Quote

An approximate answer to the right problem is worth a good deal more than an exact answer to an approximate problem. – John Tukey

An excellent dissection of the Heartbleed bug affecting OpenSSL

Heartbleed Dissection

The short version is that a TLS heartbeat sends some data to the server and the server echoes it back. The issue is that the payload length specified in the heartbeat header is never checked against the length of the data actually received, so the server simply responds with however many bytes the header claims. It’s a 2-byte field, so that’s up to 64k per response.

The reason this is a problem is that the server is copying whatever happens to sit in its memory beyond the short heartbeat payload. That data may contain user IDs / passwords or the server’s private encryption keys. Grabbing a user’s ID / password is obviously bad, but grabbing the private key would allow an attacker to decrypt all data being sent by that server.
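The missing check described above, as an added example (not OpenSSL’s code): a heartbeat parser that applies the bounds comparison the fix introduced, run against two constructed records, one honest and one whose header overstates its payload.

```c
#include <stdint.h>
#include <string.h>

/* TLS heartbeat layout (RFC 6520): 1-byte type, 2-byte big-endian payload
 * length, the payload, then at least 16 bytes of random padding. */
#define HB_REQUEST     1
#define HB_MIN_PADDING 16

struct heartbeat {
    uint8_t        type;
    uint16_t       payload_len;  /* length the header claims */
    const uint8_t *payload;      /* points into the record buffer */
};

static uint16_t claimed_len(const uint8_t *rec) { return (uint16_t)((rec[1] << 8) | rec[2]); }

/* Returns 1 and fills *hb only when the claimed payload plus minimum padding
 * fits inside the rec_len-byte record; 0 when the header overstates it.
 * The unpatched code skipped this comparison and echoed payload_len bytes. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, struct heartbeat *hb)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING)          /* no room for header + padding */
        return 0;
    if ((size_t)1 + 2 + claimed_len(rec) + HB_MIN_PADDING > rec_len)
        return 0;                                  /* the bounds check the fix added */
    hb->type        = rec[0];
    hb->payload_len = claimed_len(rec);
    hb->payload     = rec + 3;
    return 1;
}

/* Bytes past the end of the record that an unchecked echo of the claimed
 * length would read: the leak size, close to 64 KiB for a 0xFFFF header. */
size_t unchecked_overread(const uint8_t *rec, size_t rec_len)
{
    size_t needed = (size_t)1 + 2 + claimed_len(rec) + HB_MIN_PADDING;
    return needed > rec_len ? needed - rec_len : 0;
}

/* Constructed samples: both carry the 4-byte payload "ping" plus 16 zero bytes
 * of padding; HONEST_REC declares 4 bytes, LYING_REC declares 0xFFFF. */
static const uint8_t HONEST_REC[1 + 2 + 4 + 16] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t LYING_REC [1 + 2 + 4 + 16] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };

/* 1 if the record parses and the response would echo exactly the 4 payload bytes. */
int echoes_payload_only(const uint8_t *rec, size_t rec_len)
{
    struct heartbeat hb;
    return parse_heartbeat(rec, rec_len, &hb) && hb.payload_len == 4 &&
           memcmp(hb.payload, "ping", 4) == 0;
}
```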

Is suppressing fever a good thing?

Fight the Flu, Hurt Society?

My belief is that in complex, non-linear, dynamical systems (e.g. the human body, the environment, economics) the default position should be one of non-intervention. All interventions tend to have both positive and negative consequences, as well as unforeseeable consequences. However, I’m also skeptical of studies where the result hasn’t been repeatedly replicated, and even then one has to be careful of generalizations that are drawn from the results.

Given that lengthy disclaimer – is it possible that the increase in body temperature that results from a virus has a negative effect on the virus? Seems plausible. It would then seem plausible that suppressing that response would have a relatively positive effect on the virus (i.e. positive in that it’s good for the virus but bad for the host).

The statement from the article that I agree with the most is:
“The main message, he says, is that the effects of suppressing fever need to be studied much more carefully.”

DD-WRT configuration

I was setting up my home network with two identical wireless routers. However, I was having issues getting everything to work properly. Consistently, one of the two wouldn’t work. Long story short – DD-WRT allows you to clone the MAC address via the web interface. However, it only alters the WAN and Wireless MAC and not the LAN MAC. The result is that all DD-WRT installs have the same LAN side MAC. This is only a problem if you have two routers running DD-WRT on the same LAN, which I did.

The only way to change the LAN side MAC address is to telnet to the router and change it via the shell. The following commands accomplish the task:

nvram set et0macaddr=xx:xx:xx:xx:xx:xx
nvram commit
reboot

Healthcare.gov and development

Healthcare.gov and the Gulf Between Planning and Reality

It’s a rather long read. One important takeaway is that it’s not possible to plan out any large project to the nth degree entirely up front. To do so is to believe that you’ll learn nothing during the development process that will impact the plan. Don’t get me wrong – up front planning is a requirement. However, planning is an open loop process – it’s when you get to the development that you’re able to close the loop against your plans. The sooner that happens, the less latency you have in your loop. And latency is the death of a closed loop system.

Blockbuster to close its remaining 300 stores

Blockbuster Closes

Time and time again, the same scenario repeats.  A business optimizes itself for the current market and wins the battle against its competitors… only to one day wake up and the battle it’s fighting is no longer relevant and it has lost the war.  I think in publicly held companies this is due in part to the focus on the short term numbers rather than developing the business long term.  The mantra of the market: innovate or die.

Inflation and Inflation Indices

MIT has taken a novel approach to calculating inflation by pulling prices of approximately half a million items from online retailers. The results are published as part of their Billion Prices Project (BPP) at http://bpp.mit.edu/usa . Note that one would expect the BPP index to lead the CPI (Consumer Price Index) because it is updated more frequently.

According to BPP, if you had $100 in 2010, that same $100 is worth about $93 today (about $95 according to CPI), which puts inflation at around 2.0% (1.6% based on CPI). So while you still have $100 (this is what economists refer to as the nominal value), what you can purchase with that $100 has declined (referred to as the real value).

Xilinx ISE and Ubuntu

I recently had to install the Xilinx ISE toolkit on an Ubuntu machine (12.04 LTS for the record). There were a few changes that I had to make to the system in order to get the tools to function.

  1. Xilinx uses ‘gmake’. Ubuntu doesn’t come with gmake. This was resolved by simply creating a symbolic link to ‘make’ (sudo ln -s /usr/bin/make /usr/bin/gmake). This resolved the failure in getting synthesis to run.
  2. Implement (Translate) failed with an unhelpful message about a bad loop variable and XIL_DIRS[0]. A little more Googling turned up that the issue was that the default Ubuntu shell is configured as ‘dash’. Changing the default shell to ‘bash’ resolved the issue (sudo dpkg-reconfigure dash).
  3. In order to run Xilinx’s SmartXplorer, I had to install ‘ia32-libs’ (sudo apt-get install ia32-libs) as it seems SmartXplorer is a 32-bit app.
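As an added example (not from the original post), a small POSIX sh preflight script that checks the three fixes above on an Ubuntu machine before running the ISE tools; the /opt/Xilinx path used in the shell probe is a placeholder.

```sh
#!/bin/sh
# Added preflight check, not from the original post: does this Ubuntu box have
# the three things the post had to fix before Xilinx ISE would run?
# The /opt/Xilinx value below is only a probe string, not a real install path.

# Does the shell at $1 accept the bash-only constructs the ISE scripts use?
# dash rejects both the array index (XIL_DIRS[0]) and the C-style for loop
# ("Bad for loop variable"); bash prints the element and exits 0.
shell_handles_ise_scripts() {
    "$1" -c 'XIL_DIRS[0]=/opt/Xilinx; for ((i=0; i<1; i++)); do printf "%s\n" "${XIL_DIRS[i]}"; done' 2>/dev/null
}

# Name of the binary /bin/sh resolves to (dash on a stock Ubuntu 12.04).
default_sh_target() {
    basename "$(readlink -f /bin/sh)"
}

# Is a command on PATH?  gmake is absent on Ubuntu unless you symlink it to make.
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Is a Debian package installed?  Used for the 32-bit libraries SmartXplorer needs.
have_pkg() {
    dpkg -s "$1" >/dev/null 2>&1
}

check_ise_prereqs() {
    if have_cmd gmake; then echo "gmake: found"
    else echo "gmake: missing -> sudo ln -s /usr/bin/make /usr/bin/gmake"; fi

    if shell_handles_ise_scripts /bin/sh >/dev/null; then
        echo "/bin/sh -> $(default_sh_target): runs ISE scripts"
    else
        echo "/bin/sh -> $(default_sh_target): fails on bash syntax -> sudo dpkg-reconfigure dash"
    fi

    if have_pkg ia32-libs; then echo "ia32-libs: installed"
    else echo "ia32-libs: missing -> sudo apt-get install ia32-libs"; fi
}

check_ise_prereqs
```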


Development Schedules

I’ve been pontificating about the problems with planning project schedules lately.  Unfortunately, I’ve been involved with companies that have, for whatever reason, had schedules that were grossly unrealistic.  In more than one instance, management was claiming the project was only a couple months from completion when all of the engineers were openly stating that completion was a year out (note: these were both large IC developments so the year+ schedule isn’t out of the norm).  One might argue that schedule pressure forces people to work harder.  However, unrealistic schedules force inefficient choices to be made.

Consider writing some tool to make your development process more efficient. It’s going to take time to write that tool. If the amount of time you’re going to save by having the tool is less than the time it takes to write the tool, it’s a net loss of time and not worth it from the perspective of time savings.

Let’s consider an example. If it’s going to take a developer 3 days to write a tool, and according to the schedule the task that the developer will be using the tool on is to be done in 10 days, that tool must save at least 3 days of work over the 7 days remaining to be a net time saver. That means that, for the tool to be worth the time investment, the developer must get done in less than 7 days what would originally have taken 10 days. The tool would have to increase productivity by >= 10/7, or ~43%. That’s a fairly high bar, so it’s probably better to simply work less efficiently and forgo writing the tool. Instead, the entire 10 days should probably be spent on the actual development rather than on a development tool.

However, what if the 10 days weren’t realistic? What if it’s really 20 days of work, but the ‘overly optimistic’ schedule pushes the developer to try to hit the 10 days? What if the schedule had been more realistic and allocated 20 days? The 3 days spent developing the tool would only require that the tool increase productivity by 20/17, or 17%, to break even. It’s certainly more likely that the productivity gain from the tool is > 17% than that it is > 43%.

Scheduling is more of an art than a science. If you’re doing truly new development, the time that a task is going to take is largely an unknown and any estimate is little more than a guess. It’s important to have milestones and to have dates for those milestones. However, if the dates are overly aggressive, it may very well result in the development taking longer than if the developers had been working toward more realistic dates and had been able to make proper time trade-offs.

Hello World

Well, I’ve had this installed for a while now, but have yet to post anything. So here goes…

The reason I’ve set up this space is to make notes to myself in a central location that I can reference in the future. Additionally, the process of writing something out, in a style as if it were being explained to someone else, helps me identify areas where my understanding isn’t as solid as I would like. I also would like to improve my (very poor) writing skills. Lastly, if someone else finds the information useful, that’s great, but an unintended consequence :).