Modern Society, Old Tech

Society Depends on Old Tech

So much of the technology infrastructure that modern society depends on was created long before security was considered a primary concern. In many cases, how technology is used now is far different from what was originally envisioned or designed. While this is great for today’s users, many of the things we have come to depend on have vital flaws that can be exploited. What’s worse, we know that these exploits exist, but only limited progress has been made on the work required to protect these critical systems.

When many of these technologies were first created or developed, the focus was aimed directly at proving if something could even work. Of course, this makes sense as so much of what we take for granted today was the subject of science fiction not so long ago.

Development and Consumers

Companies burned large quantities of cash in order to unlock the potential of these products, so they pushed to get them on the market and profitable as quickly as possible. Adding in additional security features could have required additional time and money; it also might have slowed the adoption of the technology or product. Sometimes, however, the spec is right but the implementation is fouled. I believe an excellent example of this can be seen in Bluetooth pairing. How many times have you seen a default PIN of 0000 for a device?

Governments, especially their military components, have a lot of incentive to keep things secure. However, so much of the technology that was originally built for military use is now being used by consumers in a way that they don’t even realize is insecure.

For consumers, technology generally succeeds only once people find it easy enough to use and adopt it. This presents a challenge for those creating new products and technologies to find the correct balance between ease of use and underlying security. Too many times we see security being downplayed so as to simplify usability, but this is a recipe for disaster. The best options are those that

The Future

Nowadays, we are seeing shifts towards a world where security is considered during the beginning stages of projects, instead of as an afterthought. This is excellent news, but it doesn’t mean we’re in the clear yet. Any software developer knows that there are always bugs in code. Some of them can be catastrophic, but only when extremely specific scenarios occur. Even so, any product or technology that attempts to reduce security holes from the start is already in a better place than most.

Plans for updating and replacing existing technologies need to be created, and their implementation needs to begin quickly to allow time for consumers to adopt them. Some technologies that are impacted and need to be updated include GPS, cellular telephony, and the electrical grid. It is quite obvious that these systems are critical to everyday life in the modern era. In some cases, inroads are being made to secure them. In others, known vulnerabilities continue to exist without repair.

Much like our physical infrastructure, we must invest in and maintain these systems to ensure they will continue to operate. We can choose to pay the cost now, which is admittedly quite expensive, or we will find ourselves with no choice but to pay even more in the future… possibly after something disastrous has happened.

Doubling Down

Simply by adding an article now, I’ve created double of what I’ve posted to this site last year.

I’ve been writing so many papers for school that I sometimes find it difficult to sit down and construct posts for this site. I’ve been able to square that by considering that nobody really reads this drivel anyway.

Based on what I’m currently thinking, the next year might very well get interesting. I’ve gone back to my interests in cloud computing and other nerdy things, and I’m trying to push through to finish earning my bachelor’s degree 15+ years too late. What for? Is it simply to check something off of a list? Or am I trying to make a statement? I’m honestly unsure.

Anyway, Toliver is pushing me to write more here, and simply by including his name in this post I’ve fanned his potentially narcissistic flames.

I’ve got a place where I can post words, and it’s time I start using it.

Amazon and AWS

There have been a lot of rumblings over the past year or two suggesting that Amazon needs to spin off Amazon Web Services (AWS). These rumblings have waxed and waned as various pundits attempt to prognosticate on what Amazon is going to do next.

I find it increasingly difficult to parse the suggestions given in articles when trying to match them to the reality of the world at this time.

"Amazon will decide to split off AWS, because it makes a lot of sense and market forces will dictate it."

Scott Galloway, "The business school prof who predicted Amazon would buy Whole Foods now says an AWS spinoff is inevitable."

I completely understand that spin offs are designed to unlock the value in a company, but I don’t think it’s nearly that simple in this case. There is far more to it than just making the numbers work as part of a business case. If you read the backstory as chronicled on TechCrunch, the idea behind Amazon launched from previous integration nightmares the company had experienced in the past. Amazingly, this was 15 years ago already, long before most developers were even thinking of integration at a scale like this.

The feasibility of a spin off is not the question here. Of course AWS could be spun off into a separate corporate entity, and it absolutely would do quite well. The reason it seems unlikely to me that they would do so is that Amazon would lose a lot of the flexibility that they currently enjoy from operating the AWS platform.

The principals at AWS most assuredly look at the needs of all of their customers; just a casual glance at the list of product announcements from AWS re:Invent 2018 should provide ample evidence of their intent. Ensuring the ease of integration as well as a convenient ability to quickly harness a large number of tools continues to help businesses of all sizes.

But, I’d be shocked to learn that Amazon proper doesn’t have the ability to put their thumb on the scale to push feature development as part of AWS development timelines. That alone indicates that the value proposition of retaining control of AWS hasn’t been fully considered, suggesting that the cost of an AWS spin off is higher than previously calculated. Considering how Jeff Bezos approaches, well, everything, it seems to be a stretch that relinquishing control of a well-run division of Amazon, when the company itself depends so much on it, would be something considered unless an unexpected hardship were to occur.

The conclusion that Amazon and AWS aren’t co-dependent seems quite short-sighted when considering the technical aspects. Sometimes the math is only part of the equation, and further investigation is required.

"In the end, arguably the most compelling reason to split up – and the most meaningful end goal that can’t be achieved in another way – is to avoid government regulation."

John Divine, U.S. News and World Report, "Should Amazon Split Up? 3 Pros and Cons."

The idea of avoiding government regulation is an interesting one, but I doubt it’s a concern the company will need to face in the near future. It seems much more plausible that an entity like Facebook would need to worry about this. The Department of Justice took on Microsoft with little to show for it; for all of the bluster of the day, Amazon seems well positioned to avoid the scrutiny of U.S. regulators.

Of increasing concern could be the European governments with the implementation of GDPR, but AWS is well ahead of this. It’s always possible that Amazon could run afoul of the GDPR privacy rules, but a company with resources like Amazon should have that well in hand. Furthermore, while I haven’t read GDPR in its entirety, it seems more likely that Amazon would be charged with hefty fines than find itself burdened by regulation it can’t keep up with.

Ponzi Schemes Need Docs Too

Documentation in code is extremely important, even if developers hate doing it. We’ve all been there, stuck debugging some confusing code that has zero code comments. It made sense to the dev at the time, but they’ve long since moved on and you’re stuck supporting that bad boy.

GitHub recently released the results of their Open Source Survey, which polled active users to better understand how they were using the software. One of the primary insights they learned?

"Documentation is highly valued, but often overlooked."

I just recently finished listening to Ponzi Supernova. This podcast provides some interesting backstory around the Bernie Madoff investment scandal that he confessed to in late 2008.

I won’t give away many details from the podcast, as it was very well done (and you should go listen to it immediately). But, I couldn’t help but reflect on a very important point. In the podcast, it was suggested that the code comments from the application(s) used to generate the fraudulent transaction statements and other corroborating documents were used to confirm that the trading programs were specifically constructed to target or avoid ongoing audit activity.

That caught my attention, so I did some searching. Sure enough, I came across an article that detailed that the RPG programs included code comments specific enough to convince a non-technical jury that the application was indeed built and subsequently manipulated in a way to pass various audits:

So the pair resorted to what any normal RPG programmers would do: They added comments to the code.

"The programmers nicely commented the code, which made explaining some things easier, because they said this is what they’re doing," Diedrich says. "The jury didn’t have to try to read the code. They said ‘This is how we’re generating these numbers.’"

Perez and O’Hara also added comments to ensure their audit preparation was up to snuff. "There were comments in the code that indicated, for this kind of audit we need this kind of information," Diedrich says. "The code would say, ‘We don’t need this for this audit,’ so they commented it out from the code at times, then they would put it back in for the other audits."

So, there you have it. Code comments are important to everyone, because you never know when you’ll be involved in a high stakes Ponzi scheme designed to defraud people of over 65 billion dollars.

Personal Retrospective

As part of Agile development, one of the many important processes is the Retrospective. This is a meeting held by the team at the end of a sprint or a release or some such other important milestone. The intent is to allow the persons involved the ability to comment on what went well, what went poorly, and offer suggestions on what could be done to improve things in the future.

One year ago, I elected to make two significant life changes on the same day. It was a completely terrifying time in some respects, yet it was also exhilarating in others. On that day, I decided to both tender my resignation to my employer and advise that it was time to end my marriage. After it was done, more than a few people thought I was a little crazy to be making such big changes at the same time. I plan to discuss some of the things related to my employment changes on this site in the future, but will refrain from discussing anything related to the divorce as that’s private and only two people will ever understand those dynamics.

So, on to the retrospective. I’ve become much more active, have been making better choices when it comes to the food I prepare and eat, and have made significant improvements to my financial situation. I’m sitting down less, I’m reading more books, and I’m getting a consistent amount of sleep. I’m pushing myself to stay organized, and I’ve finally begun posting things on this site again.

In the negative column, I’ve somehow managed to lose contact with a few people who are really important to me, and I’m not sure how to get that back. I would never have expected that a year ago, and it’s still painful today. I also realize that I’ve been more moody and introverted as I deal with the fallout from some things. But I’ve always been like that, so I’m not really surprised.

In some ways, I hardly recognize myself from a year ago. I’d definitely do a few things differently given the chance, but in most respects I’ve made a lot of progress over the past year. There are a few more things that I’ve realized as well, but I have no plans to put EVERYTHING up on this damned site.