Nothing is the ultimate anything

Channable – Nix is the ultimate DevOps toolkit
— Read on tech.channable.com/posts/2021-04-09-nix-is-the-ultimate-devops-toolkit.html

It’s not. I didn’t read the article, but I don’t have to. Why?

Invariably, articles like this start egalitarian. A problem is stated and this tool solved it. Beer and/or profits ensue.

Lo and behold, it worked in other situations … in the same environment.

Wasn’t this great? Won’t this be as great for you?

Cut to — no, it won’t. Why? My org is maybe like yours but not close enough. Or not at all close to yours. My edge cases are different. My almost edge cases are different. My org has this thing, and this other thing, and …

Stop pretending your “solution” is more than a local one from which others can learn elements that might address something in their environment. THERE IS NO MAGIC BULLET, EVER, ANYWHERE, ALWAYS. There is no piece of software or shiny new device, diet, service, workout, process, or whatever that will solve your problems.

A magic bullet presupposes a lack of agency, that if your workflow doesn’t fit in this specific vortex of productivity you’re doing it wrong.

Published
Categorized as tech

The go Language is Google's Own

I’m baffled as to why programmers put their trust in this advertising company to do the right thing, or why companies would stake their reputation on go. Several people tell me that Google handed over control to open source, but the main landing page for go, golang.com, the place where everyone needs to go to program in the language, says:

The Go website (the “Website”) is hosted by Google. By using and/or visiting the Website, you consent to be bound by Google’s general Terms of Service and Google’s general Privacy Policy.

Go to the go privacy policy page, and you’re sent to Google’s own privacy policy page.
The copyright page, which a lot of folks point to, actually says:

Except as noted, the contents of this site are licensed under the Creative Commons Attribution 3.0 License, and code is licensed under a BSD license.

… which means Google can exempt whatever it wants from the CC & BSD licenses. A good legal argument could be made about the BSD license for the code as the commas make things more open to interpretation. The term “code” could include HTML and other markup. But IANAL.
Back to my main point, Google’s reputation is not good based on their behavior. I would not want to stake my company or my coding on them.
(Picture via Roman Synkevych (@synkevych) on Unsplash)

The End of Reputation

AI can now easily (8 seconds) change the identity of someone in a film or video.
Multiple services can now scan a few hours of someone’s voice and then fake any sentence in that person’s voice. […]
Don’t buy anything from anyone who calls you on the phone. Careful with your prescriptions. Don’t believe a video or a photo and especially a review. Luxury goods probably aren’t. That fish might not even be what it says it is.
But we need reputation. The people who are sowing the seeds of distrust almost certainly don’t have your best interests in mind – we’ve all been hacked. Which means that a reshuffling is imminent, one that restores confidence so we can be sure we’re seeing what we think we’re seeing. But it’s not going to happen tomorrow, so now, more than ever, it seems like we have to assume we’re being conned.
Sad but true.
What happens after the commotion will be a retrenchment, a way to restore trust and connection, because we have trouble thriving without it.

(Via The end of reputation; photo via Raphael Lovaski on Unsplash)
Apologies to Seth for quoting nearly his whole post, but it’s important and scary.
Neal Stephenson, in his book Fall; Or, Dodge in Hell, addresses this very issue of reputation and authenticity. In very simplistic & basic terms, it involves leveraging something like blockchain to “check in” or “sign in” to legitimate things by you or things you control. He also talks about Editors, who are human professional social media filters, which takes us down a different rabbit hole.
As I move as much of my on-line life as possible on to platforms I control or trust, I am thinking about how to validate “me” outside of that without that validation coming back to bite me later, assuming such a thing is possible.
What do you think?

Software Subscriptions Mostly Only Benefit the Developer

Many apps I use are moving to a subscription model (a.k.a. Software-as-a-Service in the corporate world). As they move to the SaaS model I take a deep look.
Immediate red flags for me are when devs explain their move in these ways:

  • Implemented a custom proprietary sync mechanism
  • Implemented encryption
  • Costs are rising
  • Push notifications (in most apps, unnecessary chrome)
  • Theming, styling, icons &| dark mode (again, unnecessary chrome)

There are select apps in the subscription model to which I subscribe and why:

  • Apollo (Reddit reader app): superior to the native app & other options; theming; and to support development
  • CARROT Weather (Weather app) Tier 2: additional data sources; Apple Watch; map layers; and other stuff
  • Fiery Feeds (RSS reader app): for “Smart Views”; to support development; and I read a lot of feeds
  • Overcast (Podcast app): to remove ads; to support development; and I listen to a lot of podcasts

Apollo violates two of my red flags, yet the developer is crazy responsive; his app is head & shoulders better than the native Reddit app; and he regularly pushes out updates for security/bug fixes/functionality/chrome.
CARROT Weather also often pushes out updates for security/bug fixes/functionality/chrome, and is also better than the other options.
Overcast does, too, but more judiciously based less on chrome. I like PocketCasts, too, but less so.
Some apps that I avoid in the subscription model but use in their legacy or alternate license mode:


The A Stands for Availability

Security Monitor by Riccardo Mori:

Now I’ve switched to ‘active distrust’ mode towards Apple. I don’t feel 10.14 Mojave brings anything particularly useful to me, and 10.15 Catalina even less so. Nothing really worth leaving High Sierra and its general stability behind. Everything I’m reading about Catalina, the experiences of those valiant people trying out the beta, and the technical observations of the more expert users and Mac developers, gives me the impression that Catalina is perhaps the first version of Mac OS that is more useful to Apple rather than their users, if you get my drift.

I can’t agree more. My personal machines – a 2011 Mac Mini Server and 2015 MacBook Pro – are still on High Sierra because Apple is IMHO no more reliable than any other vendor. My work 2015 MacBook Air is force updated by the CIO Office to the latest macOS release – major, minor, and supplemental – to the point where internal sites are filling up with complaints about forced reboots during client meetings, presentations, customer maintenance, end-of-month/-quarter activities, and other sensitive moments.
Which makes me wonder yet again: why do people forget about availability when talking about security?

The War On Encryption

No clue what to do about it, but sure something should be done about it, and picking the wrong thing to do about it: the Trump administration in a nutshell. There’s already been a “sensational case” – the San Bernardino one in 2016 – and the FBI paid an Israeli company about $1m to break into the iPhone in question, to find nothing useful. There was more, and better, data on the terrorists’ Facebook profiles.

(Via The Overspill)
Similar to my earlier post on AG Barr’s complete lack of understanding about how encryption actually works and benefits the entire economy.

Attorney General William Barr Really Wants to Read Your iMessages

Attorney General William Barr Really Wants to Read Your iMessages:

It is almost impressive how people with no clue about how encryption works have, time and time again, ignored the advice of actual experts in it. If [US Attorney General William] Barr were in charge of NASA, he’d demand a faster-than-light Space Shuttle even after being told that it is impossible.

(Via Pixel Envy)
This Ars Technica article is a pretty good summary of Barr’s latest attack on working encryption.

IBM: Breach Costs Impact Firms For Years

IBM: Breach Costs Impact Firms For Years:

The average global cost of a data breach has risen again, with experts at IBM claiming the financial impact can be felt for years after an incident. […]
The headline figure has risen from $3.86m to $3.92m over the past year, and in total by over 12% over the past five years, IBM claimed. However, in the US it is more than double this figure, at $8.19m.
Smaller companies with fewer than 500 employees suffered losses on average of over $2.5m, a potentially fatal sum. Mega breaches of over one million records cost $42m, while those of 50 million records are estimated to cost companies $388m.
For the first time, IBM measured the financial impact of a data breach over several years. It found that on average 67% of data breach costs were realized within the first year after a breach, but over a fifth (22%) accrued in the second year and another 11% did so more than two years after the initial incident.
Organizations in highly regulated environments like healthcare and financial services were more likely to see higher costs in the second and third years, it claimed.
Malicious breaches accounted for the majority (51%) of cases, up 21% over the past six years, and cost firms more – on average $4.45m per breach. However, accidental breaches accounted for nearly half (49%) of all incidents, with human error ($3.5m) and system glitches ($3.24m) costing slightly less than the global breach average.
For the ninth year in a row, healthcare organizations suffered the highest cost of a breach – nearly $6.5m on average.
IBM claimed that extensively tested incident response plans can minimize the financial impact of a breach, saving on average $1.23m.
Other factors affecting the cost of a breach include how many records were lost, whether the breach came from a third party and whether the victim organization had in place security automation tech and/or used encryption extensively.

(Via Infosecurity)
Highlights from my employer’s annual Cost of a Data Breach study. The live version including the calculator is here. Check it out (registration required).

Emacs! In the New York Times!

Emacs! In the New York Times!:

Paul Ford, co-founder and chief executive of Postlight, has a delightful paean to open source in The New York Times Magazine. In the article, Letter of Recommendation: Bug Fixes, Ford talks about the joys of open source and the pleasures of browsing through a program’s history with a version control system like Git. He says he likes to read commits like a newspaper. It tells him what he can do today that he couldn’t do yesterday. One of the main examples he gives of an important open source project is Emacs.
He talks about Emacs going back 40 years and how much one can learn by examining how the code evolved. Over 600 people made almost 140,000 commits to make Emacs what it is today. It is, he says, the Ship of Theseus in code form. Ford remarks, “I read the change logs, and I think: Humans can do things.”
None of this is news to Irreal readers, of course, but it is significant that it’s appearing in a general purpose publication like the New York Times. Most often, what we do appears to be mysterious and arcane to the general public. Ford does a good job of capturing the flavor of some of it.

(Via Irreal)
Sweet! It’s a bit Utopia-ish, but I like the shout out for Emacs (naturally).


PSA: Firefox 62+ needs Default theme for auto dark mode switching

From the Mozilla Bugzilla entry:

This patch adds the platform agnostic media selector and changes the way our themes behave as follows: If the default Firefox theme is selected, Firefox will match the system appearance (current default theme in light mode, dark theme in dark mode). Note that about:addons will continue to show “default” as the selected theme, even when it is technically using the dark theme under the hood to match the system’s dark mode. If any Firefox theme other than “default” is selected in about:addons, Firefox will not change themes when the system appearance changes.

This is missed in the release notes. I think this is true for macOS and Windows. I am not sure about other platforms.
