rc3.org

Strong opinions, weakly held

Author: Rafe (page 50 of 989)

Security is a cost

At work, we’re switching things to encrypt a lot of information in our databases for security reasons. The project has been time consuming and painful, and in the end, our database is far less usable from a developer’s standpoint than it was before. Soon the days when I can quickly diagnose issues on the production system with a few well-placed SELECT statements will be a thing of the past.

As far as the implementation goes, I’ll tell Hibernate users who want to implement an encryption system that there’s only one way to go — UserTypes. Don’t bother with anything else.

What this project really has me thinking about, though, is the high cost of security. It ties into something from the Bill James interview that I linked to the other day. Here was his response to the question of whether we overestimate or underestimate the importance of crime:

We underestimate it, because it’s our intent to underestimate it. We only deal with it indirectly. We all do so many things to avoid being the victims of crime that we no longer see those things, so we don’t see the cost of it. Just finding a safe place for us to have this conversation, for example — we needed a quiet place, but before that, we needed to find a safe place. A hotel lobby is what it is because of the level of security. I’ve checked out of this hotel, but I’m still sitting here in the third-floor lobby, because it’s safe. When you buy something, it’s wrapped in seven layers of packaging in order to make it harder to steal.

I think that people are generally excessively afraid of crime but underestimate the day to day costs that crime imposes. In software engineering, we spend a lot of time and effort on security. If everyone were honest, we wouldn’t need passwords, encryption, or any of the other stuff that occupies a lot of time on every project. We’d still need to take precautions against damage caused by user error, but most of the hours we spend on security could be spent on other things.

The other cost of security, beyond implementation time, is the ongoing cost related to the inconvenience of security. Whether it’s the time we take to unlock our screen or set up SSH tunnels or deal with the fact that we have to decrypt data in the database in order to see it, it all counts. Security is almost always a form of technical debt.

In many cases security precautions are necessary (or even mandated by law), but it’s important to be vigilant and not add more of it than is necessary, because it’s almost always painful in the moment and forever thereafter.

The tradeoffs involved in personal web publishing today

Marco Arment breaks it down:

In many ways, we’re better off now: publishing online is far easier, less time-consuming, and more accessible than it has ever been, which has brought content, voices, and consumers online that wouldn’t have been otherwise.

But all of these proprietary networks that want to own and hold in your content are reversing much of the web’s progress in some other areas, such as the durability and quality of online identity.

This is why I prefer people write on Tumblr, or Posterous, or WordPress.com rather than on Facebook or some other walled garden. And if you’re going to be on one of those sites, be sure to grab your own domain.

Related: The Fred Wilson school of blogging. I don’t have a blogging strategy, but I do have online habits, and Fred’s mirror mine pretty closely.

Bill James on the human capacity for evil

In an interview with Chuck Klosterman on the subject of crime, baseball analyst Bill James talks about how a person becomes a murderer:

It is not as if we walk through one doorway and decide that murder is acceptable. You have to walk through many doorways. The first doorway leads to a party, where people are doing drugs and having fun. The second doorway leads to more partying. It’s a long, long series of doorways, until you end up in a room where a terrible thing happens. So the question is, “How many doorways away are you?” It’s not a question about a person’s capacity to commit a murder. It’s a question of how many doorways we keep between ourselves and that situation.

The whole interview is really interesting.

Why people are returning to Java

I am a huge fan of Ruby on Rails, but I was not terribly surprised to read that as Twitter’s code base has grown, they’ve found it more amenable to move to JVM-based languages for reasons having mostly to do with encapsulation. InfoQ interviews Twitter engineer Evan Weaver about how the company’s stack is evolving as they get bigger.

On one hand, they’re moving more services to the JVM for performance reasons. When they extract components from their main code base to optimize them, they generally migrate them to the JVM:

The primary driver is honestly encapsulation, so we can iterate faster as a company. Having a single, monolithic application codebase is not amenable to quick movement on a per-team basis. So when we decide to encapsulate something, then because of our performance concerns, its better to rewrite it in the JVM for most systems, than to write a new Ruby system.

They’re also finding the rigidity of the JVM useful for productivity reasons:

And the other half is that, as search has moved into a Service Oriented Architecture and exposes various APIs, static typing becomes a big convenience in enforcing coherency across all the systems. You can guarantee that your dataflow is more or less going to work, and focus on the functional aspects.

Those are the kinds of reasons why I could not imagine rewriting the main application I work on as a Ruby on Rails application. I’m surprised he doesn’t also mention the maturity and power of the tools on the Java side. Text editors like TextMate and Vim are great, but when it comes to navigating through a large, complex code base, you cannot beat the state of the art Java IDEs like Eclipse and IDEA.

Update: Edd Dumbill lists seven reasons you should use Java again.

Fifteen years of missing the point

Last week I just happened to read a piece of media criticism by James Fallows that was published in The Atlantic in February, 1996. It didn’t surprise me to see that very, very little has changed.

Here’s Fallows, writing about 1995:

In January of last year there was a chance to see how well the lesson had sunk in. In the days just before and after Bill Clinton delivered his State of the Union address to the new Republican-controlled Congress, he answered questions in a wide variety of forums in order to explain his plans.

On January 31, a week after the speech, the President flew to Boston and took questions from a group of teenagers. Their questions concerned the effects of legislation or government programs on their communities or schools.

Earlier in the month the President’s performance had been assessed by the three network-news anchors: Peter Jennings, of ABC; Dan Rather, of CBS; and Tom Brokaw, of NBC. There was no overlap whatsoever between the questions the students asked and those raised by the anchors. None of the questions from these news professionals concerned the impact of legislation or politics on people’s lives. Nearly all concerned the struggle for individual advancement among candidates.

Today, President Obama answered questions posted on Twitter. The Boston Globe compared the topics of questions put to the President on Twitter to those asked by the White House press corps over the past two weeks. Two percent of the questions asked on Twitter were about negotiations with Congress, compared to 24% of the questions asked by the pro journalists.

I think the good news, though, is that when it comes to getting information about how government policies affect people’s lives, we have a lot more alternative outlets today than we did in 1996. Sure, we have several terrible 24 hour cable news networks that devote more hours than ever to horse race coverage of what’s going on in Washington, DC, but we also have plenty of online outlets that dig deep into the actual results of government policy. That’s a big improvement.

By the way, you should read the article mentioned above, Why Americans Hate the Media. It’s completely relevant and interesting. The footage from the Ethics in America television show mentioned in the article is available on YouTube.

Abelardo Morell’s camera obscura

Last month’s National Geographic has a feature on Boston-based photographer Abelardo Morell, who sets up a room-size camera obscura and then photographs the results, which are astounding.

Camera12 Manhattan South

The National Geographic article has a few examples of his work, and his official site has many more.

Apple’s labor costs should be higher

I don’t really know what conditions are like in the factories where Apple’s products are assembled in China. On one hand, you have Apple’s supplier responsibility page. On the other hand, you have suicides at Foxconn factories where Apple products are assembled.

Today I noticed some manufacturing estimates for the iPhone 5. Apple is rumored to have placed an order for 15 million iPhone 5s from Pegatron, a manufacturer with factories in China. Apple sold 18.65 million iPhones last quarter. I can’t help but wonder how much better working conditions would be if Apple spent $5 more per iPhone on labor costs. Apple has at least $60 billion in cash and had profits of around $6 billion last quarter. Spending $5 more per iPhone would cost them less than $100 million per quarter.

I realize that Apple doesn’t set the pay rates in its suppliers’ factories, but of course they can put anything they want in their supplier compliance agreement. They could limit hours per week worked or require manufacturers to offer paid vacation. I wonder what Apple’s costs would look like if they required overseas manufacturers to comply with all U.S. labor laws except our minimum hourly wage?

The excuse has often been made that low margins in the electronics business lead to the poor working conditions in overseas factories. Apple’s margins aren’t low — I’d like to see them do even more in terms of helping out the people who assemble the gadgets we all love so well. And to be fair, I’d be glad to pay a bit more for gadgets if the money were going directly to the people on the assembly lines.

Quotable: Matthew Yglesias on patents

Here’s Matthew Yglesias on the acquisition of the Nortel patent portfolio by a consortium that includes Apple, Microsoft, and RIM:

I think the basic dynamic to keep in mind here is that insofar as rich high tech companies dedicate resources to hiring engineers to compete with one another by building better products, the consumer ends up winning. But insofar as rich high tech companies dedicate resources to hiring patent lawyers to sue each other or hire investment bankers to help evaluate patent-based acquisition strategies, almost all the surplus is accruing to the lawyers and bankers.

Robert Morris, RIP

Computer security pioneer and original Unix hacker Robert Morris has passed away at age 78. My favorite part of his obituary is the first sentence:

Robert Morris, a cryptographer who helped developed the Unix computer operating system, which controls an increasing number of the world’s computers and touches almost every aspect of modern life, died on Sunday in Lebanon, N.H.

It’s amazing and delightful to think that after all of these years that no operating system has surpassed Unix as a network server. It seems like a long time ago now, but it was widely believed that eventually Windows NT would kill off Unix. I’m glad that didn’t happen.

Most people recognize his name thanks to his son’s worm that essentially crashed the Internet back in 1988:

As chief scientist of the National Security Agency’s National Computer Security Center, Mr. Morris gained unwanted national attention in 1988 after his son, Robert Tappan Morris, a graduate student in computer science at Cornell University, wrote a computer worm — a software program — that was able to propel itself through the Internet, then a brand-new entity.

Relinquishing our own rights via tort reform

Last night, I watched Hot Coffee, a documentary that’s extremely critical of the tort reform movement. It occurred to me a long time ago that the civil court system is one of the few avenues by which regular people can seek redress against the rich and powerful, especially against corporations. The others are by voting for politicians who are pro-regulation and consumer rights, through organized labor, and in more recent times, by publicizing your cause on the Internet.

Corporate interests consistently work to undermine those channels to insulate themselves from being held accountable by regular people. Hot Coffee makes it clear exactly how business interests have spent tons of money to weaken the court system and even eliminate it entirely through binding arbitration clauses in contracts.

These practices are fundamentally undemocratic, and the money that has been spent on them has an effect that distorts the legal system in a way that is profoundly negative for regular citizens. Businesses spend huge sums to elect judges who will rule in their favor in civil cases and more importantly, will uphold state legislation that caps the damages that can be awarded in civil trials. Those same judges are consistently right wing on every social issue imaginable, and tend to take a narrow view of civil rights as well. Corporations spending money to expand and protect damage caps for plaintiffs are keeping people like Radley Balko in business when it comes to the rights of defendants in criminal proceedings as well.

Most importantly, the documentary shows how the corporations built public support for laws that almost nobody would be in favor of if they actually understood how they worked. It’s a must-watch. It’s airing on HBO now, and will be available on Netflix sometime in the future, I guess.

Older posts Newer posts

© 2024 rc3.org

Theme by Anders NorenUp ↑