Category Archives: ideas

remembering to forget

As a society, we have forgotten how to forget. We are addicted to storing everything forever. Why?

New Atlas had an article recently on the demise of skyscrapers in favor of new ones which starts off,

The Great Pyramid of Giza has stood at a height of around 460 feet for 4,500 years, but these days we are ripping down tall structures without even batting an eyelid. A new study looking at the average lifespan of demolished skyscrapers illustrates just how quick we are to pull the trigger, raising the question of how we could reimagine tower design so that they last centuries rather than decades.

I ask, first: why should we design things to “last centuries rather than decades”?

Yes, the future impact of decisions made today must be carefully evaluated (“concrete cannot be recycled, and most of the tallest buildings in the world use concrete for their main structural system”).

But designing for “centuries” is not the answer.

Or, at least, it’s not the answer.

It’s not a panacea – though there may be some occasional use cases for expecting a structure to last generationally.

But since time immemorial, buildings have mostly been built with at least an unconscious knowledge they would not exist “forever”.

Sure, there are interesting historical sites (such as these now-destroyed Mayan ruins) that we might have liked to keep. But reuse of old materials is part and parcel of civilizational progress.

document what didn’t work

In a recent episode of Paul’s Security Weekly, an off-hand comment was made about documentation: you shouldn’t merely document what to do, nor even why, but also what you tried that didn’t work (ie, augment the status quo).

The upshot being, to save whoever comes to this note next (especially if it turns out to be yourself) the effort you spent that was in vain.

This is similar to a famous quote attributed to Edison,

I have not failed. I’ve just found 10,000 ways that won’t work.

In light of my recommended, preferred practice and policy of “terse verbosity”, I would strongly suggest not placing the “doesn’t work” in-line, typically. Instead, put footnotes, an appendix, etc. But always

explain everything you did, but use bullet points if possible, rather than prose form

Loads of other goodies in that episode, too – but this one jumped-out as applicable to everyone.

what is “plan b” for iot security?

Schneier has a recent article on security concerns for IoT (internet of things) devices – IoT Cybersecurity: What’s Plan B?

We can try to shop our ideals and demand more security, but companies don’t compete on IoT safety — and we security experts aren’t a large enough market force to make a difference.

We need a Plan B, although I’m not sure what that is. Comment if you have any ideas.

There are loads of great comments on the post.

Here’s the start of some of my thoughts:

There are a host of avenues which need to be gone down and addressed regarding device security in general, and IoT security in particular.

Any certification program could be good .. right up until the vendor goes out of business. Or ends the product line. Or ends formal support. Unless we go to a lease model for everything, you’re going to have unsupported/unsupportable devices out there.

We can’t have patches ad infinitum because it’s not practical: every vendor EOLs products (from OSes to firearms to DB servers to cars, etc).

A few things which would be good:

  • safe/secure by default from the vendor – you have to manually de-safe it to use it (like a rifle which only becomes usable/dangerous/operable when you load a cartridge and put the safety off)
  • well-known, highly-publicized support lifecycles (caveating the vendor going out of business)
  • related to the above, notifications from the device as it nears end of support
  • notifications from the device as well as the vendor that updates/patches are available
  • liability regulations – and an associated insurance structure – affecting businesses which choose to offer IoT devices across a few levels:
    1. here it is :: you deal with it || no support, no insurance, whatever risk is there is your problem
    2. patches / updates for 1 year || basic insurance / guarantee of operation through supported period, as long as you’re patched up to date
    3. patches / updates for 3 years ||
    4. patches / updates for 5 years || first-level business offering || insurance against hacks / flaws that have been disclosed for more than 90 days so long as you have patched
    5. patches / updates for 10 years || enterprise / long-term support || “big” insurance coverage (up to a year, so long as you’re up-to-date) || proactive notifications from the vendor to customers regarding flaws, patches, etc

There are probably other things which need to be considered.

But there’s my start.

crowdsourcing patronage

Just what is journalism going to look like in the future?

It’s a question that’s been bouncing around my head for a while, and articulated in various pieces by Ben Thompson (in a nichification process), my friend Eric Hydrick, and others.

Eric brought up the idea of supporting “special” journalism through services like Patreon.

I think that’s a start … but still limits – as do paywalls, subscriptions, etc – informing the populace to those who care enough to pay intentionally and specifically for that publication / journalist / etc.

I think an improvement upon that is a bucket approach. I outlined one such possible technique in my recent critique of Pi-hole:

Maybe there needs to be a per-hour, per-article, per-something option – a penny for an hour, for example (which, ftr, comes out to a monthly fee of about $7) – so that viewers can toss some scrilla towards the creators, but aren’t permanently encumbered by subscriptions they’ll soon forget about

I’ll go out on a limb and predict “journalism”, as we have known it for hundreds of years, is going to completely disappear in the next 10 years. Now, that doesn’t mean it’s completely going away (though, with the general willful ignorance of people…maybe it will). It does mean, though, that it’s going to be radically different in form.

With the rise of decentralized (and, now, recentralized) publishing with widespread adoption of the world wide web, everyone can (and, maybe, should) be a publisher.

The overwhelming majority of publishers are not receiving anything from their writing – except personal satisfaction (that includes myself .. in 20+ years of having websites, blogs, etc, I’ve made about $35 online). And publishing for “free” (ie, self-funded) should always be an option: as a content creator, it should always be up to you as to whether you wish to charge for what you’ve made.

But if you want the possibility of getting paid for your work, that should be an option, too: and while you might be “worth” subscribing to, the odds are very good you are not. And that leaves a quandary: how can you get paid for your work (if you want), without encumbering your audience into either leaving instantly, or succumbing to pressure to subscribe.

Which is why I think a bucket approach could work well – you’d know how much you had available in your balance, recharging would be simple (could even be automated – hit a threshold, recharge to some preset amount), and you’d know exactly who was getting your money, and, more importantly, for what – it’s not some ambiguous “subscription” to a “site”, but paying for precisely the content you see (or want to see).

In many ways, it’s extending the Patreon idea, which is really just a modern reimagining of patronage, from mere individual shows, sites, etc, down to a granularity of specific pages, articles, images, etc.

And let’s not even talk about the analytics that could be performed on payments and page views under such a model: identifying regions that are interested in certain content, audiences that like certain things, what are immediate turn-offs, etc. Incorporate some form of solid feedback/interaction mechanism, and you could possibly develop healthy gamification of your site: maybe even waiving monetary contribution if you hit certain levels of interaction on the site.

Active community building via people who actually care (and that just happens to fund the service).

Now that would be something.

pi-hole revisited

Back in November, I was really up on Pi-hole.

But after several more months of running it … I am far less psyched than I had been. I’m sure part of that is having gotten better internet services at my house – so the impact of ads is less noticeable.

But a major part of it is that Pi-hole is just too aggressive. Far far too aggressive. Aggressive to the point that my whitelist was growing sometimes minute-by-minute just to get some websites to work.

Is that a problem with the site? No doubt somewhat. But it’s also a problem of blacklists. When domains and IPs are just blanket refused (and not in a helpful way), you get a broken experience.

Pi-hole has also gone to a quasi-hijack approach: when a domain has been blocked, instead of it just silently not working, it now returns a message to contact your Pi-hole admin to update the block lists.

I hate intrusive ads as much as the next person .. but that shouldn’t mean that all ads are blocked. I have unobtrusive ads on a couple of my domains (this one included).

But even with Pi-hole, not all ads are blocked.

Part of that is due to the ever-changing landscape of ad servers. Part of it is due to the inherent problems with the blacklist/whitelist approach.

Content creators should be entitled to compensation for their efforts (even if they voluntarily choose to give that content away). Bombarding visitors with metric buttloads of advertising, however, makes you look either desperate, uncaring, or greedy.

The current flipside to that, though, is the pay-wall / subscription approach. Surely subscriptions are appropriate for some things – but I’m not going to pay $1/mo (or more) to every site that wants me to sign-up to see one thing: just today, that would’ve encumbered me with over $100/mo in new recurring bills.

Maybe there needs to be a per-hour, per-article, per-something option – a penny for an hour, for example (which, ftr, comes out to a monthly fee of about $7) – so that viewers can toss some scrilla towards the creators, but aren’t permanently encumbered by subscriptions they’ll soon forget about (though, of course, that recurring subscription revenue would surely look enticing to publishers).

As with the per-song/episode purchase model that iTunes first made big about 15 years ago, you could quickly find out what viewers were most interested in, and focus your efforts there. (Or, continue focusing your efforts elsewhere, understanding that less-popular content will not garner as much revenue as popular content will).

Imagine, using my example of $0.01/hr, how much more engagement you could end up garnering while visitors are actively on your site! A penny is “nothing” to most people – and probably just about all who’re online. Maybe you’ll have a handful of people “abusing” the system by opening a thousand pages in new tabs in their hour … but most folks’ll drop the virtual coin in the nickelodeon, watch the video / read the page / whathaveyounot, and move on about their day.

And not everyone will opt for the charge model. Sites that do utilize it can have some things marked “free” or “free for the next 24 hours” or “free in 7 days” or whatever.

Ad companies like Google could still work as the middleman on handling transactions, too – any time you visit per-X content, there could be a small pop-up that indicated you’d be withdrawing Y amount from your balance to view the site (I’m sure there’ll be competition in the space, so PayPal, Facebook, Stripe, Square, etc etc can get in on the “balance management” piece). And at the end of whatever period (day, week, month), Google can do a mass-settle of all the micropayments collected for each site from each visitor (with some percentage off the top, of course).

No ads. You’d actually Get What You Pay For™, and issues like the recent Admiral thing would go in a corner and die.

raas – the failure of “-as-a-service” in the physical world

Roads are empty something like 90% of the time.

8% of the time, they’re rightly-sized.

1.5% of the time, they’re a little tight.

But that .5%? Holy CRAP are they ever too small when they’re too small.

Imagine if the “*-as-a-Service” model could be applied to roads: expand their capacity on-demand as use requires. It works for businesses expanding and contracting their technical needs (a la cloud computing).

It [could] work for getting fancy dentures when you need them.

I guess this is what flying cars are supposed to alleviate – but with ~220,000,000 registered drivers in the US, imagine even 0.1% of them driving flying cars. That’d be 220,000 flying cars. If even 1% of them decided to utilize the “flight” aspect at any given time, that’d be 2200 vehicles in the air. 2200 vehicles with no flight plans. 2200 vehicles in an unknown state of fueling, repair, etc. Air travel is currently the safest form of transport. Would that still be true with 2200 angry drivers trying to escape from the traffic they find themselves in at the same time? Especially given the non-uniform distribution of those vehicles (they’ll dominantly simultaneously appear in ultra-densely-populated areas and ultra-rural ones), this wouldn’t be the utopia of George Jetson. It’d be the insanity of Back to the Future Part II when the Delorean arrives in 2015 from 1985. But worse.

My best professor once said, “no one has gotten elected saying they want to eliminate roads”. But followed that up with, “every time roads are expanded, they get just as busy during busy times, and waste an awful lot of concrete the other 23.2 hours of the day”.

What we need is a way to carry-over the technological paradigm of “*-as-a-Service” into physical infrastructure. Because it sucks. Bad.

I don’t know how best to approach that. Certainly the “sharing economy” models of Uber & Lyft are a component.

And self-driving cars will help.

But only when they’re not only “self-driving”, but when they’re actively communicating and optimizing with other vehicles. But what happens when you are “optimized” into a “slower” path because other vehicles were “optimized” into “faster” ones?

It’s certainly a thorny area of societal thinking to wade into. And one that needs a lot of thoughtful input and consideration from many quarters.

kvp is a lousy way to teach 

Recently on one of the podcasts I listen to, I heard an offhanded comment made about how history is taught not in patterns but as facts. For example, “On the 18th of April in ’75, hardly a man is now alive, who remembers that famous day and year”.

Rarely are the “whys” explained – understandably so at early ages, but not understandably as maturation happens.

“Teaching” in so many subjects has become memorization of what really amount to key-value pairs. Like, Columbus: 1492. Norman invasion: 1066. Etc.

Certainly, facts are important. And some things truly are best learned in a rote memorization form – for example, the multiplication table through 12, 15, or 25. But what about states and their capitals? Sure, they’re “pairs” – but are they more?

This is awesome if you’re a trivia nut. But if you’re not, or you truly want to learn the material – not merely pass a test or regurgitate facts – then you need to understand more than just the “facts”.

Outside history classes, it’s especially prevalent in math – very little (if any) time is taken to explain why the quadratic formula works (or even what it is), instead algebra students are expected to just learn and use it.

My late aunt, who did a lot of tutoring in her life, summed-up the problem with algebra (and other math subjects past elementary school) thusly: before algebra, we give a problem like “3 plus box is 9; what goes in the box?” but in algebra, we swap the box for a t or x or g, and we freak out. She would teach the facts, but [almost] never without the whys.

The whys are illustrated and analyzed very well in some books – like Why Nations Fail (review). But, sadly, they’re not given in more places.

We definitely need more good teachers who want their students to understand not merely enough to pass the class (or the test), but to cultivate the curiosity we’re all born with to become lifelong learners.

First step: stop “teaching” as key-value pairs.