Sunday, May 31, 2020

Requiem for Medusa (Galaxy's Edge) (Tyrus Rechs: Contracts & Terminations Book 1) by Nick Cole and Jason Anspach


Fun. 5/5 Stars.

Good primer for DevSecOps threat modeling


Jim Gumbley, writing on Martin Fowler's valuable web site, gives us a simple and very approachable primer on how to do threat modeling in DevSecOps. I had not seen the thrilling NotPetya story before and really enjoyed that real-life cyber thriller.

If you are a software developer or DevOps professional and your perception of DevSecOps and information security is simply "minimal compliance with draconian InfoSec policies," you are in for a frustrating experience and you will develop inferior software services.

Arbitrary dates destroy software and service value



Here is an article by "Gandalf Hudlow" from IISM on the failure of date-driven schedules. I have a slightly different perspective that accommodates date-driven schedules but enables the creation of business value.

Some mature software and service industries run on "train schedules" of relatively frequent releases, where the business and customer never know what they will get in each release but they know they will get something at the scheduled release times.  For example, as a user of Google Keep, I did not know when Google would ship integration with Assistant to be able to say, "OK Google, remove milk from my Safeway list." But it was obvious to me that eventually such a  feature would arrive.  Similarly Microsoft sends out monthly patches on the first Tuesday of every month but you never know which updates will blow away all your settings or brick your device.

Many software or services are intended to meet some business goal or innovate in some way that consumers will immediately love, disrupting an entrenched consumer norm.  In these cases, schedule-driven software development always fails to deliver value to customers and results in much more waste than enabling normal software gestation and postpartum iteration until the business objective is achieved.  Across all industries, 70% of software projects fail to produce their intended business result because the specific business purpose of the software becomes schedule-driven.  In these cases I agree with the author.


Thursday, May 28, 2020

Exhalation Stories by Ted Chiang


This fantastic collection of short stories finally rose up in my queue. 5/5 Stars.  Very good.

Monday, May 25, 2020

Tinkerers by David Brin


For a short time in 1982 - 1983 I lived near David Brin in La Jolla (near San Diego) and despite his fame and fortune as a great writer and speaker we have stayed in touch.  David helps me whenever I ask, most recently with my High School curriculum development for applied terrestrial terraforming. (I hope to blog more on that topic in the future).  David wrote a very short, somewhat political graphic novel called Tinkerers that has become available online for free. It's an interesting perspective on Yankee Ingenuity and US culture. 4/5 Stars.

Sunday, May 24, 2020

in case you need even more overwhelming medical data about exercise

Automatically delete your stale feature flags

If you use feature flags extensively, it is likely you have a large number of stale feature flags clogging up your code base.  Those back room boys over at Uber have released a useful dead-code deletion tool they call "Piranha" that lints your code for dead feature flags and refactors the code to eliminate the flags.  Slick.

Learn Linux



At a recent Large Installation Systems Administration (LISA) conference I used to attend in the 20th century, one of the speakers gave an introduction to some useful Linux and Bash concepts with examples.  If you are an absolute beginner you will get a lot out of it.

Among the many annoying and self-destructive features of my personality is my tendency to assume everyone knows as much or more than I do about some topic we are discussing, or, more frequently, that everyone remembers everything from all of their college courses. I noticed at work recently that my use of pipelines and xargs in a command line freaked everyone out and my suggestions about better bash wrapper script programming were way above the heads of my audience.

Based on peer feedback about one of my mentees, I strongly suggested that the mentee learn Linux and Bash, to become facile at command line typing, as the skills will be useful through more than one career. The mentee diligently took courses and was promoted. I was thrilled when my mentee privately relayed that one secret of success was proficiency at Bash and Linux.



A new volume of ThoughtWorks' "Tech Radar" series


There is something for everyone in the new "Tech Radar" series. ThoughtWorks calls it "an opinionated guide to technology frontiers," and it has some good information on tools and process. It's easily worth a skim through the table of contents.

Windows Package Manager -- Linux assimilation continues


If you are as confused as I am by the PowerShell commands to manage Windows applications and their dependencies, this preview of "winget" the forthcoming Windows package manager will be a welcome addition to Windows.  I have already replaced my terminal with Windows' new, awesome terminal program in which I run bash on Ubuntu.



Microsoft continues its predatory  "embrace and extend" Linux assimilation, creating promising, tantalizing but not-quite-good-enough proprietary alternatives to basic Linux features and capabilities.


NoOps, DevSecOps, Cloud Functions, Serverless

I just stumbled across Tom McLaughlin's 3-part series on serverless (part-1, part-2, part-3). Tom was bitten by the NoOps Serverless bug because of its promise to relieve the pain of managing people and process associated with the mundane and painful 24x7 operation of web services. For Tom, there is no need to consider alternatives.

Yesterday, I had an hour-long debate with a very intelligent mentor and friend about the economics and total cost of ownership for NoOps. There are many devils in the details of each business and each situation. For small and non-tech businesses right now, the public cloud providers charge too much for each API call of their libraries in most serverless settings. If your business requires predictable, high-availability services with neither distractions nor overhead of consultants or employees who "operate" or develop your operations (DevOps) then the TCO model of maintenance favors serverless. If I were a consultant, I would develop a complex TCO spreadsheet model and questionnaire to enable companies to make the right choice now and revisit their choices as public cloud costs change. But if you are a scrappy small business where everyone wears "many hats" (works in many different roles), it is less expensive in the short term to burn all the labor hours and do the DevSecOps yourself. If there is clear opportunity cost associated with burn-out and the labor of this work, the economics will still swing the other way and you should go NoOps and Serverless all the way down.


Tales from the Planet Earth, edited by Frederik Pohl (1986)


Fantastic potpourri of international cyberpunk from the 1980's. 4/5 Stars.

ship's log (Alliance book 1) by Lawrence P White


The writing (editing, really), characters, and story line are not bad and the premise has some merit. But the science and politics are so awful and the magic system is so inconsistent, I am not going to pursue the series and almost stopped reading. 1/5 Stars.

Hatching the Phoenix by Frederik Pohl (1999)


I had read this one before and realized I knew the ending about half way through; I got a little more out of it this time because it was a blatant reminder of how much global societal values have shifted away from self-reliance, individual responsibility towards our current ideas that value a totalitarian nanny state and entitlements.  3/5 Stars, probably not worth reading twice.

continuous integration build times


Kelly Sutton takes us on a fantastic journey through how to think about optimizing your continuous integration (CI) build times, and the details of how to do it. Interestingly and counter-intuitively, they concentrated on 99th percentile build times instead of 75th or, shudder, 50th percentile time. Why? Because a very slow build constipates the pipeline, disrupting everyone. Lots of other insights in the post; it is worth your time to skim the whole thing.

Saturday, May 23, 2020

Positive Results: Time to Sell Gilead (GIL) stock?

The New England Journal of Medicine (I love their studies) has published some extremely good news for Gilead's Remdesivir.  Among the interesting results from the study is that the Chinese researchers lied. Remdesivir shortened a patient's time to recovery compared to the placebo group, from an average of 15 days to 11 days. Improvements occurred whether or not the patient was receiving supplemental oxygen. What's more, the data lays to rest any worries that remdesivir has to be given very early after the onset of symptoms. In fact, those participants who entered the trial more than 10 days after the onset of symptoms actually showed a better response to remdesivir than those who started being treated during the first 10 days!

Friday, May 22, 2020

Foundations of Behavioral Economics' Cognitive Bias confirmed


Prospect Theory from the 1979 paper has been confirmed with a comprehensive n=4098 study.

All of our computer hardware is riddled with exploits

I stumbled across this devastating exposé of the hardware we use every day and it is extremely depressing.  All of our hardware contains massive exploits and is surveilling us; and the evil big-government and big-business entities are adding more and more exploits that enable their enemies and common criminals to succeed in attacking us.  I am seriously considering switching to a ChromeBook.

Monday, May 18, 2020

even more good news about our genocidal war against SARS-CoV-2

A company called "Moderna" has announced findings from their first study, that their vaccine likely works.  Also (today), a study was published claiming the immune systems of people who were infected have changed SARS-CoV-2's genome but we don't know what that means yet.

Sunday, May 17, 2020

Compliance as Code in Terraform: behavior driven development (BDD)


Check out terraform-compliance on github and the author's slideshare presentation.  Very slick.  It concentrates on negative tests using behavior driven development (BDD) testing.

Helm 3: simplifying secrets


Helm is still clunky, young, and lacks most functionality we need from package managers. But Kubernetes is bizarre and difficult, so we can't blame Helm for its slow evolution. Helm v3 now has a fantastically elegant way to create and manage secrets that is very safe and easy to use. This very short tutorial is worth 3 minutes of your time.

DevSecOps: Information Security concepts


The rapid evolution, sophistication, economics, and political implications of "cyber" -- organized attacks against computing systems -- is forcing more DevOps specialists to branch into DevSecOps and InfoSec.

The folks at SpecterOps (Jared Atkinson) take us on this worthwhile three-part journey through a simple and clear way to conceptualize your defenses:



Observability (again)


Alexis Richardson (founder of Weaveworks) takes us on a deeply-insightful journey through principles of infrastructure automation, and the foundations of DevOps.  Great article! Don't fall for the hype.  Think.  Read his article on observability.

How not to apply machine learning (AI) to Ops: AI-Ops does not work

Why Your Private Cloud is a Terrible Idea


Sam Newman gives a devastating analysis of the suicidal trajectory of Enterprises that are late adopters of public cloud services.  Watch the video.  If you aspire to be a "high performing" team, you are 24X more likely to succeed against competitors if you accelerate your move to the public cloud.  In my "day job" we are watching our own slow motion train wreck.  I may write a sequel to In Search of Stupidity.




Saturday, May 16, 2020

Dial Out -- Zoom Features you should be using (1 of 10)

TL;DR


  1. On Windows type Alt-I ; on Mac type Command-I

  2. Type invitee-name <tab> invitee-phone-number

  3. Click "Call" button

Background


At my company we have standardized on the Zoom video conferencing software, replacing a handful of other expensive, bad, frustrating systems in our conference rooms, computers, and desktops.  Zoom has very many interesting features to explore that are not immediately obvious.  This article is part of a series I am writing to walk you through some of the most useful features.  (Screenshots in these articles are from a Mac.  The Windows and Mobile Zoom programs are almost identical.)

Dial out to a mobile phone

It is not hard to imagine you are in a Zoom meeting with a large number of people but someone with important information for a decision or action is not present.  No problem: add that person to your Zoom meeting by dial-out:


At the top of your Zoom application is a menu header called "Meeting:"

You can select the "Invite" option from the menu or use the keyboard shortcut (on a Mac the shortcut to add a participant to your meeting is command-I; on Windows it is Alt-I).


A dialog appears.  Fill in both the name and phone number.  Click the "Call" button.


The Reality Dysfunction by Peter F Hamilton


Great writing, terrible science, thrilling.  4/5 Stars.

Thursday, May 14, 2020

Istio services mesh resource list


Here is a cool github repository for resources and learning about the Istio services mesh.  I worked with the developers of Istio during early beta testing before the v1.0 release. The Istio developers discussed features my teams needed and how they would like to use them.  I love the approaches and design patterns Istio uses.  In particular, if you have a complex mesh with performance sensitive micro-services that do not connect through Istio, you can align logging time stamps of your services by logging to the same prometheus / grafana system.

Deserted Island DevOps

Sometimes you feel as if you woke up in the twilight zone.  The Deserted Island DevOps conference was held entirely inside a Nintendo Switch video game called "Animal Crossing New Horizons" and live-cast on twitch.tv.  Videos of the talks are here.

Tekton Toolkit

The field of DevOps toolkits and approaches to containerized public cloud continuous integration / continuous deployment (CI/CD) methods and tools is crowded. Older, failed approaches from companies that previously provided infrastructure management like Puppet Labs and Chef have transmogrified themselves to offer more modern approaches.

Puppet Labs has released part of their new framework as free open source software (FOSS); they call this toolkit Tekton (cool name).  Eric Sorenson takes us on a two-part tour of what's new in Tekton and what Puppet Labs plans to do with the toolkit other than evolving Jenkins-X.

Will it catch on?  Leave a comment.

Wednesday, May 13, 2020

Absolute Beginner's Guide to git actions from pull requests (GitOps)

Sander Knape takes us on a clear step-by-step explanation of git actions through the motivating example of auto-deployment from a pull request.  Oppa GitOps style!

internal "platform" products

Software developers enjoy calling their code libraries and reusable components a "platform." And they feel rewarded when other developers use their components, libraries, or APIs.  The fantastic service we enjoy from free, open source software (FOSS) platform components is a direct result of this propensity and "reward" the developers feel when others use their code.

All public cloud providers have profit-oriented "platforms" that include APIs, libraries, & components, with associated documentation, support, tutorials, videos, certifications, evangelists, and free consulting.  These "true" platforms are often very comfortable to use and can enable rapid development with less maintenance cost than from-scratch development, even when developers use open source components.

In most big companies, including where I work, large teams of developers are often tasked with building what they call internal "platforms." Unfortunately, these internal platforms have many challenges. Camille Fournier writes about a few of these challenges and her recommendations for remedies. The challenges she addresses are: a small, captive audience with whom it is hard to empathize, and an odd tendency to build too much into a platform that is never or infrequently used. Her remedies are spot on and I recommend you skim the article to see what worked for her.

Monday, May 11, 2020

5 terrible AWS services you should avoid -- for now


David Lin takes us on a fun adventure of how terrible a few AWS services are (currently) and why you should avoid them at least until their next major releases. For the impatient, the services are:
  1. Cognito
  2. CloudFormation
  3. ElastiCache
  4. Kinesis
  5. Lambda
I disagree with David on this last one (Lambda).  If you embrace our serverless no-ops future, then you must refactor your object models and separate your concerns differently in your designs to keep the right number of end-points for your needs and your organization.  David's argument is that if you were to factor your services his (per-end-point) way, you would have explosively many web functions.  I challenge his assumption.

Lots of good news!



Researchers have identified an antibody that blocks both SARS-CoV-1 and -2 from infecting cells in culture and have already obtained the DNA that encodes this specific antibody and have made a human version of it.  As the authors note, we already know that therapies and vaccines based on this approach are effective.

 

Coronaviruses code for big proteins that are inactive until they are cut into smaller pieces.  Proteases slice them into bad, functioning proteins. Inactivating the proteases would block viral infection. Existing, human-safe protease inhibitors were screened against SARS-CoV-2's enzymes. One of those, carmofur, turned out to be effective; this study shows how it's able to bind the SARS-CoV-2 protease and inactivate it.  Woot!
 
 
One more:  Where will we get all those human antibodies we need for treatments?  People are currently giving them away.  I think the evil insurance companies should pay the donors in a free, open market-based system.

Tuesday, May 5, 2020

security anti-patterns in your dev-ops design

The UK government has published this friendly guide to the most common anti-patterns they have observed in large companies across the commonwealth realm. And I personally have seen all of them recently. Uh oh.

Monday, May 4, 2020

Reminder about Testing Accuracy in a population


Here is a review of Bayes' Theorem and its application to remind us how estimations from small samples (even a million tests) are extremely inaccurate:

P(A|B) = P(Covid|Test) = P(Test|Covid) * P(Covid) / P(Test) =
  0.99 * 0.01 / (P(Test|Covid)*P(Covid) + P(Test|~Covid)*P(~Covid)) =
  0.99 * 0.01 / (0.99*0.01 + 0.01*0.99) = 0.5

This question is on every MCAT exam but doctors forget it as soon as they begin practicing.

continuous delivery oppa gitops style!

Back in 2017, Alexis Richardson coined the term "GitOps" to describe operations by pull requests.  Now, the container solutions folks have written a fun evaluation of FluxCD, ArgoCD and Jenkins-X to compare continuous delivery pipelines in what they call "GitOps Style."  Oppa gitops style! GitOps Style can be summarized by these rules:
  1. Store all Kubernetes resource configuration in Git
  2. Use only pull requests to modify resources on that Git repo
  3. Once Git is modified, apply changes to the cluster immediately and in a fully automated way
  4. If the actual state drifts from the desired state, either correct it or alert operators about it
The authors restrict their analysis to containerized kubernetes-managed environments.  But the principles apply broadly.
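
Rule 4 is the one that needs logic rather than process. The sketch below is an added example, not code from the evaluated tools or the linked article: it compares constructed desired and live resource maps while ignoring fields that only the cluster sets. The resource names, the `registry.example` image and the re-apply/alert policy in `plan()` are assumptions made for illustration.

```python
# Added example for GitOps rule 4 (drift); all resource data is constructed.
MISSING = "<missing>"

# Desired state, as it would be parsed from the manifests stored in Git.
DESIRED = {
    "Deployment/web": {"spec": {
        "replicas": 3,
        "template": {"spec": {"containers": [{
            "name": "web", "image": "registry.example/web:1.4.2",
            "securityContext": {"privileged": False}}]}},
    }},
    "NetworkPolicy/default-deny": {"spec": {"podSelector": {}}},
}

# Live state, as it would be read back from the cluster.
LIVE = {
    "Deployment/web": {
        "metadata": {"resourceVersion": "81234"},  # server-set, never in Git
        "spec": {
            "replicas": 3,
            "template": {"spec": {"containers": [{
                "name": "web", "image": "registry.example/web:1.4.2",
                "securityContext": {"privileged": True}}]}},  # edited by hand
        },
        "status": {"readyReplicas": 3},
    },
    "Deployment/debug-shell": {"spec": {"replicas": 1}},  # never went through a PR
}

def diff_fields(desired, live, path=""):
    """Yield (path, want, have) for each field Git declares that live does not match."""
    if isinstance(desired, dict) and isinstance(live, dict):
        for key, want in desired.items():
            child = f"{path}.{key}" if path else key
            if key in live:
                yield from diff_fields(want, live[key], child)
            else:
                yield child, want, MISSING
    elif (isinstance(desired, list) and isinstance(live, list)
          and len(desired) == len(live)):
        for i, (want, have) in enumerate(zip(desired, live)):
            yield from diff_fields(want, have, f"{path}[{i}]")
    elif desired != live:
        yield path, desired, live  # scalar mismatch, or lists of different length

def detect_drift(desired, live):
    """Return (resource, kind, path, want, have) findings, sorted by resource name."""
    findings = []
    for name in sorted(desired.keys() | live.keys()):
        if name not in live:
            findings.append((name, "missing", "", desired[name], MISSING))
        elif name not in desired:
            findings.append((name, "unmanaged", "", MISSING, live[name]))
        else:
            findings.extend((name, "changed", path, want, have) for path, want, have
                            in diff_fields(desired[name], live[name]))
    return findings

def plan(findings):
    """Assumed policy: re-apply what Git declares; alert on what Git never declared."""
    return [(name, "alert" if kind == "unmanaged" else "reapply")
            for name, kind, *_ in findings]
```

The `unmanaged` finding is routed to an alert rather than an automatic delete, so a resource created outside a pull request is reviewed before anything removes it.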

Sunday, May 3, 2020

Genghis Khan and the Quest for G-d by Jack Weatherford


Dense and well-researched, mildly interesting, interesting revelations and bizarre twists. 3/5 Stars.

Friday, May 1, 2020

Good news about vaccine development



ArsTech published a great round-up of the 102 vaccine candidates' progress today and Bill Gates wrote up some details about how quickly we are moving. In broader terms, the capability these efforts enable will be re-used in the future as we enhance the health of all humans to treat and contain infectious disease.

Martin Fowler on Branching strategies in software


Martin Fowler wrote a fantastic explanation of the best patterns for successful merging strategies, including my favorite short-lived feature branches pattern. Make sure to skim this one!