RSS

Category Archives: architecture

Mosh is still a bit of a pit

07 Dec

Some months ago I reviewed Mosh (mobile shell). At the time I wrote the article I was looking at the project as a user with a secure view of the world. Now, with the help of a troll, I have rediscovered Mosh, however, it is still “a bit of a pit“. This time I have some new complaints.

There is a presentation on the Mosh site. The speaker knows the project and is probably the project owner or lead developer. I’m not certain. He tells the audience about what is wrong with standard terminal sessions and how they developed this mobile communication protocol that rides somewhere between the various layers of SSH and so on. Since the website touts that they are more secure… by inheritance they are as strong as the weakest link but this was an earlier argument.

Then he talks about predictive local echo. The idea here is that in a normal terminal session your keystrokes are not actually echoed on the terminal (unless you have local echo turned on) but represent the output of the server application whether it is a command shell, editor, curses app, or something else. Predictive local echo will echo the character to the local console with the expectation that 70% of the text is echoed by the server anyway… and then the PEL will clean things up.

Well, there are a number of problems with this. The first is that PEL really only works in the shell itself. Once you are in vi and changing modes it is impossible to echo properly… and that is why most terminal emulators default to local echo off. Many old-school applications screen scrape terminal sessions and would not be capable of dealing with PEL as it does not effect the byte stream so much as it does the representation in the terminal window. The demo that was presented was a command shell which is the easiest use-case but is by no means proof or substantive.

Next the presenter tweaks Google for doing an adequate job with mobile applications in that Gmail echos to the console. This argument also misrepresents the domain of webapps, network capable apps, and probably MIT’s position on computing all in one statement. SSP is not going to help Gmail be a better app. SSP is not going to make my mobile browser better as I leave my home’s hotspot and head into the wilds of 3G/4G. Re-establishing my mobile session is no different than any network disaster recovery plan within the enterprise.

The only thing that might be interesting about SSP is that the important bits about the connection are being moved from one layer of the OSI to another. (I do not know which is which anymore).

**I went back to the Mosh site to get some more details. Sure Mosh is all about the shell but what about the app? They state that the Mosh server is actually a terminal emulator of sorts and that’s how they get the delta of screen changes to the local console. It’s not until version 1.3 that they implement larger screen buffers… meaning that you’re back to tmux or screen for that.

The big issue for me is the firewall issue plus UDP plus roaming connections. This makes hijacking or sniffing more likely once you break the encryption. And if you can get past all that… it only solves one use-case.

 

 
Leave a comment

Posted by on 2012/12/07 in architecture, security

 

What does it cost to charge your electric car?

22 Oct

plug in your electric car

If you are the owner of the car in the picture then you are not likely to be paying anything. This is a pseudo public space but I’m certain that the property owner was not expecting to have to burden the cost of charging every electric car out there. And I’m certain that homeowners are not interested in replacing all of their receptacles with secure alternatives.

 
Leave a comment

Posted by on 2012/10/22 in architecture, Complaint Depatment

 

Rethinking software development

18 Oct

When I read that Apple was ejecting Java from it’s browsers I believe my heart skipped a beat. On the one hand Java, when it was managed by Sun, was very good to me. And now that Oracle owns it I’ve been reluctant to use it and that has nothing to do with Apple’s decision. It’s just the way I see Oracle.

Coincidentally Google announces Dart 1.0, Firefox announces Rust 0.4, Google’s GO is making headway … but most telling is the article, I read today, criticizing FogBugz for implementing their cornerstone application using a proprietary and internal language and toolchain (Wasabi which looks like VB).

So my intuition tells me that if Oracle does not make some serious corrections “we” are about to experience a paradigm shift akin to the magnetic swap that the mad scientists have been talking about for the last 10 years; because:

  • business owners need to reduce their risk – general security and maintain control of the API
  • increase their intellectual property – proprietary toolchains would add some value if they work
  • reduce programmer turnover – in a way proprietary languages will not actually enhance individual marketability (of course you have to get them first)

But if you cannot afford to design and implement a first class programming language… then you’re forced to develop a DSL. And if you cannot afford that… then you have to use someone else’s or something that is open source and liberal (nothing with the GPL; stick to MIT, BSD, and a few others)

In conclusion, and I hope I have connected the dots, there will be a major fracture. A small portion of the developers and businesses are going to go for the 100% commercial toolchain like Objective-C, iOS, .CLR/.NET and then there is going to be another group that is going to go completely open source as in perl, python, ruby, GCC, GO, Dart, Rust, and internal DSLs.

  • javascript is interesting but will be killed along with the JDK
  • Java might fork with a reasonable replacement but the devs working on the commercial version, who are responsible for the current state of affairs might poison the same tree.

Sadly, Google’s current price drop might have something to do with the Java security issues as it was recently reporting that Android had it’s own security issues.

It’s clearly a sad state of the industry. It feels like a huge grey cloud overhead. I hope it’s just a little rain and not a flood.

 
Leave a comment

Posted by on 2012/10/18 in architecture, ProgLang, Tools

 

Is Gmail privacy gone?

11 Oct

There are a couple of things that the average user should know.

  1. There is no such thing as email privacy.
  2. Most email travels through the internet from point to point in the clear
  3. So called legalese on the email footer about intended recipient and communication has not been tested in court and it not binding.

That said, if you have a private email server that you think is secure and you use it exclusively because you want secure email that is not to be seen by the prying eyes of big brother or even Google, Yahoo, Hotmail, Facebook or other… then you are sadly mistaken and misinformed.

Just because you have an uber secure email server does not mean that the recipient has the same. So then the real question becomes… Why not use Gmail yourself?

 
Leave a comment

Posted by on 2012/10/11 in architecture, security

 

Tags:

Writing good log messages

02 Oct

Writing good log messages is part design, part good practice, part knowing what and when to say it.

Design

(1) You need to decide what exactly you hope to get out of a logging session. Are you going to be debugging bugs, crashes, or other critical events like a forensic accountant or like a whack-a-mole?

(2) Are you going to use flat files, how big will they get, how many files will you keep around? All very important when thinking about backups, disk space, maintenance, recovery, and so on. You might also be thinking about the different versions of syslog-like tools where you can ship the events remotely.

(3) Are you going to store the logs in a DB on the local system and then use sharding to allow for more permanent maintenance? This is interesting because the searching can be easier than grep, awk, etc… Also, considering (4) grouping related messages is easier and you can use SQL-like reporting tools.

(4) Are there some pre-optimizations you want to perform like all logged entries are stored in temp storage until the transaction is complete. Then the data is shipped to the repository for storage.

Good Practice

Treat all of your code the same.  Whatever level of logging you are performing you should be consistant throughout your application. This way you will not be surprised by your results and you will not have to worry about “and then a miracle occurred)

What to Say, Where to Say it

If you are processing transactions then make sure that you create a transaction ID as soon as possible and start using that ID with every log message related to this transaction. This is necessary so that you have a thru-line and so the transaction can be traced.

Also make sure that you are clear as to the intent of the function and what the results were. That also means that the type of entry should make sense. INFO, WARN, ERROR, EXCEPTION and so on.

You might even time the execution of the function.

Warning

One thing to be wary of. Logging can consume your disk, disk I/O, CPU, memory, message queues, database. You can spend more time copying, moving, and filtering your messages that it might effect the ability to produce meaningful results.

For example, using a Redis pub/sub in order to log transactions might seem like a good idea, however, if you consume all of system memory you may end up swapping and then net result is going to be poor performance.

 
Leave a comment

Posted by on 2012/10/02 in architecture, Tools

 

Tags:

I ripped through the Mythical Man-Month

30 Sep

[Update] You cannot read MMM without reading “Death March — Yourdon”. I just skimmed sections named “Good Enough” and “Best Practices, Worst Practices”. I will have to rip this book shortly.

I was given my first copy of this book when I was a contractor at IBM. The manager that loaned it to me was a good person and an effective leader, manager and architect. I ripped through parts of the book and gave up. Brooks is a fine writer but some of the stories were just a little too slow. Also,  for my taste, once you acknowledge that the writer is credible and provides reasonable references then I get lost in the arguing over the minutia.

What is also interesting that this tomb tome was accepted as gospel in the 1980s. A lot of the information in the book is still consistant with my personal experience but someday it may all be regarded as false. For the moment I’ll keep my one page summary as the summary I might use when my intuition checks out.

 
2 Comments

Posted by on 2012/09/30 in agile, architecture, education, management

 

What are the minimum DB fields required in an Agile Story Schema?

25 Sep

I’m getting ready to define the schema for the bugs backend DB when it occurred to me that I needed a minimal schema in order to maintain the one-page requirement. I do not want to get crazy with 100′s of one-off fields. Just a simple set of required fields… auto filling them when possible.

Fields in the most normal form:

  • id
  • bug_id (FK)
  • date
  • field_id [opened_by, open_date, close_date, status, importance, assigned_to, story, note, ...]
  • field_value
  • field_text

I have included field_value and field_text because most DBs have different profiles for TEXT and VARCHAR fields. So in this implementation certain field_ids will be assigned to certain field_**.

What fields would you add and still keep it lean? Would you add a separate agile state or wrap that in status?

This appears to be a good reference. It’s still more info than I wanted… but it might be practical for both bugs and requirements.

 
Leave a comment

Posted by on 2012/09/25 in architecture

 

Tags: ,

What is next for my desktop?

20 Sep

I’m staring at two MacBooks on my desk. One PPC Mini in pieces because of a mainboard failure. And a Macbook in the kitchen which belongs to my wife. The two machines on my desk are updating to OSX 10.8.2 and it is painfully slow. My wife’s computer will not install 10.8.x because the hardware is old enough that it’s no longer supported by OSX. And I have two kids who already navigate our recycled iPhones in order to play educational games. And to top it all off my wife wants me to buy them a computer.

So to say that I’m looking for a new desktop is not exactly correct. To be perfectly clear I’m looking for a new desktop for my kids. And I have some requirements. (a) I do not want to maintain upgrades (b) no moving parts (c) secure (d) inexpensive (e) reboots quickly (f) a preview of sorts for when the grandparents need a new computer.

The chromebox and chromebook are look like real candidates. My first chromebox is on order. It should be here in a few days. I plan to velcro the box to the underside of an Ikea kids table, screw the monitor to the table. and secure the keyboard and mouse to the table too.

I’m hoping that this setup is so successful that I can replace my desktop in the office with one of these too.

 
Leave a comment

Posted by on 2012/09/20 in architecture

 

Tags: , ,

MDD and DSL – I feel like I’m circling the drain

14 Sep

Have you ever seen one of those charity boxes that looks like a large funnel and when you put your coins in motion it goes round and round until it falls into the center hole only to be collected by the charity’s processor. Looks something like this. Well when I think about MDD (model driven development) and DSL (domain specific language) I feel like the coin going round and round.

MDD and DSL were and still are viable tools for deconstructing systems and processes that are to be implemented in hardware/software but to fail to recognize the history is pure folly. Many years ago they were referred to as DFD(Data Flow Diagram) and FFD(Funtion Flow Diagram). Sure, back in the day, we used analog systems to capture the details and now it’s digital but the results were exactly the same.  In fact even if you say that MDD is the new and improved DFD…. it’s new and improved in terms of same box of PopTarts with just a little less filling.

And so now I wrestle with OO.next(). Object Oriented programming was and continues to be leap years ahead of DFD/FFD and the jury would seem to be out on any comparisons to MDD/DSL. So instead let’s jump ahead another generation. What is the next version or incarnation of OO going to look like and is it ready for some early adoption now?

 
Leave a comment

Posted by on 2012/09/14 in architecture, future, Tools

 

Tags: , , ,

Is the JVM a viable release platform?

03 Sep

I have written a number of server applications based on Sun’s JVM and luckily for me I have not had to code anything beyond a few interview questions under Oracle’s stewardship. In the last year or so Oracle has released two versions of it’s JVM with well publicized security holes. Normally this sort of thing would go unnoticed or at least pass quietly so what does it mean?

Back in the day when Sun was touting the benefits of Java it was “rewrite once and run anywhere”, “the network is the computer” and security. Whether “security” is defined by phone home, crypto, private and protected modifiers… or the effects of recent attacks you really have to start thinking about Java a little differently.

So when I watched an interview with Rich Hickey this weekend where he talked about Clojure, and by extension Datomic, just plugging into the JVM on your local machine I could not help but get a little concerned. First of all while Clojure is interesting and probably functional and plenty of first-class implementations of things… the hangers on and other libs still use basic JDK libs thus infecting the pure implementation(see that Lift embeds Jetty). And while Clojure is supposed to implement similar read-only features of erlang and other functional languages… what happens when the JVM is attacked sideways?

I like java for what it is and what it might be again. I categorically disagree with some of the language features that are clearly designed for the proprietary sect of this business. And frankly so many more have accomplished much more with less effort using dynamic languages like Ruby, Perl and Python.

One of my strongest beliefs is that in order to scale you need the following: (a) a reasonable ROI on the initial development. (b) ability to automate administration/deployment of the second wave of hardware. (c) ability to automate the automation of the crazy scaling where the application, infrastructure, and people scale organically. At the end of the day scaling must be achieved by applying the lessons of Henry Ford and the assembly line.

 
Leave a comment

Posted by on 2012/09/03 in architecture

 

Tags: , , , , , ,

Older posts
 
One Page Docs

Creating a library one page at a time.

One Page Bugs

Reducing the friction of writing and fixing bugs or features.

Follow

Get every new post delivered to your Inbox.

Join 223 other followers