DEPTH FIRST SEARCH

All the Canaries are Dead

October 13, 2014

At this point, it seems clear that the basic shape of the surveillance state is well established. Our knowledge about this state of affairs has led to debate, but little else. The insider view seems to be that safeguards are sufficient, and when parallel constructions do occur, they are a justified law enforcement tactic. Any reporting or oversight should be subject to national security review, and that redactions should be used liberally to protect not just individual assets and operations, but the political climate that allows these operations to proceed. FISA court review provides a sufficient check against abuse, and the lack of any real rejections of surveillance requests brought before the court are a function of successful, rights-preserving negotiations and not indicative of a rubber stamp.

The only questions that interest me now concern the people who actually comprise the surveillance state. What do they do for fun? How do they avoid the temptation of abuse? What is the diversity of this set of people? How many are also internet trolls? How many also post to 4Chan?

Heartbleed

April 07, 2014

A major new bug has been discovered in OpenSSL. The bug lets hostile clients read 64k of memory from affected servers. It seems like the attacker can't choose to read arbitrary memory, but the exploit certainly seems to disclose private keys for https among other protocols. In principle, if your keys have been resident in memory on a vulnerable server, you should consider those keys suspect. Any SSL traffic that involved vulnerable OpenSSL was subject to attack via this exploit.

It's been in the wild for two years. Active exploits leave no trace. A couple of thoughts:

  1. This seems about as serious as the SSH-Armageddon in Debian trunk, where a poorly thought out effort to reduce valgrind warnings resulted in an easily brute-forced key space.
  2. In today's environment, the NSA is widely assumed to have known about this exploit or actively involved in creating the exploit. That this is widely believed is something of a testament to how far the NSA has fallen in esteem in the technical community.
  3. It seems like this kind of 0-day might have been used for bitcoin heists if it was discovered by black hats prior to the disclosure today. There doesn't seem to be any evidence of this, but that leads me to think that crypto-currencies are sort of a black hat bounty program, a honey pot that keeps regular banking safe by creating a rich target within easy reach. As long as bitcoin stays out of the mainstream, this might be a good thing.

Saturday Jam

July 06, 2013

Quote of the Day

March 12, 2013
Dismissive comments about new things bother me partly because there's an asymmetry that seems unfair. It's so risky to create something new, and so easy to dismiss it. At their worst, the people making such comments are like schoolyard bullies picking on someone who tries to do something different.

Quote of the Day

March 08, 2013
The explanation for the apparent insanity of this product is actually very simple. Akio Toyoda, the CEO of Toyota, loves fast cars. He fucking loves them! That’s it. That’s the big reason. It’s why the biggest car maker in the world spent ten long years and well over a billion dollars developing a car that almost no one will ever own—or even know about, for that matter.

Logo

February 28, 2013

I've been trying to morph my nascent machine learning library from haphazard research project into something more full fledged. I have a great name: pyrouette, and some repositories for code that a few other people have found useful (I get emails).

I'm not sure what it takes to make something widely used. Other projects like scikits and pybrain seem to have multiple developers from the start, or at least emerged into a small but dedicated pool of early adopters. I have a few algorithms that I couldn't find elsewhere and a lot of the coding equivalent of duct tape.

Obviously a lot of work needs to be done, and there's no guarantee that anybody will care. Plenty of great projects never get a lot of traction. I sort of wonder if branding might be the key. Towards that end I've been thinking a bit about trying to come up with a logo for my project. A futile effort, probably, but one I thought I could have fun trying.

I call pyrouette a "Pythonic Artificial Intelligence" library. My vision is that the library include lots of light-weight, highly customizable implementations of advanced AI algorithms. Given my research into reinforcement and manifold learning, there's a clear bias in what's currently available, but the vision is more aspirational than practical.

Anyway, I wanted to take some inspiration from the logo for Python, which I thankfully found in SVG form:

http://depthfirstsearch.net/blog/uploads/2013/02/Python_logo.svg

Using my limited Inkscape skills I thought I'd play around with the Python logo a bit. I wanted to see what I could do to evoke the idea of the namesake of this project: the pirouette. My first idea was to make the two snakes dance with each other, but the image still seemed quite static, and so to capture the idea of a spinning motion I decided to include some form of speed lines. Not actually being a designer or artist, I opted for the out-of-the-box spiral from the Inkscape toolbar, suitably squashed.

http://depthfirstsearch.net/blog/uploads/2013/02/Python_logo2.svg

Yeah, I'm not proud. Anyway, I put the project on hold, but just today I had one of those rare shower ideas. My logo could pay homage to the Python logo without being the Python logo. I could capture both motion and grace with smoother, slender figures (still suitably abstract), and keep the color scheme. Here's what I came up with:

http://depthfirstsearch.net/blog/uploads/2013/02/pyrouette.svg

The colors on the yellow snake aren't quite right, but I kind of like how the red accents add a nice character and even a bit more motion. I'm happy enough with this draft that I decided to go with it. The logo is now live at http://pyrouette.net. Not sure it will bring any new interest, but I like the new look.

Headless

February 22, 2013
Headless

A Tour of Blog Engines

February 21, 2013

There's a famous and massive comparison of iOS writing apps on the web and I think it's time for someone to put together a similar comparison of blogging/site generation engines. There's a new Python/Markdown based blog engine on Hacker News today called Letterpress, and at least one commenter has already chimed in with a Node/Markdown blog engine of his own.

Considering how the last static site generation post went, I'd expect a lot more programmer/bloggers to jump in with their own contributions. The proliferation of static site generation tools (consider this list) is something of a marvel. It's a great problem for reinvention, with lots of parameters and, given the state of modern tooling, nothing about building a blog or site generator requires a lot of strenuous effort. Every project of this kind seems like a weekend project.

Also, Wordpress is slow as shit. Browsing the plugin library is like browsing for STDs. That's usually enough to get hobbyists like myself sifting around for something else, or give us the bump to put a few lines of our own code behind the problem.

The Unreasonable Effectiveness of Excel

February 21, 2013

Hacker News has highlighted a few recent pieces on Excel recently. This thread is a good example of the general sentiment. I've long thought that the real power of Excel was the ability of Excel to bring important programming concepts to the masses. The complex models that "non-programmers" can develop in Excel are surprising to programmers who haven't spent a lot of time with the software.

This comment captures a lot of what goes wrong whenever organizations attempt to replace Excel workflows:

Most of us who have been there and done that know what happens next: higher-level stakeholders get involved, broader objectives get defined, more team members are brought on, timetables are established, results are "metricized", paradigms are going to be shifted, etc.

As a computer scientist, it seems like the ground here is fertile for a bit more technology and a little less "process". Why not design an Excel compiler that takes in an Excel spreadsheet and outputs an application in a particular stack? Of course there's a bit of detail that needs to be filled in, but it seems like 90% of the work can be automated.

I'd imagine there would be fewer tales of failed porting projects if these projects took hours instead of weeks.

A New Look

February 20, 2013

The look and feel of this blog has changed a bit. Underneath the hood there is a new engine called lorem (a complementary project to ipsum). Lorem is a bespoke blog engine inspired by Jekyll but built using Python and docutils. I originally planned on ReST/docutils being a bigger part of the engine, but most of the post parsing is done prior to any application of docutils (and imported posts, already rendered in html, bypass docutils entirely). Even so, the post file format is compatible with ReST.

Turns out docutils wasn't the real hero of this project. It was the somewhat oddly named Jinja2 template engine. There are a few other nice features that are actually legit improvements over the Wordpress plugins I was using before. MathJax is an amazing way to format math on the web. Pygments provides very nice source code formating for all my imported posts. New source code snippets now go in gists.

I never really liked the bells and whistles that Wordpress provided, and in my quest to minimize the features I needed, I realized I just wanted an engine that would take text files and render static html on a webserver. My shared hosting plan is sort of ghetto, so a static file blog, in addition to being exactly as "feature rich" as I desire, is also a bit faster. I wouldn't recommend using the code for anything at this time. As I grow into this new platform, I may get the chance to file down some of the rough edges.