isn't quite ashamed enough to present

jr conlin's ink stained banana

:: Why Are You Doing That?

i’ve been doing a fair bit of mentoring lately. i guess because i’m obviously old and folks think i’ve got some wisdom about anything. To be fair, i am old.

Anyway, recently i got into a discussion with someone who’s been thinking a fair bit about her career. She started off doing data work, then did a bit of UI/Front end stuff, and just didn’t find it super fun or compelling. Honestly, very understandable.

i’ve always hated the semi-utopian thing about “Find a job doing what you love”. i’ll just come out and say that’s incredibly rare. There’s a reason that they can do shows about folks who manage to do that, it’s because they’re unique enough to be interesting. The rest of us? Yeah, we’re not as fortunate.

Don’t get me wrong. i have training for programming and some level of skill at it, but what makes me happy is not making servers go ping, but fixing problems and clearing tasks off of lists. i could do that anywhere and feel just as much sense of accomplishment. What makes me excited is not what i do, but why i do it.

Call me an idealist, but i actually really do want to make things better for people. To that end, i view personal privacy and security currently woefully lacking. It’s out there, but it’s not the path of least resistance and so folks tend to skip over it. Working for mozilla gives me the daily opportunity to fix things to be easier, more secure, and more private. That’s the reason i’m still working there and not, i dunno, CTO of some ad network that resells organs harvested from orphans or something.

What i do is not glamorous. My peers and i keep a bunch of back-end services running. We’re not going to be top of HackerNews. Heck if we get double digit count of stars on github, we’ll wonder what the hell happened. Still, we have around half a billion active connections and deliver messages in less than 100ms, juggle nearly a petabyte of encrypted user data, and write in the latest version of Rust because it’s the most performant and cheapest option for doing all of that.

Still, i’m working for a company that’s philosophically aligned with my interests, so yeah, i’ll deal with the frustrations and stress just fine, thank you.

Of course, there are down sides. i will never be invited on to the stage to talk about what i do. That means that promotions and bonuses are rare events. You’ll never know if i do my job right, but you’ll sure as hell know when i do it wrong.

:: The Internet Hates Long Lived Things

First off, this is not about ageism. i’m talking about long lived connections. There are a few folk out there that believe that you can hold a connection between two devices open forever. This is not the case. There are a lot of reasons that a great many things will actively fight your long lived connection. So, here are a few insights from someone who has dealt with Very Long Connections in Webpush and was once naive like you.

Why does the internet hate long lived connections?

Short answer: Money.

Longer answer:
The internet is not free.

Everything about the internet costs money, because everything requires either power or devices. Devices are way more costly because you not only need to buy and power them, you need to shelter, maintain, inspect, and eventually replace them. This includes everything from colocation farms to servers to cables to the conduits that carry the cables and the folks whose job it is to do all that sheltering, maintaining and inspection. The costs may be near infinitesimal for a 10 byte ping, but they’re there, and they add up surprisingly fast.

i’ll also add in that connections between devices also have a software cost. Turns out, there are a limited number of connections that a given computer can accept. There are also constraints depending on the language you use, how much memory you have installed, how fast your CPU is, and how many files you need to have open. There are fun ways to tweak that number and get really high counts, but if you’re doing any actual work with them, you’re going to hit that upper limit. If you’re doing real, serious work (like running TLS so things are secure) boy golly are you going to hit that number and it’s not going to be anywhere near that 10 million connection number someone built for Erlang.

So, in a world where idle connections are basically doing nothing but tying up resources, those connections are not going to stick around. You may not want to pay for them, and neither do any of the dozens of intermediary companies that want to maximize profits. They’ll spot a connection as being underused and will simply drop it, since there is probably some other company that wants to use it and send lots of capital-producing data over it.

There are tons of reasons a connection could be killed at any time and a whole lot of incentive to ignore any requests you might make to keep a low bandwidth connection up. This includes various “Keep Alive” packets helpfully provided by protocol authors. Those tend to be very light weight dedicated Ping/Ack packets that are sent on a regular cycle. They’re useful if you’ve got a lull for a few minutes, but anything longer than that and the connection is toast. You’re better off crafting a NoOp type message that you fire off regularly. Granted, i fully expect that those will be dropped in the future too once providers use stuff like packet inspection machine learning to further reduce costs and free up “idle” connections.
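A sketch of the NoOp approach described above, written for this page as an added example (it is not WebPush or Mozilla code). The `IdleWatchdog` class, the 240 second and 30 second timings, and the simulated path that silently discards traffic are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class IdleWatchdog:
    """Client-side timer logic for an application-level NoOp message."""
    noop_interval: float = 240.0   # send a NoOp after this long with nothing sent
    dead_after: float = 30.0       # an unanswered NoOp older than this means "dead"
    last_sent: float = 0.0
    noop_sent_at: Optional[float] = None   # NoOp still waiting for any reply

    def on_send(self, now: float) -> None:
        self.last_sent = now       # real traffic resets the idle timer

    def on_receive(self, now: float) -> None:
        self.noop_sent_at = None   # any inbound message proves the path works

    def poll(self, now: float) -> str:
        if self.noop_sent_at is not None:
            # A dropped path sends no FIN or RST, so silence is the only signal.
            if now - self.noop_sent_at >= self.dead_after:
                return "reconnect"
            return "wait"
        if now - self.last_sent >= self.noop_interval:
            self.noop_sent_at = now
            self.last_sent = now
            return "send_noop"
        return "wait"

def detect_silent_drop(drop_at, step=1.0, horizon=3600.0, **cfg):
    """Run the watchdog against a constructed path that silently discards
    everything from `drop_at` onward. Returns (NoOp send times, reconnect time)."""
    wd = IdleWatchdog(**cfg)
    noops, now = [], 0.0
    while now <= horizon:
        action = wd.poll(now)
        if action == "send_noop":
            noops.append(now)
            if now < drop_at:
                wd.on_receive(now)   # peer answers at once while the path is alive
        elif action == "reconnect":
            return noops, now
        now += step
    return noops, None

if __name__ == "__main__":
    sent, dead_at = detect_silent_drop(drop_at=1000.0)
    print("NoOps sent at:", sent, "reconnect decided at:", dead_at)
```

The worst case between the drop and the client noticing is `noop_interval + dead_after`, which is the number to tune against how stale a connection you can tolerate.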

Well, what about using stateless UDP instead of stateful TCP?

It’s not a bad idea, really. It’s the reason that QUIC is the base for HTTP 3.0, and it’s very clever about making sure that packets get handled correctly. Packets are assigned Server Ids, and cryptography is isolated so data corruption doesn’t cause blockages. Even so, if there’s a connection severance, it’s still dependent on the Client getting back to the Server. The server needs to be at a known, fixed address. That’s neato for things like HTTP, but less so for things like WebPush where the client could be waiting hours or days for a response, and unless the client is actively monitoring the connection (remember, built in KeepAlive packets ain’t enough), it’s basically doing long polling, so you’re kind of back at square one.

(There’s definitely something to be said about that for things like WebPush. WebPush’s “Immediate receipt” requirement, like relativistic travel, depends a great deal on the perspective of the parties involved. That’s a topic for another post.)

So, be mindful young protocol developer/designer. The internet is out to get your long lived connection dream and will dance on its grave at every opportunity.

:: Pandemic Network Effect

There was an article done years ago that pointed out folks whose jobs started during a recession generally earned far less over their careers. There’s a lot of reasons for this, but a big one is that folks don’t generally discuss their salaries so they have no idea if they’re being grossly over or under paid.

i can’t help but wonder if we’re overlooking a huge hurdle for folks starting out now, in the midst of a global pandemic. In short: Are they missing out on peer networking?

Let me be open and say that i’m an introvert. i’ve trained myself to be sociable and can present as extrovert when needed, but it’s draining and not really my happy place. That said, i’ve still built up reasonably good relationships with folks i’ve worked with. i’m sure that some dude in a pressed white shirt and lavalier mic would proclaim this as “Networking”, but it’s something that i’ve kinda fostered and benefited from. A good many of those are with folks i’ve not directly worked with on a project, but have been folks i’ve had parallels with. i may have met them at a meeting, or in a few cases, at an offsite. Maybe it’s been one of those “Fellows in Arms” where we’ve all done some terrible group improvement class being directed by a dude in a pressed white shirt and lavalier mic.

With a year of “social distancing” and zoom meetings, that’s one less year of building the sort of work network that’s going to be critical to getting better positions, or be a lifeline when the layoff axes start falling. What’s worse is that video meetings are tiring and terrible as is, so the thought of doing them outside of work isn’t really going to be super appealing. Nor are junior folk going to see how beneficial they can be from more senior folk dragging them off to some semi-casual meet-up.

Plus, conferences and big get-togethers are probably not going to be happening for years to come. Sure, it was funny how you’d catch Con-Flu after a meet-up, but that didn’t carry the risk of killing you or doing serious, long lasting bodily harm. i’m going to guess that it’s going to be a while before insurance companies reduce the liability costs for those.

Humans, even the more anti-social of us, are social creatures. We think in tribes and communities.

If you’re a junior person, don’t neglect this. Reach out to mentors and peers to find and establish networks.

If you’re a senior person, watch out for the junior folks. Maybe introduce them to some of your larger nets the way you would at a conference.

Eventually the pandemic will go away, let’s make sure the damage done isn’t worse than it already is.

:: A Letter to Sen. Feinstein

*sigh* this again..

Dear J-R:

Thank you for writing to me to share your concerns about law enforcement access to encrypted communications. i appreciate the time you took to write, and i welcome the opportunity to respond.

i understand you are opposed to the “Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of 2020” (S. 3398), which i introduced with Senators Lindsey Graham (R-SC), Richard Blumenthal (D-CT), and Josh Hawley (R-MO) on March 5, 2020. You may be interested to know that the Senate Judiciary Committee—of which i am Ranking Member—held a hearing on the “EARN IT Act” on March 11, 2020. If you would like to watch the full hearing or read the testimonies given by the hearing witnesses, i encourage you to visit the following website: https://sen.gov/53RV.

The “EARN IT Act” would establish a National Commission on Online Sexual Exploitation Prevention to recommend best practices for companies to identify and report child sexual abuse material. Companies that implement these, or substantially similar, best practices would not be liable for any child sexual abuse materials that may still be found on their platforms. Companies that fail to meet these requirements, or fail to take other reasonable measures, would lose their liability protection.

Child abuse is one of the most heinous crimes, which is why i was deeply disturbed by recent reporting by The New York Times about the nearly 70 million online photos and videos of child sexual abuse that were reported by technology companies last year. It is a federal crime to possess, distribute, or produce pictures of sexually explicit conduct with minors, and technology companies are required to report and remove these images on their platforms. Media reports, however, make it clear that current federal enforcement measures are insufficient and that we must do more to protect children from sexual exploitation.

Please know that i believe we must strike an appropriate balance between personal privacy and public safety. It is helpful for me to hear your perspective on this issue, and i will be mindful of your opposition to the “EARN IT Act” as the Senate continues to debate proposals to address child sexual exploitation.

Once again, thank you for writing. Should you have any other questions or comments, please call my Washington, D.C. office at (202) 224-3841 or visit my website at feinstein.senate.gov. You can also follow me online at YouTube, Facebook and Twitter, and you can sign up for my email newsletter at feinstein.senate.gov/newsletter.

Best regards.

Sincerely yours,

Dianne Feinstein
United States Senator

Thank you for your response.

While i don’t believe that anyone will ever stand up and be pro-child abuse, i caution that using that banner can often cover significant issues as well. i cite Ms Banker’s testimony at the hearing you attended. Perhaps you may have missed it.

One important decision that should be addressed by Congress in the first instance is any choice to limit or weaken encryption technology. While the bill does not identify “encryption” as a specific matter that the Commission must address, the Commission is not prevented from addressing it and the bill calls for the Commission to include a privacy, security, or cryptography expert. For these and other reasons, it is widely anticipated that the best practices that might emerge from the Commission would require that companies either weaken, or refrain from deploying, encryption protections for private communications. Limitations on the deployment or strength of encryption would impact a wide range of stakeholders and equities that are not represented on the Commission, as well as topics not within its scope.

Requiring companies to engineer vulnerabilities into their services would make us all less secure. Encryption technology stands between billions of internet users around the globe and innumerable threats—from attacks on sensitive infrastructure, including our highly automated financial systems, to attempts by repressive governments to censor dissent and violate human rights. Strong encryption is key to protecting our national interests because encryption technology is an essential proactive defense against bad actors.

Giving the government special access to user data—by building in security vulnerabilities or creating the ability to unlock encrypted communications—is impossible without generating opportunities that would be exploited by bad actors. The exponential growth of the internet both deepens and broadens the risks that would be caused by weakening encryption technology. As the internet becomes relevant to more areas of society and the global economy, our exposure to security vulnerabilities expands as well. Foreign and domestic entities have, for decades, targeted private data in hacks aimed at internet companies—a clear threat to our economic and national security. Strong encryption is our best tool for ensuring that the costs of cyberattacks, data breaches, and other types of exposure are low. And encryption can also be a smart strategy to decrease the incentive to engage in hacking. Encryption fundamentally protects the vital interests of our country and its citizens.

i feel i need to underscore this.

Criminals will continue to use effective encryption. Your bill will simply open the potential for innocent citizens, like yourself, your associates, and your families, to have personal information stolen or used against them.

You can either have effective secure encryption, or you don’t. You cannot have secure “back doors” because they WILL be discovered and used. There’s a saying in computer security: “Hackers have infinite time and resources”. i’ll also state that you cannot have an effective secure key escrow system.

i have a copy of the Washington Post article that shows the TSA master keys. These are now available for 3D printing by anyone. There’s also the famed 1620 key, which opens elevator control panels, job sites, and thousands of other locks in New York, and is available for $8. i’d also encourage you to read up about the DeCSS DVD decryption key, or how quickly even very sophisticated Anti-Piracy systems like Denuvo are cracked. Now imagine how big a target your finances and your secure email would be.

It’s a bit like putting up a bill against the practice of dropping puppies into wood-chippers that included installing cameras into every person’s home. Surely, you oppose puppy mulching, so a camera that watches you 24 hours a day, 7 days a week that may be accessed by authorized persons only. Surely, since you love puppies, you wouldn’t be opposed to it, nor would you be shocked if footage of your morning routine showed up on America’s Funniest Home Videos because the master password was written on a post-it that appeared on the Wichita evening news.

i understand how important keeping children safe is. i also understand how critical it is to keep everyone’s personal data safe, and how fragile that system is already. Please don’t make it any more fragile.

Oh for fuck’s sake…

"550 5.1.1 User senator@feinstein.senate.gov' not found

:: Web Pushless

Hi!

i’m one of the nice people that brought you WebPush. That lovely tech that is probably one of the most user hated things to roll out. i work on the back-end bits. i still hold that in spite of idiot web marketing folk who don’t want us to have nice things, web push is still really useful, but that’s not important right now.

What i want to talk about today is something i’ve been asked a good deal lately:

“How do i provide push notifications on mobile devices if i can’t use device native Push?”

Ok, that probably sounds like a really weird question, but let me explain a few things.

How Push works:

i’m not going to go into super detail here, but suffice to say that Web Push provides a way for servers you’re not connected to currently to send you messages that you’ve agreed to having delivered. It’s super easy for you to send messages to servers since they don’t move around and change their IP address every 15 minutes. Your phone may well do that. So what we do internally is have your phone connect to one of a bunch of servers we run, then it sits around waiting for you to send a message. For things like laptops or desktops which have big batteries or are always plugged in, that’s a great solution. For phones, however things are a bit different.

How Push works on Mobile Devices:


i do believe that Donald does not approve of your battery usage.

Your phone doesn’t want to be on. It wants to power down as much as possible so that your battery doesn’t die after an hour or so. It has LOTS of VERY AGGRESSIVE power management things it does in order to facilitate that. It will also flag any app that consumes “too much” battery and point at it like Donald Sutherland in Invasion of the Body Snatchers. Naturally, since having a reliable connection from your device maker’s servers to your device is actually really useful, they’re very forgiving about any that they might set up. In fairness, they have a lot of neat tricks they can pull at very low levels to keep your CPU asleep and the battery usage minimal that they’re absolutely not going to let your J. Random Application take advantage of.

So instead they offer a way for you to piggyback on top of their protocols. That’s what Firefox on Android (and to some extent Firefox on iOS and Amazon FireTV) does. The data we send over these bridges is still encrypted because the decryption key is in the User Agent (the actual “Firefox” application).

The problem is, running machines that your devices connect to for long periods is kind of expensive. As in people in the Accounts Payable department screaming “WHY DOES THIS BILL HAVE SO MANY ZEROES!?” sort of expensive. There are things you can do to control costs, but frankly, when you’re talking about hundreds of millions of phones calling in, you’re talking about having at least a few good boxes just to handle the loads. It’s kinda depressing how much doing nothing costs, particularly in setting up a secure link that does nothing, but that’s our problem more than yours. (Although, next time you want to buy something, if you were to search for it in the AwesomeBar, click on one of the ads and buy it from there, that’d be swell!)

That’s one of the reasons that Google put their messaging system under Google Play. It’s an app that only gets installed on authorized Google Android devices, and (surprise) it costs money to do that. You can absolutely grab a copy of the Android Open Source, customize it to fit your phone’s hardware platform and get rolling. You might even be able to sideload some versions of Google Play onto those devices, but Android is the most used phone platform on the planet and even Google has pipers to pay.

So, how do you do Push if Push isn’t there?

Thus we come to the (potentially) million dollar question.

So, if you’ve got an off-brand Android phone, it’s probably using the Open Source release of Android, which does not have Google Play. Honestly, it probably doesn’t have a lot of services. So what options are there?

  1. Polling: This is probably the easiest. When your app is active (or if you set up a timer) you could have it poll a well known server address and check to see if there are any messages. You want to be careful with this, to avoid “thundering herds” where all the devices suddenly check at once and swamp your servers. You can randomize things a bit, but i’ve also seen some devices that “helpfully” round sleep timers to a nearest interval (e.g. you thought you said sleep for 5 minutes? Oh, well, we slept for 15 since that means less CPU.) Some experimentation and monitoring your servers may be required.

    Pro: it’s fairly straightforward and simple to do.
    Con: it’s not exactly “timely”. Good for “Remember John’s Birthday tomorrow” less for “your tea kettle is boiling”.

  2. Active Reception: This one is a bit trickier. Basically, when your app is active, it connects to your servers using WebSocket, HTTP/2 or whatever protocol and actively pulls and listens for messages. This can provide much faster message deliveries while the user is present and attentive.

    Pro: Quick message delivery with feedback.
    Con: Could be complex and doesn’t work when the device is sleeping.

  3. Combo: This one combines the two above steps. You have a small stub program that checks a URL to see if there are any messages pending, and if so, spins up your app to do a full connection. The connection processes everything, then lets the device go back to sleep.

    Pro: Almost exactly like Push, sort of.
    Con: Complex, and probably buggy. Dances the line between “efficient” and “here come the howler monkeys”
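The thundering herd and timer rounding problem from option 1, as a small simulation added for this page (not code from the post or from any push service). It assumes every device starts its sleep timer at the same moment, models the rounding as the OS rounding each sleep up to a multiple of `os_quantum` seconds, and includes one possible mitigation, a short random in-app delay after wake-up, which is an assumption rather than something the post recommends.

```python
import random
from collections import Counter

def poll_time(rng, interval, jitter=0.0, os_quantum=0, post_wake_spread=0.0):
    """When one device polls, in seconds after a shared starting moment.

    os_quantum > 0 models a device that rounds the requested sleep up to a
    multiple of os_quantum seconds (assumed model of the rounding above).
    post_wake_spread is a random in-app delay applied after the timer fires.
    """
    sleep = interval + rng.uniform(-jitter, jitter)
    if os_quantum:
        sleep = -(-sleep // os_quantum) * os_quantum   # ceil to a multiple
    return sleep + rng.uniform(0.0, post_wake_spread)

def simulate(n_devices, seed=7, **kwargs):
    """Poll times for n_devices that all started their timers at t=0."""
    rng = random.Random(seed)
    return [poll_time(rng, **kwargs) for _ in range(n_devices)]

def peak_per_second(arrivals):
    """Largest number of polls that land in any one-second bucket."""
    return max(Counter(int(t) for t in arrivals).values())

def quantized_fraction(arrivals, quantum, tolerance=2.0):
    """Server-side check: share of polls within `tolerance` seconds of a
    multiple of `quantum`. A value near 1.0 means clients are being rounded."""
    def distance(t):
        r = t % quantum
        return min(r, quantum - r)
    return sum(distance(t) <= tolerance for t in arrivals) / len(arrivals)

if __name__ == "__main__":
    N = 12000  # constructed fleet size
    cases = {
        "fixed 5 min": dict(interval=300),
        "5 min +/- 60 s": dict(interval=300, jitter=60),
        "jitter, OS rounds to 15 min": dict(interval=300, jitter=60, os_quantum=900),
        "rounded, then 0-120 s in-app delay": dict(
            interval=300, jitter=60, os_quantum=900, post_wake_spread=120),
    }
    for name, kw in cases.items():
        a = simulate(N, **kw)
        print(f"{name:36s} peak/s={peak_per_second(a):6d} "
              f"on 15-min boundary={quantized_fraction(a, 900):.2f}")
```

Jitter applied before the sleep is erased by the rounding, so the whole fleet lands in the same second again; `quantized_fraction` run over real request timestamps is one way to spot that from the server side.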

Sadly, i believe that any of these would probably constitute a “savvy business opportunity” for some startup, and while i’ve not looked, i would not be surprised in the least if there was a company out there that was offering a service like one of these. i don’t think it would be free though, mostly because of the costs associated with it.
