The Grognard Faces Down XCode

My favorite term these days is grognard. I am misusing it terribly, no doubt. But I like this word. It’s evocative. It’s more polite than neckbeard, but only slightly; grognard has a guttural sound in the back of the throat that makes it a bit more worldly-sounding.

This leads into a technical discussion of sorts. I am trying to learn iPad programming (I will no doubt talk about it at length as I puzzle it out and get things working) and this means moving out of my rather enormous comfort zone and into somewhere new. I’m a UNIX grognard. I haven’t written any Linux kernel mode drivers* but if something needs to be done on Linux or a UNIX variant I’ve probably done it, bootstrapped it, duct taped it, or otherwise shouted at it really super loudly.

When I cracked out the books I let loose a mocking laugh for lo, everything started with “NS” for “NeXTStep” and we all know where we are with NeXT. Yeah we know where we are — lost. I work in a text-mode universe** and all of a sudden I had… tools… that generate… code… and do… things. And it all mocks me from its NeXTStep past!

I downloaded Xcode 4 and got it all set up and running and was instantly lost in a maze of twisty passages all alike. Swearing happened. So did the throwing of the book. Here I am in a very familiar universe of gcc and gdb and Unix-mode tools and a completely weird world of clicking and dragging and things that refactor code by somewhat magic and, uh, stuff.

I don’t… do… stuff.

I was weirded out.

Two days — two full days for someone who cut C on a mainframe — before popping up a window, creating some controls, generating a class, and having it display “Hello World.” Look! Something approximating success!

It’s kind of funny how things that are old are new again. NeXT. Smalltalk in its cunning disguise as “Objective-C.” Low-level C hacking. Hand-coding memory management. GCC tricks. Trying to fit a ton of code in a very small place. It is all wrapped in a little tiny happy graphical shell.

I have reached grognard.  And I have faced down XCode.  And I am fairly certain it has won.

* Yet.

** I am occasionally okay with Eclipse but even when working in Java I find it annoys me enough to go back to the text mode universe. The only non-nano/vim universe I have ever liked is TextMate for MacOSX. I am, in fact, writing this post in gedit on Ubuntu which is a half step above “putting HEX into memory.”

The Route to Nirvana

I don’t believe this has to be said but I have discovered that it has to be said:

If you are hosting a huge party for a whole bunch of random people, you should have your DJs mix up 80s pop music, preferably 80s top 40. Sure, playing the newest techno and trance out of Ibiza is hot and edgy and cyberpunky, and I openly admit I own some of said newest techno and trance from the clubs in Ibiza, but no one is going to dance. What is the point of having a dance floor when no one is going to dance to the throbbing techno? Geeks don’t pack Ecstasy and they don’t flop around to Gabriel and Dresden, but I guarantee they know the words to Bon Jovi songs. Everyone who owns Rock Band knows the words to Bon Jovi songs!

This is the Route to Nirvana. Even off Nevermind.

Come on, guys. This is the secret to the success of Glee. The hits of the 80s. And Queen. Some Bowie. It should be obvious.

I just had to get that off my chest. I thought it was clear to all and sundry but apparently it needs to be said.

RSA Conference

Hey all —

This is a Public Service Announcement that I am attending the RSA Conference out in San Francisco, CA from February 14th-18th and coming home the 19th. If you want to meet up because you a) haven’t seen me in 10+ years or b) you are curious what I actually look like, let me know and I can make arrangements!

On Wikileaks

I am torn on the latest dump from Wikileaks. On the one hand, the United States needs to be able to conduct its dealings on a world stage with the security standbys of “integrity, confidentiality and availability.” Diplomats need to be able to prove they are who they are, have confidential communications with other parties, and do so securely. This is basic security: they need to be able to have the dealings they need to have, no matter the content, without fear of unauthorized prying eyes. Otherwise, it is very difficult for people who have to have sensitive conversations as a routine part of their job to have these sensitive conversations. A government needs to work behind closed doors from time to time to function properly.

On the other hand, this is the same United States government that wants to read my email and see me naked if I want to fly to Detroit. I want to have sensitive conversations too.* I want to not have the government peer at my daughter’s body “for her own good.” I find my sympathy a bit limited. When I see heads of state complaining of feeling their privacy has been violated, I want to give them a Club Membership and a Beanie. It has a propeller. Welcome to the Club: it’s nice over here.

We live in a data-centric world and, if data wants anything, it wants to be free. It’s like pollution: pour a little into a stream and the whole fish stock is contaminated. We generate so much data even on a daily basis as individual human beings that simply attempting to analyze it all or even record it is currently prohibitive.** Data is just noise, for the most part; a denial of service attack on our higher brain functions. To do anything with data, it has to be correlated and sifted and sorted. To get the right data across the right functions, the data has to be, above everything else, shared.

This is where the government is way behind the curve. Most of the three-letter agencies have been working in absolute silence for their entire existence. But now, data has to be shared to make any sense of it. There’s just too much data coming from too many points and it all needs to make sense. And going from a full confidentiality environment to one with availability of data is actually and honestly a hard problem. Data is going to get everywhere. It is going to leak. It is going to pour out the cracks. This is what data does.

Hard problems are hard.

The DoD immediately banned USB drives***. Lots of people started screaming and yelling about espionage or treason****. There are a few hair shirts. From what I have seen — and I admit I haven’t sat down to read the cables, only the NYT summaries of the cables — there’s nothing really amazing or breathtaking in there. The Chinese Government attacked Google. People think Iran getting the Bomb is Bad. I have seen people yelling with hands clutched over their chests that it will end transparency in government — although this is staggeringly unlikely. The government is not particularly transparent to begin with; that’s the entire point.

So ANYWAY, To Sum Up, My feelings in Exciting Bullet Point Form:

* When journalists get juicy information they publish it. Where they get it doesn’t matter. As long as it’s verifiable, it gets published. That’s what journalists do. Or at least they did once upon a time. And not all foreign journalists are super nice to the People In Power.

* … and this is healthy, because Democratic Governments really and truly need an adversarial press to keep them honest. This is why we have enshrined the freedom of speech and the freedom of the press as some of our highest cultural ideals. The government needs to be exposed and of course a government will do anything it can to repress information that got out of its control. That is what governments do. These sorts of things are good for governments. It’s like getting a flu shot. Sure, yeah, we’ll have a few months of retrenching but it might make some people think. It is the job of the people to keep their elected officials plausibly honest and it is the job of journalists to pour data into the heads of the people.

* And it is not like foreign countries are going to stop hosting systems with Wiki software. In fact, it’s kinda fun! Except for the DDOS parts; those are a little annoying.

* Meanwhile, the Federal Government is learning what lots of us in industry have learned: defending data while still making it usable and useful and safe is really freaking hard.***** What do I always say? Security is hard and encryption is slow. Yes, I absolutely believe that people who need AIC should get AIC while sharing data between two parties. Yes, I feel the State Department should be able to work in a confidential atmosphere. Yes, I feel this is important for the security of the United States. But see points A, B and C, above.

* There’s a balance to be struck between what the governments can do and what the people know. We need to rediscover that balance.

* Ta-da! Behold what the Slashdot crowd and security crowd have been yelling about for years: privacy is important. And not just for people in the public sector. For everyone. FBI back doors into ISPs and unauthorized wiretapping and tracking cookies and naked scanners and you name it. Privacy is important. It is. It really is.

* Sure, I can. I know how. It’s not that difficult but it is time consuming and nonstandard and key sharing/rotation is annoying.

** Although, dear God, who knows for how long. I can run a MySQL DB on my laptop and mine hundreds of gigs of data. I can buy a T from Best Buy. A T! And I made a fool out of myself in graduate school asking: “Why would you ever need a T of space?” Why indeed.

*** Yeah. Well, good luck with that. Physical security of teeny devices that can look like bananas or coke cans is a bit challenging. I hear the TSA has some new machines to search people for plastics, I guess. I would fill all the USB ports with rubber cement but I know that’s really not workable because it blows up service contracts.

**** Not sure how treason works with a foreign citizen living in a foreign country but whatever. We don’t let details get in the way of a good soundbite.

***** I know this initiative has been going on for a while now, actually.

On the TSA

Security conferences are little microcosms of the security industry mindset.  Everyone herds excitedly to the talks with the new, big, lurid hacks because offense is super sexy.  We all ooh and aah as someone with a Powerpoint deck demonstrates some explosive breach of known security.  Then the talk is over and immediately we’re herded to the vendor aisle where the vendors schlep an array of expensive pieces of hardware.  Seen the attack?  Now here’s the countermeasure!  It will only cost you $100,000 and several hundred man-hours to get up and working but you don’t want to be subject to that attack you just saw, do you?  The CTOs and CEOs, many with MBAs instead of engineering degrees, shake hands, watch demonstrations, take cards, promise to make calls because this hoopy new equipment will stop that very scary new attack because wow was that scary.  They have room in their budgets, they promise.

As a security professional, my brain isn’t wired right.  I love hot new attacks.  I find them fascinating.  I read about them obsessively. I should be working but no, I’m reading some new way to take out a database with a well-crafted command.   But I’m also an engineer and I know that an offensive demonstration sells expensive, and somewhat dubious, defense hardware and defense is big business.  Yeah, you need a big heap of hardware these days to run a secure network, I’m not claiming you don’t, but I also know that the sexy new attack may also be mitigated, not with another $100,000 expenditure, but with a few hours of expert code review.  I have a dollop of doubt gleaned from many years of experience.

But that doesn’t stop the anxious CTO or CEO who has a mandate and, instead of doing threat modeling and risk analysis, wants to fix the problem quick with a new piece of hardware because wow that Powerpoint deck was pretty scary.  Everyone get to work!  Plug this in!  Make system changes!  So it goes.  It keeps us all employed.

Terrorism is a physical security problem that cannot be stopped at the gates of an airport.  If a terrorist has reached an airport, the terrorist has breached many layers of other security — real security and law enforcement.  It is far too late.  The system has failed.  At that point, only three things mitigate the attack: reinforced doors on airplanes, passengers who will not be cowed, and people who blow themselves up are generally not the sharpest tack in the pile.*  That’s it and those goals have been achieved.  Past that, putting money into police and emergency response would be useful.  It’s a crime and like any crime it’s essentially random; it’s an externality whose real risk probability is low.  If you have 300 million fliers and 1 terrorist, then you deal with the problem when it happens because searching for the real risk at the point of entry is futile.**

Logic and good engineering dictate that we model for high probability risks when securing our systems and work to mitigate those risks. However, the Powerpoint deck for global terrorism offensive attacks is super hot: it shows buildings blown up and dead people in the streets and bodies and planes crashing into buildings.  It’s damn scary.  Worse, it makes the stakeholders unelectable if such a thing comes to pass.  Non-engineers sitting in elected or appointed office look at those Powerpoint decks and Get the Fear. They then walk out down the aisles of vendors afterward and they say: “I will take one of everything.”

The TSA is not a security organization.  They don’t serve any real security purpose.  Other people in other government organizations deal with the real work.  No way can people hired from ads off the back of pizza boxes and given 40 hours of web-based instruction know what to do if they encountered an actual terrorist.  That’s absolutely absurd.  The threat model shows the probability of an actual terrorist in an airport line instead of, say, just mailing the bomb, is infinitesimally low. It’s an acceptable risk to put non-security personnel in security positions.  It makes for a great government work project in a recession.    And wouldn’t a terrorist with an actual live bomb just blow himself up in one of those backscatter machines?

The TSA does serve a very important purpose to the Federal Government: Marketing.  They market security.  They have SIGNS.  And UNIFORMS.  They give people Very Meaningful Looks.  They stand around in airports with big machines that go bloop like great big advertisements full of warm fuzzy safety.  They market for elected leaders who want to show they are keeping us all safe.  They’re like the election time TV advertisements except with groping.  Go through the bloop machine!  Don’t you feel safer now?

Take off shoes, take off jackets, throw out liquids, get pat downs, go through scanners — none of it serves any actual purpose except to sell to a jittery public who feasts on capitalist marketing a feeling of security because real security is hard and doesn’t always succeed.  That’s the hard truth the public will not accept: we are unable to defend against all risks.  It’s not physically possible. But the Government will give you a pleasant illusion.  To sell warm fuzzy non-offensive security when faced with a real (if lame) attempt, the TSA must buy more machines that go bloop because someone in a suit watched a very scary Powerpoint deck indeed and some smiling vendor was standing with their card right outside the demonstration.  If they don’t install the machines that go bloop, what do they do?

Funny thing, the Government, under money pressures, now has to provide a strategic, risk-based assessment of their security countermeasures starting Real Soon Now.  The machines that go bloop and the new security measures must be in place before the risk-based models go in.  The TSA has not turned in any risk assessments of the new machines to the GAO to justify the purchases and they won’t because the risk of finding someone real with their current operation is so tiny and the risk of something going wrong with the machines is so much greater that the purchase can’t be justified.  But they don’t need risk assessments because, at the core, the mission isn’t security.

My stance on the TSA is well known.  I don’t like such obvious wastes of money, and I especially don’t like it with machines that go bloop and may or may not cause skin carcinoma.  Nate Silver has an interesting article on the hidden costs of extra airport security.  But next time you go through security, you should ask for a Coke with your grope — at least with a Coke, you get a Coke!

I have more stuff, about how security has a customer service and customer expectations model to it, about how the TSA needs to think of itself as a customer service organization first, about how the entire organization has to be rethunk, but this post has gone on long enough. The TSA is here to stay.  They provide too much CYA to lawmakers to ever disband.  But to save us all money, they should just pull the plugs on the machines and send us all through.  It will help with global warming, at least.  If they unplugged the machines, would you ever be able to tell?

Here’s the recruitment pizza box. You can find it a bunch of places.

Threat Level’s discussion on TSA training.  40 hours of web-based instruction and 60 hours on the job!

Here’s the GAO report I cite.  I cannot find if their position has changed but as far as I can tell, no risk management study has been completed.

* If you think strapping a bomb to your nads is smart then I have some equipment I can sell you!

** The argument here is “but the attack is huge.”  Yes, that’s possible, but the point stands: if the terrorist gets on the plane there are bigger problems with the system.

A required iPad app

A quick interlude:

If you have an iPad, you will want to go to the store and download the new, free TED talk app. It’s an interface to the TED website but much more comfortable to view. TED talks are about really cool things given by really cool people. Want to learn something cool about science or tech or art in 20 minutes? Watch a TED talk.

My only complaint is the lack of a good search engine to find talks. Hopefully they’ll take feedback – it’s a common complaint – and get one into the app soon.

It shows off your iPad and it’s free. If you have an iPad, you should have the TED app.

Awesome Guitar Software is Awesome

I have two — two! — pieces of awesome software to showcase today for the iPad. Perhaps you thought the iPad was only good for watching Netflix streaming but now it is made of rock.

TabToolKit by Agile Partners

At first blush you may be all “buh?” But let me tell you the greatness of TabToolKit.

If you’ve played guitar for years… and years… and years… and years… you occasionally open up an old book or an old bag and there, lurking within, is a badly scratched-out tab, downloaded as an ASCII document from some repository, of some guitar song or other you really wanted to learn but all you had was this tab that sort of told you where to put your fingers and not a hell of a lot else. You struggled for a while and then gave up. TabToolKit:

1. Organizes your tabs. If nothing else, it means no more printing them out, folding them up, or ripping them while trying to play awkwardly on the couch.
2. Displays them in a neat and easy way for practice — especially on an iPad with an easel stand.
3. Uses Guitar Pro tabs which have all the parts to a song, the sheet music, and the tabs so the music-savvy can actually look at notes and go “oh, that is way less difficult than I thought.”
4. Has metronomes, speed up, slow down, looping and repeat features for working on a particular practice.
5. Count in and play at any point in the song.
6. Drop voices in and out.
7. For those wondering how to play said power chords, it highlights where to hold the strings down on the fretboard.
8. And Guitar Pro tabs are extremely plentiful for free.

I love this piece of software. I absolutely love it. I recommend TabToolKit to anyone with a guitar — a beginner, someone looking to improve, someone wanting to carry their collection of tabs around conveniently, anyone. It is squee in a can. It’s iPhone/iPod/iPad — the iPad version is a native, full screen version.

Amplitube for iPad by IK Multimedia

I love the original Amplitube but getting my guitar jacked into my Macbook Pro was always a huge hassle — converter boxes that never worked, feedback noise, weird issues. I ended up with an actual guitar-to-USB cable that lost sound and had high latency but at least worked. Despite this, Amplitube is such a marvelous piece of software it justifies buying a Mac (a Windows version is now available) to complement one’s electric guitar. Who wouldn’t go through the trouble for all those stompboxes, amps and cabs in one place to model any sound, anywhere?

Now I have Amplitube for iPad. Sure it has far fewer stompboxes, amps and cabs than the big software load but what it has is more than enough to model up any sound for any purpose.

1. The iRig dongle works out of the packaging without any software or configuration. Plug guitar into iRig. Plug headphones into iRig. Plug iRig into iPad. Done.

2. Amplitube for iPad (iPhone, iPod) works right out of the box and comes with 12 presets, 11 stomps, 5 amps and 5 cabs for the full ($20) install of the software. The stomps and amps all have little knobs that turn by running a finger along the screen for custom settings. Settings can be saved.

3. The modeling sounds excellent. The latency is low. The feedback is non-existent.

4. Everything sounds better with the Delay pedal which does lock to a BPM. You, too, can sound like a bad Yes knock-off!

I have not played with pulling in my own track and putting effects over it on the fly but this is a supported feature.

It’s just full of squee. Instead of carrying around a Mac and a whole toolbox full of cords and gizmos to get it to work and then not being able to get it out to a speaker or an amp, all I need is my regular guitar cable, the iRig, headphones and/or output device and the iPad. It sounds fantastic.

For someone who just wants to sit and pick up a guitar and play, and have the guitar sound good through the headphones, this is a must-have. The iRig is $40. The software is either free (Amplitube FREE) with the option to add to it, or $20 for the full build. Everything, yes, is $80 but $80 is the cost of a single, good stompbox*.

So see? The iPad does do things other than just stream videos.

The alternative I recommend for the same price is TabToolKit and a Line6 PocketPOD, but the Amplitube has the visceral feeling of messing with gear where the PocketPOD is dialing to a setting. Not that I don’t love the POD, but I am more likely to have the iPad on me than the PocketPOD.


I know this is a little stale (2 whole days!) but I have some quick thoughts on the whole Wikileaks thing:

1. The documents posted aren’t the Pentagon Papers. They contain nothing people didn’t already know. They say the War in Afghanistan is going badly and was never funded well. No news there.

2. Regardless, these were classified documents and leaking classified documents to unclassified sources is bad. Yet, it was a matter of time. If anyone has been following the Top Secret America series on the Washington Post, you know the Intelligence Community in DC has almost 900,000 people. Holy Jumping Jesus, it’s a government jobs program! And all of those people have been cleared. That’s an awful lot of Trust with a capital-T. If 99% of the people involved are honest and 1% of those people feed information to places like Wikileaks, that’s still 900 people — most of them contractors.*

According to Threat Level, the Pentagon claims it has someone but I would be shocked — SHOCKED — if that was the only person leaking to Wikileaks. By a long shot.

3. Why is everyone breathlessly surprised at the rise of rogue media?  Hell, if spammers and phishers can put up renegade sites, run them for a few hours, tear them down, and bring them up somewhere else, why are we so surprised someone with a hard drive can move a PHP wiki?

Really? Surprise? Hosting sites abound — many nicely outside the US jurisdiction. How hard is it to find a DNS server, a LAMP stack, and SCP to upload files? Wikileaks cannot be stopped or killed — and certainly not by some angry words and a shaking finger. If you can hide your millions offshore, you can certainly run a website.

It’s point #3 that gets me — the shock and surprise. I want to Vanna White and say, “The Internet — Let Me Show You It.” What did people think was going to happen when mass communications met guerrilla disclosure and guerrilla journalistic tactics?  Or did we all believe we were going to hold hands and watch FOX News together, forever?

* As a professional security weenie, I have a hard time believing in a mere 1% of dishonesty in contractors.

Extra Bonus Post!

1. I found a nice program called Calorie Tracker for the Droid (free) that backs to a massive database of restaurants and foods. It also has barcode search via the camera, tracking across all sorts of metrics (carbs, fat intake, etc), graphing, etc. My experience with trying to find out what is wrong with my diet is mostly one of data collection. Whatever it is, I’ll find it and stop eating it. Or at least find things I shouldn’t be eating in general and stop doing that.

2. I fell asleep watching this older documentary on the Dark Ages from the History Channel last night. Yay Netflix streaming to a device that… I shouldn’t be in bed with but I was trying to stay up and failing. Two interesting facts occur to me:

A. These documentaries are myopic. They completely leave out the existence of Constantinople and the Eastern Roman Empire. No mention is ever made that they tried to recover Rome through several invasions via southern Italy. All of Eastern and South-Eastern Europe simply disappears off the map. Leo the Great! The General Basiliscus! Zeno vs. the Ostrogoths!

Oh… nevermind. No one gives luv to Constantinople.

B. If one wants to know what would happen in the case of a Zombie Invasion, study the Fall of Rome. Seriously! A decadent Empire is felled by invaders who take over the cities and force the few survivors to scrabble through the ruins to scratch out survival. Any moment a barbarian may appear and take people out with an axe (or a zombie virus). They never stop coming! To survive, the survivors collect next to the ruins of technological marvels they could never hope to replicate and strip them for parts. Aqueducts fail. Roads crumble. Bits of civilization hold out — the Roman Governor of Gaul held out for a breathtaking 70 years — before the barbarians (zombies) took out the last bit of existence.

I was so excited by the parallels last night I fell asleep. But don’t duplicate my example. Read a book! Or Wikipedia! The perfect blueprint for a Zombie Invasion — right from history!

More eBooks

I saw yesterday some statistics that people are reading slower on their eBook devices than on actual books. I find that I read noticeably slower on the Kindle than the iPad, but not noticeably slower on the iPad than a real book. I’m not a jiffy speed reader anyway; I’m not sure it makes a huge difference. The stat I saw was 6.2%. A summary of the study is here.

But what did we learn? People hate to read off their PCs*, loved their iPad, and were still fond of the printed book. This is sort of a “duh” moment, but it is “duh” quantified.

I am firm in my belief that the codex is going nowhere. Not only are the devices expensive**, but they are good only for fiction and narrative-form non-fiction. I know that Amazon has a dream of getting into the textbook market but I have a hard time seeing how a math book is going to work on the Kindle.

Meanwhile, the market is predicted to grow to some 12.5% this year. Borders, late as always, opened their eBook store this morning with the execrable Sony Reader. Better late than never, I suppose. But I cannot seem to browse the store online to see if it has Pynchon in eBook form so it is dead to me.

For those of you who are sort of waffling on this eBook thing, I recommend downloading Arturo Perez-Reverte’s absolutely brilliant “The Club Dumas” from the Kindle store to try it out and read it on whatever device has Kindle software (all of them). Or really, just read that book in general because it’s awesome.

* I am notorious for having to dump every PDF I get to the printer — or did before I had an iPad and the saintly perfection of GoodReader. I avoided long articles like the plague but now between Instapaper and GoodReader on the iPad, I can read them easily.

** w00t had a $150 Kindle and it sold out almost instantly. The Kindle is now at Target. I expect a sub-$100 reading device that doesn’t suck by Christmas. Even then, it will lock out a fair amount of the market in price.