamai’s senior security advocate, said the largest attack the company had seen previously clocked in earlier this year at 363 Gbps. But he said there was a major difference between last night’s DDoS and the previous record holder: The 363 Gpbs attack is thought to have been generated by a botnet of compromised systems using well-known techniques allowing them to “amplify” a relatively small attack into a much larger one.

    In contrast, the huge assault this week on my site appears to have been launched almost exclusively by a very large botnet of hacked devices.

  • DDoS Mitigation Firm Has History of Hijacks
    In my follow-up report on their arrests, I noted that vDOS itself had gone offline, and that automated Twitter feeds which report on large-scale changes to the global Internet routing tables observed that vDOS’s provider — a Bulgarian host named Verdina[dot]net — had been briefly relieved of control over 255 Internet addresses (including those assigned to vDOS) as the direct result of an unusual counterattack by BackConnect.
  • "Defensive" BGP hijacking?
    After the DDoS attacks subsided, the attackers started to harass us by calling in using spoofed phone numbers. Curious to what this was all about, we fielded various calls which allowed us to ascertain who was behind the attacks by correlating e-mails with the information they provided over the phone. Throughout the day and late into the night, these calls and threats continued to increase in number. Throughout these calls we noticed an increasing trend of them bringing up personal information of myself and employees. At this point I personally filled a police report in preparation to a possible SWATing attempt. As they continued to harass our company, more and more red flags indicated that I would soon be targeted. This was the point where I decided I needed to go on the offensive to protect myself, my partner, visiting family, and my employees. The actions proved to be extremely effective, as all forms of harassment and threats from the attackers immediately stopped. In addition to our main objective, we were able to collect intelligence on the actors behind the bot net as well as identify the attack servers used by the booter service.
  • An Important Message About Yahoo User Security
    Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network.
  • How Dropbox securely stores your passwords
    We rely on bcrypt as our core hashing algorithm with a per-user salt and an encryption key (or global pepper), stored separately. Our approach differs from basic bcrypt in a few significant ways.

    First, the plaintext password is transformed into a hash value using SHA512. This addresses two particular issues with bcrypt. Some implementations of bcrypt truncate the input to 72 bytes, which reduces the entropy of the passwords. Other implementations don’t truncate the input and are therefore vulnerable to DoS attacks because they allow the input of arbitrarily long passwords. By applying SHA, we can quickly convert really long passwords into a fixed length 512 bit value, solving both problems.

    Next, this SHA512 hash is hashed again using bcrypt with a cost of 10, and a unique, per-user salt. Unlike cryptographic hash functions like SHA, bcrypt is designed to be slow and hard to speed up via custom hardware and GPUs. A work factor of 10 translates into roughly 100ms for all these steps on our servers.

  • Introducing the GitHub Load Balancer
    We set out to design a new director tier that was stateless and allowed both director and proxy nodes to be gracefully removed from rotation without disruption to users wherever possible. Users live in countries with less than ideal internet connectivity, and it was important to us that long running clones of reasonably sized repositories would not fail during planned maintenance within a reasonable time limit.

    The design we settled on, and now use in production, is a variant of Rendezvous hashing that supports constant time lookups. We start by storing each proxy host and assign a state. These states handle the connection draining aspect of our design goals and will be discussed further in a future post. We then generate a single, fixed-size forwarding table and fill each row with a set of proxy servers using the ordering component of Rendezvous hashing. This table, along with the proxy states, are sent to all director servers and kept in sync as proxies come and go. When a TCP packet arrives on the director, we hash the source IP to generate consistent index into the forwarding table. We then encapsulate the packet inside another IP packet (actually Foo-over-UDP) destined to the internal IP of the proxy server, and send it over the network. The proxy server receives the encapsulated packet, decapsulates it, and processes the original packet locally. Any outgoing packets use Direct Server Return, meaning packets destined to the client egress directly to the client, completely bypassing the director tier.

  • Oracle's Cloudy Future
    Consider your typical Chief Information Officer in the pre-Cloud era: for various reasons she has bought in to some aspect of the Microsoft stack (likely Exchange). So, in order to support Exchange, the CIO must obviously buy Windows Server. And Windows Server includes Active Directory, so obviously that will be the identity service. However, now that the CIO has parts of the Microsoft stack in place, she is likely to be much more inclined to go with other Microsoft products as well, whether that be SQL Server, Dynamics CRM, SharePoint, etc. True, the Microsoft product may not always be the best in a vacuum, but no CIO operates in a vacuum: maintenance and service costs are a huge concern, and there is a lot to be gained by buying from fewer vendors rather than more. In fact, much of Microsoft’s growth over the last 15 years can be traced to Ballmer’s cleverness in exploiting this advantage through both new products and also new pricing and licensing agreements that heavily incentivized Microsoft customers to buy ever more from the company.

    As noted above, this was the exact same strategy as Oracle. However, enterprise IT decision-making is undergoing dramatic changes: first, without the need for significant up-front investment, there is much less risk in working with another vendor, particularly since trials usually happen at the team or department level. Second, without ongoing support and maintenance costs there is much less of a variable cost argument for going with one vendor as well. True, that leaves the potential hassle of incorporating those fifty different vendors Ellison warned about, but it also means that things like the actual quality of the software and the user experience figure much more prominently in the decision-making — and the point about team-based decision-making makes this even more important, because the buyer is also the user.

    Oracle’s lock on its existing customers, including the vast majority of the largest companies and governments in the world, remains very strong. And to that end its strategy of basically replicating its on-premise business in the cloud (or even moving its cloud hardware on-premise) makes total sense; it’s the same sort of hybrid strategy that Microsoft is banking on. Give their similarly old-fashioned customers the benefit of reducing their capital expenditures (increasing their return on invested capital) and hopefully buy enough time to adapt to a new world where users actually matter and flexible and focused clouds are the best way to serve them.

  • Neither Uber nor Lyft believe sharing is the future
    Last January, Lyft announced a partnership with General Motors to launch an on-demand network of autonomous vehicles. If you live in San Francisco or Phoenix, you may have seen these cars on the road, and within five years a fully autonomous fleet of cars will provide the majority of Lyft rides across the country.

    Tesla CEO Elon Musk believes the transition to autonomous vehicles will happen through a network of autonomous car owners renting their vehicles to others. Elon is right that a network of vehicles is critical, but the transition to an autonomous future will not occur primarily through individually owned cars. It will be both more practical and appealing to access autonomous vehicles when they are part of Lyft’s networked fleet.

    See that? No individual ownership. No sharing. Lyft’s vision is for large fleet ownership. Explicitly corporate. Explicitly non-sharing.

  • The Art of a Pull Request
    Code review is almost always performed by a couple (or more) of Kibana core engineers, but it’s important to have our review process out there so that there are no surprises. We follow these guidelines both when creating a Pull Request ourselves, as well as when someone external to the organization submits a PR. Having a single process for everyone results in better quality and more consistency across all Pull Requests. Sometimes this can be a problem when you’re trying to be friendly with an external PR, as you may feel inclined to lower the bar just for that one PR so that the contributor is happier, but being clear on the rules benefits everyone in the end.
  • Oracle Announces Jigsaw Delays Push Java 9 Launch Date to 2017
    it’s still on the roadmap for Java 9. The bad news is that we’ll have to wait to 2017. Originally targeting September 2016, the target date for general availability is now set to March 2017.

    Project Jigsaw’s goal is to make Java modular and break the JRE to interoperable components. Once it’s finished, it would allow creating a scaled down runtime Jar (rt.jar) customised to the components a project actually needs. The JDK 7 and JDK 8 rt.jars have about 20,000 classes that are part of the JDK even if many of them aren’t really being used in a specific environment. The motivation behind this is to make Java easily scalable to small computing devices, improve security and performance, and mainly make it easier for developers to construct and maintain libraries.

  • IMF: An Open Standard with Open Tools
    A few years ago we discovered the Interoperable Master Format (IMF), a standard created by the Society of Motion Picture and Television Engineers (SMPTE). The IMF framework is based on the Digital Cinema standard of component based elements in a standard container with assets being mapped together via metadata instructions. By using this standard, Netflix is able to hold a single set of core assets and the unique elements needed to make those assets relevant in a local territory. So for a title like Narcos, where the video is largely the same in all territories, we can hold the Primary AV and the specific frames that are different for, say, the Japanese title sequence version. This reduces duplication of assets that are 95% the same and allows us to hold that 95% once and piece it to the 5% differences needed for a specific use case.
  • The GitHub GraphQL API
    GraphQL is a querying language developed by Facebook over the course of several years. In essence, you construct your request by defining the resources you want. You send this via a POST to a server, and the response matches the format of your request.

    ...

    You can see that the keys and values in the JSON response match right up with the terms in the query string.

  • Fine-grained Language Composition
    Programming languages therefore resemble islands: each language defines its own community, culture, and implements its own software. Even if one wants to travel to another island, we often find ourselves trapped, and unable to do so. The only real exception to this are languages which run on a single Virtual Machine (VM), most commonly a Java VM. These days, many languages have JVM implementations, but it can sometimes seem that they've simply swapped their expectations of an FFI from C to Java: non-Java JVM languages don't seem to talk to each other very much.

    We're so used to this state of affairs that it's difficult for us to see the problems it creates. Perhaps the most obvious is the huge effort that new languages need to expend on creating libraries which already exist in other languages, an effort far greater than the core language or compiler require. Less obvious is that the initial language used to write a system becomes a strait-jacket: we almost always stick with our original choice, even if a better language comes along, even if no-one is trained in the original language, or even if it simply becomes difficult to run the original language.

  • Zero-Knowledge: Definitions and Theory
    You can’t understand where the following definitions come from without the crucial distinction between information and knowledge from the computer scientist’s perspective. Information concerns how many essential bits are encoded in a message, and nothing more. In particular, information is not the same as computational complexity, the required amount of computational resources required to actually do something. Knowledge, on the other hand, refers to the computational abilities you gain with the information provided.

    Here’s an example in layman’s terms: say I give you a zero-knowledge proof that cancer can be cured using a treatment that takes only five days. Even though I might thoroughly convince you my cure works by exhibiting patients with vanishing tumors, you’ll still struggle to find a cure. This is despite the fact that there might be more bits of information relayed in the messages sent during my “zero-knowledge proof” than the number of bits needed to describe the cure! On the other hand, every proof that 1+1=2 is a zero-knowledge proof, because it’s not computationally difficult to prove this on your own in the first place. You don’t gain any new computational powers even if I tell you flat out what the proof is.

  • How I learned to program
    When I look at the bad career-related stuff I’ve experienced, almost all of it falls into one of two categories: something obviously bad that was basically unavoidable, or something obviously bad that I don’t know how to reasonably avoid, given limited resources. I don’t see much to learn from that. That’s not to say that I haven’t made and learned from mistakes. I’ve made a lot of mistakes and do a lot of things differently as a result of mistakes! But my worst experiences have come out of things that I don’t know how to prevent in any reasonable way.

    This also seems to be true for most people I know. For example, something I’ve seen a lot is that a friend of mine will end up with a manager whose view is that managers are people who dole out rewards and punishments (as opposed to someone who believes that managers should make the team as effective as possible, or someone who believes that managers should help people grow). When you have a manager like that, a common failure mode is that you’re given work that’s a bad fit, and then maybe you don’t do a great job because the work is a bad fit. If you ask for something that’s a better fit, that’s refused (why should you be rewarded with doing something you want when you’re not doing good work, instead you should be punished by having to do more of this thing you don’t like), which causes a spiral that ends in the person leaving or getting fired. In the most recent case I saw, the firing was a surprise to both the person getting fired and their closest co-workers: my friend had managed to find a role that was a good fit despite the best efforts of management; when management decided to fire my friend, they didn’t bother to consult the co-workers on the new project, who thought that my friend was doing great and had been doing great for months!

    I hear a lot of stories like that, and I’m happy to listen because I like stories, but I don’t know that there’s anything actionable here. Avoid managers who prefer doling out punishments to helping their employees? Obvious but not actionable.

  • The MIT License, Line by Line
    If you’re involved in open-source software and haven’t taken the time to read the license from top to bottom—it’s only 171 words—you need to do so now. Especially if licenses aren’t your day-to-day. Make a mental note of anything that seems off or unclear, and keep trucking. I’ll repeat every word again, in chunks and in order, with context and commentary. But it’s important to have the whole in mind.

    ...

    To fill the gap between legally effective, well-documented grants of rights in contributions and no paper trail at all, some projects have adopted the Developer Certificate of Origin, a standard statement contributors allude to using Signed-Off-By metadata tags in their Git commits. The Developer Certificate of Origin was developed for Linux kernel development in the wake of the infamous SCO lawsuits, which alleged that chunks of Linux’ code derived from SCO-owned Unix source. As a means of creating a paper trail showing that each line of Linux came from a contributor, the Developer Certificate of Origin functions nicely. While the Developer Certificate of Origin isn’t a license, it does provide lots of good evidence that those submitting code expected the project to distribute their code, and for others to use it under the kernel’s existing license terms.

  • Palmer Luckey denies writing blog posts slamming Clinton, says he's not voting for Trump
    The posts by "NimbleRichMan" — which Luckey now says he didn't write, but he specifically confirmed with The Daily Beast as his — were mostly found on Reddit's meme-centric unofficial Donald Trump subreddit, dubbed "The Donald." Many have been deleted (which Luckey also claims to not have done), but can still be found archived elsewhere.
  • The Era of Consumer Deception: Why Do We Tolerate Such Price Opacity?
    just the other day, while I was in the midst of congratulating myself for avoiding the Hertz $10/gallon refueling fee, I looked on the receipt and saw a per-mile fee that nearly doubled the cost of my rental — when was the last time a rental car didn’t have unlimited miles?

    It’s a cat-and-mouse game and companies keep getting better at playing it.

  • A conversation with Aston Motes, Dropbox’s first employee.
    Drew and Arash are super, super smart and great engineers. To this day, I’ll hold Drew as one of the best Windows programmers I have ever met. And Arash is just sick at all things backend. They were this perfect pairing. So, as far as the team went, I was certain that these guys were going to be great people to work with.

    For the longest time I had seen product demos that were just video. But once I played with the product I was like, “Oh, this thing works. I really like this product and it would be awesome to get a chance to work with these guys, on this thing.” It was a product that, as an MIT student, it matched my expectations for how something should work.

  • The Clean Architecture
    The overriding rule that makes this architecture work is The Dependency Rule. This rule says that source code dependencies can only point inwards. Nothing in an inner circle can know anything at all about something in an outer circle. In particular, the name of something declared in an outer circle must not be mentioned by the code in the an inner circle. That includes, functions, classes. variables, or any other named software entity.

    By the same token, data formats used in an outer circle should not be used by an inner circle, especially if those formats are generate by a framework in an outer circle. We don’t want anything in an outer circle to impact the inner circles.

  • The cypherpunk revolution: How the tech vanguard turned public-key cryptography into one of the most potent political ideas of the 21st century.
    Public-key cryptography made it possible to keep a message private: The sender would scramble the clear text with a key that the recipient had “publicly revealed.” Then the recipient, and only the recipient, could use the matching private key to unscramble the message’s ciphertext. But the new technique could do even more. Public-key cryptography made it possible to “sign” a message electronically, by doing exactly the opposite: having the sender encipher a signature with a privately held encryption key, thus enabling the recipient to verify the message’s origin by deciphering that signature with the sender’s publicly revealed key, thereby proving that only one party, the legitimate sender, could have scrambled the message’s signature. Everybody could decipher and read the signature, but in only one way: with the sender’s public key.
  • N+1 queries are hardly a feature
    In a word, the idea that having a larger amount of simpler queries is better is nonsense. In particular, it completely ignores the cost of going to the database. Sure, a more complex query may require the database to do additional work, and if you are using caching, then you’ll not have the data in the cache in neat “cache entry per row”. But in practice, this leads to applications doing hundreds of queries per page view, absolute reliance on the cache and tremendous cost at startup.
  • Building Sourcegraph, a large-scale code search & cross-reference engine in Go
    Our goal, based on our experience with similar systems, was to avoid complexity and repetition. Large web apps can easily become complex because they almost always need to twist the abstractions of whatever framework you’re using. And “service-oriented” architectures can require lots of repetitive code because not only do you have a client and server implementation for each service, but you often find yourself representing the same concepts at multiple levels of abstraction.
  • p-values in software engineering
    A commonly encountered cut-off value is 0.05 (sometimes written as 5%).

    Where did this 0.05 come from? It was first proposed in 1920s by Ronald Fisher. Fisher’s Statistical Methods for Research Workers and later Statistical Tables for Biological, Agricultural, and Medical Research had a huge impact and a p-value cut-off of 0.05 became enshrined as the magic number.

    To quote Fisher: “Either there is something in the treatment, or a coincidence has occurred such as does not occur more than once in twenty trials.”

    Once in twenty was a reasonable level for an event occurring by chance (rather than as a result of some new fertilizer or drug) in an experiment in biological, agricultural or medical research in 1900s. Is it a reasonable level for chance events in software engineering?

  • Converting between IFPUG & COSMIC function point counts
    Replication, repeating an experiment to confirm the results of previous experiments, is not a common activity in software engineering. Everybody wants to write about their own ideas and academic journals want to publish what is new (they are fashion driven).

    Conversion between ways of counting function points, a software effort estimating technique, is one area where there has been a lot of replications (eight studies is a lot in software engineering, while a couple of hundred is a lot in psychology).

  • The wind is not yet blowing in software engineering research
    An article by Andrew Gelman is getting a lot of well deserves publicity at the moment. The topic of discussion is sloppy research practices in psychology and how researchers are responding to criticism (head in the sand and blame the messenger).

    I imagine that most software developers think this is an intrinsic problem in the ‘soft’ sciences that does not apply to the ‘hard’ sciences, such as software; I certainly thought this until around 2000 or so. Writing a book containing a detailed analysis of C convinced me that software engineering was mostly opinion, with a tiny smattering of knowledge in places.

    The C book tried to apply results from cognitive psychology to what software developers do. After reading lots of books and papers on cognitive psychology I was impressed with how much more advanced, and rigorous, their experimental methods were, compared to software engineering.

    Writing a book on empirical software engineering has moved my views on to the point where I think software engineering is the ideal topic for the academic fraudster.

  • I Used to Be a Human Being
    If the internet killed you, I used to joke, then I would be the first to find out. Years later, the joke was running thin. In the last year of my blogging life, my health began to give out. Four bronchial infections in 12 months had become progressively harder to kick. Vacations, such as they were, had become mere opportunities for sleep. My dreams were filled with the snippets of code I used each day to update the site. My friendships had atrophied as my time away from the web dwindled. My doctor, dispensing one more course of antibiotics, finally laid it on the line: “Did you really survive HIV to die of the web?”

    But the rewards were many: an audience of up to 100,000 people a day; a new-media business that was actually profitable; a constant stream of things to annoy, enlighten, or infuriate me; a niche in the nerve center of the exploding global conversation; and a way to measure success — in big and beautiful data — that was a constant dopamine bath for the writerly ego. If you had to reinvent yourself as a writer in the internet age, I reassured myself, then I was ahead of the curve. The problem was that I hadn’t been able to reinvent myself as a human being.

  • The Free-Time Paradox in America
    Erik Hurst, an economist at the University of Chicago, was delivering a speech at the Booth School of Business this June about the rise in leisure among young men who didn’t go to college. He told students that one “staggering” statistic stood above the rest. "In 2015, 22 percent of lower-skilled men [those without a college degree] aged 21 to 30 had not worked at all during the prior twelve months,” he said.

    "Think about that for a second,” he went on. Twentysomething male high-school grads used to be the most dependable working cohort in America. Today one in five are now essentially idle. The employment rate of this group has fallen 10 percentage points just this century, and it has triggered a cultural, economic, and social decline. "These younger, lower-skilled men are now less likely to work, less likely to marry, and more likely to live with parents or close relatives,” he said.

  • There was a bomb on my block
    I grew up on the internet. I grew up with the mantra “don’t feed the trolls.” I always saw this as a healthy meditation for navigating the internet, for focusing on the parts of the internet that are empowering and delightful. Increasingly, I keep thinking that this is a meditation that needs to be injected into the news ecosystem. We all know that the whole concept of terrorism is to provoke fear in the public. So why are we not holding news media accountable for opportunistically aiding and abetting terroristic acts? Our cultural obsession with reading news that makes us afraid parallels our cultural obsession with crises.

    There’s a reason that hate is growing in this country. And, in moments like this, I’m painfully reminded that we’re all contributing to the culture of hate. When we turn events like what happened this weekend in NY/NJ into spectacle, when we encourage media to write stories about how afraid people are, when we read the stories of how the suspect was an average person until something changed, we give the news media license to stoke up fear. And when they are encouraged to stoke fear, they help turn our election cycle into reality TV and enable candidates to spew hate for public entertainment. We need to stop blaming what’s happening on other people and start taking responsibility.

Thursday, September 22, 2016

A Quebec City weekend

We had the chance to spend a long weekend in Quebec City, visiting my parents there, and seeing the town.

It turns out that, if you're going to spend a long weekend in a place you've never visited before, Quebec City is one of the nicest possible such places on the planet.

Especially when the weather is beautiful, as it can be in mid-September in Quebec.

The time went by so fast, and we did so much, that it seems ridiculous to try to re-tell it all. Instead, I thought I'd remark on just a few themes, such as: the town, the culture, the food, the arts, and the area.

Quebec City is simply a gorgeous town to visit. It's not too big, but it's big enough to be interesting. It's compact enough to explore on foot, but it's spread out enough that there is much to discover during your meanderings.

Quebec City is a UNESCO World Heritage Site, and also lays claim to being the oldest city in North America. It's certainly quite old for these parts, having had some sort of semblange of city government since 1608.

The old city (Vieux Quebec) is beautiful, full of old houses, churches, and stores, connected by narrow, cobblestone streets, nestled within the city walls, high atop the Cap Diamont overlooking the Saint Lawrence River.

And, of course, the Chateau Frontenac, famously "the most-photographed hotel in the world".

You can easily spend days just walking up and down the streets, sticking your nose into the cafes and stores and churches and galleries.

And it's just as beautiful at night-time!

As befitting a city that's been present, in a very desirable location, for a very long time, there have been numerous cultures that influenced the city over the years: First Nations, French explorers, trappers and traders, Jesuit missionaries, British soldiers, sailors from many countries.

Although Quebec is solidly part of Canada, which overall have a very British Isles background, Quebec is nowadays the center of French-speaking Canada and is a very French place. 95 percent of Quebec City residents consider French to be their primary language.

The net result, I'd say, is that Quebec City is a very mixed and multi-faceted place, with lots of different folk from lots of different backgrounds, even if everyone living there now speaks French.

As befitting a place with such a Francophile culture, food is a big part of life in Quebec. At first, particularly when I saw what a tourist magnet Quebec City is (three enormous cruise ships were docked there during our visit, probably by themselves more than doubling the population of Quebec City), I was worried that we'd have to be very careful about where we ate.

But every place we tried, from the plainest and simplest breakfast cafes and diners, to the country restaurants, to the fine gourmet feasts that we treated ourselves to, was delightful! Fresh ingredients, nicely prepared, quickly and yet gracefully served, with good cheer in all cases.

Beware, though: the portions are enormous! Quebec residents must certainly love to eat. I ordered the "small" crepe for breakfast one morning; it completely filled my plate!

Among the restaurants and bistros that I can particularly recommend are these: Le Hobbit on Rue St Jean; Apsara restaurant just inside the Porte St Louis; down-home cooking (with live accordion music!) at Les Relais des Pins on Ile d'Orleans; Restaurant Copas, a tapas place on Grande-Allee; Le Buffet de l'Antiquaire (delicious food at a hole-in-the-wall diner in the Lower Town); and, perhaps a bit surprisingly, the cafe inside the Musee National des Beaux-Arts, which was just superb.

And how could I forget about High Tea at the Champlain Restaurant in the Chateau Frontenac, even if it was mostly about the ambiance, not so much about the food?

Although Quebec City is perhaps not as "arty" a city as, say, Montreal, it is still home to a very active arts scene. There are museums, studios, and galleries everywhere. Pretty much every restaurant or bistro near downtown features live music most nights of the week. There are statues, fountains, murals, and other public artwork throughout town.

There are street musicians out performing on the corners. While we were there, the Quebec City Film Festival was underway, and people were seated at an open-air theater in Place d'Youville watching a French comedy I didn't recognize, while just a few blocks away a pair of street musicians were singing their hearts out as a group of a dozen fans danced happily on top of the city wall.

And, tucked away in a corner, a little shop housed a master violin-maker (luthier), who trained in Cremona before opening his Quebec City shop.

If, somehow, you get bored of Quebec City proper, you can get out of town, and still find lots to do.

One fine afternoon, we went and toured Ile d'Orleans, which offers a delightful agri-tourism experience. We stopped at a Creme de Cassis maker, a cheese maker, and a winery which made a very interesting "ice wine", among other things.

Another day, we drove up to visit the recreated Huron village on the Huron-Wendat reserve, which was quite interesting.

(By the way, if you're at all interested in the First Nations history of Quebec, you simply must, must, must read Joseph Boyden's The Orenda. You won't read a more powerful book this year, I promise you.)

At on yet another day, we found our way to the delightful park at the hydro-electric power site at Parc des Chutes de la Chaudiere in Levis. Not only are the waterfalls beautiful, the park has miles and miles of trails to walk, not to mention a completely unexpected and exhilarating pedestrian-only suspension footbridge over the river.

As you can see, I could just go on and on and on.

But that's probably enough to give you a feel of just how much fun it was to visit Quebec City.

So, make your plans now: September 2017 isn't that far away!

Tuesday, September 13, 2016

A significant achievement for the U.S. Chess program

Here's the latest from Baku, Azerbaijan (home of the greatest chess player of all time): USA and China take gold in Baku Chess Olympiad

The United States of America have won their first Olympic gold medals since 1976 after a grueling and exciting last round. Despite clearly outrating opponents and neighbors Canada, they could only manage a 2.5-1.5 win, APA reports .

This gave rivals Ukraine a chance to overtake them on tie-breaks; they did put in a spirited performance, culminating in a 3.5-0.5 win against Slovenia, but it turned out not to be enough.

As Dana MacKenzie observes:

This is the first time that the United States has ever won an Olympiad in which Russia (or the Soviet Union) has participated. Caruana, Nakamura, So, Shankland, and Robson have etched their names in immortality. And coach John Donaldson, too!

Congratulations to all!

Carl Malamud article on BackChannel

Don't miss this wonderful biographical article about the fascinating Carl Malamud on BackChannel: The Internet’s Own Instigator

Do not yawn. True, the legality of electronically publishing building codes, plumbing regulations, and product safety rules for baby seats probably won’t be the subject matter for Andrew Lloyd Webber’s next musical. The lawyers in the American Bar Association’s House of Delegates might be excused for thinking that this would be one of the more obscure resolutions they would consider at their annual meeting. But such thinking doesn’t take Carl Malamud into account. With an endless supply of energy and a wacky bag of tricks, he has singlehandedly elevated the subject to the most contentious issue of the event, a parliamentary prizefight. If nothing else, Malamud is determined to make the barristers understand that the publication of these standards is a core American value, and allowing anything but totally free and open publication would leave a dark constitutional stain on the shag rug of liberty.

Thursday, September 8, 2016

BART congestion

I stumbled upon this: BART Will Pay Cash Rewards for Changing Your Commute Hours.

On Tuesday, BART announced a new program offering cash to riders who will commute to work outside of rush hour—sort of like when you get free flight vouchers on Southwest for giving up your seat. The BART Perks program will award points for each mile traveled on BART during off hours, and commuters can earn up to six times as many points by starting their trip during the morning bonus hours, from 6:30 to 7:30am and 8:30 to 9:30am. The points can then be traded for small cash rewards sent via PayPal or used to play the "Spin to Win" game, where players can earn even more points or cash.

If those hours don't work for you, BART wants to persuade your employer to let you shift your work schedule and hopes to see 10,000 perks program signups and 1,200 people shift their commute. Think 1,200 people isn't that many? Actually, it's the equivalent of an entire 10-car train.

"Our goal is to see if we can shift riders to less crowded times, which will improve everyone's experience on BART," said director Gail Murray in a statement. "It can also improve BART's on-time performance during the rush since trains will have shorter dwell times at each station due to less crowding."

I'll be honest and say that I don't know what the ideal answer to BART congestion is.

But I'm pretty sure this ain't it.

Wednesday, September 7, 2016

Oakland declares that the OPD investigation is complete.

There are lots of publications covering tonight's press conference by Oakland Mayor Libby Schaaf, including: Oakland fires 4 officers in police sex scandal.

Schaaf tried to use the occasion to look to the future:

“This investigation has not only been about holding people accountable, it has also tried to prevent these actions from ever happening again,” Schaaf said.

Schaaf added her intent is “to increase officer awareness and ability to recognize the signs of sexual abuse and exploitation.”

“We are tightening our controls to access to our criminal databases and instilling policies on use of social media,” Schaaf added.

The Oakland mayor said the police department will be changing several policies and help victims of sexual violence seek help.

Although the Oakland city investigation may be complete, other wheels continue to turn:

Schaaf said District Attorney Nancy O’Malley is still completing her criminal investigation into the case and said “we have reason to believe she will be making determinations relatively soon.”

OPD is full of complicated problems, many of them very hard to solve. I wish Mayor Schaaf all the best as she works her way through the morass.

Signage advice from the CAA

Here's a great article covering something that I've wondered about for a number of years: Apartment, building industries fight diarrhea-sign requirement for recently built multifamily pools

“In addition to being the focus of public bewilderment, these signs have become the object of theft,” the petition points out. “These specific signs have become the focus of young vandals seeking to collect them. … We suspect this is a problem not considered by DPH during the initial development of these regulations.”

Note, too, the great disclaimer which appears near the top:

Editor’s note: This is a real article. It is not copied from The Onion.

Thankfully, it's apparently only the young vandals we have to worry about, which I guess rules me out.

Tuesday, September 6, 2016

Far Cry 3: A very short review

"what?"

"Oh! I'm sorry."

"I had no idea I was on that computer for almost 4 hours."

"It felt like twenty minutes."

Sunday, September 4, 2016

Anatomical envy of the Nor-Cal / So-Cal sort

As everyone knows, the Salesforce Tower continues to rise in downtown San Francisco.

You can stay quite up to date on the progress via the web-cam.

For a while, it seemed like the biggest controversy about the Salesforce Tower was whether its construction was causing the sinking of neighboring buildings, but now there is news of a controversy of a different sort.

A few hundred miles to the south, another mammoth tower is nearly complete: The soaring crown on L.A.'s new tallest skyscraper points to the future of the skyline, and it turns out that they, too, have their eyes on the Salesforce Tower.

One of the first skyscrapers downtown — the Union Bank building, completed in 1967 — was 516 feet tall. Since then, a half-dozen high rises have pushed into the 700- to 1,000-foot range, including the US Bank Tower at 1,018 feet. The Wilshire Grand was “a tree in a forest of tall trees,” as they explained to FAA officials in their early conversations.

But last November — with the engineering for the sail and the spire finalized at 1,100 feet — the FAA issued what seemed to be its final report. If “reduced in height so as not to exceed 1,065 feet,” it read, the Wilshire Grand would not be an obstruction.

The team thought there was a mistake. The prospect of lopping off 35 feet from the spire was not just untenable; it would be “a huge embarrassment,” said Chris Martin, chief executive of A.C. Martin Partners. The city, the architects and the owner had touted the building as the tallest in the West, and they were not about to cede ground to Salesforce Tower in San Francisco, coming in at 1,070 feet.

No word yet on what sort of attachment Benioff plans to bolt on to the Nor-Cal monster to up the ante...

UPDATE: Don't miss this wonderful story (and video) about the spire at Curbed Los Angeles: Watch the Wilshire Grand get its spire, making it the tallest building in Los Angeles

The decorative piece was installed in eight segments. The top piece is an LED beacon that can be programmed to light up in varying colors. "The intention behind this is to use the Spire Tip light to celebrate special events in the city such as holiday colors in December or special events in Los Angeles such as Dodger Blue when they win the Pennant," says Chris Martin, CEO and Chairman of AC Martin, the building’s designers.

Friday, September 2, 2016

They had me at "Terrebonne Parish"

This one has everything: Cartography, Climate Change, Southern Louisiana, John McPhee.

Louisiana Loses Its Boot

Cartography, as Snead explains it, requires navigating tensions between precision and compromise. The 2000 map, he explained, is “‘official’ because there is an act of the legislature that says the Department of Transportation will produce an official map of Louisiana. And you should be aware that the legislature is full of politicians.” Elected officials, according to Snead, are not so concerned with the map depicting an accurate coast as they are with the visibility of the public works projects, like highways and canals, that signify their accomplishments. Complicating matters is the sheer expense of collecting the fresh data necessary to render a land-water interface perpetually on the move. As a consequence, the Louisiana map holds “a very generalized coastline,” according to Snead, that “is hard to draw even under ideal conditions. You have to have a very large scale to render it.”

"The legislature is full of politicians."

Who could have put that any better?

Thursday, September 1, 2016

Speed bumps on the information superhighway

Matt Levine, patient and capable as always, tries again to explain the nearly-incomprehensible: Speed Bumps Are the Hot New Thing for Exchanges

One thing to notice here is that this is the opposite of the IEX story. In the IEX story, investors were sad because they wanted to buy all the stock at the price that was displayed, and sent out orders to buy all that stock at the displayed price, and couldn't -- because high-speed traders reacted to trades on one exchange by pulling their sell orders from other exchanges before the investors' buy orders could be fully executed. In the Chicago story, market makers are sad because high-speed traders tried to buy stock from them at the price they had displayed, and could -- because the market makers couldn't react to trades on other exchanges by pulling their sell orders from the Chicago exchange fast enough. The IEX story is about the sadness of being unable to get all the stock that you want before the price reacts to your demand. The Chicago story is about the sadness of being unable to react to demand before selling all the stock that was demanded.

As Levine observes, this is competition and innovation at work:

It was widely predicted that the approval of IEX as an exchange would create more complexity in market structure, and those predictions are coming delightfully true. Speed bumps will now be a competitive tool for exchanges, but each exchange can build its speed bump to target a different audience. Chicago's speed bump will advantage market makers who provide displayed liquidity. IEX's speed bump advantages investors who place hidden discretionary peg orders, as well as investors who want to buy all the shares on all the exchanges before the displayed liquidity can change -- exactly what the Chicago plan is meant to prevent. Nasdaq's proposed Extended Life Order targets yet another group, of traders willing to leave orders in force for a while. A thousand -- or at least a dozen -- market structures can bloom, each subtly optimized for a different type of trader. It's an innovative and competitive market, in which each exchange can figure out what sorts of traders it wants to favor, and then optimize its speed bumps to cater to those traders.

It sure is confusing, though.

Trigger Warnings and Safe Spaces at the University of Chicago

A number of people have asked me, knowing that I'm a Chicago grad, what I thought about the letter that Dean Ellison wrote to this year's incoming freshman class.

If you have no idea what I'm talking about, you can read more here, here, here, here, and here.

I found the letter itself, and the discussions and observations that I read, fascinating.

I particularly recommend the long comment threads on John Scalzi's essay.

And I'm quite pleased that the discussion is occurring, and that the University of Chicago wants to be part of the discussion.

However, I don't have anything to add.

I've spend my entire life cocooned in white male privilege; I have absolutely none of the perspective that drives people to confront issues like this, this, this, this, or this.

So good on the U of C for encouraging and continuing the discussion.

And good on the participants for joining it.

I remember my times on campus as full of passionate discussion of all sorts of topics (even if the subjects I was generally studying were far less controversial than these).

And I'm tremendously glad that tradition continues.