Planet Bozo

February 24, 2021

Worse Than Failure: News Roundup: We're Going to Need a Bigger Boat

You’ll have to stay patient with me on this post, since the point I will eventually get to really is the confluence of a number of different threads that have been going through my head the past few weeks.

Let’s start with my time in business school from 2007 to 2009. Charles Dickens couldn’t have penned a better dichotomy between the beginning and end of my time in school. In short: 2007 = the economy couldn’t be better, 2009 = the economy couldn’t be worse.

As my dream of a career in finance seemed further and further from reality while my time in school was coming to a close, I took a chance on a product development class for my last semester. It was the first time that the concept of ‘user experience’ was introduced to me, and judging from Google Trends, interest in user experience was at a real low point.

graph of searches for the term 'user experience' over time

The class was really an exercise in patience by our professor; it involved us students continually frustrating the professor with our complete lack of creativity. For our final project, we were randomly assigned to teams to find a real user problem and an elegant solution. My team followed a pretty standard process:

  1. Brainstorm problems we observed
  2. Do user research to validate the problem and identify pain points
  3. Design solutions to the pain points
  4. Test out the solutions against potential customers
  5. Optimize the product based on feedback
  6. Repeat steps 4 and 5

Our team consisted of 5 of the most passive, easy-going individuals - which was not conducive to the sort of analytical and critical thinking necessary to build a great product. After waffling for weeks over an appropriate problem, one of the teammates revealed that his wife was about to give birth and that a recent concern had been finding a mobile baby unit that would hang over their crib that would be both fun and educational.

A little aside here: A point of emphasis from our professor was Henry Ford’s famous quote (which he may not have actually said), “If I had asked people what they wanted, they would have said faster horses”. People seem to take out of this quote what they want to hear, and it made little impression on me at the time, but I understand it to mean the following: “Linear solutions to complex problems don’t result in novel solutions for customer problems. They result in old solutions with more bells and whistles. What is oftentimes required is starting from scratch in building user-friendly solutions that solve for customer needs, even if they are unstated.”

Mobile baby units were already fun and engaging, so it was the educational part that hung us up. I’ll cut to the chase: our final deliverable was a monstrosity that combined every feature of every current mobile baby unit into one ugly mass. Think the chandelier from ‘The Phantom of the Opera’ with all of the theatrics of it swinging through the crowd (in fact our prototype fell from the ceiling into a crib we were using for testing). We fell into the trap of a linear solution to a complex problem, if it even was a problem to begin with! We took a solution already in place, added more functionality, and got a failing grade on our final project.

This whole experience helped me relate to a product that was recently brought to my attention. Even though user experience is at its apex in interest according to Google Trends, people continue to create linear solutions to complex problems. Case in point: The Expanscape, the all-in-one security operations workstation; a product that purports to solve every problem a security operations analyst may need.

a photo of a laptop with too many screens hanging off of it, like comically ridiculous ...

How about designed for no one?

The specs advertise 7 screens, but is only 60% of its 10 kg goal. What does getting a percentage of a weight goal even mean? Does it mean that it weighs 16.67 kgs, since 60% of that weight makes 10 kgs?

Honestly the weight itself isn’t even that egregious, since it’s in line with most gaming machines nowadays. The problem being solved for is quite straightforward: “Design and build a proper mobile Security Operations Center.” It is indeed mobile, with its ability to “fold down compactly to facilitate travel”. But is it proper? I think not.

This all-in-one, mobile bundle is trying to solve every problem linearly, by adding more features to an existing laptop. Judging by the sheer number of screens, I wonder if any real user testing was done. I can’t imagine any single human not feeling anxiety just looking at this machine. The problem being solved was not to increase efficiency and shrink a team to just one person, it was to design and build a proper security operations center! Who can focus on this many screens and information at once?

I don’t want to be harsh on the Expanscape; history is filled with examples of linear and poorly-executed tech solutions. Who can forget the Nokia N-Gage, which was a mash-up of every phone feature at the time? Or Google Glass, which was trying to allow users to engage with the world without even needing to look at a phone, trying to force the wrong solution to their stated problem? Or the Apple Newton, which while arguably was ahead of its time, focused too heavily on functionality over user experience?

I’m left thinking of the famous quote by Ian Malcolm. They are good words for us all to live by:

Ian Malcolm's quote: You were so preoccupied with whether or not you could you didn't stop to think if you should


February 23, 2021

Worse Than Failure: CodeSOD: A Lack of Progress

Progress bars and throbbers are, in theory, tools that let your user know that a process is working. It's important to provide feedback when your program needs to do some long-running task.

Hegel inherited a rather old application, written in early versions of VB.Net. When you kicked off a long running process, it would update the status bar with a little animation, cycling from ".", to "..", to "...".

Private Sub StatusRunningText(ByVal Str As String)
    If ServRun = True Then
        Select Case Me.Tim.Now.Second
            Case 0, 3, 6, 9, 12, 16, 19, 21, 24, 27, 30, 33, 36, 39, 42, 45, 48, 51, 54, 57, 59
                Me.StatusBarPanel1.Text = Str + "."
            Case 1, 4, 7, 10, 13, 17, 20, 22, 25, 28, 31, 34, 37, 40, 43, 46, 49, 52, 55, 58
                Me.StatusBarPanel1.Text = Str + ".."
            Case Else
                Me.StatusBarPanel1.Text = Str + "..."
        End Select
    End If
End Sub

Now, you or I might have been tempted to use modulus here. Second % 3 + 1 is the exact number of periods this outputs. But how cryptic is that? It involves math. This developer has lovingly handcrafted their animation, specifying what should be displayed on each and every frame.

Modular arithmetic is math, but this code, this is art.

Bad art, but still, art.


February 22, 2021

Worse Than Failure: CodeSOD: Self-Documented

Molly's company has a home-grown database framework. It's not just doing big piles of string concatenation, and has a bunch of internal checks to make sure things happen safely, but it still involves a lot of hardcoded SQL strings.

Recently, Molly was reviewing a pull request, and found a Java block which looked like this:

if (Strings.isNullOrEmpty(getFilter_status())) {
    sql.append(" and review in ('g','t','b','n','w','c','v','e','x','')");
} else if (!"a".equals(getFilter_status())) {
    sql.append(" and review = '"+getFilter_status()+"'");
} else {
    limit_results=true;
}

"Hey, I get that the database schema is a little rough, but that big block of options in that in clause is incomprehensible. Instead of magic characters, maybe an enum, or at the very least, could you give us a comment?"

So, the developer responsible went back and helpfully added a comment:

if (Strings.isNullOrEmpty(getFilter_status())) {
    sql.append(" and review in ('g','t','b','n','w','c','v','e','x','')"); // f="Resolved", s="Resolved - 1st Call"
} else if (!"a".equals(getFilter_status())) {
    sql.append(" and review = '"+getFilter_status()+"'");
} else {
    limit_results=true;
}

This, of course, helpfully clarifies the meaning of the f flag, and the s flag, two flags which don't appear in the in clause.

Before Molly could reply back, someone else on the team approved and merged the pull request.


XKCD: Mars Landing Video

Dave Hall: Parameter Store vs Secrets Manager

Which AWS managed service is best for storing and managing your secrets?

February 19, 2021

Worse Than Failure: Error'd: The Timing is Off

Drew W discovers that the Daytona 500 is a different kind of exciting than we ever thought.

XXX Wins the Daytona 500

It feels like the past year has been a long one, and based on this graph's dates, it's going to get a lot longer.

Integer Underflow by Quarters

But time really does fly. Look how much earlier Scott Lewis's package is arriving.

Even earlier than 2/15, 2/15

Which, with the way time flies, it's good that this limited time offer on a video game will stick around long enough that Denilson will get a chance to take advantage of it.

On sale for 1000 years


XKCD: Perseverance Microphones

February 17, 2021

XKCD: Animal Songs

February 15, 2021

XKCD: mRNA Vaccine

February 12, 2021

Dave Hall: A Lost Parcel Results in a New Website

When Australia Post lost a parcel, we found a lot of problems with one of their websites.

February 11, 2021

Dave Hall: We Have a New Website (Finally)

After 15 years we rebuilt our website. Learn more about the new site.

January 21, 2021

etbe: Links January 2021

Krebs on Security has an informative article about web notifications and how they are being used for spamming and promoting malware [1]. He also includes links for how to permanently disable them. If nothing else clicking “no” on each new site that wants to send notifications is annoying.

Michael Stapelberg wrote an insightful post about inefficiencies in the Debian development processes [2]. While I agree with most of his assessment of Debian issues I am not going to decrease my involvement in Debian. Of the issues he mentions the 2 that seem to have the best effort to reward ratio are improvements to mailing list archives (to ideally make it practical to post to lists without subscribing and read responses in the archives) and the issues of forgetting all the complexities of the development process which can be alleviated by better Wiki pages. In my Debian work I’ve contributed more to the Wiki in recent times but not nearly as much as I should.

Jacobin has an insightful article “Ending Poverty in the United States Would Actually Be Pretty Easy” [3].

Mark Brown wrote an interesting blog post about the Rust programming language [4]. He links to a couple of longer blog posts about it. Rust has some great features and I’ve been meaning to learn it.

Scientific American has an informative article about research on the spread of fake news and memes [5]. Something to consider when using social media.

Bruce Schneier wrote an insightful blog post on whether there should be limits on persuasive technology [6].

Jonathan Dowland wrote an interesting blog post about git rebasing and lab books [7]. I think it’s an interesting thought experiment to compare the process of developing code worthy of being committed to a master branch of a VCS to the process of developing a Ph.D thesis.

CBS has a disturbing article about the effect of Covid19 on people’s lungs [8]. Apparently it usually does more lung damage than long-term smoking and even 70%+ of people who don’t have symptoms of the disease get significant lung damage. People who live in heavily affected countries like the US now have to worry that they might have had the disease and got lung damage without knowing it.

Russ Allbery wrote an interesting review of the book “Because Internet” about modern linguistics [9]. The topic is interesting and I might read that book at some future time (I have many good books I want to read).

Jonathan Carter wrote an interesting blog post about CentOS Streams and why using a totally free OS like Debian is going to be a better option for most users [10].

Linus has slammed Intel for using ECC support as a way of segmenting the market between server and desktop to maximise profits [11]. It would be nice if a company made a line of Ryzen systems with ECC RAM support, but most manufacturers seem to be in on the market segmentation scam.

Russ Allbery wrote an interesting review of the book “Can’t Even” about millennials as the burnout generation and the blame that the corporate culture deserves for this [12].

January 15, 2021

Dave Hall: Privacy Policy

Skwashd Services Pty is committed to providing quality services to you and this policy outlines our ongoing obligations to you in respect of how we manage your Personal Information. We have adopted the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act). The NPPs govern the way in which we collect, use, disclose, store, secure and dispose of your Personal Information. A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Australian Information Commissioner at www.

January 12, 2021

etbe: PSI and Cgroup2

In the comments on my post about Load Average Monitoring [1] an anonymous person recommended that I investigate PSI. As an aside, why do I get so many great comments anonymously? Don’t people want to get credit for having good ideas and learning about new technology before others?

PSI is the Pressure Stall Information subsystem for Linux that is included in kernels 4.20 and above, if you want to use it in Debian then you need a kernel from Testing or Unstable (Bullseye has kernel 4.19). The place to start reading about PSI is the main Facebook page about it, it was originally developed at Facebook [2].

I am a little confused by the actual numbers I get out of PSI, while for the load average I can often see where they come from (EG have 2 processes each taking 100% of a core and the load average will be about 2) it’s difficult to work out where the PSI numbers come from. For my own use I decided to treat them as unscaled numbers that just indicate problems, higher number is worse and not worry too much about what the number really means.

With the cgroup2 interface which is supported by the version of systemd in Testing (and which has been included in Debian backports for Buster) you get PSI files for each cgroup. I’ve just uploaded version 1.3.5-2 of etbemon (package mon) to Debian/Unstable which displays the cgroups with PSI numbers greater than 0.5% when the load average test fails.

System CPU Pressure: avg10=0.87 avg60=0.99 avg300=1.00 total=20556310510
/system.slice avg10=0.86 avg60=0.92 avg300=0.97 total=18238772699
/system.slice/system-tor.slice avg10=0.85 avg60=0.69 avg300=0.60 total=11996599996
/system.slice/system-tor.slice/tor@default.service avg10=0.83 avg60=0.69 avg300=0.59 total=5358485146

System IO Pressure: avg10=18.30 avg60=35.85 avg300=42.85 total=310383148314
 full avg10=13.95 avg60=27.72 avg300=33.60 total=216001337513
/system.slice avg10=2.78 avg60=3.86 avg300=5.74 total=51574347007
/system.slice full avg10=1.87 avg60=2.87 avg300=4.36 total=35513103577
/system.slice/mariadb.service avg10=1.33 avg60=3.07 avg300=3.68 total=2559016514
/system.slice/mariadb.service full avg10=1.29 avg60=3.01 avg300=3.61 total=2508485595
/system.slice/matrix-synapse.service avg10=2.74 avg60=3.92 avg300=4.95 total=20466738903
/system.slice/matrix-synapse.service full avg10=2.74 avg60=3.92 avg300=4.95 total=20435187166

Above is an extract from the output of the loadaverage check. It shows that tor is a major user of CPU time (the VM runs a ToR relay node and has close to 100% of one core devoted to that task). It also shows that Mariadb and Matrix are the main users of disk IO. When I installed Matrix the Debian package told me that using SQLite would give lower performance than MySQL, but that didn’t seem like a big deal as the server only has a few users. Maybe I should move Matrix to the Mariadb instance to improve overall system performance.

So far I have not written any code to display the memory PSI files. I don’t have a lack of RAM on systems I run at the moment and don’t have a good test case for this. I welcome patches from people who have the ability to test this and get some benefit from it.

We are probably about 6 months away from a new release of Debian and this is probably the last thing I need to do to make etbemon ready for that.
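The per-cgroup check described in the PSI and Cgroup2 post above can be sketched as follows. This is an added example, not etbemon's code: the function names, the constructed sample tree and the rule of flagging a cgroup when any of its three averages exceeds 0.5 are assumptions, and it also accepts "memory" as the resource, which the post has not implemented.

```python
import os
import tempfile
from pathlib import Path

THRESHOLD = 0.5  # percent; the post lists cgroups with PSI numbers above 0.5%
AVERAGES = ("avg10", "avg60", "avg300")

# Constructed sample io.pressure contents, keyed by cgroup path. Some figures
# reuse the output quoted in the post; cron.service and user.slice are made up.
SAMPLE_IO = {
    "": "some avg10=18.30 avg60=35.85 avg300=42.85 total=310383148314\n"
        "full avg10=13.95 avg60=27.72 avg300=33.60 total=216001337513\n",
    "system.slice": "some avg10=2.78 avg60=3.86 avg300=5.74 total=51574347007\n"
                    "full avg10=1.87 avg60=2.87 avg300=4.36 total=35513103577\n",
    "system.slice/mariadb.service":
        "some avg10=1.33 avg60=3.07 avg300=3.68 total=2559016514\n"
        "full avg10=1.29 avg60=3.01 avg300=3.61 total=2508485595\n",
    "system.slice/cron.service":
        "some avg10=0.00 avg60=0.02 avg300=0.40 total=1200\n"
        "full avg10=0.00 avg60=0.00 avg300=0.00 total=900\n",
    "user.slice": "some avg10=0.00 avg60=0.00 avg300=0.00 total=0\n",
}


def parse_psi(text):
    """Parse PSI file contents into {"some": {...}, "full": {...}}."""
    parsed = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("some", "full"):
            continue
        try:
            values = {k: (int(v) if k == "total" else float(v))
                      for k, v in (f.split("=", 1) for f in fields[1:])}
        except ValueError:
            continue  # malformed line: skip it rather than abort the check
        parsed[fields[0]] = values
    return parsed


def busy_cgroups(root, resource, threshold=THRESHOLD):
    """Return [(cgroup, kind, values)] where any average exceeds threshold."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic, parent-before-child order
        if f"{resource}.pressure" not in filenames:
            continue
        try:
            text = Path(dirpath, f"{resource}.pressure").read_text()
        except OSError:
            continue  # cgroup removed mid-walk, or the file is unreadable
        rel = Path(dirpath).relative_to(root).as_posix()
        cgroup = "/" if rel == "." else "/" + rel
        for kind, values in parse_psi(text).items():
            if max(values.get(a, 0.0) for a in AVERAGES) > threshold:
                hits.append((cgroup, kind, values))
    return hits


def build_sample_tree(base):
    """Write SAMPLE_IO under base, mimicking a cgroup2 mount, and return base."""
    for cgroup, content in SAMPLE_IO.items():
        directory = Path(base, cgroup)
        directory.mkdir(parents=True, exist_ok=True)
        (directory / "io.pressure").write_text(content)
    return base


if __name__ == "__main__":
    # On a real cgroup2 system, pass "/sys/fs/cgroup" as the root instead.
    for cgroup, kind, v in busy_cgroups(build_sample_tree(tempfile.mkdtemp()), "io"):
        print(cgroup, "full" if kind == "full" else "", v)
```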

etbe: RISC-V and Qemu

RISC-V is the latest RISC architecture that’s become popular. It is the 5th RISC architecture from the University of California Berkeley. It seems to be a competitor to ARM due to not having license fees or restrictions on alterations to the architecture (something you have to pay extra for when using ARM). RISC-V seems the most popular architecture to implement in FPGA.

When I first tried to run RISC-V under QEMU it didn’t work, which was probably due to running Debian/Unstable on my QEMU/KVM system and there being QEMU bugs in Unstable at the time. I have just tried it again and got it working.

The Debian Wiki page about RISC-V is pretty good [1]. The instructions there got it going for me. One thing I wasted some time on before reading that page was trying to get a netinst CD image, which is what I usually do for setting up a VM. Apparently there isn’t RISC-V hardware that boots from a CD/DVD so there isn’t a Debian netinst CD image. But debootstrap can install directly from the Debian web server (something I’ve never wanted to do in the past) and that gave me a successful installation.

Here are the commands I used to set up the base image:

apt-get install debootstrap qemu-user-static binfmt-support debian-ports-archive-keyring

debootstrap --arch=riscv64 --keyring /usr/share/keyrings/debian-ports-archive-keyring.gpg --include=debian-ports-archive-keyring unstable /mnt/tmp

I first tried running RISC-V Qemu on Buster, but even ls didn’t work properly and the installation failed.

chroot /mnt/tmp bin/bash
# ls -ld .
/usr/bin/ls: cannot access '.': Function not implemented

When I ran it on Unstable ls works but strace doesn’t work in a chroot, this gave enough functionality to complete the installation.

chroot /mnt/tmp bin/bash
# strace ls -l
/usr/bin/strace: test_ptrace_get_syscall_info: PTRACE_TRACEME: Function not implemented
/usr/bin/strace: ptrace(PTRACE_TRACEME, ...): Function not implemented
/usr/bin/strace: PTRACE_SETOPTIONS: Function not implemented
/usr/bin/strace: detach: waitpid(1602629): No child processes
/usr/bin/strace: Process 1602629 detached

When running the VM the operation was noticeably slower than the emulation of PPC64 and S/390x which both ran at an apparently normal speed. When running on a server with equivalent speed CPU a ssh login was obviously slower due to the CPU time taken for encryption, a ssh connection from a system on the same LAN took 6 seconds to connect. I presume that because RISC-V is a newer architecture there hasn’t been as much effort made on optimising the Qemu emulation and that a future version of Qemu will be faster. But I don’t think that Debian/Bullseye will give good Qemu performance for RISC-V, probably more changes are needed than can happen before the freeze. Maybe a version of Qemu with better RISC-V performance can be uploaded to backports some time after Bullseye is released.

Here’s the Qemu command I use to run RISC-V emulation:

qemu-system-riscv64 -machine virt \
  -device virtio-blk-device,drive=hd0 -drive file=/vmstore/riscv,format=raw,id=hd0 \
  -device virtio-blk-device,drive=hd1 -drive file=/vmswap/riscv,format=raw,id=hd1 \
  -m 1024 -kernel /boot/riscv/vmlinux-5.10.0-1-riscv64 -initrd /boot/riscv/initrd.img-5.10.0-1-riscv64 \
  -nographic -append "net.ifnames=0 noresume security=selinux root=/dev/vda ro" \
  -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-device,rng=rng0 \
  -device virtio-net-device,netdev=net0,mac=02:02:00:00:01:03 \
  -netdev tap,id=net0,helper=/usr/lib/qemu/qemu-bridge-helper

Currently the program /usr/sbin/sefcontext_compile from the selinux-utils package needs execmem access on RISC-V while it doesn’t on any other architecture I have tested. I don’t know why and support for debugging such things seems to be in early stages of development, for example the execstack program doesn’t work on RISC-V now.

RISC-V emulation in Unstable seems adequate for people who are serious about RISC-V development. But if you want to just try a different architecture then PPC64 and S/390 will work better.

January 07, 2021

etbe: Monopoly the Game

The Smithsonian Mag has an informative article about the history of the game Monopoly [1]. The main point about Monopoly teaching about the problems of inequality is one I was already aware of, but there are some aspects of the history that I learned from the article.

Here’s an article about using a modified version of Monopoly to teach Sociology [2].

Maria Paino and Jeffrey Chin wrote an interesting paper about using Monopoly with revised rules to teach Sociology [3]. They publish the rules which are interesting and seem good for a class.

I think it would be good to have some new games which can teach about class differences. Maybe have an “Escape From Poverty” game where you have choices that include drug dealing to try and improve your situation or a cooperative game where people try to create a small business. While Monopoly can be instructive it’s based on the economic circumstances of the past. The vast majority of rich people aren’t rich from land ownership.