Four Short Links
Nat Torkington’s eclectic collection of curated links.
Four short links: 8 June 2020
Privacy, Automating Decryption, Development, and Homomorphic Encryption
- Privacy Threats in Intimate Relationships — This article provides an overview of intimate threats: a class of privacy threats that can arise within our families, romantic partnerships, close friendships, and caregiving relationships. Many common assumptions about privacy are upended in the context of these relationships, and many otherwise effective protective measures fail when applied to intimate threats. Those closest to us know the answers to our secret questions, have access to our devices, and can exercise coercive power over us. We survey a range of intimate relationships and describe their common features. Based on these features, we explore implications for both technical privacy design and policy, and offer design recommendations for ameliorating intimate privacy risks.
- Ciphey — Ciphey uses a deep neural network to guess what something is encrypted with, and then a custom built natural language processing module to determine the output.
- No Bugs, Just Todos — Nice set of guidelines for software development teams. Practical and based in the real-world. Example: The possible ticket states are often designed by architects and not by people who are actually going to use the thing. I’ve seen a map of issue state transitions that definitely looked Turing-complete. I advise to start with the “Todo”, “Doing” and “Done” triad and only add more if absolutely required. Moving issues from one state to another needs to be associated with an explicit action. If you add more, make sure that you have an explicit agreement with everyone that the latest-stage ticket has the highest priority unless you are going to get all tickets stuck in the most boring stage, such as “verification”.
- Homomorphic Encryption Libraries — A list of mature open source Full Homomorphic Encryption libraries.
Four short links: 5 June 2020
Computers Barely Work, Instrumentation, Feedback, and Robotics Debates
- Computers Barely Work — An interview with Greg Kroah-Hartman. A joyful interview with a Linux kernel maintainer, words I never thought I’d type.
- TinyInst — a lightweight dynamic instrumentation library that can be used to instrument only selected module(s) in the process, while leaving the rest of the process to run natively. It is meant to be easy to understand, easy to hack on and easy to hack with. It is not designed to be compatible with all targets.
- Stay Motivated When Feedback is Scarce — Reduced feedback, diminished external encouragement, and decreased interpersonal interaction don’t just take an emotional toll; they can take a toll on our work outcomes as well. If you want to be a valued coworker and manager, learn to give feedback.
- Robotics Debates — Great moots! Robotics research is over-reliant on benchmark datasets and simulation; and Robots designed for personal or household use have failed because of fundamental misunderstandings of Human-Robot Interaction (HRI).
Four short links: 4 June 2020
GANs, Detecting Generated Text, Workflow, and Open Source Business
- Ears to Faces — our goal is to generate a frontal face image of a subject given his/her ear image as the input. It’s … astonishing.
- GLTR — a visual forensic tool to detect text that was automatically generated from large language models.
- Moving Work From Push to Pull — A small Phoenix Project-type story for something that isn’t software. This caught my eye: Studies of new product development organizations in the consumer electronics and motorcycle industries suggest that R&D systems often have three to five times as many projects in progress as they have capacity to complete.
- The Business of Open Source — Adam Jacob’s excellent advice on how to commercialise your open source project. 1) produce a product based 100% on open source code. 2) be the sole distributor of that product, based on your trademark, under whatever commercial terms make sense for your business. 3) encourage and collaborate with folks who want to build alternative distributions. I asked him to unpack various bits of this to make sure I understood it, and I think you’ll find it a short yet interesting read.
Four short links: 3 June 2020
Undie Detector, Formal Methods, Workflow Automation, and Open Source Multimedia Communications
- Undie Detector — Safe Meeting keeps an eye on you during your video conferences, and if it sees business-inappropriate attire, the video is immediately muted.
- Using Formal Methods to Eliminate Exploitable Bugs — An overview video of the use of formal methods to prevent bugs, with reference to DARPA’s High Assurance Cyber-Military Systems project.
- n8n — A workflow automation tool with a not-for-sale/hosting license (Apache 2.0-licensed, with a “Commons Clause”).
- PJSIP — a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. (via Hacker News).
Four short links: 2 June 2020
Coders on Twitch, Information Warfare, Myths of Reliability, and Policy as Code
- Coders on Twitch — Currently, livestream coding is an open secret — a flourishing subculture that’s easily overlooked. At any given moment, there are at least a dozen coders streaming, and there are hundreds of active streamers cataloged in Twitch’s Science & Technology category. Passive pair programming?
- Finding and Characterizing Information Warfare Campaigns — I present the strategic context of the information warfare that we see today, and identify and define information warfare forms of maneuver. I develop
various supervised and unsupervised methods to identify bots at four different data granularities. I present a deep learning model to classify memes as well as study
the evolution of memes within a conversation. I present a template for understanding the major components of an information campaign and develop automatic ways
to populate this template for a specific event. Finally, we present a Bot, Cyborg, and Troll Field Guide to help analysts and the general population understand these entities. - Myths of Reliability — 1. Remove the people who cause accidents; (2) document best practices and runbooks; (3) defend against prior root causes; (4) enforce procedures; (5) avoid risk; (6) simplify; (7) redundancy = better reliability.
- Policy as Code — policy staff typically write rules in English and distribute them in PDF form. Technical staff then read the complex policy rules and translate them into computer code to implement the policy in digital systems. Structuring this as a two-step process introduces lag and room for misinterpretation. Bringing technical and policy staff together to write and publish policy rules as computer code together early on improves both speed and accuracy.
Four short links: 1 June 2020
Face Swapping, Disinfo, Image Scrubber, and Taste Display
- Real-time Face Video Swapping From A Single Portrait — Our method runs fully automatically and at real-time rate on any target face captured by cameras or from legacy video. More importantly, unlike existing deep learning based methods, our method does not need to pre-train any models, i.e., pre-collecting a large image/video dataset of the source or target face for model training is not needed. We demonstrate that a high level of video-realism can be achieved by our method on a variety of human faces with different identities, ethnicities, skin colors, and expressions. Video.
- Disinformation Strategies and Tactics — Notes from a talk at the Internet Freedom Festival by Gabrielle Lim. See also David Schmudde’s summary.
- Image Scrubber — Interesting transparency and trust model: it’s open source and a static site run from GitHub Pages.
- Taste Display — The Norimaki Synthesizer taste display was designed using five different color-coded gels made of agar packed into a tube shape, which uses glycerin for sweet, citric acid for acidic, sodium chloride for salty, magnesium chloride for bitter, and glutamic sodium for umami. When pressed against the tongue, users experience all of the flavors at the same time, however mixing those gels and adjusting their amounts and intensities creates specific flavors. Can you imagine the bug reports? “When I combine mushrooms and orange juice, it tastes like a sour fart.” If you’ve got a taste display, you don’t want no core dumps.
Four short links: 29 May 2020
Confidential Computing, Systems, Visual Programming, and Deno
- Confidential Computing — Confidential computing uses hardware-based techniques to isolate data, specific functions, or an entire application from the operating system, hypervisor or virtual machine manager, and other privileged processes. Data is stored in the trusted execution environment (TEE), where it’s impossible to view the data or operations performed on it from outside, even with a debugger. The TEE ensures that only authorized code can access the data. If the code is altered or tampered with, the TEE denies the operation. (via John Gossman
- Six Levels of Interaction with a System — The six levels of interaction with a system are: Non-use; Use; Monitor; Maintain; Repair; and (Re)build. (via Charlie Harrington)
- Nodes — a JavaScript-based 2D canvas for computational thinking. It’s powered by the npm ecosystem and lives on the web. We take inspiration from popular node-based tools but strive to bring the visual interface and textual code closer together while also encouraging patterns that aid the programmer in the prototype and exploratory stage of their process.
- Deno is a Browser for Code — Interesting thoughts on trust, dependencies, and discovery in Deno vs Node.
Four short links: 28 May 2020
Museum Closes, EOS Webcam, Influence Operations, and Automation Failure
- Living Computers Museum Closing — Since we opened, our philosophy has been simple. To understand computing technology, you need to experience that technology firsthand. The current global situation is making it difficult for us to serve our mission and we will spend the months ahead reassessing if, how, and when to reopen. It’ll be a great loss if they don’t reopen. I hope someone who made a bundle in the last 30 years, and who loves this vintage hardware, will keep them going.
- EOS Webcam — Turn Canon DSLR camera into a webcam.
- Coordinated Influence Operations — Google have a new transparency report, around the takedowns and other activity around coordinated influence operations.
- Automation Failure — Good story about attempting to add an automated regression suite, and how it failed.
Four short links: 27 May 2020
Facebook Ethics, Ubiquitous Voice, ML in Production, and Prediction Limitations
- Facebook Reportedly Ignored Its Own Research Showing Algorithms Divided Users — “Our algorithms exploit the human brain’s attraction to divisiveness,” one slide from the presentation read. The group found that if this core element of its recommendation engine were left unchecked, it would continue to serve Facebook users “more and more divisive content in an effort to gain user attention & increase time on the platform.” A separate internal report, crafted in 2016, said 64 percent of people who joined an extremist group on Facebook only did so because the company’s algorithm recommended it to them, the WSJ reports.
- Voice in Everything — Look, my point is that this is not beyond the reach of very clever people with computers. Stick a timer in my stove, a switch in my light bulb, give each a super limited vocabulary, never connect to the internet, and only act when somebody is addressing you. Which, in turn, gets rid of the complicated set-up and addressing interaction design issues of centralised voice assistants. No more “front room lights: lamp 1 turn on” because… you just look at it.
- A Practical Guide to Maintaining Machine Learning — As Mike Loukides says, “ops is unprepared for ML”. [S]ome practices I’ve found useful to maintaining machine learning in production.
- Measuring the Predictability of Life Outcomes with a Scientific Mass Collaboration — Hundreds of researchers attempted to predict six life outcomes, such as a child’s grade point average and whether a family would be evicted from their home. These researchers used machine-learning methods optimized for prediction, and they drew on a vast dataset that was painstakingly collected by social scientists over 15 y. However, no one made very accurate predictions. For policymakers considering using predictive models in settings such as criminal justice and child-protective services, these results raise a number of concerns. Additionally, researchers must reconcile the idea that they understand life trajectories with the fact that none of the predictions were very accurate.
Four short links: 26 May 2020
High-Performing Teams, DOS Source Code, Safety vs Encryption, and Online Conferences
- Habits of High-Performing Teams — instead of experience points that build strength, defense, magic, and resistance, every new piece of work is an “enemy” that, when delivered, will spread domain context and confidence around your team.
- Original Sources of MS-DOS 1.25 and 2.0 — Best old nerd joke on this was on Lobsters: Luckily all of the source files are under 64KB, or else they’d have to host it at github.exe.
- Facebook Adds Safety Alerts to Encrypted Chats — Facebook today announced new features for Messenger that will alert you when messages appear to come from financial scammers or potential child abusers, displaying warnings in the Messenger app that provide tips and suggest you block the offenders. […] But crucially, Facebook says that the detection will occur only based on metadata—not analysis of the content of messages—so that it doesn’t undermine the end-to-end encryption that Messenger offers in its Secret Conversations feature.
- A Month Long Conference — Matt Webb’s commentary on the WebDirections online structure. The title refers to this part of the WebDirections announcement: Instead of expecting people to take two whole days out of their most likely much more unsettled than normal schedule and spend yet another 12 hours staring at the screen over consecutive days, our online conference program will take place weekly, across a whole month, with sessions approximately 3 and a half hours each week on a Friday.
Four short links: 25 May 2020
Universal Font, Deep Fakes, Streaming Database, Software Development
- NoTo Font — An elegant font with glyphs for all languages. Google commissioned it from Monotype to avoid those rectangular boxes that show up when your font doesn’t have a particular character. (Those boxes are called “tofu” and the font name is short for “No Tofu”. This is explained in Monotype’s post).
- Context-Aware Human Generation — a novel method for inserting objects, specifically humans, into existing images, such that they blend in a photorealistic manner, while respecting the semantic context of the scene. The abstract is a faster load.
(via Twitter) - Materialize — Writes SQL queries against your streaming data. Materialize does all of this by recasting your SQL92 queries as dataflows, which can react efficiently to changes in your data as they happen. Materialize is powered by timely dataflow, which connects the times at which your inputs change with the times of answers reported back to you.
- Today was a Good Day: The Daily Life of Software Developers — Our analysis confirms some findings in previous work, including the fact that developers actually spend little time on development and developers’ aversion for meetings and interruptions. It also discovered new findings, such as that only 1.7% of survey responses mentioned emails as a reason for a bad workday, and that meetings and interruptions are only unproductive during development phases; during phases of planning, specification and release, they are common and constructive. One key finding is the importance of agency, developers’ control over their workday and whether it goes as planned or is disrupted by external factors.
Four short links: 22 May 2020
Contact Tracing Standards, Functional Languages, Quantum Computing, Deno
- COVID-19 Contact Tracing Data Standard — Possibly the fastest-created government standards. New Zealand’s aiming to have all the contact tracing apps support the actions of the contact tracers, and standards are a part of that.
- Why No One Uses Functional Languages — Compared to users of C, “no one” is a tolerably accurate count of the users of functional languages. 1998 paper by Phil Wadler.
- Quantum Computing Lecture Notes 2.0 — Scott Aaronson’s 260-page introductory quantum computing textbook in beta form, covering similar material as many other introductory quantum computing textbooks, but in my style for those who like that.
- Deno: A Simple Guide — A nice surface introduction to how Deno differs from Node.js, and the rationale for those differences. A quick read, but it really gives you a sense of Deno. This is great.
Four short links: 21 May 2020
Fuzzing, Code from Comments, Open Sourced Games, Podcasting
- Fuzzing: On the Exponential Cost of Vulnerability Discovery — Given the same non-deterministic fuzzer, finding the same bugs linearly faster requires linearly more machines. Yet, finding linearly more bugs in the same time requires exponentially more machines. Similarly, with exponentially more machines, we can cover the same code exponentially faster, but uncovered code only linearly faster. In other words, re-discovering the same vulnerabilities (or achieving the same coverage) is cheap but finding new vulnerabilities (or achieving more coverage) is expensive. This holds even under the simplifying assumption of no parallelization overhead.
- Code from Comments — Demo of a system that writes code based on a function signature and a comment. I’m always on the lookout for systems that automate code production, because they’ll be a big part of how we code in a few years’ time.
- C&C Open Sourced — EA are open-sourcing (GPL!) some Real-Time Strategy classics: Tiberian Dawn, and Red Alert. After discussing with the council members, we made the decision to go with the GPL license to ensure compatibility with projects like CnCNet and Open RA. Our goal was to deliver the source code in a way that would be truly beneficial for the community, and we hope this will enable amazing community projects for years to come.
- The Coming Death of Independent Podcasting — First, Spotify is gaining power over podcast distribution by forcing customers to use its app to listen to must-have content, by either buying production directly or striking exclusive deals, as it did with Rogan. This is a tying or bundling strategy. Once Spotify has a gatekeeping power over distribution, it can eliminate the open standard rival RSS, and control which podcasts get access to listeners. The final stage is monetization through data collection and ad targeting. Once Spotify has gatekeeping power over distribution and a large ad targeting business, it will also be able to control who can monetize podcasts, because advertisers will increasingly just want to hit specific audience members, as opposed to advertise on specific shows.
Four short links: 20 May 2020
Source Code Secrecy, Video Chat, Perl in the Browser, Cybersecurity and Intelligence
- The Paradox of Source Code Secrecy — In a world of privatized decisionmaking, the largely consistent move towards closed code in software sectors, has a number of deleterious results for the public, particularly in the age of algorithmic dominance. However, this Article argues that source code also carries a paradoxical character that is peculiar to software: the very substance of what is secluded often stems from the most public of origins, and often produces the most public of implications. And it is the failures of intellectual property law that has made this possible.
- Chaskiq — Open source messaging platform for marketing, support, & sales. Chat, bots, video, conversation routing, and more.
- WebPerl — The perl interpreter in WebAssembly, so you can put Perl code into your web pages. I’m not sure many people were itching to do this, but it shows how WebAssembly opens doors.
- A National Security Research Agenda for Cybersecurity and Artificial Intelligence — GWU’s collection of questions and subjects for research in cybersecurity and intelligence. Four components: offense (vulnerability discovery, spear-phishing, propagation, obfuscation & anti-forensics, destructive-power), defense (detection, interdiction, attribution), adversarial learning (adversarial examples, data poisoning, data pipeline manipulation, model inversion), and overarching questions (cyber-accidents, influence campaigns, speed, offense-defense balance, proliferation, strategic stability).
Four short links: 19 May 2020
Malware Services, AI Ops, Moldable Environment, and Social Software
- This Service Helps Malware Authors Fix Flaws in their Code (Krebs on Security) — Of course the Bad Guys(tm) are going to want security audits. Of course! “We can examine your (or not exactly your) PHP code for vulnerabilities and backdoors,” reads his offering on several prominent Russian cybercrime forums. “Possible options include, for example, bot admin panels, code injection panels, shell control panels, payment card sniffers, traffic direction services, exchange services, spamming software, doorway generators, and scam pages, etc.”
- What to Do When AI Fails (O’Reilly) — Why even think about incident response differently in the world of AI? The answers boil down to three major reasons, which may also exist in other large software systems but are exacerbated in AI. First and foremost is the tendency for AI to decay over time. Second is AI’s tremendous complexity. And last is the probabilistic nature of statistics and machine learning (ML).
- Glamorous Toolkit — a live notebook. It is a flexible search interface. It is a fancy code editor. It is a software analysis platform. It is a data visualization engine. All in one. And it is free and open-source under an MIT license.
- Rethinking Conference Calls for Video Calls (Matt Webb) — I find the idea of Zoom talks fascinating. What does it means to do something: which is live; where everyone in the audience is potentially multitasking; that includes a text chat backchannel which is visible to everyone? Matt’s been thinking about how we might remake “The Talk” in the age of Zoom. One thing’s clear: there’s huge room for tools to evolve.
Four short links: 18 May 2020
Web Assembly, System Design, Underhanded Source, and GNU Radio
- The Web Assembly App Gap — This essay states the case for the modern browser as a platform, and explores some components that might fill the gaps in a modern stack. […] Content-aware, versioned data; UI Framework; Standard interfaces for automation; Stateful Service Architecture. (via Paul Butler)
- Hints and Principles for Computer System Design — suggests the goals you might have for your system—Simple, Timely, Efficient, Adaptable, Dependable, Yummy (STEADY)—and effective techniques for achieving them—Approximate, Incremental, Divide & Conquer (AID).
- Initial Analysis of Underhanded Source Code — source code that appears benign to human review but is actually malicious. This paper looks at examples, summarizes literature, identifies promising mechanisms for countering it, and digs deep into one dataset (the Obfuscated V Contest).
- Tempest in GNU Radio — TEMPEST (or Van Eck Phreaking) is a technique to eavesdrop video monitors by receiving the electromagnetic signal emitted by the VGA/HDMI cable and connectors (although other targets are possible, such as keyboards, for which the same term is generally used[…]). This is basically a re-implementation of Martin Marinov’s excellent TempestSDR in GNU Radio.
Four short links: 15 May 2020
Park Downhill, VR DOS, WASM COBOL Pong, Scaling Engineering Teams
- Favourite Developer-Efficiency Tips — Before putting a project or incomplete task away, make notes of what the next thing was that you were going to work on. This lets you bypass that 10 minute orientation getting back into the project the next time you pick it up. I’d not heard it called that before. All the suggestions are very good.
- VR-DOS — an experimental “PC running DOS” emulator inside a VR environment.
- Web Assembly COBOL Pong — The silliest flex of the week: Pong written in COBOL, compiled to WebAssembly.
- Scaling an Engineering Team from 0 to Infinity — Really good breakdown of the different ways engineering team needs and structure change as the company grows.
Four short links: 14 May 2020
Airgap Malware, AI Surprises, OBS Mac, and Deno
- Malware Toolkit Targetting Airgapped Networks — ESET researchers have discovered a previously unreported cyber-espionage framework that we named Ramsay and that is tailored for collection and exfiltration of sensitive documents and is capable of operating within air‑gapped networks.
- Our Weird Behavior During the Pandemic is Messing with AI Models — Machine-learning models trained on normal human behavior are now finding that normal has changed, and some are no longer working as they should.
- OBS Mac — Creates a virtual webcam device from the output of OBS. Especially useful for streaming smooth, composited video into Zoom, Hangouts, Jitsi etc.
- Deno — Deno is a new runtime for executing JavaScript and TypeScript outside of the web browser. Server-side JavaScript from some of the folks behind node.js and built in Rust.