Oops! Something went sideways.

Looks like the styling got goofed up. Sorry about that, unless it's what you wanted. If this isn't what you were looking for, try force refreshing your page. You can do that by pressing Shift + F5, or holding Shift and clicking on the "reload" icon. (It's the weird circle arrow thing "⟳" just above this page, usually next to where it says https://blog.unitedheroes.net...)

isn't quite ashamed enough to present

jr conlin's ink stained banana

:: Ec-COVID-Nomics

SARS/Corona Virus 2019 (COVID19) is a terrible disease, on a lot of fronts. The thing i really can’t get over are folks that say stuff like this:

A NextDoor post where someone proudly claims their going to a 40-50 person gathering because the disease has a \

i mean, sure? If you’re young-ish and fortunate, you do have a fairly good chance of getting through it alive. Hooray?

Of course, that’s not really the problem, at least, that’s not the most significant problem you face in the US.

Let’s consider what you face if you get the disease.

First off, there’s dealing with the disease itself. For some folk, it’s nothing. As in they have no symptoms what-so-ever. Other folks require hospitalization. How your body reacts to COVID is pretty much anywhere in-between, and there’s no knowing what it will be. There are also potential long term considerations as well, since it’s still quite a new disease and nobody is quite sure how it will impact everyone.

You may only be “sick” for a few days get “better” and since you got the ‘rona, feel you don’t need to worry about wearing a mask. You’re now a spreader since you’re still contagious since the virus is still very much present in your system. (You could also be asymptomatic, which means you have the disease, but aren’t showing or feeling any symptoms. Feel free to read up about “Typhoid Mary” if you want a nice, historical record of how this could happen.)

But let’s say you’re unfortunate enough to actually require hospitalization. Because we’re America, once you’re released, you’re looking at a bill of anywhere from $32,000 to $73,000 (depending on how good your coverage is). It can also be a whole lot more than that, depending on where you get your care.

i don’t know if you’re able to buy a car right now out of pocket, but that’s kind of the numbers you’re looking at. If you’re not, you’re going to have to figure out where to get that money. Again, since we’re America, you’ll probably turn to the age old practice of finding someone to sue. If not you, don’t worry, your insurance company will probably do it for you. They don’t want to spend that sort of money either, so if they can find someone who exhibited clear, reckless behavior, you bet they’ll be right on top of that.

Of course, if you’re in the clear and someone you’ve contacted afterwards develops COVID, well, let’s just say that announcing your open defiance of strongly suggested health guidelines may not be quite as bold as you had thought.

(i honestly believe that this is the major reason that the US has not implemented Contact Tracing like Canada has. i’m pretty sure someone figured out that having a clear path between litigant and plaintiff may not be fantastic.)

What’s more, again, since we’re America, and our health providers don’t like pre-existing conditions, this is something that could actually come back to haunt you years from now.

So, yeah, that’s why i have zero intention of going to large gatherings so long as COVID is still very much a thing.

:: Why Are You Doing That?

i’ve been doing a fair bit of mentoring lately. i guess because i’m obviously old and folks think i’ve got some wisdom about anything. To be fair, i am old.

Anyway, recently i got into a discussion with someone who’s been thinking a fair bit about her career. She started off doing data work, then did a bit of UI/Front end stuff, and just didn’t find it super fun or compelling. Honestly, very understandable.

i’ve always hated the semi-utopian thing about “Find a job doing what you love”. i’ll just come out and say that’s incredibly rare. There’s a reason that they can do shows about folks who manage to do that, it’s because they’re unique enough to be interesting. The rest of us? Yeah, we’re not as fortunate.

Don’t get me wrong. i have training for programming and some level of skill at it, but what makes me happy is not making servers go ping, but fixing problems and clearing tasks off of lists. i could do that anywhere and feel just as much sense of accomplishment. What makes me excited is not what i do, but why i do it.

Call me an idealist, but i actually really do want to make things better for people. To that end, i view personal privacy and security currently woefully lacking. It’s out there, but it’s not the path of least resistance and so folks tend to skip over it. Working for mozilla gives me the daily opportunity to fix things to be easier, more secure, and more private. That’s the reason i’m still working there and not, i dunno, CTO of some ad network that resells organs harvested from orphans or something.

What i do is not glamorous. My peers and i keep a bunch of back-end services running. We’re not going to be top of HackerNews. Heck if we get double digit count of stars on github, we’ll wonder what the hell happened. Still, we have around half a billion active connections and deliver messages in less than 100ms, juggle nearly a petabyte of encrypted user data, and write in the latest version of Rust because it’s the most performant and cheapest option for doing all of that.

Still, i’m working for a company that’s philosophically aligned with my interests, so yeah, i’ll deal with the frustrations and stress just fine, thank you.

Of course, there are down sides. i will never be invited on to the stage to talk about what i do. That means that promotions and bonuses are rare events. You’ll never know if i do my job right, but you’ll sure as hell know when i do it wrong.

:: The Internet Hates Long Lived Things

First off, this is not about ageism. i’m talking about long lived connections. There are a few folk out there that believe that you can hold a connection between two devices open forever. This is not the case. There are a lot of reasons that a great many things will actively fight your long lived connection. So, here are a few insights from someone who has dealt with Very Long Connections in Webpush and was once naive like you.

Why does the internet hate long lived connections?

Short answer: Money.

Longer answer:
The internet is not free.

Everything about the internet costs money, because everything requires either power or devices. Devices are way more costly because you not only need to buy and power them, you need to shelter, maintain, inspect, and eventually replace them. This includes everything from colocation farms to servers to cables to the conduits that carry the cables and the folks who’s jobs it is to do all that sheltering, maintaining and inspection. The costs may be near infinitesimal for a 10 byte ping, but they’re there, and they add up surprisingly fast.

i’ll also add in that connections between devices also have a software cost. Turns out, there are a limited number of connections that a given computer can accept. There are also constraints depending on the language you use, how much memory you have installed, how fast your CPU is, and how many files you need to have open. There are fun ways to tweak that number and get really high counts, but if you’re doing any actual work with them, you’re going to hit that upper limit. If you’re doing real, serious work (like running TLS so things are secure) boy golly are you going to hit that number and it’s not going to be anywhere near that 10 million connection number someone built for Erlang.

So, in that sort of world where having connections that are basically doing nothing but tying up resources, connections are not going to stick around. You may not want to pay for them, and neither do any of the dozens of intermediary companies what want to maximize profits. They’ll spot a connection as being underused and will simply drop it, since there is probably some other company that wants to use it and send lots of capital producing data over it.

There are tons of reasons a connection could be killed at any time and a whole lot of incentive to ignore any requests you might make to keep a low bandwidth connection up. This includes various “Keep Alive” packets helpfully provided by protocol authors. Those tend to be very light weight dedicated Ping/Ack packets that are sent on a regular cycle. They’re useful if you’ve got a lull for a few minutes, but anything longer than that and the connection is toast. You’re better off crafting a NoOp type message that you fire off regularly. Granted, i fully expect that those will be dropped in the future too once providers use stuff like packet inspection machine learning to further reduce costs and free up “idle” connections.

Well, what about using stateless UDP instead of stateful TCP?

It’s not a bad idea, really. It’s the reason that QUIC is the base for HTTP 3.0, and it’s very clever about making sure that packets get handled correctly. Packets are assigned Server Ids, and cryptography is isolated so data corruption doesn’t cause blockages. Even though, if there’s a connection severance, it’s still dependent on the Client getting back to the Server. The server needs to be at a known, fixed address. That’s neato for things like HTTP, but less so for things like WebPush where the client could be waiting hours or days for a response, and unless the client is actively monitoring the connection (remember, built in KeepAlive packets ain’t enough), it’s basically doing long polling, so you’re kind of back at square one.

(There’s definitely something to be said about that for things like WebPush. WebPush’s “Immediate receipt” requirement, like relativistic travel, depends a great deal on the perspective of the parties involved. That’s a topic for another post.)

So, be mindful young protocol developer/designer. The internet is out to get your long lived connection dream and will dance on it’s grave at every opportunity.

:: Pandemic Network Effect

There was an article done years ago that pointed out folks who’s job started during a recession generally earned far less over their careers. There’s a lot of reasons for this, but a big one is that folks don’t generally discuss their salaries so they have no idea if they’re being grossly over or under paid.

i can’t help but wonder if we’re overlooking a huge hurdle for folks starting out now, in the midsts of a global pandemic. In short: Are they missing out on peer networking?

Let me be open and say that i’m an introvert. i’ve trained myself to be sociable and can present as extrovert when needed, but it’s draining and not really my happy place. That said, i’ve still built up reasonably good relationships with folks i’ve worked with. i’m sure that some dude in a pressed white shirt and lavalier mic would proclaim this as “Networking”, but it’s something that i’ve kinda fostered and benefited from. A good many of those are with folks i’ve not directly worked with on a project, but have been folks who’ve i’ve had parallels with. i may have met them at a meeting, or in a few cases, at an offsite. Maybe it’s been one of those “Fellows in Arms” where we’ve all done some terrible group improvement class being directed by a dude in a pressed white shirt and lavalier mic.

With a year of “social distancing” and zoom meetings, that’s one less year of building the sort of work network that’s going to be critical to getting better positions, or be a lifeline when the layoff axes start falling. What’s worse is that video meetings are tiring and terrible as is, so the thought of doing them outside of work isn’t really going to be super appealing. Nor are junior folk going to see how beneficial they can be from more senior folk dragging them off to some semi-casual meet-up.

Plus, conferences and big get-togethers are probably not going to be happening for years to come. Sure, it was funny how you’d catch Con-Flu after a meet-up, but that didn’t carry the risk of killing you or doing serious, long lasting bodily harm. i’m going to guess that it’s going to be a while before insurance companies reduce the liability costs for those.

Humans, even the more anti-social of us, are social creatures. We think in tribes and communities.

If you’re a junior person, don’t neglect this. Reach out to mentors and peers to find and establish networks.

If you’re a senior person, watch out for the junior folks. Maybe introduce them to some of your larger nets the way you would at a conference.

Eventually the pandemic will go away, let’s make sure the damage done isn’t worse than it already is.

:: A Letter to Sen. Feinstein

*sigh* this again..

Dear J-R:

Thank you for writing to me to share your concerns about law enforcement access to encrypted communications. i appreciate the time you took to write, and i welcome the opportunity to respond.

i understand you are opposed to the “Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of 2020” (S. 3398), which i introduced with Senators Lindsey Graham (R-SC), Richard Blumenthal (D-CT), and Josh Hawley (R-MO) on March 5, 2020. You may be interested to know that the Senate Judiciary Committee—of which i am Ranking Member—held a hearing on the “EARN IT Act” on March 11, 2020. If you would like to watch the full hearing or read the testimonies given by the hearing witnesses, i encourage you to visit the following website: https://sen.gov/53RV.

The “EARN IT Act” would establish a National Commission on Online Sexual Exploitation Prevention to recommend best practices for companies to identify and report child sexual abuse material. Companies that implement these, or substantially similar, best practices would not be liable for any child sexual abuse materials that may still be found on their platforms. Companies that fail to meet these requirements, or fail to take other reasonable measures, would lose their liability protection.

Child abuse is one of the most heinous crimes, which is why i was deeply disturbed by recent reporting by The New York Times about the nearly 70 million online photos and videos of child sexual abuse that were reported by technology companies last year. It is a federal crime to possesses, distribute, or produce pictures of sexually explicit conduct with minors, and technology companies are required to report and remove these images on their platforms. Media reports, however, make it clear that current federal enforcement measures are insufficient and that we must do more to protect children from sexual exploitation.

Please know that i believe we must strike an appropriate balance between personal privacy and public safety. It is helpful for me to hear your perspective on this issue, and i will be mindful of your opposition to the “EARN IT Act” as the Senate continues to debate proposals to address child sexual exploitation.

Once again, thank you for writing. Should you have any other questions or comments, please call my Washington, D.C. office at (202) 224-3841 or visit my website at feinstein.senate.gov. You can also follow me online at YouTube, Facebook and Twitter, and you can sign up for my email newsletter at feinstein.senate.gov/newsletter.

Best regards.

Sincerely yours,

Dianne Feinstein
United States Senator

Thank you for your response.

While i don’t believe that anyone will ever stand up and be pro-child abuse, i caution that using that banner can often cover significant issues as well. i cite Ms Banker’s testimony at the hearing you attended. Perhaps you may have missed it.

One important decision that should be addressed by Congress in the first instance is any choice to limit or weaken encryption technology. While the bill does not identify “encryption” as a specific matter that the Commission must address, the Commission is not prevented from addressing it and the bill calls for the Commission to include a privacy, security, or cryptography expert. For these and other reasons, it is widely anticipated that the best practices that might emerge from the Commission would require that companies either weaken, or refrain from deploying, encryption protections for private communications. Limitations on the deployment or strength of encryption would impact a wide range of stakeholders and equities that are not represented on the Commission, as well as topics not within its scope.

Requiring companies to engineer vulnerabilities into their services would make us all less secure. Encryption technology stands between billions of internet users around the globe and innumerable threats—from attacks on sensitive infrastructure, including our highly automated financial systems, to attempts by repressive governments to censor dissent and violate human rights. Strong encryption is key to protecting our national interests because encryption technology is an essential proactive defense against bad actors.

Giving the government special access to user data—by building in security vulnerabilities or creating the ability to unlock encrypted communications—is impossible without generating opportunities that would be exploited by bad actors. The exponential growth of the internet both deepens and broadens the risks that would be caused by weakening encryption technology. As the internet becomes relevant to more areas of society and the global economy, our exposure to security vulnerabilities expands as well. Foreign and domestic entities have, for decades, targeted private data in hacks aimed at internet companies—a clear threat to our economic and national security. Strong encryption is our best tool for ensuring that the costs of cyberattacks, data breaches, and other types of exposure are low. And encryption can also be a smart strategy to decrease the incentive to engage in hacking. Encryption fundamentally protects the vital interests of our country and its citizens.

i feel i need to underscore this.

Criminals will continue to use effective encryption. Your bill will simply open the potential for innocent citizens, like yourself, your associates, and your families, to have personal information stolen or used against them.

You can either have effective secure encryption, or you don’t. You cannot have secure “back doors” because they WILL be discovered and used. There’s a saying in computer security: “Hackers have infinite time and resources”. i’ll also state that you cannot have an effective secure key escrow system.

i have a copy of the Washington Post article that shows the TSA master keys. These are now available for 3D printing by anyone. There’s also the famed 1620 key, which opens elevator control panels, job sites, and thousands of other locks in New York, and is available for $8. i’d also encourage you to read up about the DeCSS DVD decryption key, or how quickly even very sophisticated Anti-Piracy systems like Denuvo are cracked. Now imagine how big a target your finances and your secure email would be.

It’s a bit like putting up a bill against the practice of dropping puppies into wood-chippers that included installing cameras into every person’s home. Surely, you oppose puppy mulching, so a camera that watches you 24 hours a day, 7 days a week that may be accessed by authorized persons only. Surely, since you love puppies, you wouldn’t be opposed to it, nor would you be shocked if footage of your morning routine showed up on America’s Funniest Home Videos because the master password was written on a post-it that appeared on the Wichita evening news.

i understand how important keeping children safe is. i also understand how critical it is to keep everyone’s personal data safe, and how fragile that system is already. Please don’t make it any more fragile.

Oh for fuck’s sake…

"550 5.1.1 User senator@feinstein.senate.gov' not found

Blogs of note
personal Christopher Conlin USMC Henriette's Herbal Blog Where have all the good blogs gone?
geek ultramookie

Powered by WordPress
Hosted on Dreamhost.