Tag: Insist On The Highest Standards

Artifactory


The other day I scanned and posted a gift I’d gotten from some co-workers. When leafing through the folder it was in, I found a few other fun artifacts I thought I’d share:

First, a certificate I got from my fourth grade teacher. It’s an objective I still aim for:

And second, an invite I got for helping support the underlying voting platform:

I’ve tried to do a better job recently of documenting my career experiences, not just the work-related items, but the fun stuff too. This week wasn’t so bad, even if the town isn’t my favorite:

It Is And It Is


Last night ChatGPT had a bug. But not your run-of-the-mill problem like increased latency or complete unavailability. No, it went completely off-the-rails: spouting gibberish, repeating itself ad infinitum, and other nonsensical behavior.

Hilarious though some of the outputs were, it was a powerful reminder that AI technologies are still new and mysterious, and definitely require human oversight. While this incident ended up with random output, I can now imagine a whole class of bugs where language model outputs are wrong in all manner of specifically bad ways. Humorous now, but perhaps less so once we give them agency to act on our behalf.

I anticipate the day coming when I ask my personal Scarlett Johansson to book a family vacation to Fiji and it instead sends an email to my mom lambasting her for wearing white after Labor Day and then sells my living room furniture on eBay.

The future’s going to be something else, of that we can be sure.

Buckle Up


There’s nothing like an effort to make sure all my years of accumulated data is backed up to kick up some nostalgia (not to mention an impending birthday). I doubt anyone else much cares, but this is my website and I’ll fill it up with digital relics from my past if I want to. Consider this fair warning.

We’ll get things started with this beauty, which I wrote September 24, 1992, if the file’s timestamp can be believed. Over 31 years old, it’s the oldest digital document I can find that I wrote myself.

I do not like to go to school. All the teachers do is teach you things you already were taught in 5th grade. That is, except for math and computer class. In math, we learn all about neat things, like 3y2+4(2x3+4). Mr. Farley is a great teacher, and the other teachers should teach like he does.

In computer class we learn about computers, such as this one, and about different computer programs. That is really neat for me because I enjoy working with computers, although some kids are really dumb when it comes to computers. But it is not like English, which is the same every single year. BORING!!!!!

I suppose that Science is O.K. Mr. Freese is pretty cool, and we learn some new stuff, and some old stuff. Like the scientific method. We learned it in 7th grade, and we learn it again now. It doesn’t make any sense.

This is my story about school. I hope that someday teachers will be able to read this and learn from it. Although they won’t listen to the small ideas from a thirteen year old boy, maybe they might get ideas anyway.

For the tech nerds, the file was in WordPerfect format (which definitely squares with the technology I was using in 8th grade), and opened perfectly on my Mac using LibreOffice.

More to come!

Evolution


(Editor’s note: the past two posts, Mother Of Invention, Edge Case, and this one form a trilogy of sorts, all related to a particular project I’ve been digging into).

When I first needed a way to get access to AWS from a non-cloud-based computer, I implemented 3 options: hard-coded IAM user credentials (generally bad), user-based Cognito (okay but not super scalable), and X.509 via IoT (good technology, but cumbersome to set up).

This week I had a similar authentication need within an on-premises cluster, and was happy for the chance to learn the most up-to-date approach: IAM Roles Anywhere. I really appreciate the authors of these two blog posts who captured the step-by-step quite a bit better than the official documentation:

I used my own certificate authority because AWS Private CA is too dang expensive; $400 a month doesn’t grow on trees, ya know? Here’s the bash script to create the root CA:

#!/usr/bin/env bash
set -euo pipefail

mkdir -p root-ca/certs    # New Certificates issued are stored here
mkdir -p root-ca/db       # Openssl managed database
mkdir -p root-ca/private  # Private key dir for the CA

chmod 700 root-ca/private
touch root-ca/db/index

# Give our root-ca a unique identifier
openssl rand -hex 16 > root-ca/db/serial

# Create the certificate signing request (root-ca.conf supplies the DN and the CA's file paths)
openssl req -new -config root-ca.conf -out root-ca.csr -keyout root-ca/private/root-ca.key

# Sign our request
openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext

# Print out information about the created cert
openssl x509 -in root-ca.crt -text -noout

The output from the above is what’s used to create the Trust Anchor. Then here’s a script to create a certificate for the process that will be authenticating:

#!/usr/bin/env bash
set -euo pipefail

# Provide a name for the output files as a parameter
entity_name=${1:?usage: $0 <entity-name>}

# Make your private key specific to your end entity
openssl genpkey -out "$entity_name.key" -algorithm RSA -pkeyopt rsa_keygen_bits:2048

# Using your newly generated private key make a certificate signing request
openssl req -new -key "$entity_name.key" -out "$entity_name.csr"

# Print out information about the created request
openssl req -text -noout -verify -in "$entity_name.csr"

# Sign the above request with the root CA (same root-ca.conf as before)
openssl ca -config root-ca.conf -in "$entity_name.csr" -out "$entity_name.crt" -extensions client_ext

# Print out information about the created cert
openssl x509 -in "$entity_name.crt" -text -noout
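As an added example (not the post's own code or its linked repository), here is a self-contained version of the two scripts above, including the minimal root-ca.conf the post does not show, plus a check of the certificate constraints IAM Roles Anywhere enforces: the trust anchor certificate needs CA:TRUE and the keyCertSign key usage, the end-entity certificate needs CA:FALSE and digitalSignature, and both must be signed with SHA-256 or stronger and be unexpired. Everything runs in a temporary directory; the subject names, the workload-01 and workload-bad entity names and the config section names are constructed for this example. The bad_client_ext profile deliberately omits digitalSignature so the check's failure path is exercised.

```shell
#!/usr/bin/env bash
# Added example (not the post's code): throwaway root CA + end-entity cert via
# openssl, with the minimal root-ca.conf the post omits, and a check of the
# certificate constraints IAM Roles Anywhere enforces. All names are constructed.
set -eu

# Minimal CA config. ca_ext/client_ext match the -extensions arguments in the
# post's scripts; bad_client_ext is a deliberately wrong profile (no
# digitalSignature key usage) used below to exercise the failure path.
write_ca_config() {
  cat > "$1/root-ca.conf" <<'EOF'
dir = .
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
prompt = no
distinguished_name = ca_dn
[ ca_dn ]
commonName = Example Root CA
[ ca ]
default_ca = root_ca
[ root_ca ]
certificate = $dir/root-ca.crt
private_key = $dir/root-ca/private/root-ca.key
new_certs_dir = $dir/root-ca/certs
serial = $dir/root-ca/db/serial
database = $dir/root-ca/db/index
default_days = 365
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ bad_client_ext ]
basicConstraints = critical,CA:false
keyUsage = critical,keyEncipherment
EOF
}

# Same steps as the post's root CA script, run inside the work directory.
create_root_ca() (
  cd "$1"
  mkdir -p root-ca/certs root-ca/db root-ca/private
  chmod 700 root-ca/private
  touch root-ca/db/index
  openssl rand -hex 16 > root-ca/db/serial
  openssl req -new -config root-ca.conf -out root-ca.csr -keyout root-ca/private/root-ca.key
  openssl ca -batch -notext -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
)

# Same steps as the post's end-entity script; $3 selects the extension profile.
issue_client_cert() (
  cd "$1"
  openssl genpkey -out "$2.key" -algorithm RSA -pkeyopt rsa_keygen_bits:2048
  openssl req -new -config root-ca.conf -key "$2.key" -subj "/CN=$2" -out "$2.csr"
  openssl ca -batch -notext -config root-ca.conf -in "$2.csr" -out "$2.crt" -extensions "${3:-client_ext}"
)

# Chain check only: does the end-entity cert chain to the root?
verify_chain() { openssl verify -CAfile "$1/root-ca.crt" "$1/$2.crt" >/dev/null; }

# Substring test on the -text dump of a certificate.
has() { case "$1" in *"$2"*) return 0 ;; esac; return 1; }

# Constraints Roles Anywhere enforces on a trust anchor ("anchor") or on the
# certificate a workload authenticates with ("entity"). Returns 0 if all pass.
check_roles_anywhere_constraints() {
  text=$(openssl x509 -in "$1" -noout -text)
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null || return 1   # must not be expired
  if has "$text" "Signature Algorithm: sha1" || has "$text" "Signature Algorithm: md5"; then
    return 1                                                         # SHA-256 or stronger only
  fi
  case "$2" in
    anchor) has "$text" "CA:TRUE"  && has "$text" "Certificate Sign" ;;
    entity) has "$text" "CA:FALSE" && has "$text" "Digital Signature" ;;
    *) return 2 ;;
  esac
}

WORK=$(mktemp -d)
write_ca_config "$WORK"
create_root_ca "$WORK"
issue_client_cert "$WORK" workload-01
issue_client_cert "$WORK" workload-bad bad_client_ext

verify_chain "$WORK" workload-01 && echo "workload-01.crt chains to root-ca.crt"
check_roles_anywhere_constraints "$WORK/root-ca.crt" anchor && echo "root-ca.crt: usable as trust anchor"
check_roles_anywhere_constraints "$WORK/workload-01.crt" entity && echo "workload-01.crt: usable for Roles Anywhere"
if ! check_roles_anywhere_constraints "$WORK/workload-bad.crt" entity; then
  echo "workload-bad.crt: chains fine but would be rejected (no digitalSignature key usage)"
fi
```

Note that openssl verify only checks the signature chain, so the deliberately misissued workload-bad.crt still verifies against the root; it is the extension check that catches it. Running the same check on a trust anchor candidate before registering it saves a round trip through the console's error message.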

Special thanks also to the creator of iam-rolesanywhere-session, a Python package that makes it easy to create a refreshable boto3 Session with IAM Roles Anywhere. Seriously, could it be easier?

from iam_rolesanywhere_session import IAMRolesAnywhereSession

# The trust anchor, profile and role ARNs come from the IAM Roles Anywhere
# console; the certificate and key are the end-entity pair issued by the
# script above (the private key never leaves the host).
roles_anywhere_session = IAMRolesAnywhereSession(
    trust_anchor_arn=my_trust_anchor_arn,
    profile_arn=my_profile_arn,
    role_arn=my_role_arn,
    certificate='my_certificate.crt',
    private_key='my_certificate.key',
)

# get_session() returns a regular boto3 Session whose temporary credentials
# are refreshed for you, so it can be used like any other session.
boto3_session = roles_anywhere_session.get_session()
s3_client = boto3_session.client('s3')
print(s3_client.list_buckets())

This was a good reminder that technology marches ever onward, and what made sense yesterday might not be the best approach today. It was also a reminder that, like DNS, TLS and PKI are some of those things that every technologist ought to know (I’ve queued up this book in my Goodreads for a deeper dive). This isn’t the first time I’ve had to write code to create certificates, but it’s now the last, because I’ll have this reference post plus its associated code repository. And so will you.

Give And Ye Shall Receive


Open rebuke is better than secret love. Faithful are the wounds of a friend.

We’re in the midst of performance review season, a process I enjoy. Really! Of course performance conversations can happen throughout the year, but there’s something especially valuable about a concentrated time of reflection and intense discussion. Describing strengths, celebrating successes, identifying growth opportunities, rooting out behaviors that are holding someone back; these are all reasons I became a manager in the first place.

It isn’t just a manager’s job, though. It’s incumbent on us all to both be seeking feedback on ourselves (especially critical feedback), and to give feedback to others. The responsibility of Radical Candor applies to everyone.

This responsibility can feel like a chore, if not a terrible annoyance. Pointing out shortcomings or negative behaviors in colleagues is uncomfortable at best, and if not done with grace and from a foundation of trust, can be damaging and career limiting. But when the feedback is honest, timely, actionable, and includes both positives and critiques, it is a great gift to the receiver. An act of love, even. We don’t use that word often in the workplace, and that’s unfortunate. Genuine human connection is the foundation of anything worth doing. It’s good for you, it’s good for your colleagues, and it’s also good business.

If you don’t know where to begin giving feedback, I recommend the SBI framework for guidance. And no matter if you discuss in person or provide in writing, you should give your feedback some thought ahead of time (and maybe take a few notes). I promise that it gets easier the more experiences you have giving it, though it will always be an emotional process, and that’s a good thing.

Keep It Secret, Keep It Safe


AWS recently announced that blocking public access to published AMIs will be enabled by default. This is good news, as it’s an easy way to accidentally leak sensitive data. When I first started using GovCloud (2015 maybe?) I remember stumbling into a set of AMIs that, based on their names alone, clearly weren’t intended to be shared. Thankfully a quick note to AWS support and the offending party squared things away post haste, though I’ll never know if damage had already been done.

Horror stories are easily found online of the easiest way to make this mistake: turning on public access to an S3 bucket. Thankfully AWS has made taking this step difficult; in our internal accounts, in fact, without getting prior approval, creating a bucket with public access would get you a Sev-2 page in about 15 minutes. Unfun.

Which is why I found it so surprising to discover that in GCP, the only way I can tell to host a static website behind a CDN is to make the backing cloud storage bucket public. I mean, I recognize by definition it’s okay for the data to be Internet-accessible, but it meant turning off the “don’t allow public cloud storage” block project-wide, which seems a bad idea. Bad enough that the moment I hit that button I got a security warning via email. Am I missing something here? Would love to know if there’s a better way.

In any case, it’s going to be an adventure learning all these subtle differences as I broaden my cloud experience. Passing certifications is nice, but it’s no substitute for kicking the tires.

(Editor’s Note: I’m chuckling to myself as I add Amazon LP tags to a post that’s partly about GCP. Those things are burned into my brain forever).

Forth Eorlingas


I once had a customer call me an “idea hamster” because of how easily I went down rabbit trails of ideation when discussing the project we were working on. We had a good laugh about that turn of phrase, and I do see the value in idea generation to some degree, but ideas are easy. I’m not impressed by someone who can come up with many of them (least of all myself). What impresses me is people and organizations that can execute on their ideas.

There might be “second half of life” factors at play as well in my desire to get better at finishing. In the last week I’ve added 10 draft ideas to my blog backlog, and this will be only the first one I’ve published. At the rate I’m going I’ll never get done, which perhaps is a good thing, but still, I want to get a few of these ideas out in the wild, and that means I need to power through the writing part.

Just Do It


Don’t mean for this blog to turn into an endless stream of “gripe about all things AWS” posts, but once again today I ran into an issue that I feel the system ought to be able to figure out on my behalf.

I’m trying to deploy a CloudFormation template (which, not my favorite) in us-west-2. There’s a small bit of configuration (the WAF rules) that are globally applicable, and when not deployed in us-east-1, this causes the whole template deployment to fail (with an utter non-sequitur of an error message):

I mean, obviously that means I’m trying to deploy in an unsupported region, am I right? (eye roll)

Oh CloudFormation, why aren’t you smart enough to just apply the parts that must be global in any region? Right now you’re forcing me to either 1) deploy the whole thing in us-east-1, which I don’t want to do for locality reasons, or 2) split the template into two pieces, which adds complexity. Boo!

Next To Godliness


For the first five years of my career, I worked for a defense contractor located on-site at an Air Force research facility. My job was to write software, but the lab had quite a bit of hardware as well. Over time, things could get pretty messy as we were regularly reconfiguring the setup, leaving random cables and parts strewn all over the place.

We must not have been unique in this, because about half-way through my tenure there the powers-that-be started a “tidying up” initiative that everyone was required to participate in, up and down the ranks, including uniformed military, civilian, and contractors. Being already something of a neat freak, I bought some split loom tubing (from Parts Express, my absolute favorite source for A/V parts) and used it to bundle all the cords at my desk. Apparently I’d done such a good job that word got around about my setup, and one afternoon the person at the top who’d launched the cleanup initiative stopped by and thanked me for my efforts, and said my desk was the example that others in the building should emulate.

Ever since I learned proper cable coiling technique I’ve enjoyed keeping areas with many of them as neat as possible, ideally with none of them visible. Today I was happy to do so in my wife’s classroom, including installing a light strip since the cubby where her desk lives is in a poorly-lit corner.

I didn’t need much nudging to do this; now the drive to tidy cables is a bit of a compulsion. If I ever see random ones laying about (such as on a conference room table), I’ll coil them out of habit. And if I ever see someone doing it wrong you can be sure I’ll have something to say about it. Yes, there is a right way, and it’s easy to learn with a bit of practice, so no excuses.