While I am generally not pro-active in insuring my privacy (I'm quite beholden to Google services), the idea of a 3rd party deleting my data, yet keeping the information their algorithms extracted from it bothers me.
How would I prove the results they generated were wrong? What if the results have been collected over months or years, and now the Credit Agency see's me as a high risk? The data used as input to those algorithms is gone now (yay Privacy & Right to Be Forgotten). How are you going to prove that it was an error and should be removed? I'm not even sure what data they were collecting.
Moving forward, what if governments worked this way: your data is only on our systems momentarily, and then removed. Behind the scenes, you've been tagged as a high risk because of an error in the algorithm, and now you are no longer able to purchase a plane ticket.
How will you correct that situation?
It would be like an e-voting system that "recorded" the vote and then destroyed the actual input/ballot. It flipped every 3rd or 4th vote, but there's no feasible way to prove and fix it.
So, either keep both my data that you used as input and the information you generated, or keep neither.
Wednesday, May 22, 2019
Tuesday, May 21, 2019
Did your Streaming Movie Change?
While I enjoy the convenience of digital streaming - be it Movies or Music - I am struck by the potential for some unknown hand to subtly change the scenes, sounds, dialog/vocals, or even "adjust the message".
Since I've purchased a digital copy only, I would not even be able to check to see if something did change. Almost like a digital "gaslighting."
Even if there is a physical, unmodified copy available, very few would be motivated to compare. If it was truly subtle, it may be difficult to notice it.
I feel that this has been done recently - to a syndicated show in order to change the advertiser - and there being at least some discussion about it. Unfortunately, I am not able to easily dig up anything on it.
Since I've purchased a digital copy only, I would not even be able to check to see if something did change. Almost like a digital "gaslighting."
Even if there is a physical, unmodified copy available, very few would be motivated to compare. If it was truly subtle, it may be difficult to notice it.
I feel that this has been done recently - to a syndicated show in order to change the advertiser - and there being at least some discussion about it. Unfortunately, I am not able to easily dig up anything on it.
Monday, April 8, 2019
PostgreSQL JDBC + SSL
This serves as a note to myself (and anyone else) on a simple way to connect to a SSL-enable PostgreSQL (9.4+) server using the standard java SSL properties:
Add sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory to your connection string, and configure your JVM javax.net.ssl.* properties as you would for the majority of java applications.
E.g.:
jdbc:postgresql://dbhost:5432/testdb?ssl=true&sslmode=verify-ca&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory
and, if you use PKCS12 for certificate storage:
java -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStore=/path/to/cert.p12 -Djavax.net.ssl.keyStorePassword=notapassword -Djavax.net.ssl.keyAlias=mycert -Djavax.net.ssl.trustStore=/path/to/truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=notapassword
Add sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory to your connection string, and configure your JVM javax.net.ssl.* properties as you would for the majority of java applications.
E.g.:
jdbc:postgresql://dbhost:5432/testdb?ssl=true&sslmode=verify-ca&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory
and, if you use PKCS12 for certificate storage:
java -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStore=/path/to/cert.p12 -Djavax.net.ssl.keyStorePassword=notapassword -Djavax.net.ssl.keyAlias=mycert -Djavax.net.ssl.trustStore=/path/to/truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=notapassword
Wednesday, April 3, 2019
Re-framing Privacy
I really enjoy shows that guide me through various points of history, digging deeper into the day to day minutiae that your history classes in high school and college did not - and generally could not - show us.
You can also find nuggets of knowledge that can expand your understanding of the modern day. This happened recently while watching Lucy Worsley's "History Of The Home" series - I think it was the "Bedroom" episode.
While discussing the lack of intimacy in the home, she said - and I'm paraphrasing - that privacy was the ability to choose who you share yourself with. While obvious, and probably not uncommon, the quote rung in my head, echoing through the chambers. Quick aside: it's worth watching that series just to hear about the origins of "making the bed" and "sleep tight".
It clarified my mistaken presumption of privacy as a passive "something" that you had; it was, in actuality, an action that was controlled by you. It's what you do, not what you have.
Loss, or invasion, of our privacy, then, is the wrong way to think about the privacy problems we face today in technology, government, and society. When I hear about it, privacy is presented as a secondary privilege, as if it were my home.
This leads me to believe that privacy should be compared to Free Speech. In fact, privacy seems to be involved in exercising free speech: I choose to whom, of what, and how much of it, I speak. Being stripped of privacy prevents me from effectively exercising my free speech rights. Now the encroacher has not just read your journal, but has identified your personal expressions ("oh. I see you like to dance as you get into the shower").
In this way, we need to think of this as being stripped of a freedom, rather than a loss or invasion. Privacy is a choice of what you share, and how much of it you share: you choose when to stop sharing.
Unfortunately, the platforms we use are actively getting in the way of us exercising our privacy: "Look at what is going on out there. Just take a peek. Don't you want to say something about it. Perhaps do something - we can help you do that something." Kind of like having a kid around: you don't focus on their presence, you don't sense any danger of them being around while your acting out your day, then BAM! Your kid just told your friend what you bought them for their birthday - or, worse, tells your girlfriend that you bought her an engagement ring (https://money.cnn.com/galleries/2010/technology/1012/gallery.5_data_breaches/3.html).
Here's a thought: when you go into a store, you have a couple areas where you could exercise privacy (e.g. the bathroom). Where can you do that on Facebook? On any Google property? Or even Amazon or Apple? Every move you make goes directly into their internal data set, which they can parse whenever they want (in private too!)
This is definitely a topic to revisit soon.
You can also find nuggets of knowledge that can expand your understanding of the modern day. This happened recently while watching Lucy Worsley's "History Of The Home" series - I think it was the "Bedroom" episode.
While discussing the lack of intimacy in the home, she said - and I'm paraphrasing - that privacy was the ability to choose who you share yourself with. While obvious, and probably not uncommon, the quote rung in my head, echoing through the chambers. Quick aside: it's worth watching that series just to hear about the origins of "making the bed" and "sleep tight".
It clarified my mistaken presumption of privacy as a passive "something" that you had; it was, in actuality, an action that was controlled by you. It's what you do, not what you have.
Loss, or invasion, of our privacy, then, is the wrong way to think about the privacy problems we face today in technology, government, and society. When I hear about it, privacy is presented as a secondary privilege, as if it were my home.
This leads me to believe that privacy should be compared to Free Speech. In fact, privacy seems to be involved in exercising free speech: I choose to whom, of what, and how much of it, I speak. Being stripped of privacy prevents me from effectively exercising my free speech rights. Now the encroacher has not just read your journal, but has identified your personal expressions ("oh. I see you like to dance as you get into the shower").
In this way, we need to think of this as being stripped of a freedom, rather than a loss or invasion. Privacy is a choice of what you share, and how much of it you share: you choose when to stop sharing.
Unfortunately, the platforms we use are actively getting in the way of us exercising our privacy: "Look at what is going on out there. Just take a peek. Don't you want to say something about it. Perhaps do something - we can help you do that something." Kind of like having a kid around: you don't focus on their presence, you don't sense any danger of them being around while your acting out your day, then BAM! Your kid just told your friend what you bought them for their birthday - or, worse, tells your girlfriend that you bought her an engagement ring (https://money.cnn.com/galleries/2010/technology/1012/gallery.5_data_breaches/3.html).
Here's a thought: when you go into a store, you have a couple areas where you could exercise privacy (e.g. the bathroom). Where can you do that on Facebook? On any Google property? Or even Amazon or Apple? Every move you make goes directly into their internal data set, which they can parse whenever they want (in private too!)
This is definitely a topic to revisit soon.
Saturday, April 7, 2018
Agile Development: The Psychological Toll
I have a new hypothesis about Agile Software Development: it will cause a form of "Stockholm Syndrome" along with a healthy serving of Cognitive Dissonance in a significant number of developers. Many of those developers become ardent evangelists that will not even consider alternatives - or even deviations - from their Agile Methodology.
I've been working on or with teams using Agile methodologies for over a decade. It will be around for a while. Yet, there has always been a problem with those teams...there was always a feeling of tension at the end of the sprint, even though it was not acted upon by the developers; it was internalized as shame, resentment, self-loathing, and even a mild depression.
In the last 2-3 months, some on my team, and myself have waddled through such feelings. I'm fortunate to have been able to work through them, and to emerge with a bit more understanding of why I've had such a bias against Agile.
With a team using Agile Methodologies, there is an overwhelming urgency to complete your selected story/task/bug/issue within the sprint cycle - "that's what the mantra's say! That's how Agile works! Everyone else who used Agile does it, and does it better than me/us! I cannot be the slacker!"
And then it happens.
Now you've moved into the mindset of "keeping up with the team," rather than "solve a problem effectively for this domain/customer".
There it is. The start - or perhaps relapse - into a state of Cognitive Dissonance: You believe deeply that you are an excellent Software Engineer; you create solutions for problems that exceed and amaze not only your customers, but your team and even yourself. Yet you have just committed a solution to the baseline that you feel is...wrong...insufficient for the actual problem as a whole.
I've been working on or with teams using Agile methodologies for over a decade. It will be around for a while. Yet, there has always been a problem with those teams...there was always a feeling of tension at the end of the sprint, even though it was not acted upon by the developers; it was internalized as shame, resentment, self-loathing, and even a mild depression.
In the last 2-3 months, some on my team, and myself have waddled through such feelings. I'm fortunate to have been able to work through them, and to emerge with a bit more understanding of why I've had such a bias against Agile.
With a team using Agile Methodologies, there is an overwhelming urgency to complete your selected story/task/bug/issue within the sprint cycle - "that's what the mantra's say! That's how Agile works! Everyone else who used Agile does it, and does it better than me/us! I cannot be the slacker!"
And then it happens.
You've gotten a few sprints closed. You completed your tasks in time; some were close, but it was probably just the extra cycles spent on Reddit. Staying an extra couple hours made sure I kept velocity at the right level.
The next sprint was not so fortuitous. You did not finish a task. It was only 5 story points. I'm an idiot. Don't worry, I'll finish it up during the first few days of the next sprint, and still complete my typical number of points.
I'll just work a few extra (unpaid or unreported) hours.
Now you've moved into the mindset of "keeping up with the team," rather than "solve a problem effectively for this domain/customer".
We're coming up on the end of the next sprint. I've done a decent amount of work creating and coding a solution...but it feels wrong. I could really use a day to review and maybe (no...no!) rework the solution.
Nope. No reworking. What I have implements the fix/feature. It'll fly through testing.
But there's something wrong with it...I really need to know...
Ugh. Close the ticket. Now ignore it.
There it is. The start - or perhaps relapse - into a state of Cognitive Dissonance: You believe deeply that you are an excellent Software Engineer; you create solutions for problems that exceed and amaze not only your customers, but your team and even yourself. Yet you have just committed a solution to the baseline that you feel is...wrong...insufficient for the actual problem as a whole.
The show must go on, so you have to convince yourself that it must be the correct solution. Agile is good, right. It knows something you don't. Master it and you will become the master.
And if others follow it, they will see me as a master.... If others follow it, I am not wrong.
Wednesday, February 1, 2017
Security through technology?
Rambling post ahead...just an attempt to keep writing, and perhaps generate some focused topics for later posts.
I've noticed a rapid push for more and more security tools to be installed on everything from a toaster (e.g. IoT devices) to desktops, to VMs and physical servers.
This one monitors your activity (all of it? Specific actions?); this one verifies that blob of bits is benign (or, really, not known to be malicious); this one prevents you from using parts of the system (USB ports, CD/DVD drive).
Luckily...it leaves about 1/4th of the system available for those actual value-generating activities (hopefully those activities are ok, even if monitored). Hopefully we all over-purchased resources so we can handle the current - and the future - security tools that will be required on our systems.
It's not unexpected. It's a lot easier to sell a product that offers (the illusion of) control, than to be constantly vigilant, or work with those around you to improve actual security.
And it's not that these products cannot be valuable in ones goal to maintain the security, integrity, and privacy of your data, environment, and, of course, your self. They just tend to become a way to say you've done something to improve security, without actually proving it improved your - or your customers - security.
Then, there's the issue of parsing all this security data that the tools generate...which requires resources that also need to be secured...
I've noticed a rapid push for more and more security tools to be installed on everything from a toaster (e.g. IoT devices) to desktops, to VMs and physical servers.
This one monitors your activity (all of it? Specific actions?); this one verifies that blob of bits is benign (or, really, not known to be malicious); this one prevents you from using parts of the system (USB ports, CD/DVD drive).
Luckily...it leaves about 1/4th of the system available for those actual value-generating activities (hopefully those activities are ok, even if monitored). Hopefully we all over-purchased resources so we can handle the current - and the future - security tools that will be required on our systems.
It's not unexpected. It's a lot easier to sell a product that offers (the illusion of) control, than to be constantly vigilant, or work with those around you to improve actual security.
And it's not that these products cannot be valuable in ones goal to maintain the security, integrity, and privacy of your data, environment, and, of course, your self. They just tend to become a way to say you've done something to improve security, without actually proving it improved your - or your customers - security.
Then, there's the issue of parsing all this security data that the tools generate...which requires resources that also need to be secured...
Sunday, January 29, 2017
The Benefit of Not Using the Team Development Environment
I'm not a "standard"-compliant type of developer. At least, not when it comes to my development environments.
App server integrated with my IDE? Nah. I'll spin up a new VM with a packaging-compliant version, secured as close as possible to the deployed instance.
There's just something about creating your own deployment instance that helps me settle in. Now I know why Tomcat and NGINX have trouble speaking SSL to each other.
And it also uncovers trivial, yet easily hidden, deployment errors early.
Not long ago, we had an intern code up a small metrics collection component. I was on a task that had me touching just about all parts of the code, which caused me to get quite a bit out of sync with the primary development branch. Other developers were happily chugging along, pulling the new code, finishing tasks from the backlog. Happy times.
I finally reached a stable point where I could start merging in the fast moving development line (trying to avoid really intense merges). It all merged in without much trouble. I had it building a new WAR, and felt pretty confident.
Then, I tried to run it in my (non-standard) environment. Hmmm, what's this "ERROR" message? Perhaps it can be ignored as an in-progress task?
"Can't create /metrics.tmp"
What? Why is it trying to create a file in the root directory? Time to dig!
Oh. The new metrics code did not specify a directory - or offer a property to specify one - when creating a temporary file for collecting the metrics.
How did it work? Well, he was fully setup with the standard environment, which ran Tomcat from his Eclipse IDE (no, I deviate here too and use IntelliJ). The file was created without issue since the default directory was his home directory, and Tomcat ran under his identity.
Even deploying it to a development test environment did not uncover the issue, as
The failure did not stop the overall startup process. Everything ran, and Metrics was not a priority for testing a pre-MVP product. It was still using a "development" environment setup, so the creation succeeded, though put the file alongside the application installation directory.
So, the next time you start following the "New Developer Environment Setup" docs, you may want to try a few deviations. It may save some troubleshooting down the line.
So, the next time you start following the "New Developer Environment Setup" docs, you may want to try a few deviations. It may save some troubleshooting down the line.
Subscribe to:
Comments (Atom)
-
As the Agile philosophy picked up steam (and started generating consulting profits), us developers were introduced to the concept of "...
-
I really enjoy shows that guide me through various points of history, digging deeper into the day to day minutiae that your history classes ...
-
I ran into a problem a while back: I identified NGINX as the best technology to reverse proxy our Apache Tomcat instance, but there was 1 p...
