The Apple Watch, that fancy new high-tech product, had a XXE vulnerability. That’s a security flaw in XML parsers that dates back to at least 2002. It keeps popping up in new products because apparently safe XML parsing is too hard for anyone to get right.
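To make the "safe parsing is hard" point concrete, here is an added example (not code from the original post or from Apple) using Python's standard-library expat binding. The document contents, the `watchface` element names and the `file:///placeholder/path` system id are all constructed placeholders. `parse_strict` refuses any DOCTYPE, which removes external entities, external DTD fetches and entity-expansion blowups in one move; `audit_entities` inspects what a suspicious document declares without resolving anything, which is what a reject-and-log gate or a triage script needs.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a document uses the DTD features that make XXE possible."""


# Constructed sample documents (placeholders, not taken from any real product).
SAFE_DOC = b"<watchface><name>Modular</name></watchface>"
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE watchface [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<watchface><name>&ext;</name></watchface>"
)


def parse_strict(data):
    """Parse untrusted XML with DTDs disallowed outright.

    Returns the element names in document order and the concatenated text.
    Raises UnsafeXmlError before any entity is declared, let alone resolved.
    """
    p = expat.ParserCreate()
    # Never process parameter entities or fetch an external DTD subset.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} rejected (system id {system_id!r})")

    def on_external_ref(context, base, system_id, public_id):
        # Unreachable once DOCTYPEs are refused, but it guarantees that no
        # external resource is ever opened even if the check above changes.
        raise UnsafeXmlError(f"external entity {system_id!r} rejected")

    elements, text = [], []
    p.StartDoctypeDeclHandler = on_doctype
    p.ExternalEntityRefHandler = on_external_ref
    p.StartElementHandler = lambda name, attrs: elements.append(name)
    p.CharacterDataHandler = text.append
    p.Parse(data, True)  # an exception raised inside a handler propagates out of Parse
    return {"elements": elements, "text": "".join(text)}


def audit_entities(data):
    """List a document's entity declarations and references without resolving any.

    Each declared entity is reported with whether it points outside the
    document (a SYSTEM or PUBLIC id); references in content are recorded
    but expat is told to continue without fetching anything.
    """
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    declared, referenced = [], []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        declared.append({
            "name": name,
            "external": system_id is not None or public_id is not None,
            "system_id": system_id,
        })

    def on_external_ref(context, base, system_id, public_id):
        referenced.append(system_id)
        return 1  # non-zero: keep parsing, nothing was resolved

    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(data, True)
    return {"declared": declared, "referenced": referenced}


if __name__ == "__main__":
    print(parse_strict(SAFE_DOC))
    print(audit_entities(XXE_DOC))
    try:
        parse_strict(XXE_DOC)
    except UnsafeXmlError as err:
        print("rejected:", err)
```

Expat on its own does not follow an external entity reference unless a handler is installed, but other libraries and languages have historically resolved them by default, which is why the refusal belongs in the application's own parsing wrapper rather than in whatever the parser happens to do out of the box.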

techbad
  2015-05-19 22:12 Z

It’s common for tech industry employees to be compensated with stock options. Stock options are complicated and many engineers I know are terribly naïve about how they work. But options are often the most valuable part of an employee’s compensation! This engineer’s guide to stock options is good reading.

Here are some basic questions every owner of stock options should ask their employer. With these answers an accountant can work out the value of the option package and plan a tax strategy.

  1. How many shares of the company will I own?
  2. How many shares of the company exist?
  3. What percentage of the company will I own?
  4. What is the strike price of my options?
  5. What is the fair market value of the stock today?
  6. Can I early exercise my options?

Many companies are reluctant to answer #2 and #3 (they are equivalent). Trying to keep an employee in ignorance about this is bullshit. Knowing what percentage of the company you own is the only way to evaluate your option package. Companies will generally answer this question if you press hard enough; if they refuse, it is a very bad sign.

Tax strategy is important for several reasons. Early exercising could save you ~20% in taxes later on. But even more importantly, early exercising could save you 100% should you leave the company. Most option agreements include a clause where your options disappear 30 or 90 days after you stop being an employee. If you quit and can’t afford the taxes to exercise those options, you can lose everything. Planning ahead matters.

life
  2015-03-27 16:40 Z

One of my first email addresses (in 1989) was tektronix!ogicse!reed!minar. I’m feeling old today and I’m guessing half my readers have never seen an email address like that. It was from the long long ago, in the time that was before the Internet, when UUCP was the main Unix mail system.

My unique email address was reed!minar. But there was no ubiquitous routing infrastructure for mail, no global addressing. Unix network email was store-and-forward based on scheduled phone calls and modem transfers via uucico. Each host only talked to a few other hosts. Reed talked to OGICSE regularly, so my address suggested mail be forwarded through there. Other mail hosts might or might not know how to get mail to OGI but they certainly knew how to get to Tektronix, so that sufficed as a global route. UUNET was a hub that knew how to talk to everyone; often addresses began uunet!.

The essential idea is that UUCP email addresses included not just the address but the route to that address. It’s a powerful idea. But modern Internet systems don’t do that. Instead we rely on global address lookup systems like DNS and global routing systems like BGP. (If anyone can think of a modern system that includes routes in names, please email me via SMTP.)

UUCP users did build a routing system: pathalias. It relied on UUCP maps published to comp.mail.maps. Those maps were discontinued in December 2000. I haven’t found a modern view onto this data; it’d be fascinating to see the history of the growth of UUCPnet. telehack has a usable snapshot of the data; try uumap reed, for instance.
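As an added illustration of the two ideas above (the address carrying its own route, and pathalias computing that route from a map), here is a small simulation that is not from the original post or from the real pathalias program. The link map is constructed and hypothetical (the real comp.mail.maps entries also carried link costs, and pathalias used a cost-weighted shortest path; this uses plain fewest-hops breadth-first search). `deliver` does what a store-and-forward host did: it looks only at the first component of the address, checks that host is one of its own neighbors, and hands on the rest.

```python
from collections import deque

# Constructed, hypothetical link map: each host and the hosts it exchanged
# mail with. Only the names from the post are real; the links are made up.
LINKS = {
    "uunet": ["tektronix", "decvax"],
    "tektronix": ["uunet", "ogicse"],
    "ogicse": ["tektronix", "reed"],
    "reed": ["ogicse"],
    "decvax": ["uunet"],
}


def split_bang_path(address):
    """Split 'a!b!c!user' into (['a', 'b', 'c'], 'user')."""
    parts = address.split("!")
    if len(parts) < 2 or any(part == "" for part in parts):
        raise ValueError(f"not a bang-path address: {address!r}")
    return parts[:-1], parts[-1]


def deliver(links, start, address):
    """Walk an explicit route hop by hop, as store-and-forward hosts did.

    Each host consults only its own neighbor list; a host that has no link
    to the next component cannot forward the message at all.
    Returns (final host, local part, hosts visited).
    """
    here, remaining, trail = start, address, [start]
    while "!" in remaining:
        nxt, rest = remaining.split("!", 1)
        if nxt not in links.get(here, []):
            raise LookupError(f"{here} has no link to {nxt}")
        here, remaining = nxt, rest
        trail.append(here)
    return here, remaining, trail


def route(links, source, dest):
    """Fewest-hop path from source to dest over the link map (BFS)."""
    prev = {source: None}
    queue = deque([source])
    while queue:
        host = queue.popleft()
        if host == dest:
            path = []
            while host is not None:
                path.append(host)
                host = prev[host]
            return path[::-1]
        for neighbor in links.get(host, []):
            if neighbor not in prev:
                prev[neighbor] = host
                queue.append(neighbor)
    raise LookupError(f"no route from {source} to {dest}")


def bang_address(links, source, dest, user):
    """Build the bang path a sender on `source` would use to reach user@dest.

    The sender's own host is omitted, since a bang path lists the hops the
    message still has to make.
    """
    hosts = route(links, source, dest)
    return "!".join(hosts[1:] + [user])


if __name__ == "__main__":
    print(bang_address(LINKS, "decvax", "reed", "minar"))
    print(deliver(LINKS, "uunet", "tektronix!ogicse!reed!minar"))
```

Run from `decvax`, whose only neighbor is `uunet`, the computed address comes out as `uunet!tektronix!ogicse!reed!minar`, which is exactly the "start at a well-known hub" shape the post describes; handing `decvax` an address that begins `ogicse!...` fails at the first hop because it has no such link.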

tech
  2015-03-08 16:21 Z

I’ve been doing some fiddly coding for the OpenAddresses project. It reminds me of one of my favorite engineering interview questions. “How do you know your code works?”

The arrogant candidate says “I’m smart so I know my code is good”. That’s certainly a bad sign, although sometimes they’re right. Slightly wiser responses are “I run it and look closely” or “I trace the code and make sure it works like I expect”. Better, but too manual. The truly enlightened say “I have an automated test suite” and then you’re off to the real questions about how to test code properly.

I have a deep distrust of code. Software is organic, unpredictable, chaotically complex. It’s difficult enough to understand what the code you write now is likely to do right now with expected inputs. But hostile inputs, or a weird environment, or the same code a year from now, or the slightly modified open source contribution in some fork somewhere? Forget it. That’s why automated tests are so valuable. It’s a way to demonstrate the code is doing what you expect it to.

Writing good tests is hard, almost as hard as writing good code. Modern environments have a lot of testing tools you should learn. From language unit test frameworks to mock objects for servers to fuzz testing to various continuous integration systems for functional tests. GitHub projects have the miracle which is Travis CI, free no-fuss continuous build and test for any open source project. It’s amazing.

So until software correctness proofs become a real tool we can use in real production code, ask yourself how you know your code is going to work. If you’re honest, you probably don’t. But some testing will certainly help give you at least a little confidence.

tech
  2015-01-23 19:51 Z

I love the Internet service I get from Astound, but not so much their online account system. The billing login is pretty screwed up. Things to know:

  • The billing credentials are separate from your “Internet Account Manager” credentials.
  • Username and password will both be forced to lowercase.
  • The password recovery system will mail you your password in plaintext.
  • Parts of the online system ask for a registration password. That password is “astound”.
  • Astound formats account numbers in three fields, like 005 0123456 01. The form presents two boxes: try 005 012345601

techbad
  2015-01-20 18:25 Z

Astound is a good ISP. I started getting Internet from them a few months ago, upgrading from a $50 6Mbps DSL link to a $70 100Mbps cable link. And it’s like I can see through time. The difference in usability is astonishing. Equally importantly, Astound has been entirely reliable and trouble-free.

The key thing is Astound is not Comcast. Comcast is an evil company with a long history of breaking TCP/IP in various ways that harm customers. Astound just provides pure, sweet, clean bits. Installation requires they bring their own coaxial from the pole to your house. They also offer phone and TV packages. The customer experience is a bit squirrely, I wouldn’t count on them for email hosting or tech support. But the basic Internet service is terrific.

I’d previously been a very happy Sonic DSL customer. They are also a terrific independent ISP with fantastic service. Unfortunately DSL is limited by the technology, the best they could deliver to my house is 12Mbps and that would have been significantly more expensive than Astound. Sonic is now working on fiber-to-the-house, including San Francisco, which should be terrific if they can do it.

We’re very lucky in SF to have a competitive ISP market. We have two DSL providers, two cable providers, and a surprisingly robust fixed wireless provider in MonkeyBrains. Most of the urban US only has two options and large parts of the rural US don’t even have that. The Sonic CEO’s 2011 blog post about broadband duopoly is fantastic background for how we got to have such crummy service in the US.

techgood
  2015-01-10 18:33 Z

Ancestry.com is a good web site. It’s a tool for researching and maintaining family history, genealogy. It’s also a remarkably sophisticated database, data repository, and user interface with a lot of lessons for people who design webapps. I’m particularly fascinated that their target market is older people, your grandma who’s not so good with computers but has gotten interested in family history. But in no way is Ancestry dumbed down.

The web UI is great. The primary view is a visual family tree, a refocusable graph view that’s not much like a web page but works great in the browser. You then click through on a name to get to a person’s profile page that’s more like a normal document view. From there you do extra research, add information, etc.

The facts and sources tab on a person’s profile is my favorite part of Ancestry. They don’t just track a fact like “Born on 29 May 1917”, they also track the source of that fact, like “birth certificate” or “census record”. With a link right to a scan of the source document with the relevant information highlighted. Most people’s genealogy is full of bad data. (No, you’re probably not related to that 16th century king.) Ancestry provides a model for establishing the veracity of the data you record. Crowdsourced databases like OpenStreetMap and Wikipedia would benefit from more explicit attribution.

Ancestry is particularly useful because they have a fantastic collection of American genealogical records. The census records are the ones I use most frequently. Meticulously transcribed images of 100+ year old handwritten pages, completely searchable on fields like name, address, age, etc. They’ve collected all sorts of other data too: immigration records, social registers, railroad payrolls. All this diverse hand written data, presented in a uniform computer search interface. They even proactively find hints for your family members for you to review and add to your data.

The app has some problems. Most of their data collections are only useful for researching Americans. Grassroots genealogists complain about Ancestry being too commercial and proprietary (see GEDCOM). Some people snark about the site being so grounded in Mormonism, although that criticism seems unfair to me. I’ve enjoyed doing a bit of family research in Ancestry. Mostly I’m impressed with the usability of the web app given how complex the data is.

techgood
  2015-01-04 18:08 Z

Today’s SF Chronicle has two remarkable opinion columns about state politics in California.

Debra Saunders, the token right-winger, reveals Carly Fiorina is a deadbeat. She owes $500,000 to her employees for her failed 2010 senate candidacy. What makes this laundry-airing remarkable is Fiorina is rumored to be running for President. And Saunders got Fiorina’s former campaign manager Marty Wilson on the record confirming the debt. Quite a takedown.

Also Slick Willie Brown’s normally terrible column is interesting this week in revealing the Democratic machine. He floats a trial balloon for how California’s top politicians might shuffle jobs in the next few years, with Harris for Boxer and Newsom for Jerry Brown. “The issue will be which of their clients they persuade to run for the Senate seat”; the “they” refers to consultancy Ace Smith. I guess they’re the ones calling the shots.

politics
  2014-12-28 21:12 Z

California’s biggest individual health insurer, Anthem, treats its customers with remarkable contempt. This blog post is boring, but I think it’s important to occasionally document poor behavior from powerful companies.

I received a letter December 9, “INTENT TO NON-RENEW”. They said I owed them $6.89 and had three weeks to pay up or they’d cancel me, a ten year customer. Except I didn’t owe them money. I pay all those bills automatically, the correct amount had been sent. The exact amount is for “pediatric dental insurance”, something they tacked on this year when they realized they screwed up the ACA requirements. I’m guessing their billing system failed to post one month somehow.

What is so contemptuous is the communication. They go straight from “minor problem” to “we are cancelling your health insurance”, in an officious letter, with no followup. Their customer service is terrible. I finally got through (two separate automated phone systems) to someone who could only vaguely say I look paid up and they have no idea why the letter was sent.

Anthem has a remarkable online bill pay system, BTW. Or rather they don’t, they outsource it to Princeton eCom, a site that looks like a clumsy phishing attempt. It requires a separate login. Your password is limited to 8 characters. For the billing site. Of a health insurance company.

Cancelling health insurance is a big, scary threat. Anthem appears to casually do that because of random billing errors, with no humane communication. I dread what the process will be like if I ever have a significant claim.

life
  2014-12-17 19:45 Z

A friend of mine is buying his first Mac, so here’s a list I made for him for essential software.

  • Chrome for web browsing with LastPass for passwords.
  • Alfred for launching apps, small actions, etc. I can’t imagine using MacOS without it.
  • iTerm2 for terminal windows.
  • Homebrew for Unix tools. It’s not awesome, but the best option.
  • Sublime Text for text editing.
  • nvALT for note taking.
  • Adium for instant messaging.
  • VLC for playing video and audio. Plex for networked serving of video.

techmac
  2014-12-05 16:50 Z