Effective OpenStack contribution: Seven things to avoid at all cost

There are numerous blogs and resources for the new and aspiring OpenStack contributor, providing tips, listing what to do. Here are seven things to avoid if you want to be an effective OpenStack contributor.

I wrote one of these.

There have been presentations at summits that share other useful newbie tips as well, here is one.

Project repositories often include a CONTRIBUTING.rst file that shares information for newcomers. Here is the file for the Trove project.

Finally, many of these resources include a pointer to the OpenStack Developer’s Guide.

Over the past three years, I have seen the same newbie mistakes repeated over and over again, and in thinking about some recent incidents, I have come to believe that the community has not done a good job documenting these “Don’t Do’s”.

So here is a start; here are seven things you shouldn’t do, if you want to be an effective OpenStack contributor.


1. Don’t submit empty commit messages

The commit message is a useful part of the commit: it informs reviewers about what the change is and how your proposed fix addresses the problem. In general (with the notable exception of procedural commits for things like releases or infrastructure), the commit message should not be empty. The words “Trivial Fix” do not suffice.

OpenStack documents best practices for commit messages. Make sure your commit message provides a succinct description of the problem, describes how you propose to fix it, and includes a reference (via the Closes-Bug, Partial-Bug or Related-Bug tags) to the Launchpad entry for the issue you are fixing.
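As an added illustration (not part of the original post, and not an OpenStack tool), here is a small checker that encodes the rules above: the message must not be empty, the subject must say more than “Trivial Fix”, there must be a description of the problem and fix, and there must be a Closes-Bug, Partial-Bug or Related-Bug line. The sample messages are constructed and the bug number is a placeholder.

```python
"""Check a commit message against the rules in the post above.

Added example; it is not OpenStack's own tooling. The placeholder subjects
below are an assumption about what a "says nothing" subject looks like.
"""
import re

# The standard OpenStack Launchpad reference tags, one per line.
BUG_TAG = re.compile(r"^(Closes|Partial|Related)-Bug:\s*#?\d+\s*$",
                     re.IGNORECASE | re.MULTILINE)
PLACEHOLDERS = {"trivial fix", "fix", "update", "wip"}


def check_commit_message(message: str) -> list:
    """Return a list of problems; an empty list means the message passes."""
    problems = []
    lines = [line.rstrip() for line in message.strip().splitlines()]
    if not lines:
        return ["commit message is empty"]
    subject, body = lines[0], [l for l in lines[1:] if l.strip()]
    if subject.strip().lower() in PLACEHOLDERS:
        problems.append(f"subject '{subject}' says nothing about the change")
    # A body made only of tag lines still describes neither problem nor fix.
    if not body or all(BUG_TAG.match(l) for l in body):
        problems.append("no description of the problem or of the proposed fix")
    if not BUG_TAG.search(message):
        problems.append("no Closes-Bug/Partial-Bug/Related-Bug reference to Launchpad")
    return problems


# Constructed sample messages; the bug number is a placeholder.
GOOD = """Retry guest heartbeat on transient messaging errors

A lost heartbeat during a broker failover left instances marked ERROR.
Wrap the heartbeat call in a bounded retry so a single dropped message
no longer changes instance state.

Closes-Bug: #1000000
"""
BAD = "Trivial Fix\n"

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_commit_message(msg) or "ok")
```

Run it against a message on stdin or wire it into a local git hook; a non-empty list is what a reviewer would otherwise have to point out by hand.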


2. Don’t expect that reviews are automatic

In OpenStack, reviewing changes is a community activity. If you propose changes, they get merged because others in the community contribute their time and effort in reviewing your changes. This wouldn’t work unless everyone participates in the review process.

Just because you submitted some changes, don’t expect others to feel motivated or obligated to review your changes. In many projects, review bandwidth is at a premium and therefore you will have a better chance getting your change reviewed and approved if you reciprocate and review other people’s changes.


3. Don’t leave empty reviews

When you review someone’s code, merely adding a +1 serves no useful purpose. At the very least, indicate what you did with the change. Equally useful is to say what you did not do.

For example, you could indicate that you only reviewed the code and did not actually test it out. Or you could go further and download and test the patch set and indicate in your review comment that you tested the change and found it to work. On occasion, such as when I review a change for the first time, I will indicate that I have reviewed the changes but not the tests.

Feel free to ask questions about the change if you don’t follow what is being done. Also, feel free to suggest alternate implementations if you feel that the proposed implementation is not the best one for some reason(s).

Don’t feel shy about marking changes with a -1 if you feel that it is not ready to merge for some reason.

A drive-by +1 is a generally unhelpful activity, and if you persist at doing that, others in the community will tend to discount your reviews anyway.


4. Don’t game the Stackalytics system

By far the most egregious violation I’ve seen is when people blatantly try to game the Stackalytics system. Stackalytics is a tool that tracks individual and company participation in OpenStack.

Here, for example, is the Stackalytics page for the Trove project in the current release:

Reviews: http://stackalytics.com/?module=trove-group

Commits: http://stackalytics.com/?module=trove-group&metric=commits

It allows you to see many metrics in a graphical way, and allows you to slice and dice the data in a number of interesting ways.

New contributors, bubbling with enthusiasm, often fall into the trap of trying to game the system and rack up reviews or commits. This can end very badly for you if you go down this route. For example, a very enthusiastic person recently showed up with a change that was blasted out to about 150 projects, attempting to add a CONTRIBUTING.rst file to each of them. What ensued is documented in this mailing list thread:

A few of the changes were merged before they were reverted, the vast majority were abandoned.

Changes like this serve no real useful purpose. They also consume an inordinate amount of resources in the CI system. I computed that the little shenanigan described above generated approximately 1050 CI jobs and consumed about 190 hours of time on the CI system.

I admit that numbers are important and they are a good indication of participation. But quality is a much more important metric because quality is an indicator of contribution. And I firmly believe that participation is about showing up, contribution is about what you do once you are here, and contribution is a way more important thing to aim for than participation.


5. Don’t ignore review comments

Finally, when you’ve submitted a change, and people review and provide comments, don’t ignore them. If you are serious about a change, you will stay with it till it gets merged. Respond to comments in a timely manner, if only to say that you will come back with a new patch set in some time.

If you don’t, remember that review bandwidth is a scarce resource and in the future your changes may get scant attention from reviewers. Others who review your changes are taking time out of their schedules to participate in the community. At the very least you should recognize and respect that investment on their part and reciprocate with timely responses.


6. Don’t be shy

And above all, if you aren’t sure how to proceed, don’t be shy. Post a question on the mailing list if you aren’t sure what to do about something. If that’s too public for you (and that’s perfectly alright), ask the question on the IRC channel for the project in question. If that is too public, find someone who is active on the project (start with the PTL) and send that person an email.

An important aspect of the PTL role is fielding those questions, and all of us (PTLs) receive several of these questions each month. Not sure whom to ask? Then toss the question out on IRC in #openstack or #openstack-dev and you should receive an answer before long.


7. Don’t be an IRC ghost

An important thing to remember about IRC is that it is an asynchronous medium, so don’t expect answers in real time. The OpenStack community is highly distributed, but it is most active during daylight hours, Monday to Friday, US time. If you pop up on IRC, ask a question and then disappear, you may not get your answer. If you can’t stick around on IRC for a long time, post your question to the mailing list instead.

But better still, there are many ways in which you can connect to IRC and leave the connection up (so you can read the scrollback), or find some other mechanism to review the scrollback (like eavesdrop.openstack.org) to see if your question was answered.


If you have your own pet peeve, please share it in the comments section. I hope this will become a useful resource for aspiring OpenStack contributors.

Addressing a common misconception regarding OpenStack Trove security

Since my first OpenStack Summit in Atlanta (mid 2014), I have been to a number of OpenStack-related events, meetups, and summits. And at every one of these events, as well as numerous customer and prospect meetings, I’ve been asked some variant of the question:

Isn’t Trove insecure because the guestagent has RabbitMQ credentials?

A bug was entered in 2015 with the ominous (and factually inaccurate) description that reads “Guestagent config leaks rabbit password”.

And while I’ve tried to explain to people that this is not at all the case, this misconception has persisted.

At the Summit in Barcelona, I was asked yet again about this and I realized that obviously, whatever we in the Trove team had been doing to communicate the reality was insufficient. So, in preparation for the upcoming Summit in Boston, I’m writing this post as a handy resource.

What is the problem?

Shown here is a simplified representation of a Trove system with a single guest database instance. The control plane components (Trove API, Trove Task Manager, and Trove Conductor) and the Guest Agent communicate via oslo.messaging which is typically implemented with some messaging transport like RabbitMQ.

To connect to the underlying transport, each of these four components needs to store credentials; for RabbitMQ, this is a username and password.

The contention is that if a guest instance is somehow compromised (and there are many ways to do this) and a bad actor gains access to the RabbitMQ credentials, then the OpenStack deployment is compromised.

Why is this not really a problem?

Here are some reasons this is not really an issue on a properly configured production system.

  1. Nothing requires that Trove use the same RabbitMQ servers as the rest of OpenStack. So at the very least, the compromise can be limited to the RabbitMQ servers used by Trove.
  2. The guest instance is not intended to be a general-purpose instance that a user has access to; in the intended deployment, the only connectivity to the guest instance would be to the database ports for queries. These are configurable with each database (datastore) and enforced by Neutron. Shell access (port 22, ssh) is a no-no. No deployer would use images and configurations that allowed this kind of access.
  3. On the guest instance, other database specific best practices are used to prevent shell escapes and other exploits that will give a user access to the RabbitMQ credentials.
  4. Guest instances can be spawned by Trove using service credentials, or credentials for a shadow tenant to prevent an end user from directly accessing the underlying Nova instance. Similarly Cinder volumes can be provisioned with a different tenant to prevent an end user from directly accessing the underlying volume.

All of this notwithstanding, the urban legend was that Trove was a security risk. The reason invariably involved a system configured by devstack, with a single RabbitMQ, open access to port 22 on the guest, run in the same tenant as the requestor of the database.

Yet, one can safely say that no one in their right mind would operate OpenStack as configured by devstack in production. And certainly, with Trove, one would not use the development images whose elements are part of the source tree in a production deployment.

Proposed security-related improvements in Ocata

In the Ocata release, one additional set of changes has been made to further secure the system. All RPC calls on the oslo.messaging bus are completely encrypted. Furthermore, different conversations are encrypted using unique encryption keys.

The messaging traffic on oslo.messaging is solely for oslo_messaging.rpc, the OpenStack Remote Procedure Call mechanism. The API service makes calls into the Task Manager, the Task Manager makes calls into the Guest Agent, and the Guest Agent makes calls into the Conductor.

The picture above shows these different conversations, and the encryption keys used on each. When the API service makes an RPC call to the Task Manager, all parameters to the call are encrypted using K1 which is stored securely on the control plane.

Unique encryption keys are created for each guest instance, and these keys are used for all communication. When the Task Manager wishes to make a call to Guest Agent 1, it uses the instance specific key K2, and when it wants to make a call to Guest Agent 2, it uses the instance specific key K3. When the guest agents want to make calls to the Conductor, the traffic is encrypted using the instance specific keys and the conductor decrypts the parameters using those instance specific keys.

In a well configured production deployment, one that takes steps to secure the system, if a bad actor were to compromise a guest instance (say Guest Agent 1) and get access to K2 and the RabbitMQ Credentials, the user could access RabbitMQ but would not be able to do anything to impact either another guest instance (he wouldn’t have K3) or the Task Manager (he wouldn’t have K1).

Code that implements this capability is currently in upstream review.
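The following is an added illustration of the key-isolation argument above; it is not Trove’s code and the cipher it uses is not the one in the upstream change. It uses only the Python standard library: an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the real encryption. The key names K1, K2 and K3 follow the post; the topic names, the Conductor class and the method names are constructed for the example. It plays out the scenario in the text: guest 1 is compromised, K2 and the broker credentials leak, and the attacker can still neither read the Task Manager’s traffic nor impersonate guest 2.

```python
"""Per-conversation RPC keys on a shared message bus (added example, not Trove code)."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(conversation_key: bytes, purpose: bytes) -> bytes:
    """Separate encryption and authentication keys derived from one conversation key."""
    return hmac.new(conversation_key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode to produce a keystream."""
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def seal(conversation_key: bytes, params: dict) -> bytes:
    """Encrypt RPC parameters under a conversation key: nonce | ciphertext | tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = json.dumps(params, sort_keys=True).encode()
    stream = _keystream(_subkey(conversation_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(conversation_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(conversation_key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt. Raises ValueError for a wrong key or a tampered blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(conversation_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong conversation key or tampered message")
    stream = _keystream(_subkey(conversation_key, b"enc"), nonce, len(ciphertext))
    return json.loads(bytes(c ^ s for c, s in zip(ciphertext, stream)))


class Conductor:
    """Control-plane service that keeps every instance key and decrypts with the sender's key."""

    def __init__(self, instance_keys: dict):
        self._keys = dict(instance_keys)

    def handle(self, instance_id: str, blob: bytes):
        """Return the decrypted call, or None if the message is not under that instance's key."""
        try:
            return open_sealed(self._keys[instance_id], blob)
        except (KeyError, ValueError):
            return None


def demo() -> dict:
    """Guest 1 is compromised: the attacker holds K2 plus the RabbitMQ credentials."""
    k1, k2, k3 = (secrets.token_bytes(32) for _ in range(3))  # control plane, guest 1, guest 2
    conductor = Conductor({"guest-1": k2, "guest-2": k3})
    task_manager_call = seal(k1, {"method": "create_instance", "name": "db-1"})  # API -> Task Manager
    to_guest2 = seal(k3, {"method": "restart"})                                   # Task Manager -> Guest 2
    legit = conductor.handle("guest-1", seal(k2, {"method": "heartbeat", "status": "ACTIVE"}))

    def attacker_can_open(key, blob):
        try:
            open_sealed(key, blob)
            return True
        except ValueError:
            return False

    return {
        "legit_heartbeat": legit,
        "attacker_reads_task_manager_call": attacker_can_open(k2, task_manager_call),
        "attacker_reads_guest2_traffic": attacker_can_open(k2, to_guest2),
        # Impersonating guest 2 fails: the conductor tries K3 and the tag does not verify.
        "forged_guest2_heartbeat": conductor.handle("guest-2", seal(k2, {"method": "heartbeat", "status": "ERROR"})),
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The design point is that the conductor looks up the key by instance, so a message claiming to be from guest 2 is checked against K3 and rejected; broker access alone lets the attacker put bytes on the bus, but not bytes anyone will act on.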


This blog post resulted in a brief Twitter exchange with Adam Young (@admiyoung):

Unfortunately, a single user (in RabbitMQ) for Trove isn’t the answer. Should a guest get compromised, then those credentials are sufficient to post messages to RabbitMQ and cause some amount of damage.

One would need per guest instance credentials to avoid this; or one of the many other solutions (like shadow tenants, etc).

Amazon’s demented plans for its warehouse blimp with drone fleet 

Amazon’s demented plans for its warehouse blimp with drone fleet http://arstechnica.com/information-technology/2016/12/amazons-demented-plans-for-its-warehouse-blimp-with-drone-fleet/?amp=1

Shit like this is what gives patents a bad name!

New law protects your right to review

President Signs Law Protecting Your Right to Review https://www.eff.org/deeplinks/2016/12/president-signs-law-protecting-right-review

I did not know that companies could (and had been) doing this. 

4 Beginner Tips for Doing Architecture Photography

4 Beginner Tips for Doing Architecture Photography http://digital-photography-school.com/4-beginner-tips-for-doing-architecture-photography/

A great article from Digital Photography School. I especially like the picture of the temple at dusk, wonder where that is.

Another look at IFTTT

In March 2012 (that’s a while ago) I wrote this article about a new service I’d discovered called IF-This-Then-That.

Now, almost five years on, IFTTT has come a long way. Just looking at the channels (they now call them services) it is amazing how far they’ve come. Quite amazing.

Time to go revisit IFTTT. It still amazes me that they are a free service.

Facebook at a Crossroads

Interesting article in MIT Technology review at https://www.technologyreview.com/s/603198/facebook-at-a-crossroads/.

More than half of the 3.4 billion people with Internet access log on to Facebook each month. Revenue in the first nine months of 2016 jumped 36 percent to $19 billion; profit nearly tripled, to $6 billion. Yet the company’s founder has spent the year talking up his plans to become something much larger and more meaningful.

With the election now over, the coming crackdown on fake news, and getting mired in the censorship controversy after blocking the video stream of Philando Castile after he was shot in Minnesota surely didn’t help.

I wonder how much all these things will affect Facebook, and how much that is driving the urge to do unnatural things.

Drones, Virtual Reality, get a grip …

The case(s) for and against PGP

When I read I’m throwing in the towel on PGP, and I work in security, which appeared as an Op-ed in ArsTechnica, I felt that it certainly deserved a response. While Filippo Valsorda makes some valid points about PGP/GPG, I felt that they were less about shortcomings in the scheme and rather usability issues that have been unfortunately ignored.

Then I read “Why I’m not giving up on PGP“,  an excellent article, also in ArsTechnica, and it does a much better job of refuting the article than I could ever have done.

Both are well worth the read.

May I please get whatever Windows version powers the Dreamliner?

It is being widely reported that the FAA has issued an Airworthiness Directive (AD) requiring that Boeing 787 Dreamliners be rebooted every 21 or so days.

This is not a hoax.

This is the AD issued by the FAA on 2016-09-24; I obtained a copy of this AD from here.

The AD states:

This AD requires repetitive cycling of either the airplane electrical power or the power to the three flight control modules (FCMs). This AD was prompted by a report indicating that all three FCMs might simultaneously reset if continuously powered on for 22 days. We are issuing this AD to address the unsafe condition on these products.

A little investigation indicates that this isn’t the first time the FAA has had to do this. The last time they had to do something like this was in 2015-09, when they issued this AD, which I obtained from here. That AD was more specific about the reason for the problem, stating:

This condition is caused by a software counter internal to the GCUs that will overflow after 248 days of continuous power.

It has been widely rumored that the present AD about the 21-day action is similarly motivated; the logic is that a timer with millisecond precision will overflow after about 24 days.

This is all very droll, and I hope to hell that they power cycle their planes on the ground regularly and all that. My only question is this: since they are in fact running Windows under the covers, how on earth are they able to keep the thing going for 21 days?

With Windows 7 that was a piece of cake, but this new Windows 10 that I have wants to reboot every night and I don’t have any say in the matter.

So whatever Boeing did to keep the damn thing going for 21 days, it would be great if they shared that with the world.
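The overflow arithmetic behind both directives, as an added example (not from the FAA or Boeing): the tick periods are assumptions chosen because they reproduce the figures quoted above, namely a signed 32-bit counter of 10 ms ticks wrapping after about 248 days and one of 1 ms ticks after about 24.8 days. The function is general in counter width and signedness, so it also answers the question for other counters a reviewer might find in a code base.

```python
"""Uptime before a fixed-width tick counter wraps (added example, not from the ADs)."""

SECONDS_PER_DAY = 86_400


def overflow_days(tick_seconds: float, bits: int = 32, signed: bool = True) -> float:
    """Days of continuous power before a `bits`-wide counter of `tick_seconds` ticks overflows."""
    max_ticks = 2 ** (bits - 1) if signed else 2 ** bits
    return max_ticks * tick_seconds / SECONDS_PER_DAY


def reboot_interval_days(tick_seconds: float, bits: int = 32, signed: bool = True,
                         margin: float = 0.9) -> float:
    """A power-cycle interval that stays inside the overflow horizon with some safety margin."""
    return overflow_days(tick_seconds, bits, signed) * margin


if __name__ == "__main__":
    # Tick periods are assumed; they are what reproduce the 248-day and ~24-day figures.
    for label, tick in (("GCU counter, 10 ms ticks (assumed)", 0.01),
                        ("FCM timer, 1 ms ticks (assumed)", 0.001)):
        print(f"{label}: wraps after {overflow_days(tick):.1f} days, "
              f"power cycle every {reboot_interval_days(tick):.1f} days")
```

A counter that counts milliseconds in an unsigned 32-bit field lasts twice as long (about 49.7 days), which is why the signedness assumption matters as much as the tick rate when estimating such a horizon.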

The Monty Hall problem

I’ve long wanted a simple explanation of the Monty Hall problem and I’ve never found one that I liked. Some I really detested like one that tried to make some lame analogy to baseball pitchers.

Anyway, here is what I’ve found to be the simplest explanation yet. First, what’s the problem.

In a game show, the contestant is shown into a room with three identical closed doors. He is informed that behind one door is a prize and behind the other two doors, there is nothing.

He is then asked to pick a door. Once he has picked a door, the host proceeds to open one of the other two doors (that he had not picked) and shows the contestant that there is nothing behind that door.

The host then offers the contestant the option of either changing his selection (picking the third remaining door), or sticking with his initial choice.

What should the contestant do?

The simplistic answer is that once the contestant has been shown that there is nothing behind one door, the problem reduces to two doors and therefore the odds are 50-50 and the contestant has no motivation to switch.

In reality, this is not the case, and the contestant would be wise to switch. Here is why.

Three doors: behind one of them is the prize; behind the other two, there is nothing.

The contestant now picks a door. For the purposes of this illustration, let’s assume that the contestant picks the door in the middle as shown below.

Since the prize is behind one of the three doors, the odds that the prize is behind the door that the contestant has picked are 1/3. By extension, therefore, the probability that it is behind one of the other two doors is 2/3 (1/3 for each of the doors).

So far, we’re all likely on solid footing, so let’s now bring in the twist. The game show host can always find a door behind which there is nothing. And as shown below, he does.

The game show host has picked the third door, and there’s nothing there.

However, nothing has changed the fact that the probability that the prize was behind the door that the contestant chose is 1/3 and the probability that it is behind one of the other two doors is 2/3. What has changed is that the host has revealed that it is not behind the door at the far right. If then the probability that it is behind the far left door and the far right door (the two doors that the contestant did not pick) is 2/3, we can say that the probability that it is behind the far left door has to be 2/3.

With this new information therefore, the contestant would be wise to switch his choice.
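Here is the argument above checked two ways, as an added example that is not part of the original post: an exact enumeration over every (prize, pick) combination, and a seeded simulation of the game. The enumeration generalises to n doors where the host opens all but one of the unchosen doors, in which case switching wins with probability (n-1)/n; the three-door case in the post is n = 3.

```python
"""Monty Hall: exact enumeration plus a simulation (added example, not from the post)."""
from fractions import Fraction
import random


def switch_win_probability(doors: int = 3) -> Fraction:
    """Exact probability that switching wins, enumerating prize and pick positions."""
    wins = Fraction(0)
    for prize in range(doors):
        for pick in range(doors):
            # The host can always open a non-prize, non-picked door, so the reveal
            # changes nothing about where the prize is: switching wins exactly when
            # the initial pick was wrong, which happens (doors - 1) times out of doors.
            if pick != prize:
                wins += Fraction(1, doors * doors)
    return wins


def simulate(trials: int, switch: bool, doors: int = 3, seed: int = 1) -> float:
    """Monte Carlo estimate of the win rate for the stay or switch strategy."""
    rng = random.Random(seed)  # seeded so the estimate is reproducible
    wins = 0
    for _ in range(trials):
        prize = rng.randrange(doors)
        pick = rng.randrange(doors)
        # The host leaves exactly one unchosen door closed: the prize door if the
        # pick was wrong, otherwise a random empty one.
        closed_others = [d for d in range(doors) if d != pick and d != prize]
        remaining = prize if pick != prize else rng.choice(closed_others)
        final = remaining if switch else pick
        wins += final == prize
    return wins / trials


if __name__ == "__main__":
    print("exact, 3 doors, switch:", switch_win_probability())
    print("simulated, 3 doors, switch:", simulate(20_000, switch=True))
    print("simulated, 3 doors, stay:  ", simulate(20_000, switch=False))
```

The simulation is the more convincing form for a sceptical reader because it never reasons about probabilities at all; it just plays the game many times and counts.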

Defining Success in OpenStack (With Heisenberg in Mind)

This article first appeared at http://www.tesora.com/defining-success-in-openstack/

I recently read Thierry Carrez’s blog post where he references a post by Ed Leafe. Both reminded me that in the midst of all this hand wringing about whether the Big Tent was good or bad, at fault or not at fault, and whether companies were gaming the system (or not), the much bigger issue is being ignored.

We don’t incentivize people and organizations to do the things that will make OpenStack successful, and this shortcoming poses a real and existential threat to OpenStack.

Werner Heisenberg observed that the act of measuring the position of a sub-atomic particle affected its momentum and vice-versa. In exactly the same way, the act of measuring an individual’s (or organization’s) performance in some area impacts that performance itself.

By measuring commits, lines of code, reviews and other such metrics that are not really measures of OpenStack’s success, we are effectively causing individuals and organizations to do the things that make them appear “good” on those metrics. They aren’t “gaming the system”, they are trying to look good on the measures that you have established for “success”.

At Tesora, we have always had a single-minded focus on a single project: Trove. We entered OpenStack as the DBaaS company, and have remained true to that. All the changes we have submitted to OpenStack, and the reviews and participation by Tesora have been focused on the advancement of DBaaS. We have contributed code, documentation, tests, and reviews that have helped improve Trove. To us, this single minded focus is a good thing because it has helped us advance the project, and to make it easier for people to deploy and use it in practice. And to us, that is the only thing that really matters.

The same is true for all of OpenStack. Actual adoption is all that matters. What we need from the Technical Committee and the community at large is a concerted effort to drive adoption, and to make it easier for prospects to deploy and bring into production a cloud based on OpenStack. And while I am a core reviewer, and I am the Trove PTL, and I wrote a book about Trove, and our sales and marketing team do mention that in customer engagements, we do that only because they are the “currency” in OpenStack. To us, the only things that really matter are ease of use, adoption, a superlative user experience, and a feature-rich product. Without that, all this talk about contribution, and the number of cores and PTLs, is as completely meaningless as whether the Big Tent approach resulted in a loss of focus in OpenStack.

But, remember Heisenberg! Knowing that what one measures changes how people act means that it would be wise for the Technical Committee to take the leadership in defining success in terms of things that are surrogates for ease of installation, ease of deployment, the number of actual deployments, and things that would truly indicate the success of OpenStack.

Let’s stop wasting time defending the Big Tent. It was done for good reasons, it had consequences. Realize what these consequences are, perceive the reality, and act accordingly.

10 ways to make Windows computers safer

These days everyone knows someone whose computer was hacked; everyone has heard of others who have been hit by ransomware, and who have suffered significant losses as a result. The losses are sometimes financial, but often they are non-monetary, like losing all family photographs, music, files, and so on.

While it is not possible to entirely prevent these kinds of things, there are some easy steps that we can all take to considerably minimize the likelihood of this kind of thing. It is however equally the case that the majority of these things also make it a little harder to use our computers, and this is by design.

The primary reason why people fall victim to these attacks is complacency, or letting one’s guard down for just a moment. The simple tips below try to prevent that by making it just a little bit harder for you do yourself harm in this way. So here are some tips that I believe we can all take to improve our computers security. I write them from the perspective of a Windows user; if you are a user of a Mac, similar things apply to you but I don’t use a Mac so I don’t know what they are. And, if you are one of those few Linux users, you are likely a nerd anyway and probably can figure this stuff out for yourself.

There used to be a time when the #1 way to make Windows computers safer was to move to a Mac. That is unfortunately not true any longer. Macs are also vulnerable to many of the exploits that we see these days.

  1. Don’t login as an Administrator user; restrict administrator privileges

One of the horrible things that Windows does on initial installation is to ask you for your name, and setup an account for you. And it makes that user an Administrator. In my experience, most home computer users regularly login using that account.

When setting up a computer, always create a user who will be an administrator, and after the computer is setup, create a regular user who is a standard user. It should look something like this when you look at the users settings.

If the account(s) that are commonly used on your computer are Administrators, do this:

  • Create a new user on your machine with a name like “MyComputerAdministratorDingDong” and make that user an Administrator.
  • Login as “MyComputerAdministratorDingDong” and change the accounts that you regularly use to be a Standard User. If this is a shared computer, this means all users become Standard Users.
  • Ensure that the password MyComputerAdministratorDingDong is long and different from your own password; and don’t tell everyone what it is.
  • Update Windows User Account Control (UAC) to be paranoid and prompt you on all changes to the computer.

What have you accomplished here?

By making all common users Standard Users, you have made it harder for exploits which typically require Administrator privilege to, well, exploit.

When someone wants to install software, make changes to your computer, and so on they will need to be the Administrator, and will need the password to the “MyComputerAdministratorDingDong” account. This does make it mildly harder to use the computer, but it is a worthwhile safeguard.

  2. Look at all the software on your machine and uninstall things that you don’t recognize

Over time, computers accumulate cruft. And if your computer wasn’t secured as described above, you are likely to find lots of cruft. Uninstall anything that you don’t recognize, or don’t use now.

What have you accomplished here?

In addition to potentially making your computer quicker, you have also removed all potentially suspicious software from your machine. Should you need one of them later, you can certainly add it back.

  3. Get yourself a good Anti-Virus software package

It is amazing that this is still something one has to list. Most ISPs offer Anti-Virus software for free: download and install it. If your ISP doesn’t, purchase one and install it.

Windows 8 and 10 come with Defender. In my experience it is not quite as good as commercial Anti-Virus software packages. While Defender is free, it is worth getting something else at this stage; maybe someday soon Defender will be better.

What have you accomplished here?

Anti-virus software is an essential part of your protection plan. Make sure you have one; and Windows Defender isn’t (today) the answer.

  4. Change your WiFi password and make it something that is hard to guess, preferably obscene

This should be self-explanatory but passwords like “password”, “homewifi”, and “xfinity” are just too easy to guess! Make it something that is hard to pronounce, uses numbers and punctuation.

My preference is to make it something obscene, that way you won’t be yelling it out to people you meet.

That last thing is something I advocate for all passwords, make them words that you will not utter in public; does wonders for password security.

What have you accomplished here?

Getting on a network with other computers is one of the ways in which a bad actor could infect your computers. By making it harder to get on your network, you have added a layer of protection to your network.

  5. Only allow secure computers on your homegroup, and your home WiFi network

Most households with more than one computer likely share a homegroup and share files, music, and pictures on the homegroup.

If you are not able to secure a computer (as described above), kick that computer off your homegroup and move it to a Guest WiFi network.

So, what do I do about my internet-connected TVs, phones, and other devices which I can’t secure in this way? You could do one of two things: either get another cheap WiFi access point for those, or put them on the Guest WiFi network as well.

What have you accomplished here?

Your homegroup should be a safe space. By eliminating all potentially unsafe actors from the homegroup, you have improved the level of safety there.

  6. No matter how you read email, don’t click on links that you don’t recognize

Phishing, link hijacking, and numerous other nasty things that cause harm to your computer are caused by clicking on links. So if you receive email that includes links, buttons, and other calls to action, think before you click. Hovering over a link or a button will typically reveal what the action will be.

There is no easy way to tell someone how to recognize a fake email message; scammers are quite sophisticated these days. So just be safe and don’t click on things unless you are really sure you know what you are doing.

But, you can remember these simple tips:

  • Banks, Financial Institutions, and most legitimate businesses will address emails to you by name; not “Dear Customer”. If the email does not address you by name, it is likely bogus.
  • If you get an email saying your account has been terminated, will be terminated, has been compromised and you need to take immediate action, don’t click on the link provided. Instead find the link to login to whatever account, institution, or website and login directly. If the link is real, that’s fine, you at least know where you are going. And if it is a fake, you will realize it very quickly when you find that your account is fine!
  • If you get email saying “someone in your contact list has shared a document with you” it is a fake; services like Dropbox will tell you who shared the file with you.

What have you accomplished here?

Many exploits require you to take an action that triggers the installation of the bad software. By taking these steps, you have made it harder for this to happen.

  7. Disable automatic downloads, disable automatic showing of images

Web browsers and email clients allow you to set these privacy options. And they are well worth setting.

Search for directions for your specific browser and email client and make these changes.

What have you accomplished here?

Many exploits require you to take an action that triggers the installation of the bad software. Automatic downloads and infection buried in some image file formats are one way in which bad actors get around this. By taking the steps described here, you have made it harder for this to happen.

  8. Enable a screen-saver (with a lock and a timeout)

This is particularly important for laptops and computers in shared areas. Enable a timeout and a lock screen. When you step away from the keyboard, lock the computer (Windows Key-L). Require a password to unlock the computer.

What have you accomplished here?

An unlocked computer is an invitation for someone to meddle. A locked computer (with a good password) is significantly harder for one to damage.

  9. Disable autoplay USB

One of the most common sources of malware, viruses, and other nasty stuff is shared USB drives. Disabling autoplay along with the steps above can significantly improve the security of your machine.

If you are given a USB drive, consider the source carefully. I prefer to just say “No” and ask people to email the document(s) to me, or to put them on a shared drive like Dropbox.

What have you accomplished here?

Recently a new breed of exploits merely requires someone to plug a rogue USB stick into your machine, and the malware gets installed automatically because of autoplay. By disabling autoplay, you make this harder (not impossible).

  1. Disable USB ports

And if you want to be truly sure, here’s what I do with my laptop when I travel. Reboot the machine to BIOS and disable the USB ports.

That way, when the friendly gentleman comes along and gives you a document on a USB stick, you can safely say it doesn’t work (then blame your IT department for it). If the person insists that he can fix it, you are still safe because no matter how much he jiggles the USB stick in the port, it won’t work.

On one occasion, a particularly persistent (read: pesky) individual said he knew what was wrong, that the port was disabled in the BIOS. And he went to reboot the computer to BIOS and sure enough “My IT Department” had set a password on that and damn them because I don’t know what it is.

What have you accomplished here?

Similar to the earlier step, you make it much harder for bad actors to infect your computer using the USB port as the attack vector.
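As an added example (not part of the original post), here is a PowerShell audit for two of the steps above on Windows, the one platform the post names: it reads the standard per-user Desktop and Explorer policy registry keys, which are assumed to be where these settings live on your Windows version, and reports whether the locking screen saver and the AutoRun suppression are in effect.

```powershell
# Added example, not from the original post: audit the Windows settings behind two
# of the steps above (a locking screen saver, AutoRun for removable media).
# Registry locations are the standard per-user Desktop and Explorer policy keys
# (assumed for this illustration); the machine-wide policy key is read first
# because it overrides the user value. The BIOS-level USB step cannot be checked
# from inside the OS.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return the value, or $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ScreenSaverLock {
    $desk    = 'HKCU:\Control Panel\Desktop'
    $active  = Get-RegValue -Path $desk -Name 'ScreenSaveActive'
    $secure  = Get-RegValue -Path $desk -Name 'ScreenSaverIsSecure'
    $timeout = [int](Get-RegValue -Path $desk -Name 'ScreenSaveTimeOut')   # seconds
    [pscustomobject]@{
        Check  = 'Screen saver enabled, times out, and requires a password'
        Pass   = ($active -eq '1') -and ($secure -eq '1') -and ($timeout -gt 0)
        Detail = "ScreenSaveActive=$active ScreenSaverIsSecure=$secure ScreenSaveTimeOut=${timeout}s"
    }
}

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is suppressed;
    # 0xFF (255) covers every drive type, including removable USB media.
    $paths = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer')
    $value = $null
    foreach ($p in $paths) {
        $v = Get-RegValue -Path $p -Name 'NoDriveTypeAutoRun'
        if ($null -ne $v) { $value = $v; break }
    }
    $detail = if ($null -eq $value) { 'NoDriveTypeAutoRun not set (Windows default applies)' }
              else { "NoDriveTypeAutoRun=$value (0x{0:X})" -f $value }
    [pscustomobject]@{
        Check  = 'AutoRun disabled for all drive types'
        Pass   = ($value -eq 255)
        Detail = $detail
    }
}

@((Test-ScreenSaverLock), (Test-AutoRunDisabled)) | Format-Table -AutoSize
```

Run it from a normal user session; a row with Pass set to False tells you which of the two steps still needs doing on that machine.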

As you can likely see, each of these steps will make it just a little bit harder to use and enjoy your computer. But as the adage goes, “no pain, no gain”.

Enabling hacking extensions: The right way

Of late, I wake up every morning revving to go and work on the next cool thing in Trove and I see that overnight some well-meaning person has contributed a change that looks something like this:

String interpolation should be delayed to be handled by the logging code, rather than being done at the point of the logging call.
Ref: http://docs.openstack.org/developer/oslo.i18n/guidelines.html#log-translation
For example:
# WRONG
LOG.info(_LI('some message: variable=%s') % variable)
# RIGHT
LOG.info(_LI('some message: variable=%s'), variable)

And the code submitted fixes a small number (let’s say 5) of places where strings sent to logging are rendered.

As I said at the TC-Board meeting in Barcelona, these well-meaning people are actually submitting what on the face of it appear to be valid corrections to the code. Yet, I submit to you that these changes represent a scourge that we should stamp out.

I know for a fact that in Trove there are (currently) 751 occurrences of this particular style error. This is the hacking extension H904, and when enabled in Trove, I get this:

$ tox -e pep8 | grep H904 | wc -l
751

That’s the catch: Trove does not enable this hacking extension. A quick look indicates that only Neutron does.

Why are these well-meaning changes a scourge? Here’s why …

  • Fixing a small fraction of these errors without preventing them from recurring does not materially improve a project.
  • Each of these changes consumes considerable CI resources to verify and get approved.
  • Each of these changes takes time for someone to review, time which could be better spent fixing these problems properly.

So, I submit to you that if you want to submit a patch to fix one of these hacking issues, here is the right way. Of course, I’m opinionated, I’m going to reference one of my own changes as an example!

  1. If your project does not have hacking extensions, this commit shows you what you have to do to enable that. You may have to bump test-requirements.txt and update the version of hacking that you use in order to use the ‘enable-extensions’ option.
  2. Enable the hacking rule or extension for the particular style issue at hand; let’s illustrate with H203. H203 ensures that we use assertNone() and not assertEqual(None, …).
  3. Run the pep8 test against the project and find and correct all places where the failure occurs. Typically this is accomplished by just running ‘tox -e pep8’.
  4. Test that the code does in fact work as expected; correcting style guidelines can introduce functional errors so make sure that the unit tests pass too. Typically this is accomplished by running ‘tox -e py27 -e py34’.
  5. Actually exercise the system: launch it with devstack and the project enabled, and put it through its paces. In the case of Trove, actually build a guest and launch a database or two.
  6. Then submit your change for review, including the change to tox.ini that enables the hacking rule.
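As an added example (not the hacking project’s own implementation, whose H904 and H203 checks are written differently), here is an ast-based checker that flags the two patterns discussed above: eager %-interpolation in LOG calls and assertEqual(None, …). The LOG name, the _L* translation markers and the WRONG/RIGHT lines come from the commit message quoted above; the sample module is constructed.

```python
import ast
from typing import List, Tuple

# Logging methods whose first argument is the format string.
LOG_METHODS = {"debug", "info", "warning", "warn", "error", "exception", "critical"}
# Translation markers used in the OpenStack log statements quoted above.
I18N_MARKERS = {"_", "_LI", "_LW", "_LE", "_LC"}


def _is_log_call(node: ast.Call) -> bool:
    """True for calls shaped like LOG.<level>(...)."""
    func = node.func
    return (isinstance(func, ast.Attribute)
            and func.attr in LOG_METHODS
            and isinstance(func.value, ast.Name)
            and func.value.id == "LOG")


def _is_eager_interpolation(arg: ast.expr) -> bool:
    """'fmt % args' or '_LI(fmt) % args' passed as the message (the H904 pattern)."""
    if not (isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod)):
        return False
    left = arg.left
    if isinstance(left, ast.Constant) and isinstance(left.value, str):
        return True
    return (isinstance(left, ast.Call)
            and isinstance(left.func, ast.Name)
            and left.func.id in I18N_MARKERS)


def _is_assert_equal_none(node: ast.Call) -> bool:
    """x.assertEqual(None, y) or x.assertEqual(y, None) (the H203 pattern)."""
    func = node.func
    if not (isinstance(func, ast.Attribute) and func.attr == "assertEqual"):
        return False
    return any(isinstance(a, ast.Constant) and a.value is None for a in node.args[:2])


def check_source(source: str) -> List[Tuple[str, int]]:
    """Return (rule, line) pairs for every violation found in a Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if _is_log_call(node) and node.args and _is_eager_interpolation(node.args[0]):
            findings.append(("H904", node.lineno))
        elif _is_assert_equal_none(node):
            findings.append(("H203", node.lineno))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample: the WRONG/RIGHT pairs from the commit message plus an H203 case.
SAMPLE = '''
LOG.info(_LI("some message: variable=%s") % variable)   # WRONG (H904)
LOG.info(_LI("some message: variable=%s"), variable)    # RIGHT
LOG.error("failed: %s" % err)                            # WRONG (H904)
LOG.debug("ok", extra={"x": 1})                          # RIGHT
self.assertEqual(None, result)                           # WRONG (H203)
self.assertIsNone(result)                                # RIGHT
'''

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for rule, line in check_source(SAMPLE):
        print(f"{rule} line {line}: {lines[line - 1].strip()}")
```

Because the code is only parsed, never imported, the checker runs over any file in the tree, which is what makes fixing all 751 occurrences in one pass practical.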

Well, that’s a lot of work! Sure, you really have to work for your Stackalytics credit, right? I’m sure the load on the CI system will show that this is worthwhile.

It is better to do things this way in the long run. With the hacking rule enabled, future commits will also comply with the rule (they will fail pep8 if they don’t). And that will put an end to the cottage industry that has sprung up around finding these kinds of errors and fixing them one at a time.

In conclusion I urge reviewers in all projects to summarily reject style changes that don’t also enable a hacking rule. Approving them is the wrong thing to do. Require the contributor to enable the hacking rule, and fix the problem the right way. That’s what a good code review is about.

Meter Maid Monitor: parking protection with Pi 

https://www.raspberrypi.org/blog/meter-maid-monitor-parking-protection-pi/

This is just brilliant. I think only good things can come from this.

The difference between __new__ and __init__

Lintel Technologies: Python: new magic method explained

See: http://howto.lintel.in/python-new-magic-method-explained/

How To Build Your Own NAS From Scratch (With Parts List!) 

http://www.diyphotography.net/build-nas-scratch-parts-list/

How to Prepare Your Images for Print and Display 

A very nicely written article with some clear advice.

http://digital-photography-school.com/preparing-images-print-display/

The saga of the mixed up email continues

In May 2015, I wrote about the risks of handing out your email address and making a mistake. (That post appeared on facebook at the time).

Well, it appears that the person handing out my gmail address isn’t just one person; we now have a second.

Someone handed out my email address and applied for life insurance. And the agent promptly emailed the entire application packet to me!

This time, it had a phone number so I called the guy. After explaining (what seemed like an eternity) that I had his application packet, I asked him what his email address was.

His answer “amrith something dot com”.

Oh boy!

Google-Funded Free Wi-Fi Kiosks Are Scrapping Web Browsing Because Too Many People Were Using it For Porn 

Really? They can’t put simple Web filtering in place? This is lame.

https://tech.slashdot.org/story/16/09/14/1945241/google-funded-free-wi-fi-kiosks-are-scrapping-web-browsing-because-too-many-people-were-using-it-for-porn

A Teenage Hacker Figured Out How To Get Free Data On His Phone 

A Teenage Hacker Figured Out How To Get Free Data On His Phone. Awesome!

https://tech.slashdot.org/story/16/09/14/2242216/a-teenage-hacker-figured-out-how-to-get-free-data-on-his-phone

Memory regained

When I resurrected this blog, I lamented the loss of history and old posts from the time when this blog was hypecycles.wordpress.com and pizzaandcode.com.

Well, thanks to the wonders of the internet (and help from my friend Daniel Senie) I was able to recover all of the old posts and add them back to this blog!

History going all the way back to sometime in 2009 is now back online.

My adventures with pylint

I have long believed that it is ok to make any given mistake once. But to make it again is, I believe, unforgivable.

This should, I believe, apply to all things that we do as software developers, and to that end, I feel that code changes to fix issues should be backed up in some way by testing that prevents recurrence of problems.

In my day job, I work on the OpenStack Trove project, and when I review changes proposed by others, I tend to apply this yardstick. When someone fixes a line of code to correct some issue, it is common to expect that there will be a test to verify this operation in the future.

Recently, I reviewed and approved a change that pretty immediately resulted in a regression. Here’s the diff of the code in question:

     if not manager:
-        msg = ("Manager class not registered for datastore manager %s" %
+        msg = (_LE("Manager class not registered for datastore manager %s") %
                CONF.datastore_manager)
         raise RuntimeError(msg)
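Review bot: the hunk introduces the new name `_LE` but shows no accompanying import, so unless `_LE` is already imported elsewhere in this module the `if not manager:` branch will raise NameError instead of the intended RuntimeError. Suggest adding the import alongside this change and a unit test that calls this code with `manager` set to None and asserts on the RuntimeError message; that branch is otherwise never executed, which is exactly why an undefined name there would go unnoticed.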

Python is not a compiled language, and since no tests exist for the case where manager is None, this code path was never exercised; _LE was not defined, and nothing caught it. Sure enough, a couple of days later the regression was reported.

This got me wondering how the problem could be avoided. Surely Python must have some tools to catch this kind of thing. How did this escape the development process (the obvious explanation of sloppy code review aside)?

It turns out that there is a mechanism to catch these kinds of things, pylint. And it turns out that we don’t use pylint very much in OpenStack.

Well, a short while later I was able to run my little pylint-based wrapper on Trove and fix some egregious bugs.

pylint doesn’t natively give you a way to provide a specific set of issues that must be ignored (something which bandit does). So I modeled this wrapper on the way bandit does things and allowed for a set of ignored exceptions.

I’ll make this a job in the Trove gate soon and that will help stamp out these kinds of issues more quickly.
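As an added example (not the author’s Trove wrapper and not pylint itself), here is a deliberately simplified, flow-insensitive approximation of pylint’s undefined-variable check, with an ignore set in the spirit of the wrapper described above. The sample module is constructed to mirror the diff, and the trove.common.i18n import path used in the fixed version is assumed.

```python
import ast
import builtins
from typing import FrozenSet, List, Set, Tuple

# Names every module gets for free: builtins plus the usual module globals.
BUILTIN_NAMES: Set[str] = set(dir(builtins)) | {"__name__", "__file__", "__doc__", "__spec__"}


def _defined_names(tree: ast.AST) -> Set[str]:
    """Every name bound anywhere in the module: imports, defs, params, assignment targets."""
    defined: Set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.alias):            # import a.b as c / from m import n
            defined.add(node.asname or node.name.split(".")[0])
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            defined.add(node.name)
        elif isinstance(node, ast.arg):            # function parameters of every kind
            defined.add(node.arg)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, (ast.Store, ast.Del)):
            defined.add(node.id)                   # assignment / for / with / comprehension targets
        elif isinstance(node, ast.ExceptHandler) and node.name:
            defined.add(node.name)
    return defined


def undefined_names(source: str, ignored: FrozenSet[str] = frozenset()) -> List[Tuple[str, int]]:
    """Return (name, line) for every name that is loaded but never bound in the module.

    Deliberately flow- and scope-insensitive: a name bound anywhere counts as
    defined everywhere, so this under-reports compared to pylint's E0602, but it
    still catches a name that is used and never imported, such as _LE below.
    'ignored' plays the role of the wrapper's list of known, accepted findings.
    """
    tree = ast.parse(source)
    defined = _defined_names(tree) | BUILTIN_NAMES
    findings = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load)
                and node.id not in defined and node.id not in ignored):
            findings.add((node.id, node.lineno))
    return sorted(findings, key=lambda f: (f[1], f[0]))


# Constructed module mirroring the diff above: _LE is used but never imported.
BROKEN = '''
from oslo_config import cfg

CONF = cfg.CONF


def load_manager(manager):
    if not manager:
        msg = (_LE("Manager class not registered for datastore manager %s") %
               CONF.datastore_manager)
        raise RuntimeError(msg)
    return manager
'''

# The same module with the missing import added (import path assumed for illustration).
FIXED = "from trove.common.i18n import _LE\n" + BROKEN

if __name__ == "__main__":
    print(undefined_names(BROKEN))   # [('_LE', 9)]
    print(undefined_names(FIXED))    # []
```

The point is that the check is static: the branch behind `if not manager:` never has to run for the missing name to be reported, which is exactly the gap the unit tests left open.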

VizEat, a startup that lets you dine in a local’s own home, gobbles up €3.8M 

Really? Uber for your kitchen? Will they be regulated like restaurants? 

VizEat, a startup that lets you dine in a local’s own home, gobbles up €3.8M funding https://techcrunch.com/2016/09/06/vizeat/amp/

SETI has observed a “strong” signal that may originate from a Sun-like star

http://bit.ly/2cBQRO1

VMware says, “We’re not dead,” updates Fusion and Workstation for free

http://bit.ly/2ci6KG3

Tips for Shooting the Milky Way

http://bit.ly/2cdTnZi

Seeing the Milky Way with your own eyes is what you may call a jaw dropping experience, but one that can be truly achieved only in complete darkness. While stars are visible even in light polluted areas, the Milky Way’s beauty, which is actually caused by concentrations of stars, gas and dust, fades away in the light polluted areas and cannot be seen.

Circular Polarizers Versus Graduated Neutral Density Filters for Landscape Photography

http://bit.ly/2bRHjf1

Whether you’re a professional or hobby photographer, odds are you’ve come across a beautiful, scenic landscape, that you absolutely had to photograph. Unless you’re an experienced landscape photographer, there’s a good chance the color in that photo wasn’t as saturated, or balanced as you were expecting. That’s because there’s generally a wide disparity in the dynamic range between the foreground and background of landscapes, as well as between the upper (sky) and lower (earth) halves of the frame. Thanks to a couple of lens filters, this hurdle can easily be overcome without having to spend hours of post-processing in Photoshop.

How and Why to Use Back Button Focus

http://bit.ly/2csPA7Y

Common Photography Mistakes Newbies Make and How to Avoid Them

http://bit.ly/2bSnVyJ

Every shooter will tell you that they all made the same photography mistakes when they were starting out. From horizon lines not being straight to poor focusing, here are some of the most common newbie mistakes and how to avoid them.

This is How Light Pollution Affects How We See the Night Sky

http://bit.ly/2c75qqO

Debugging Trove gate failures

Of late, I’ve spent a fair amount of time debugging Trove’s gate failures. And this isn’t the first time, it generally happens around release time. And each time, I relearn the same things. So this time, I’ll make a note of what I’ve done recently. Hopefully, it’ll ease the process next time.

6 tips for shooting fall colors

It is almost that time of the year again and that means it is time to start brushing up of the fall color tips and tricks.

https://www.dpreview.com/techniques/4329601714/6-tips-for-shooting-fall-color

Leading India e-commerce site launches OpenStack hybrid cloud

This is huge news!

Leading India e-commerce site launches OpenStack hybrid cloud

http://superuser.openstack.org/articles/leading-india-e-commerce-site-launches-openstack-hybrid-cloud

Just to give you a sense of the size of this company, consider this:

Snapdeal has already cornered about a quarter of the Indian e-commerce market, that’s twice as much as Amazon but about half of its largest local competitor Flipkart, in what some are calling the “great race” to rule what may become the world’s largest online marketplace. With the fastest growing e-commerce market, Snapdeal reaches people that brick-and-mortar businesses can’t, since half of its customers live outside India’s biggest cities.

Expanding DBaaS workloads with OpenStack Trove and Manila

In this interview, learn more about how OpenStack’s Trove and Manila projects are adapting to meet the varied database needs of cloud users.

Source: Expanding DBaaS workloads with OpenStack Trove and Manila

Capture Incredible Water Droplet Impacts with a High Speed Camera Rig

Some day, I want to do this! I’ll post some of my attempts at this in a later post.

High speed photography is great for capturing the moment when two water droplets collide and make incredibly beautiful fluid impacts. Read more on MAKE.

Source: Capture Incredible Water Droplet Impacts with a High Speed Camera Rig

Utilizing OpenStack Trove DBaaS for deployment management

Ron Bradford posted this interesting article on his blog after a recent trip I made to New York City.

Trove is used for self service provisioning and lifecycle management for relational and non-relational databases in an OpenStack cloud. Trove provides a RESTful API interface that is the same regardless of the type of database. CLI tools and a web UI via Horizon are also provided wrapping Trove API requests.

Source: Utilizing OpenStack Trove DBaaS for deployment management

Stanford Professor puts his entire digital photography course online for free

When it comes to the list of digital imaging pioneers, Marc Levoy is one of those names that belongs right near the top. His work has led to many of the technical advances that we see in use today with computer generated imagery.

Source: Stanford Professor puts his entire digital photography course online for free

Get Started with OpenStack – 5 Easy Steps

This post appeared first at the Tesora blog.

I was recently asked what resources I would recommend to someone looking to get started with OpenStack. I’d like to provide them here for those who may be beginning their OpenStack journey.

An old blog returns

See an update to the content of this post at https://hypecycles.com/2016/09/14/memory-regained/

This isn’t my ‘new’ blog.

This blog actually started in ~2009 (it was https://hypecycles.wordpress.com at that time). The page history on the “about” page indicates that it was about July 2009. For several years, it was quite active; through about 2012 when I moved it to a different hosting location and it was then called http://pizzaandcode.com.

Then, it went mostly dormant and about a year ago I shut it down. Unfortunately at that point, I didn’t bother to save the old posts and things so all of that is gone.

I use a service from statcounter.com and that has enabled me to go back and look at some of this history. I enabled statcounter in ~October 2009 on hypecycles.wordpress.com and the graph below shows daily traffic to the sites over time (through today).

So, in a sense this is the rebirth of an old blog. With a new URL (http://hypecycles.com).

Why you really should be careful when you hand out your email address

About three years ago I received an email from the large Indian Cell phone provider AIRTEL with the subject “Your airtel Bill for airtel number: 0444*******”. Now, I don’t have an AIRTEL phone number, and I figured this was odd but it looked like a real bill. I still have the email, billing period 11/4 to 10/5/2012. And that was the start of my saga.

It said my airtel ebill was protected with a unique password and all that so I couldn’t do much so I ignored it.

But I called the number and spoke with some dude. His name is also Amrith. And I told him that he must have accidentally given Airtel my email address so would he please fix it. He muttered something and hung up.

Shortly thereafter I received email from ICICI with a life insurance policy for “BEENA P”. There was some link which took me to their online site and I’d have to login and register and stuff which I didn’t have any way of doing.

Over the past three years I have received numerous emails from Airtel asking for payment on the landline which I replied to and said I wasn’t the person. Later I replied and said they should cancel the telephone line. They sent me email saying they were sorry to see me go. I called Airtel support and told them what was up and the dweeb I spoke with couldn’t figure out what to do with me so they said they’d email the customer. And yes, I got that email.

Over the years, I have canceled the phone service numerous times; it gets reactivated. I have received numerous statements for Beena’s insurance policy, but now they send encrypted PDFs with a password. The password is presumably the first four letters of Beena’s name (BEEN) and the date of birth as DDMM. OK, I’m bored but not that bored, and I didn’t have the patience to try the 366 possible combinations to figure out which one was right, so I ignored it.

And each time this dipshit gives ICICI and Airtel my email address.

Today I got an email from ICICI wishing Beena P a happy birthday!

Would someone who knows someone at ICICI who has a slightly non-trivial job title please put me in touch with that person?

Oh, the PDFs which are all sitting in my GMAIL (we all know google never deletes anything) contain a policy number and all you need to create an online profile with ICICI is a policy number and a date of birth.

Tech Blogger tries to cancel service … hilarity ensues

Tech Blogger Tries To Cancel Comcast Service, Hilarity Ensues http://feedproxy.google.com/~r/Techcrunch/~3/gesTdo0aLkY/

Wow.  I’m going to try this as well.

Waste water in your water bottle

Texas Town Turns To Treated Sewage For Drinking Water

http://rss.slashdot.org/~r/Slashdot/slashdot/~3/sfkixCAeC7c/story01.htm

Not a very high bar …

“He said there have been few complaints so far. A glass of the finished product, sampled at a downtown restaurant, tasted about average for West Texas.”

How to really wipe your android device!

Want To Ensure Your Personal Android Data Is Truly Wiped? Turn On Encryption http://rss.slashdot.org/~r/Slashdot/slashdot/~3/HzbWPjzSHKE/story01.htm

Surprisingly simple.

Web Browsing, Cookies and Privacy!

What with things like Heartbleed, keyloggers and other exploits that are possible on your machine, web browsing is inherently risk-prone. When you choose to do something like “Online Banking”, you have just brought these risks very close to your money. So you had things like passwords to keep you safe.

So here’s where I think Banks are going stupid, or they are being advised by imbeciles.

My bank:

  • requires me to login with my account number
  • and provide a password, which they never require me to change
  • and if they find a cookie on my machine, they log me right in!
  • and if they don’t find a cookie, I must answer three questions correctly before being allowed to login.

They are changing this as follows:

  • requires me to login with my account number
  • and provide a password, which they never require me to change
  • and if they find a cookie on my machine, they log me right in!
  • and if they don’t, they will send me an email, an SMS or a phone call and give me a one time use passcode.

In the old way of doing things, I effectively had four passwords and someone would have to compromise all four before he or she could log in. And my browser deleted all cookies on exit, and only retained cookies for the session. With the new mechanism, someone who wanted to hack my account only needs access to one password and either my telephone or the password to my email account.

How, pray, is this more secure?

Article: Holland says yes to the network-agnostic SIM card

Holland says yes to the network-agnostic SIM card

http://gigaom.com/2014/03/14/holland-says-yes-to-the-network-agnostic-sim-card/

This is really cool. But what of networks that have no SIM, you know who I mean. Can you hear me now?

Article: The 40 Must-Have Android Apps for the Power User – The Next Web

The 40 Must-Have Android Apps for the Power User – The Next Web

http://thenextweb.com/apps/2013/10/30/40-must-android-apps-power-user/

Say no to pay-to-pitch schemes!

The dust-up yesterday in the Lean-Startup-Circle-Boston mailing list about yet another pay-to-pitch scheme is pretty distressing to me personally. I think it is unfortunate that these schemes are actually allowed to continue because they prey on the entrepreneur. Kudos to all who voiced their objections to this spam, and thanks to Abby for putting a stop to it.

I believe that pay-to-pitch schemes are a shame, and I continue to be appalled by them.

Not long ago I was a rookie entrepreneur, all wet behind the ears and looking for my first investor to fund ParElastic. And one of these “pay-to-pitch” schemes found its way into my mailbox. Naive as I was, I asked for more details. Here’s part of an email I got in October 2011,

Wanted to confirm you received my previous email with the details you requested regarding the opportunity to have ParElastic recognized as one of the Top Innovators presenting to our leading group of investors at The New England Venture Summit, as well as make sure you’re aware that the first round deadline to apply is this Wednesday, October 26th. (Final deadline is November 9th).

Let me know if you’d like to submit ParElastic for a Top Innovator slot and I’ll send you the summary outline to fill out for our review.

I have also included below, an updated list of VCs confirmed to speak (more to be announced shortly).

So I sent off for the summary outline and here’s a part of the email that I got in response.

Fee to present: $1,485 (there is no fee to apply)

The deadline for company submissions is November 9th, 2011.

OK, I never pitched at NEVS 2011. I think it is a shame for people to actually attempt to gouge an entrepreneur almost $1,500 for the opportunity to pitch a bunch of potential investors. (The gall of it, to say it is $1,485, no fee to apply). I heard also of an angel group near Boston that charged entrepreneurs to have the opportunity to pitch. I swore not to pitch to such folks and I did not have to (luckily).

Many have written about the scourge of pay-to-pitch: from the Foundry Group blog, an article by Jason Mendelson, from Sajad Ghanizada’s blog, from the Driven Forward blog, and from Fred Wilson’s blog.

I know the feeling of desperation at wanting to get funded and I’m thankful that there are plenty of things that one should consider first.

  1. If you, as an entrepreneur, spend any money on a pay-to-pitch scheme, that is money that you don’t have available for what really matters: building a product, identifying customers, and building revenue. If you have a product, you have customers and some revenue, and you wish to treat this “fee” as a cost of doing business, that’s one thing. But if you are not yet at that point, don’t waste your money on pay-to-pitch schemes.
  2. The value of an introduction to a potential investor is only as good as the person from whom the introduction comes. Build your network and get introduced to potential investors through your own network.
  3. There are many organizations in the Boston area (and the same can be said in most tech communities) that can help you much more than a pay-to-pitch scheme can. A list of some that I know of are provided below. If you know of others, please post a comment.
  4. There are any number of entrepreneur focused events in the Boston area each week, find one in a topic area that is best suited for your own interests and attend a couple. You’ll find not only a lot of fellow entrepreneurs but also many opportunities to grow your own network and meet potential investors and customers. They are also a great place to hire people to join your new enterprise.

Organizations that may be able to help you!

I’m proud to be associated with organizations like TiE Boston and in particular the TiE Challenge initiative.

Local groups like MassTLC organize an unConference (the next one is November 1st) and there are tons of opportunities for mentoring and networking. Yes, I realize that the unConference is not free but if you are a 1-3 person start-up, a $180 entry fee that gives you a one year membership to MassTLC is a whole lot more reasonable than a $1,500 entry fee for a single chance to pitch.

I have not (personally) been part of the many incubators in the Boston area, but my company was for over a year a resident of Dogpatch Labs in Cambridge. Techstars used to be in the same location as well.

There are many business plan contests in the Boston area. They are a great opportunity to pitch and all of the ones that I know of have been free. If you went to one of the many fine educational institutions in the Boston area, check whether your school has one of these. Maybe there’s a “venture forum” that is part of your business school?

I was incredibly fortunate to have been introduced to Foley Hoag LLP and I know that they have helped me and many first-time entrepreneurs in the Boston area.

My experience

My own experience has been that in the Boston area there are many very successful entrepreneurs who are willing and able to help, and they do this in many ways. And most of them participate in mentoring and angel investing as a way to give back to the community.

There are many benefits to building your own network and connecting with people through that network. Yes, I agree that it is frustrating and hard for many of us introverted engineer types to actually go out there and hang out with other people and try and make connections. And the pay-to-pitch schemes prey on this frustration and desperation.

There are many things that should be much higher on your list of things to pursue before you fritter away good money on a pay-to-pitch scheme.

Say no to pay-to-pitch!

How to lose $172,222 a second for 45 minutes

A sad tale of pathetic devops process and the attendant consequences.

http://pythonsweetness.tumblr.com/post/64740079543/how-to-lose-172-222-a-second-for-45-minutes

Article: Microsoft Yanks Windows RT 8.1 Update

Microsoft Yanks Windows RT 8.1 Update

http://allthingsd.com/20131019/microsoft-yanks-windows-rt-8-1-update/

—–

That was quick 😉