flwyd: (transparent ribbon for government accoun)
The New York Times published a set of articles this week about U.S. military efforts to hack North Korean weapon systems to stymie the regime's goal of demonstrating an ICBM which could deliver a nuclear bomb to a city in the United States. The attempts so far seem to have been fairly successful, causing failures in most launch attempts of the current generation of North Korean rockets.

While the political and military tactics in this particular case and how the North Koreans may react or retaliate are fascinating, I'd like to take a step back and look at the bigger picture. The U.S. military is using "cyberweapons" and committing what one might term "cyberwarriors" in an offensive operation attacking infrastructure developed by a foreign state. This is also not a new policy: ample evidence indicates that U.S. and Israeli intelligence agencies built and deployed the Stuxnet worm to cause physical damage to nuclear centrifuges at Natanz in Iran, setting the Iranian government's nuclear ambitions back by a few years (and driving them batty in the process). The Stuxnet attack was authorized by George W. Bush and reauthorized by Barack Obama. The North Korean attacks were authorized by the Obama administration (probably the president himself) and are now under the direction of the Trump administration.

In many ways a "cyberweapon" is just a collection of software vulnerabilities packaged in a way that helps the attacker obtain information from or disrupt the operations of a particular network or computer system run by a target. A cyberwarrior and a common hacker use, by and large, the same tools–they differ primarily in motives and focus. The same vulnerability in, say, Microsoft Windows can be exploited to steal bank account credentials or to further infect an industrial control system and disrupt a nuclear fuel operation. The Stuxnet attack on Natanz and the current North Korean attacks have had significant physical-world effects: large and dangerous objects were destroyed. Criminal and ideological hackers have thus far focused on digital payloads–stealing data, transferring money–but there's nothing preventing non-government attackers from creating havoc in the physical world, from disabling the power grid to releasing a flood of water from a dam to potentially triggering a nuclear meltdown.

Unlike the military hardware of the last century, governments, businesses, and individuals around the world generally use the same software and hardware from a small group of companies with worldwide scope. The Microsoft Windows on laptops, Android on smartphones, and firmware in Cisco routers is code that's used by people in every country. By and large, there's no "Iranian software," "North Korean software," or "American software"–with the Internet, it's all "world software." Every security bug that a military or intelligence agency discovers but doesn't disclose is one that goes unpatched by the vendor and could be exploited by another government or crime gang, harming the citizens, businesses, and government agencies that the military and spy agencies are tasked with protecting. This presents a particular problem for an organization like the NSA, which has an explicit commitment both to defend American computer and communication networks and to intercept foreign communications of interest.

Physical war and military operations are, in large part, studied and debated in the open. The public and our elected representatives don't know the details of all military plans and technologies, but we're broadly aware of where military force is being used offensively and defensively and what sorts of tools and tactics we're comfortable with the military using. The country is able to have a public debate about topics like whether we should invade a country, how much money we're willing to spend to achieve military objectives, and whether we consider torture or cluster bombs to be acceptable tools of war making. (The pro-war advocates are often able to start their framing of the issues well before the public starts to engage in the debate, so we tend not to have a very effective public debate, but the opportunity is still there.)

"Cyberwar" and offensive security compromises by the government, by contrast, have been conducted under a thick veil of government secrecy. The people of the United States and our representatives in Congress have not had an opportunity to have a public debate about whether we're comfortable with the military, without declaring war, instigating digital battles with sovereign states. We haven't had a proper conversation about what sorts of cyberattacks we're comfortable with and which are beyond the pale. We haven't effectively discussed the balance between concealing and weaponizing computer vulnerabilities for attack and defending our country's digital infrastructure by helping companies patch software when intelligence agencies find bugs. And we really haven't come to grips with what we'll do when a "cyberweapon" targeted at a narrow military objective is too effective and causes unintended damage elsewhere on the Internet, including to American assets. We also haven't taken an opportunity to establish treaties governing digital offensive activities, so other nations may take a cue from U.S. operations and decide that hacking is a legitimate tactic and invest in their own "cyberarmies" which attack and hurt American computer networks.

There are reasonable arguments both in favor of and opposed to offensive military hacking. Proponents can point out that a well-executed cyberattack has the potential to achieve its objective cheaper and with a lot less loss of life than a conventional military operation. Opponents can point out that a hacking operation that gets out of hand–as the Stuxnet worm did, infecting millions of computers around the world–is a lot more work to halt than just calling off the bombers and withdrawing the troops. But so far these debates have been held quietly behind closed government doors and in memoranda stamped Top Secret. The public doesn't know what conclusions were reached, and their interests were not well represented. Once Congress is done with their current project of attacking affordable health care and defunding public agencies, it would be great if they could demand that military, intelligence, and executive agencies include the American people in the conversation about the rules of engagement for offensive hacking. I'm not holding my breath, though.

Anyone interested in this topic should watch the fantastic documentary Zer0 Days. It features a detailed technical explanation of how the worm works from the security researchers who studied it (and impressive cinematic techniques to make this explanation engaging), insights from anonymous NSA employees, and some remarkably frank on-the-record interviews with government officials. I'd read the initial reporting on Stuxnet in 2010, but the movie exposed several fascinating facets of the story of which I was unaware. The interviews with government-associated figures help shape the views I expressed above, and some of the officials seem to share my position.

Bruce Schneier often writes well about this subject, too.
flwyd: (mail.app)
As a result of a few conversations and a whiteboard session, my name has been enshrined in history in United States Patent number 9,430,578, System and Method for Anchoring Third Party Metadata in a Document.

I can only recommend reading this document if you need help falling asleep, or if you would find it educational to read a seemingly spurious list of components which might be found in a computer system.
flwyd: (daemon tux hexley)
There's been a lot of noise in developer circles recently about Apple's new, unusual iPhone developer agreement, particularly section 3.3.1. Briefly, Apple declared that you're not allowed to write iPhone/iPad/iPod software unless you use their tools to do it. Specifically, you're not allowed to write it using a level of abstraction that lets the application easily run on other devices like Androids, Windows Mobile phones, and BlackBerries.

A lot of people said this new change was targeted at Adobe, creators of Flash, a system for creating multimedia content that will work the same on any browser with their plugin installed. While the sorts of folks who comment loudly on this sort of thing have no love for Flash, being told how not to write software is a good way to rile up whole nests of developers.

Steve Jobs recently wrote an explanation of why he doesn't want Flash on the iPhone. He starts by painting Flash as a closed system -- Adobe controls the authoring tools and the play environment. He contrasts this with the open standards of HTML5, CSS, and JavaScript, the technologies at the front of most websites. The great thing about HTML is that anyone can create stuff in it and anyone can access it with a browser tailored to their device's peculiarities. So far, so good.

But then Jobs completely undermines his discussion of the openness of the web by saying the most important reason they don't want Flash is that they think the applications with the best user experiences were written to take advantage of everything the iPhone (or Mac or whatever) offers. He suggests that it's best for the users if all iPhone apps are developed using Apple's tools:
Our motivation is simple – we want to provide the most advanced and innovative platform to our developers, and we want them to stand directly on the shoulders of this platform and create the best apps the world has ever seen.
In other words, you can stand directly on Apple's shoulders, but you'd better not stand on the shoulders of someone standing on Apple's shoulders. If some clever company invents a new way of writing really great apps, the only way iPhone users will get the benefit of that innovation is if Apple deigns to adopt it.

Yet when you visit a website on the iPad, Apple doesn't stop you because the site's designers didn't adhere to Apple's user interface guidelines or because they used a tool like GWT to make the JavaScript work for all browsers. So if somebody wants to write an app that can run on iPhones, Androids, BlackBerries, and who knows what else, their choices are to write it twice: once for the iPhone and once for everything else. Or they can take Steve Jobs's advice and write it once for the web and bypass Apple's restricted platform. If they do the latter, they don't have to wait in App Store limbo, they can include porn if they want, and Apple doesn't take a cut of their profits. What's the down side?

So which is it, Steve? Are open standards the key to a good development environment and a good software ecosystem? Or is a single company controlling the platform the way to go?

Personally, I'm happy with my Android device which allows you to stand on as many shoulders as you like. It's shoulders all the way down.
flwyd: (xkcd don quixote)
It's not simple to look for a job with narrow domain constraints (my main interests are a pretty small subset of the total programming work) but wide geographic flexibility (I'd enjoy most places on either coast plus much of the interior west). Keyword searches on major job sites can find some good matches, but some of my interests are broad enough that words or phrases might not be shared. For instance, I'm interested in geography, but that word might not appear in a job posting for a company making location-based mobile apps. And even if a word with "geo" as a root is present, can I trust Monster's search algorithm to match "geography" to "geographic?" It certainly won't infer GIS from geography or vice versa. Search result pages on these sites usually don't give much context, so there's a lot of forward-and-back browser action. Further, most sites don't hide jobs you've already looked at and rejected, so search variations may give you the same lame company you've already decided against.

The most usable approach I found was to subscribe to the RSS feed for the appropriate job category in every city I thought was interesting. This included a lot of postings for positions I wasn't interested in, but with Google Reader I could quickly skip those (j/k for down/up, vi uber alles!) and not see them again. After a few passes with this approach, I got pretty good at identifying postings that don't apply by the title or a quick scan of the first paragraph. The process was still time consuming -- the SF Bay software jobs feed can generate a few hundred postings in a week -- but I gathered a sense of the general software talent market in addition to finding companies of interest in what felt like less time than weeding through a narrowed set of results on traditional sites. Note that this approach can work for any industry and can be a low time commitment if you aren't following feeds for a dozen cities. If you're looking for work, go to http://yourcity.craigslist.org/ and click on the job category you want. Copy that URL into your feed reader and let job postings come to you. You can also subscribe to a more specific keyword search.

Of course, this process didn't lead me to the job I actually landed, but I did find some companies I'd have been interested in if I couldn't reach my top target, and some products I think are interesting even if I don't want to work on them. Some of these are mature, others show promise. I haven't tried most of them, but they look cool.
  • Simply Hired job site aggregator which can apply multiple filters (location, position, skill, etc.) simultaneously. Still feels like it needs some work; I didn't find it as helpful as my Craigslist approach above. Indeed provides a more Google search-like job site aggregation.
  • RoundPegg presented at this month's Boulder New Tech Meetup. They're working on an eHarmony approach to job search. Gather data on companies and teams, then have potential hires take a personality test to see how well they would fit interpersonally. The second phase will be letting job searchers put their info in and find employment matches. OkCupid's approach to dating is how I'd really like to approach job searching, so I think (and hope) this could be really successful.
  • TouchGraph Navigator: automated data visualization.
  • Alelo combines 3D gaming with language learning. With the Department of Defense as a major client, their program focuses on cultural norms and nonverbal communication in addition to phonetics, vocabulary and grammar.
  • Outside.in provides hyperlocal content feeds. Pick a location (e.g., your house) and you can get news, blog posts, business listings, etc. They work on both natural language and geography problems and use some exciting technologies, so I was pretty interested in working with them. If I hadn't gotten a job at Google, these guys would be high on my list of interests. They use Mallet as their NLP toolkit; I'd like to check that out some time.
  • SkyGrid provides real-time personalized(?) feeds of business and financial news across many reputable sources. This would be pretty cool if the service worked on any subject the user was interested in.
  • Rosetta Stone has several personal and enterprise language learning packages. Their Boulder office has some folks from CU (including one of my teachers) and is working on cool stuff including online games where you can interact with native speakers.
  • Geodelic is a mobile app that shows places based on proximity and interest. It can figure out if you don't like Starbucks and recommend coffee shops that are further away, but not part of the famed bean empire. They seem kind of focused on providing value to advertisers, so I'm not sure I'd rely on them for unbiased information.
  • SimpleGeo is a Boulder startup that will provide an API and data cloud to make it easy for folks to write apps like the above without the expense of gathering and storing all the data first.
  • Plectix treats microbiology as a programming language. If I was into bioinformatics instead of NLP, I'd be way excited about these guys.
  • Allen Institute for Brain Science is developing atlases of the brain. Founded by Paul Allen, Bill Gates's lesser-known other half.
  • Acuitus makes some pretty grand claims about their digital tutor's results. Done right, it could be a huge boon to education.
  • Language Weaver provides automatic machine translation for enterprise. I don't know what the state of the art in commercial translation is, but it's likely better than free translators like Google's. How much better, I don't know.
  • imo.im provides web-based multi-protocol instant messaging. This is a good site for chat if you're often on public computers or just borrowing a friend's. Long-term, the company wants to do a lot of cool things with communication.
  • The Experience Project is a social networking site based not on who you know but who you are, with groups like "I survived cancer," "I am bisexual," and "I love bacon."
  • Topsy is a search engine based on links from Twitter.
  • The Game Crafter offers custom production of game components for homemade games.
  • Urban Mapping provides geographic data like neighborhood boundaries.
  • Open Layers is an open source platform like Google Maps. Thematic Mapping provides a JavaScript API to generate KML for Google Earth et al. FusionMaps is an open source project for creating interactive maps in Flash.

How Times Change

Monday, November 9th, 2009 11:34 am
flwyd: (dogcow moof!)
From a 1986 interview with Bill Gates for the book Programmers At Work:
Features are kind of crummy in a way, because the more features you have, the bigger the manual is. And features are only beneficial if people take the time to use them, whereas speed–if you can print the pages faster, or show it on the screen faster, or recalc it faster–that’s worth an incredible amount. If you can give the users a few simple commands and make the program efficient enough to do what they want with those few commands, then you’re much better off.

A decade later, Microsoft seemed to have abandoned this philosophy wholesale. They became synonymous with feature bloat (from my perspective, MS Office usability peaked in about 1997) and software that ran slower with every release. Gates has had one of the sharpest minds for the business of computing and presumably realized that features outsell performance, particularly in the enterprise, which is where the real money is.
flwyd: (java logo)
From Section 1.3.4 of GATE's manual:
After several hours struggling with badly written documentation, Fatima manages to compile the stubs and create a JAR file containing the new resources... She saves this and the version that she ran GATE on into her Oracle datastore (set up for her by the Herculean efforts of the Cyberdyne technical support team, who like GATE because it enables them to claim lots of overtime)...
flwyd: (dogcow moof!)
Installing Ubuntu updates this morning, the details included the line
Unpacking replacement wine...

Maybe the original wine turned to vinegar. Or maybe someone dropped a case and we had to scramble to have enough for the party.

Thursday, August 16th, 2007 05:36 pm
flwyd: (dogcow moof!)
Yesterday was apparently the day for departures. [livejournal.com profile] mollybzz moved to China (and I received several tasty items from her refrigerator and larder). It was the last day of work for my coworker who claimed he didn't know the name of the company he was switching to (and apparently their product is too complicated to explain). And I took a few hours out of the middle of the day to attend my great uncle's memorial service at Fort Logan military cemetery.

I'm very excited for [livejournal.com profile] mollybzz and I look forward to hearing her fantastic stories of life in the Middle Kingdom. I'm somewhat glad that my coworker departed; while he was a hard worker and often entertaining, I've wanted to strangle him over several bits of code. And I'm glad that my great uncle was able to live and geek out (genre: model trains and planes) for close to 90 years without the decade-long slide into oblivion that my grandmother experienced.

I learned today via Slashdot that another dear friend has departed. ClarisWorks (renamed AppleWorks late in life) made creating documents easy and relatively frustration-free. Unlike the bloated Microsoft Works that didn't, ClarisWorks was small (throughout college I would download 2.5 MB worth of AppleWorks to print my homework), seamlessly integrated (put text in a picture! put a picture in a spreadsheet! put a spreadsheet with a picture in text!), and free of hassles (when prompted for a license code, you could enter anything and it would accept it). One of ClarisWorks's creators has an insightful history of the product. It's got some interesting insights into the software development and business cycle.

I played around a little with the demo version of iWork last year, but iDidn't see an easy way to do the thing iUse AppleWorks for most frequently these days: laying out a bunch of small bits of text and pictures on a piece of paper. Maybe iShould take a look at iWork '08. Maybe I should look around for other WYSIWYG document software. I should definitely make sure I open all my high school and college essays and ensure they're stored in a format that will live on.

It's important to let good things come to an end. I'll miss them all, but I won't be sad. For such is the Way.

Software Design: A Meta4

Wednesday, May 16th, 2007 12:45 am
flwyd: (java logo)
Software design is the art of placing rugs about your house in such a way that nobody notices what's been swept underneath them.

Late Pun

Wednesday, March 21st, 2007 06:04 pm
flwyd: (daemon tux hexley)
Quite a few people have already thought of the phrase "Open Sourcerer." But I still like it.
flwyd: (java logo)
If a poor and despised Indian tried to get a job at a company testing Java software they would throw him out with a ClassCasteException.

Monday, January 8th, 2007 11:57 pm
flwyd: (Vigelandsparken goat stone)
The big excitement at work today was that Cedar's desk was very clean and organized, replete with desk organization devices. Eating dinner, some of us speculated on the reasons. Did he come in on the weekend to clean his desk? Did his wife make him do it? One person said "I think she might take issue with that." I responded "That wouldn't hurt very much; she wears Crocs." It was at least fifteen seconds before I realized the phrase was "take issue," not "take a shoe." But I think I like my version. Your task, should you choose to accept it, is to spread the phrase
"I take a shoe with that." Complete with a menacing grab for your foot and a shake with your fist. Extra points if you wear mithril-spiked high heels.

It must be interesting to work on a project like writing MS Office for Windows XP. Not only would you find bugs in your project, you'd also find bugs in the operating system and core libraries. Unlike an end user who might blue screen once in a while, you'd encounter bugs that never get to market and have to be able to distinguish them from the bugs in Office that never get to market. And in an organization like Microsoft, you can't stick your head over the cubicle wall and find someone to fix your bug.

I wonder what percentage of the code in MS Office are workarounds for problems in other Microsoft products. I wonder what percentage are workarounds for problems which have since been fixed.

Update, day next: I meant Windows Vista, not XP, but Microsoft stopped naming their releases in sequential order so I can't keep track late at night.
flwyd: (dogcow moof!)
Microsoft PowerPoint is a curious program chock full of features to make your presentation look absolutely ridiculous.
Page generated Saturday, March 25th, 2017 01:42 pm
Powered by Dreamwidth Studios