a refreshingly frank article about cloud security...

...focusing on the audit aspect.


The basic thrust is that cloud computing security claims rely on SAS70 type audits, which have an inherent conflict of interest of the kind that was at the heart of the recent financial meltdown.  Jay Heiser, a Gartner analyst who specializes in security, [says] "I found more parallels between what happened in the financial services and cloud computing than I anticipated."

The second point, which is probably even more important in my personal opinion, is that SAS70 is an auditing standard for financial statements, and never had anything to do with IT in the first place.  And the people who conduct them are, more often than not, accountants.  The kind of questions I asked Raghavan when we were discussing the TQMS cloud setup are probably not even asked in a SAS 70 audit ;-)

We Have Met the Enemy and He Is PowerPoint

a GREAT article in the NY Times.  The best line goes to Gen. Stanley A. McChrystal.  Referring to this slide, he said: "When we understand that slide, we'll have won the war".

More quotes:

"PowerPoint makes us stupid," Gen. James N. Mattis of the Marine Corps, the Joint Forces commander, said this month at a military conference in North Carolina. (He spoke without PowerPoint.) Brig. Gen. H. R. McMaster, who banned PowerPoint presentations when he led the successful effort to secure the northern Iraqi city of Tal Afar in 2005, followed up at the same conference by likening PowerPoint to an internal threat.

"It's dangerous because it can create the illusion of understanding and the illusion of control," General McMaster said in a telephone interview afterward. "Some problems in the world are not bullet-izable."


Commanders say that behind all the PowerPoint jokes are serious concerns that the program stifles discussion, critical thinking and thoughtful decision-making. Not least, it ties up junior officers  -- referred to as PowerPoint Rangers -- in the daily preparation of slides, be it for a Joint Staff meeting in Washington or for a platoon leader's pre-mission combat briefing in a remote pocket of Afghanistan.


Senior officers say the program does come in handy when the goal is not imparting information, as in briefings for reporters.

The news media sessions often last 25 minutes, with 5 minutes left at the end for questions from anyone still awake. Those types of PowerPoint presentations, Dr. Hammes said, are known as "hypnotizing chickens."


I don't fit in this group anymore

...or what I see of it anyway.

They're so much more affluent and powerful and just plain money-smart,
politics-smart, and street-smart than I ever will be or want to be.
Are we really all products of the same college?

Someone said something praising Pratap Reddy for bringing Apollo to
its supposed greatness, professionalism, and whatnot from supposedly
corrupt beginnings. I had already had 2 drinks by then, but that
would not have mattered anyway:

"I wouldn't go to Apollo even if I were dying". Not my drink
speaking. Stone cold sober I'd just say it louder and include my
family and loved ones also in the statement. I've had personal
experience of Apollo's "professionalism".

"That's your problem, not theirs. They're making money" [or words to
that effect; can't quite recall now].

It's amazing how big a disconnect there is between me and the guy(s)
who said/endorsed this. None of these guys will ever be "middle
class" like I am. They'll never feel "the system" is getting them
down because they *are* part of the system, or help to sustain it.
One guy is an entrepreneur whose turnover has doubled in the last year
(we're talking more than a few millions of USD). One is a very senior
person in the state bureaucracy -- pretty close to the top. The other
are all construction and real-estate czars, or at least mini-czars, in
their own right. One is a CEO of a small part of one of India's
largest (and IMNSHO most corrupt) industrial houses. One of the
absentees is a guy who's already made so much money he's on a 1-year
sabbatical to play golf. What a life...

And what a contrast to a guy whose most expensive possession is a flat
that cost about 32 lakhs (about 70,000 USD) and still has 11 years of
the mortgage to go.

That doesn't mean all 160+ of the batch are like this -- not at all.
But the group that tends to meet often... They'll never be able to
explain to me how they can idolise someone who essentially made his
millions the way I firmly believe he did (and they aren't even
contesting it; they seem to agree it is true but it is just not

And I'll never be able to explain to them how much fun I'm having,
say, building and supporting gitolite, or any of the other things that
drive me (all, sadly, to do with computers... maybe it is true I don't
have a life!)

I definitely don't fit. Too bad... they're really nice guys inside,
every single one of them. But sometimes that's just not enough.


I'm so proud...


The Music And Film Industry Associations are trying to get India to toe the line.  India says "sure" but it's actually "nice try, buddy!".


  - I can still watch DVDs on my Linux box.  Since I refuse to install any proprietary software on any computer that I own, and don't have a TV or consumer DVD player, the only way I watch movies is either at the theater (often enough, actually) or by buying a DVD.  The Music And Film Industry Associations and their friends would try to ban DeCSS, which is of course critical to watch DVDs on Linux.

  - these b*st*rds [ you know when Sitaram brings out the swear words that someone is threatening open source or some other freedom dear to his heart ;-) ] apparently want to add India's borderline friendliness to open source as a matter of concern.

I couldn't care less if I never got to watch another movie for the rest of my life (and the music I like best is stuff like Tchaikovsky so that doesn't matter either).  If DeCSS was made illegal I would have been slightly inconvenienced, but may have considered buying a personal DVD player to use occasionally.

But this... this means war!

With that one sentence thrown into the end of their PDF, they've lost the moral high ground.  It's very clear that copyright infringement is NOT their main priority -- if it were, they should be applauding the move toward open source for its impact in reducing software piracy.

If you take this to its logical conclusion, is it really that different (in it's **attempted** scope, even if not achieved) from the salt issue?  I thought this "forcing people to buy imported stuff they can't afford even if they have local, cheaper, stuff" went out with the British Raj!


bureaucracy gone crazy


Google won't allow the co-inventor of Unix and the C language to check-in code, because he won't take the mandatory language test.

Obama outdoing Kalam? Nice...


it's a short article, so:

The White House - the seat of the US presidency - has announced that it is releasing some of its improvements to the Drupal content management system. "By releasing some of our code, we get the benefit of more people reviewing and improving it. In fact, the majority of the code for WhiteHouse.gov is already open source as part of the Drupal project. The code we're releasing today adds to Drupal's functionality in three key ways." It is nice to see that the president's office cares about such things.


facebook's privacy issues

Let me make this point clear with an example. I met a teen whose abusive father was recently released from jail. Recognizing that a restraining order would not be enough protection, the teen and her mother moved thousands of miles away. As the teen began making friends in her new school, she begged for a Facebook account. Her mother caved and both the daughter and mother worked to make the account as private as possible; neither of them wanted to face the consequences of being found. In December, when Facebook changed its privacy settings, this teen and her mother didn't realize what the change in privacy settings meant until someone else pointed them out after the fact. Is putting her at-risk an acceptable bi-product of Facebook's changes?

-- http://www.danah.org/papers/talks/2010/SXSW2010.html


Matt Blaze and the afterword

[...] but basically, not much has changed in 15 years. If I had it to do over again, I wouldn't really need to change a word. If I had to tweak it, I might add something about human factors in security, a poorly understood and hugely important subject if ever there was one.

-- http://www.crypto.com/blog/afterword

Since about 2005 or so, the "brief profile" I send out whenever I have a speaking engagement of any kind, has had this line in it: He also has a good breadth of knowledge on e-security and related issues, ranging from technology aspects to the human factor aspects that are so important in implementations.

Looks like I'm in good company!

Not that claiming it means I can do it, or do it well, but I just wanted to reinforce the importance of this -- it's not just the algorithms that are important, it's how the algorithms fit into your big picture that counts.

PS: Matt Blaze is a well known crypto and security guru; currently he's at UPenn.  He's not just an eSecurity guru -- he's also an expert safe-cracker and lock picker, as far as I can remember :)  He runs http://www.crypto.com/ and his blog and articles are always interesting...


Matt Blaze on SSL certificates

A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much.

-- http://www.crypto.com/blog/spycerts/


(git) first time Jon said something I didn't agree with :)

[background: I have a lot of admiration for Jon Corbet, kernel hacker and editor of LWN.  His writing skill, sense of humour, and clarity of thought are legendary in the Linux community]

But in http://lwn.net/Articles/382090 , Jon tried to draw a parallel between two recent heated discussions on LWN -- one in response to SVN's grandiose, disingenuous, borderline-FUDding (against DVCS), "vision" statement (hah!), and one about some UI change that Ubuntu had made.  Jon seemed to be trying to get people to calm down and be a little more mature in their reactions -- a sort of admonishment of their responses perhaps.  Considering that the last such debate I am aware of (Monty trying to steal MySQL back) did not get such a response from Jon, this was interesting.

I don't use or recommend Ubuntu anymore due to its installing Mono by default, so that discussion is out of my radar.  Reading the comments from the perspective of an all-out git fan, however, a few interesting comments stand out:

http://lwn.net/Articles/382459/ -- [...] another difference, is that the complaints about SVN are from people who want it to die and the complaints about Ubuntu are from people who want it be to be great.

http://lwn.net/Articles/382138/ -- Subversion, on the other hand, probably annoyed most people by a vision statement that implied it had a legitimate claim to be superior in those areas, which it doesn't - note that the latter found arguments (large binary blobs, among others) weren't in that statement, but that the claims it did make were at the expense of the "competition". It read like "DVCS: not simple to use, not controlled, don't support centralized work-flows". Of course that annoyed the hell out of DVCS users.  There's more good stuff in that comment, by the way.

http://lwn.net/Articles/382142/ -- The community has always responded rapidly to incorrect information. With the amount of FUD thrown our way from the outside, the responses have gotten faster and stronger. This is a good thing when the people making the false statements are companies like SCO, it's not as good when it's something like the Subversion vision statement. However I don't think that you can get one without the other.

The rest of the comments were details of how to do something or other in DVCSs and so on.  For the record, I have always suggested that folks whose main work product is binary formats like doc/xls/ppt should stick to a VCS that allows mandatory locking, such as VSS.  This holds true for OOo files also, even if they are XML underneath, so the key point is they are difficult to merge if parallel development happebs.

I also know that extremely large files do cause a problem for git, and checking out a partial tree is complicated by the SHA calculations being thrown out of gear (although in theory this *is* solvable).


...too late

OK, I'm ready.  Let's go.

No.  You forgot something.


Your smile :)


She was almost always in a temper at her brothers and parents.  I was 16 or 17, the same age as her younger brothers.  But I had two things going for me: I was sane enough to have a conversation with, and I was a cousin who just visited once in a while.

So I could risk her wrath, and say something cheeky or funny.  I could make her smile :)


I never did try and catch up with that smile in later years, even after I moved back to India and to the same city where she lived.  I just never bothered.  I can't explain why.

And now it's too late.


And I realised something today.  I tear up too easily.