Los Últimos Días

In Los Últimos Días, English title The Last Days, an extreme agoraphobia pandemic has swept the planet. Nobody can go outside without experiencing a fatal seizure. The movie doesn’t spend any time trying to explain the cause (which is good; better than a terrible explanation), but the Panic, as it is known, starts with a few cases and then affects more people over time until eventually everybody is trapped in whatever building they were last in. This sets us up for a story in a post apocalyptic world that’s a little different than the typical zombie virus plague outbreak.

It’s not a great movie (relies too much on flashbacks for my taste), but the concept is intriguing. Different spaces (office building, subway station, apartment building, indoor mall) all follow their own Lord of the Flies trajectory based on their occupant mix.

Posted 2014-08-19 04:42:16 by tedu Updated: 2014-08-19 04:42:16
Tagged: moviereview

your data

A few thoughts reflecting on Sen. Wyden’s not quite proposal. As noted on HN there’s some question of exactly what your data is. Is it information you created (or otherwise control) or is it information about you? Is it an email you composed by typing on a keyboard or is it a log entry created by an autonomous system of whose existence you are unaware? The thornier issues of what the government can or cannot do are best deferred until this basic question is answered.

A complete your data test would likely involve several factors, much like the fair use test does, and be decided on a case by case basis. For starters, though, we can begin by asking one question. To what extent can you describe the data? The owner of some data is likely to be the party that can describe the data (and importantly, its format) most accurately and completely. This is the tried and true Lost and Found test. “Hey, I lost my iPod.” “Can you describe it?” If the hotel concierge has a green iPod, but I tell them I lost a black iPod, it’s probably not mine.

Continue reading your data...

Posted 2014-08-18 21:23:05 by tedu Updated: 2014-08-18 21:23:05
Tagged: politics software thoughts


On the wall at Sketch.

Posted 2014-08-17 21:19:55 by tedu Updated: 2014-08-17 21:19:55
Tagged: business philly quote

in defense of opportunistic encryption

I’ve always been a secret admirer (and occasional not so secret advocate) of opportunistic encryption. Sometimes less flatteringly called unauthenticated encryption. Or even less flatteringly “not encrypted”. I’ve slowly come around, on the uselessness of unauthenticated encryption, but with the caveat that many times it’s not that bad. Here are a few notes on how I made self signed certs work for me. One could always go with one of those free certs, but seriously, fuck the CAbal.


The key word here is opportunity. Basically, it’s entirely optional but we’ll take it if we can get it. This generally means a blind key exchange, where we don’t check the identity of the other end. Self signed or otherwise unverified certs. Hence, unauthenticated.

Continue reading in defense of opportunistic encryption...

Posted 2014-08-14 00:59:07 by tedu Updated: 2014-08-26 19:28:17
Tagged: rants security software thoughts

don't encrypt all the things

A while back, I observed that https is a sign of serious business. Google recently decided something similar. At the time, it was mostly a curiosity. “Hey, you got your not serious lolcats in my serious dogecoins!” After a few recent developments, I’ve been thinking about it a bit more.

Long ago, SMTP relay traffic was unencrypted. Then came the great NSA freak out. People in submarines were tapping undersea cables and reading my email. So I did what any sensible lemming would do. I created some certs and turned on TLS. Then came Heartbleed. Suddenly the set of people who could read my email went from “people in submarines” to “people who can access github”. Not strictly an improvement.

Continue reading don’t encrypt all the things...

Posted 2014-08-14 00:58:57 by tedu Updated: 2014-08-16 01:10:38
Tagged: security software thoughts


Time had an article I liked about Kentucky’s healthcare exchange, Kynect. A similar piece with some of the highlights is in LA Times.

Mostly, I’m fascinated by McConnell’s attempts at threading the political needle now that people seem to like the law that he promised them they’d hate. “Hey, this law made us do something we never would have done, but now that we have and we like the result, that still doesn’t change anything. I’m always right.” Of course, voters seem equally confused about the name and nature of the law that was passed, so he still has some wiggle room.

Nothing new, people have always filtered reality through ideology, but in this case some of the facts are going to be hard for voters to ignore. Wonder how this will play out. In five years, will people be celebrating the (actually unchanged) healthcare law that “we should have had all along” after a few more rebranding exercises?

Tangential post on Bounded Rationality.

Posted 2014-08-11 02:29:52 by tedu Updated: 2014-08-11 02:29:52
Tagged: magreview politics

the language of money

From the New Yorker, Money Talks - Learning the language of finance. For a little while I thought this article was going somewhere, but as I read more I decided I don’t like it much at all. It positions itself as piercing the veil of obscurity surrounding financial and economic jargon, but then ultimately contributes even more confusion to the field.

Yes, the field of finance and economics (let’s lump them together) have a lot of specialized jargon. If you don’t understand what a “bear market” is, you’ll be left out of the conversation, and since finance undoubtedly has an impact on your life, this is bad. But it’s no different than many other fields. Practically every day the local meteorologist mutters something about a “cold front” (except when they’re muttering about an “occluded front”, whatever the hell that is). A doctor once told me to avoid “excessive ambulation” (no joke). Jargon is jargon. It’s a part of every field of study.

Continue reading the language of money...

Posted 2014-08-01 19:15:51 by tedu Updated: 2014-08-01 19:15:51
Tagged: business language magreview

TLS decompression

As noted elsewhere, I removed the compression option from LibreSSL. The commit message of “decompress libssl” didn’t explain why. Here’s a longer rationale to expand upon “a simpler feature set overall”.

Let’s start with a classic application that wants to put some data into the cloud. It conceptually looks like this:

Continue reading TLS decompression...

Posted 2014-07-31 15:03:52 by tedu Updated: 2014-07-31 15:03:52
Tagged: security software thoughts

timing attacks vs interned strings

Some experiments with trying to extract strings from a Lua process via timing attacks.


For the first test, let’s just verify that simple == equality testing doesn’t produce measurable differences. Create a file with 2155582 lines of “aaaaaaaaaaaaaaaaaaaab” and then run this script.

Continue reading timing attacks vs interned strings...

Posted 2014-07-31 15:03:40 by tedu Updated: 2014-07-31 15:03:40
Tagged: lua programming security web

are you the one who's watching me?

Walked by an old man on the street who repeatedly asked me, “Are you the one who’s watching me?” I tried to deny it, but he didn’t believe my lies! Was briefly tempted to tell him, “We’re all watching you,” but he was clearly operating marble free and already seemed to have that impression. A strange encounter.

Posted 2014-07-30 01:02:56 by tedu Updated: 2014-07-30 01:02:56
Tagged: philly quote