nick bruun

And so, Microsoft ruins Skype

May 20, 2013 16:48:03

I'm appalled and amazed at the same time. I'm apmazed. It's not even a word, but I think a situation like this requires the invention of new words, although harsher ones are probably more fitting. You see, after an amazing DjangoCon Europe, I arrived home to a few odd Skype messages from Guan Yang with a dead link to his blog (http://guan.dk/skypetest) and a comment saying "let's see if they crawl this."

Today, Guan explained the reason for the weird link; an alleged back door in Skype has been discovered, in which Skype or Microsoft will make an HTTP HEAD request to any link exchanged in Skype chats. While both the author of the above mailing list post, Adam Back, and The H Security have confirmed the back door, I was still shocked when Guan later dumped the following from his access log:

65.52.100.214 - - [20/May/2013:13:04:11 +0000] "HEAD /skypetest HTTP/1.1" 404 - "-" "-" "guan.dk" "guan.dk"

Performing a reverse lookup of the requesting IP address returns an AS number, AS8075, which Microsoft have been the proud owners of since 1997. According to The H Security, Skype responded with the following explanation for the behaviour to the German security company, heise online:

"Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links."

While the above legalese may indeed legally justify the request, I as a user feel absolutely violated that a large corporation like Microsoft will take links that I send in all privacy to my friends and make requests to the same URLs. Worst of all, under the pretence that all Skype communications are encrypted, I'm pretty sure that a fair number of sensitive URLs have been exchanged over the years. It wouldn't be a far fetched thought for someone to have constructed a, say OAuth 2.0-esque URL which, when requested, would result in the deletion of a resource, as an example to a colleague. Many web servers do not distinguish between HEAD and GET or even POST requests, so, Microsoft's behaviour alone may actually wreck havoc. And I'm pretty sure, that this is even a way too complicated example of how this could be abused, especially considering how arbitrary tokens are thrown around these days. I know that you should always do things perfectly and securely, but, as the world has proven time and time again, no one ever does. Microsoft, of all people‚ should know this, which makes their actions even more apmazing and disgusting at the same time.

We all feared that Microsoft taking over Skype would have dire consequences. Yet, despite ever decreasing service quality, I've so far continued to use Skype, in the hopes that it was "just" pure neglect — something that is at times fixed with declining user numbers scaring executives into picking up the ball. But, as Microsoft has now proven, and has been pointed out by numerous rights movements in an open letter to Skype, our worst fears have become reality. Microsoft have absolutely no good intentions, or at least none which are backed by morals, and so they have now effectively ruined Skype.

My time as a Skype user is coming to a grinding halt as soon as I find a completely end-to-end encrypted alternative — and, for your own sake, I seriously hope that you consider going down the same path.

→ Performance as design

Apr 30, 2013 13:32:05

Brad Frost has written an extremely interesting post on "performance as design". While his post is limited in scope to frontend web development, he makes a point that I feel applies to development across the board:

The road towards better performance doesn’t start with developers or technology stacks (though I’m certainly not suggesting those things are unimportant). It begins with a shared interest on everyone’s part in making a product that’s lightning fast.

The current trend in web development is to build something as quickly as possible without giving much attention to performance in any shape or form. Once things start to slow down, you fumble and replace bits and pieces until it's all fast and stable again — hence the stupid startup metaphors of building a plane in free fall or whatever. Twitter is the perfect example of this with their years of Fail Whales as they approached stability which used absolutely none of those hot, trendy technologies they started out with. But, even with lessons like Twitter, the trend persists. Anyone who dares go against it by having performance considerations during the initial design process are often shamed for being "premature optimisers" and told to go figure out their product before they even consider making it fast.

The thing is, though, as Brad Frost so brilliantly points out, performance is integral to a product and thus also its design. As design is to quite an extent a reflection of the culture that created it, performance thinking is by proxy integral to a culture that creates a great product. The "lean" club of non-optimizers are ruining product design by culturally neglecting one of the single most important user experience aspects of all; speed. Don't agree? Think about the last time you actually saw "fast as an afterthought" working in practise before you pull the "premature!" card next time.

→ On the hypocritical nature of self-entitled entrepreneurship

Apr 29, 2013 16:27:58

I've often expressed how deeply I am repulsed by the kind of people with a personal mission statement like the following:

“I want my idea to become a reality, change the world for the better, and get rich in the process”.

We all know them, and if you've attended startup events for the last couple of years, you'll have seen an ever increasing number of them storming around the room "networking" and gathering business cards, only to give you that magically exclusionary look of disgust when you make it clear that you do not use business cards because the world has moved on. But, for so long, I've been unable to pin point exactly what it is about these people, that I repulses me so much, beyond their mere attitude.

The aliased vigilante, Software Gunslinger has once and for all solved this in his provocatively titled blog post, "On the hypocritical nature of self-entitled entrepreneurship":

Then, lastly, you want to get rich in the process. The shorter the process, the better. Explain to me again how a new rich person is going to make the world a better place. No, seriously. Disparities in wealth distribution are one of the main reasons because the world is in such an horrendous state. Isn’t your argument self-negatingly hypocritical?

The bottom line is simple. This kind of people are trying to hide their goal — getting rich, preferably fast — behind what they think, people want to hear. The end result is an inevitable disparity in statements and opinions, and all of this stinks to high heaven of dishonesty. Hence the repulsion.

→ Retroactive taxes or asset seizure

Mar 26, 2013 20:20:27

Bryan Goldberg gives a pretty thought provoking perspective on the recent retroactive retraction of the tax deduction on sale of "Qualified Small Business" stock in California going all the way back to 2008 in his recent article on PandoDaily:

While the law stipulates that I must surrender this money, I refuse to acknowledge this as a tax at all. This is not a tax. This is an asset seizure plain and simple. The term “retroactive tax” is a despicable euphemism. It is no different than when Hugo Chavez used the benign-sounding “nationalize” to describe his seizure of private property in Venezuela.

Breathtaking

Mar 25, 2013 00:03:43

Icy, snow covered Stockholm in early spring is nothing short of breathtaking. I do not think I've ever seen so much style, beauty and elegance in one place. I'm sad to admit it, but Sweden has outdone us Danes with this one:

Why events are a bad idea

Mar 20, 2013 14:55:54

With event based systems being all the rage at the moment, Rob von Behren, Jeremy Condit and Eric Brewer's 2003 paper "Why Events Are A Bad Idea (for high-concurrency servers)" offers an interesting perspective to the discussion of threaded versus evented systems by showing almost unbelievable results using a more light weight and optimized threading library:

Although event systems have been used to obtain good performance in high concurrency systems, we have shown that similar or even higher performance can be achieved with threads. Moreover, the simpler programming model and wealth of compiler analyses that threaded systems afford gives threads an important advantage over events when writing highly concurrent servers. In the future, we advocate tight integration between the compiler and the thread system, which will result in a programming model that offers a clean and simple interface to the programmer while achieving superior performance.

Personally, I often prefer a call/return execution pattern over a callback driven pattern, as it seems to fit a lot of common computing problems for which shoehorning a callback patterns adds unnecessary overhead and indirection — from a development perspective, if nothing else. Sadly, though, in the ten years since the paper was published, we don't seem to have gotten even a tiny bit closer to the recommendation made by von Behren and his team. In fact, Node.js, Go etc. seem to instead push even further in the direction of events — presumably because application level abstractions offering cheap wins are so much simpler that the added pain is far outweighed by the complexity of taking the approach presented in the paper. Maybe now is as good a time as any to start learning kernel programming.

→ Proprietary monocultures

Mar 20, 2013 13:43:16

Simply brilliant piece by Marco Arment on the dangers of the proprietary monocultures as well as the root of said monocultures, sparked by the recent shut down of Google Reader and the walling of the API gardens of large services like Twitter, Netflix etc.:

If you try to play by the traditional rules and regulations, you run the risk of getting steamrolled by someone who’s perfectly willing to ignore them. Usually, that’s the biggest potential failure of the tech world’s crazy economy, which sucks for you but doesn’t matter much to everyone else. But sometimes, just like unregulated capitalism, it fails in ways that suck for everyone.

→ Time machine to the rescue

Mar 19, 2013 11:47:16

Sometimes the most exciting news of developments come from as odd a place as the Plan 9 message board. Well, given Plan 9's nature, it's not really that odd in this case. But, what's odd is that for something this exciting, virtually the only non-legalese information about IBM's new "multi-pipe" patent available is on that same message board. A multi-pipe is, as Ben Kidwell explains it, essentially every Big Data kid's wet dream; a UNIX pipe like system with an arbitrary number of senders and receivers supporting constructs like fan-in and -out in networked systems as well as arbitrarily complex chaining structures. The origin is unsurprisingly the IBM Blue Gene project, which makes plentiful use of Plan 9's transparent networking constructs:

The Blue Gene team wrote about multipipes: "The result dramatically simplified the architecture and improved overall system performance. It became clear that multipipes were a useful primitive for the construction of applications and other system services."

While this innovation, which beyond the complicated patent filing is briefly described in the 2011 final report on HARE and the OSDI 2010 poster, is pretty impressive, the sense of humor that Kidwell brings to the table in an attempt to circumvent the legal implications of copying a patented technology by far surpasses it:

Anyway, I thought the world deserved to have a non-patent encumbered version of Multi-pipes that could deliver very similar functionality, but not conflict with IBM's Patented Invention. So, I used /dev/timemachine to send some software back in time to 2009, before I could see any trace of IBM Multi-pipes. I sent the Iosrv and Hubfs software back to the sources server between 7/01/09 and 8/01/09 (you can check the dump) so in this way I thought I could avoid any potential issues with IBM's legal team.

Who owns flat?

Mar 06, 2013 17:40:26

I'll be honest; I'm by no means a fan of the Metro/Windows 8/flat style UI. Yesterday, I was horrified to learn that everyone's favorite super-generic frontend framework, Bootstrap, is going flat as well — at least if we are to trust their release candidate. Looking through Dribbble it's pretty clear that this is starting to become a trend, possibly as an extreme response to the skeuomorphism that has ruled the design world for a couple of years. With Microsoft clearly being one of the largest driver of this trend, I also kind of assumed them to be the primary source.

As it turns out, though, I may have been wrong. At least if my understanding of LayerVault's DMCA takedown notice to Github, stating that they own the rights to the elements of designmodo's open source Flat UI framework, is not completely mistaken:

Pursuant to 17 USC 512(c)(3)(A), this communication serves as a statement that:

I am the exclusive rights holder for the artwork contained within Flat UI, Free Web User Interface Kit; These exclusive rights are being violated by material available upon your site at the following URL:

I of course don't know the whole story, but looking at the stylesheets of LayerVault and Flat UI, I'm unable to find any direct correlation. A representative from designmodo also claims that they have no professional relations with LayerVault. So, is LayerVault really claiming ownership of the style? In that case, I'd love to see the takedown notice they sent Microsoft, Vine et al, not to mention the fact that any future Bootstrap user will be but a DCMA notice away from having to find themselves a new framework.

I sincerely hope that someone stole something here. If not, this is beyond laughable.

→ Highly Available Transactions

Mar 05, 2013 16:39:17

With the CAP theorem dominating distributed systems design thinking, one particular characteristics has for the last couple of decades been written off completely in real time systems; transactions, particularly ACID transactions. However, a research group at UC Berkeley seems to have closed this theoretical gap through a somewhat more classy sounding theorem: the HAT theorem — with HAT referring to Highly Available Transactions.

Co-author on the research paper, Peter Bailis, gives a great introduction to the problem and their work:

In recent research at UC Berkeley, we show that high availability and transactions are not mutually exclusive: it is possible to match the semantics provided by many of today’s “ACID” and “NewSQL” databases without sacrificing high availability. While these Highly Available Transactions (HATs) do not provide serializability—which is not highly available under arbitrary read/write transactions—as I blogged about last week, many ACID databases provide a weaker form of isolation. The problem is that these databases do not implement their guarantees using highly available algorithms.

I can't wait to see what kind of implications this will have for the development of vastly distributed systems like Google's Spanner for us mere mortals.