Attention Lonely Men: The Reason Women Don’t Like You Is You

Along with all of the other nasty reasons for people killing each other, we now have the “Incels” or “Involuntary Celibates”. This is not really a new phenomenon; when I was young we had the “Son of Sam”, who made a habit of killing couples who were making out in cars.

There are many young men who gravitate to programming and gaming who have trouble relating to women. I’ve previously written about why this happens. You might see yourself in that essay, or not.

So, as a person of some stature in the computer nerd community, I am embarrassed that I need to explain this to our community, but I do. Here goes.

Companies Just Really Stink at Compliance – Training Is Usually The Problem

HIPAA is a law that is supposed to prevent medical professionals from inappropriately disclosing your medical information to anyone not involved with your treatment and insurance, so that your medical status can not be used against you – for example by an employer who wishes to discriminate against people who are HIV positive. HIPAA compliance is a big deal – it’s likely your personal doctor has given you disclosures related to it, and has had you sign releases regarding your medical data. Penalties for not complying with HIPAA have been as large as 75 Million dollars.

Not too long ago, a major medical manufacturer and their partner, a research hospital, ran a program in which they sent some crucial medical equipment to patients in a large soft rolling padded suitcase. At some point the suitcases became surplus to operations, and they sold them to an online store known for its military surplus. As it happens, I needed a soft padded suitcase to store a ham radio in my trailer, and thus found myself the new owner of one of these cases.

The case came with a patient identification card neatly mounted in an identification window. This gave the patient’s name, birth-date, gender, and the name of a medical device that they were using. A FedEx waybill attached to the case’s handle gave the patient’s home address. Obviously this was a HIPAA violation. I notified the manufacturer and destroyed the patient data.

I’m involved in a different form of corporate compliance: Open Source license compliance by technology companies. But the problems are the same: dumb mistakes like failing to remove patient data before selling suitcases happen because the “little people” in the company – employees who get the assignment of getting the suitcases into a freight container and shipping them out, haven’t been adequately trained to identify a HIPAA issue while it’s happening and protect their employer. Similarly, violation of Open Source licenses happens because engineers and their managers have never had their first class in copyright, licenses, and technology law – it isn’t required for an electrical engineering or computer science degree. When I train such people, I find that they identify problems and bring them to legal when the problems start, rather than letting them happen until there is a development investment and products released to customers, and the intellectual property issues get expensive. Staff who have been properly trained feel in control, and become the first line of defense rather than where the mistakes happen. This saves companies many Millions.

Unfortunately, training people meets strong resistance in every company where I propose it, because the course as it should be taught would take every member of the staff out of production for a whole day. So, I’m always under pressure to cut the entirety of a Compliance 101 class down to two hours.

Somewhere in a medical company, the little people weren’t taught enough about HIPAA to be able to identify an obvious problem, or maybe they were that day’s temps. Managers were tasked to keep this sort of problem from happening. But as always, the managers weren’t the people at the front lines, who really do have brains and can use them if they’re just given some awareness of what’s important.

Someone who isn’t as nice as me could use the information that I saw to bring a class-action suit on behalf of the patients whose information was disclosed, perhaps costing this company tens of Millions. It’s only when that happens that the companies understand the value of training all of their staff.

Learning the Crystal language and Lucky web framework

Crystal is a rising programming language with the slogan “Fast as C, Slick as Ruby”. It has some compelling features that make it more attractive than other modern language attempts like Go. You really can program in a Ruby-like language and achieve software that performs with the speed of a compiled language.

But the greatest advantage of Crystal, that I have experienced so far, is that it provides type-safety without excessive declarations as you would see in Java. It does this through program-wide type inference. So, if you write a function like this:

def add(a, b)
  a + b
end

add(1, 2) # => 3, and the returned type is Int32
add(1.0, 2) # => 3.0, and the returned type is Float64

You get type-safe duck-typing at compile-time. If a method isn’t available in a type, you’ll find out at compile-time. Similarly, the type of a variable can be inferred from what you assign to it, and does not have to be declared.

Now, let’s say you never want to see nil as a variable value. If you declare the type of a variable, the compiler will complain at compile-time if anything tries to assign another type to it. So, this catches all of those problems you might have in Ruby or Javascript with nil popping up unexpectedly as a value and your code breaking in production because nil doesn’t have the methods you expect.

There are union types. So, if you want to see nil, you can declare your variable this way:

a : String | Nil

a : String? # Shorthand for the above.

Crystal handles metaprogramming in several ways. Type inference and duck typing give functions and class methods parameterized types for free, without any declaration overhead. Then there are generics, which allow you to declare a class with parameterized types. And there is an extremely powerful macro system. The macro system gives access to AST nodes in the compiler, type inference, and a very rich set of operators. You can call shell commands at compile-time and incorporate their output into macros. Most of the methods of String are duplicated for macros, so you can do arbitrary textual transformations.
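As an added example (not code from the original post), here is a small macro of the kind described above: it uses the macro-level String methods (upcase, stringify) and iteration over the AST nodes it receives to generate constants, predicate methods and a name list at compile time. The module Audit and the level names are invented for this illustration.

```crystal
# Added example, not from the original post: a macro that generates code
# from its arguments using macro-level string methods. Names are invented here.
macro define_levels(*names)
  {% for name, index in names %}
    # Each name becomes an Int32 constant (upcased at compile time) ...
    {{ name.id.upcase }} = {{ index }}

    # ... and a predicate method that compares a level against that constant.
    def self.{{ name.id }}?(level : Int32) : Bool
      level >= {{ name.id.upcase }}
    end
  {% end %}

  # The names as string literals, also produced at compile time.
  NAMES = {{ names.map { |n| n.id.stringify } }}
end

module Audit
  define_levels info, warn, critical
end

# After expansion, Audit has INFO, WARN and CRITICAL constants,
# Audit.info?/warn?/critical? methods, and Audit::NAMES.
puts Audit::NAMES
puts Audit.critical?(Audit::WARN)
puts Audit.warn?(Audit::CRITICAL)
```

Everything the macro emits is ordinary Crystal that the compiler then type-checks, so a mistake in the generated code is still a compile-time error rather than something discovered in production.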

There is an excellent interface to cross-language calls, so you can incorporate C code, etc. There are pointers and structs, so systems programming (like device drivers) is possible. Pointers and cross-language calls are “unsafe” (can cause segmentation faults, buffer overflows, etc.) but most programmers would never go there.

What have I missed so far? Run-time debugging is at a very primitive state. The developers complain that LLVM and LLDB have changed their debugging data format several times recently. There’s no const and no frozen objects. The developers correctly point out that const is propagated through all of your code and doesn’t often result in code optimization. I actually like it from an error-catching perspective, and to store some constant data in a way that’s easily shareable across multiple threads. But Crystal already stores strings and some other data this way. And these are small issues compared to the benefits of the language.

Lucky

Paul Smith of Thoughtbot (a company well-known for their Ruby on Rails expertise) is creating the Lucky web framework, written in Crystal and inspired by Rails, which has pervasive type-safety – and without the declaration overhead as in Java.

The point of all of this is that you can create a web application as you might using Ruby on Rails, but you won’t have to spend as much time writing tests, because some of the most common problems of Ruby code are taken care of by the type system. And the combination of exceptions and type-safety does an excellent job of getting rid of most of the function return error checking I’d have to write in other languages. When you want to check for a nil rather than catch an exception, there are method versions suffixed with a ? which provide that.
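As an added example (not code from the original post), the following puts together the union-type and nil-safety points from the section above and the ?-suffixed methods just mentioned: a nilable value cannot be used as a String until the nil case is handled, and the ? variants return nil where the plain methods would raise. CONFIG, Session and the two helper methods are invented for this illustration.

```crystal
# Added example, not from the original post: compile-time nil handling.
# A constructed configuration: one key present, one absent.
CONFIG = {"db_host" => "localhost", "db_port" => "5432"}

# Hash#[] raises KeyError on a missing key; Hash#[]? returns String | Nil
# (written String?). The compiler refuses String methods on that value until
# the nil case has been handled.
def host_upcased : String
  host = CONFIG["db_host"]?     # type: String?
  # `host.upcase` here would fail to compile:
  #   undefined method 'upcase' for Nil (compile-time type is (String | Nil))
  if host
    host.upcase                 # inside the branch, host is narrowed to String
  else
    "UNKNOWN"
  end
end

# The same idea with the `||` idiom and a declared return type.
def port : Int32
  raw = CONFIG["db_port"]? || "0"   # String, never nil
  raw.to_i? || 0                    # String#to_i? returns Int32? instead of raising
end

# An explicitly nilable instance variable, as with the `a : String?` declaration above.
class Session
  @user : String?   # String | Nil; every use must handle nil

  def initialize(@user : String? = nil)
  end

  def greeting : String
    # Object#try runs the block only when the receiver is not nil.
    @user.try { |u| "hello, #{u}" } || "hello, anonymous"
  end
end

puts host_upcased
puts port
puts Session.new("alice").greeting
puts Session.new.greeting
```

The practical consequence is the one the post describes: the “nil has no method X” failure that would surface at run-time in Ruby or Javascript is rejected by the Crystal compiler, and the ? methods let you choose between a nil check and an exception at each call site.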

Learning Crystal and Lucky, since I’m already a Rubyist, wasn’t difficult, but I took about two days including finding some bugs in Lucky and learning some non-obvious things about the language. For instance, it’s often better not to declare the types of things. Rather than look up that the type of something was Lucky::AdmittedField, I could just declare the name of an argument that used it and go on with my life, and the compiler would take care of things.

The biggest problem with Lucky right now, in its pre-1.0 state, is that there is no API documentation. There are tutorial guides that tell you how to do most things, but I found myself exploring the Lucky code several times.

I am porting an application I’d written in Ruby for a new startup to Crystal and Lucky, to see if I can have more comfortable development with fewer run-time errors. If this works, I’ll have a large production application to better evaluate the language and framework.

Somewhere in the world there is someone in love with Node who is asking why I don’t use that. Javascript isn’t a particularly elegant language. Attempts to pretty it up like Coffeescript fall short of what you really should see in a modern language.

The advantage of Node is that the native IO framework is non-blocking. Some Node enthusiasts don’t realize that almost every other web framework and server does non-blocking IO to handle the web requests, and you don’t have to concern yourself with that. But you still have blocking by default for database queries, file I/O, and your calls to other services in the cloud. Crystal library authors could provide non-blocking I/O with promises for this, but the developers haven’t seen a good reason to do so. Crystal uses Fibers for concurrency (and will get multithreading). Fibers start with a 4K stack, and are so inexpensive that a 64-bit processor can realistically provide thousands of them per process. Having a straight-line logical flow through I/O rather than many event-handling blocks (probably nested) means more readable and maintainable code. The overhead of fibers seems a low cost for that.
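As an added example (not code from the original post), this shows the fiber model described above: several simulated I/O calls run concurrently in fibers while each one is written as straight-line code, and a Channel collects the results. The service names and the fetch/fetch_all methods are invented; sleep stands in for a network or database call.

```crystal
# Added example, not from the original post: concurrency with fibers and a Channel.
# Simulated I/O call. In a real program this would be an HTTP request or a
# database query; while it waits, the fiber yields to Crystal's scheduler
# instead of blocking the whole process.
def fetch(name : String, delay : Time::Span) : String
  sleep delay
  "#{name}: ok"
end

# Start one fiber per service and gather one result per fiber.
# Results arrive in completion order, not in the order the names were given.
def fetch_all(names : Array(String)) : Array(String)
  results = Channel(String).new
  names.each do |name|
    # spawn starts a fiber; the block is ordinary sequential code, no callbacks.
    spawn do
      results.send fetch(name, 0.1.seconds)
    end
  end
  # receive blocks only this fiber, letting the spawned fibers run.
  names.map { results.receive }
end

start = Time.monotonic
puts fetch_all(["auth", "billing", "inventory"])
elapsed = Time.monotonic - start
puts "elapsed: #{elapsed.total_milliseconds.round} ms"
```

Because the three simulated calls overlap, the elapsed time is close to a single call’s delay rather than the sum of all three, which is the non-blocking behaviour the post credits to fibers without any nested event handlers in the calling code.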

And finally, one thing I won’t ever miss is a JIT compiler as in Java and Javascript, and its complexity. The architecture portability reasons elucidated when Java was created were never nearly so big an issue as expected – even on Android phones. It works to have it in browsers, but even there the future focus is on WebAssembly, a bytecode that runs inside of the Javascript engine, which will be compiled from various other languages.

Open Source vs. Munitions Export Restrictions – Announcing Open Research Institute, Inc.

In the United States, some technologies are considered “munitions”. Space satellites, rocketry, digital voice encoding, and encryption are among them. Depending on the technology, they are regulated by the Department of State under ITAR, or the Department of Commerce under EAR.

The Open Source cryptography community worked out how to operate in compliance with ITAR and EAR a decade or more ago, filing several lawsuits against the U.S. Government on the way. Unfortunately, the Amateur Satellite and Space community hasn’t been as up-to-speed. It’s time for that to change.

In January, Michelle Thompson W5NYV and I decided to form a new non-profit corporation specifically structured for the purpose of operating international Open Source development of projects that might otherwise be considered to be munitions under ITAR and EAR. To do this, we make use of carve-outs in ITAR and EAR for published information.

Ben Hilburn (of GNU Radio fame) joined Michelle and me on the board of directors.

Michelle is leading the Phase 4 Ground Station project, an Open Source project to create a digital space communications system. Phase 4 Ground and my Open Cars research will be the first projects under our new organization, Open Research Institute, Inc.

We are now incorporated in California and are filing our registration with the State as a charitable organization today. We have contracted a firm to prepare our 501(c)3 tax-exempt non-profit application with the Internal Revenue Service.

Read about Open Research Institute.

Bruce Perens Seeks Mandatory Award of Legal Fees For His Defense in Open Source Security, Inc. and Bradley Spengler v. Bruce Perens

In August, Open Source Security, Inc. brought a lawsuit against me in federal court, seeking over $3 million, and later added Bradley Spengler as a plaintiff. Open Source Security and Mr. Spengler sued me because they disagreed with my blog posts and Slashdot comments which expressed my opinions that their policies regarding distribution of their Grsecurity product could violate the GPL and lead to liability for breach of contract and copyright infringement.

This lawsuit should never have been brought.  My blog post and Slashdot comments are first amendment speech protected by the California anti-SLAPP law.  While Open Source Security and Mr. Spengler were free to disagree with my opinions, they were not free to sue me to try to stop me from expressing them.  The anti-SLAPP law requires recovery of attorneys’ fees and costs–precisely to deter actions like this one that chill the exercise of first amendment rights.  Fee recovery also encourages private representation in anti-SLAPP cases so that defendants may obtain quality representation without being bankrupted.  Thus, the law provides for successful defendants to recover fees and costs from plaintiffs who bring meritless suits.

The court has now ruled in my favor that Open Source Security and Mr. Spengler’s claims are not meritorious.  Today, I am asking the court to award my legal fees and costs so far, which will go to O’Melveny, the law firm I retained.

The cost of my defense well exceeded half a Million dollars.

When I got sued, I called upon the best attorney I know in the Open Source world, Heather Meeker, who I have known for 20 years and worked with professionally. Heather is the author of Open (Source) for Business: A Practical Guide to Open Source Software Licensing — Second Edition and three other books. Heather formed a team including Melody Drummond Hansen, a Silicon Valley partner with experience in Open Source and defamation matters, Cara Gagliano, an associate focused on copyright and speech issues, and two bright first-year associates, Marissa Rhoades and Eric Ormsby.

I sought this high-quality team because the stakes were high. Open Source Security and Mr. Spengler sought at least $3 Million and also attacked my professional reputation and integrity. While the fees incurred in this case are significant, they are based on the standard rates charged for attorneys of similar experience and caliber. In my experience, this team is well worth it. Also, the amount of fees reflects Open Source Security’s and Mr. Spengler’s litigation tactics, which unnecessarily increased the time spent defending this case by forcing responses to the many filings and shifting theories they pursued.

Had Open Source Security and Mr. Spengler not filed their suit, they would not be facing this expense at all.  For example, had they engaged in the spirit of reasoned debate rather than filing a lawsuit, the fees could have been avoided entirely.  And had they not greatly complicated the suit, the fees would be much smaller.  Plaintiffs now also are appealing the case, which will further increase my legal costs.

Fee awards under anti-SLAPP are mandatory and they are meant to deter unnecessary suits like this one–to protect everyone’s freedoms to engage in public debate without fear of being sued.

Generally, I would prefer not to talk about a lawsuit in progress. My desire to keep the Open Source community informed is my reason for making this statement.  Unfortunately, I will not be able to make any further statements about the case for now.

ARRL Suspends Controversial Director Confidentiality Requirements

At its January 18 meeting, ARRL suspended some of the controversial director confidentiality requirements. These requirements first made news when ARRL publicly censured director Richard Norton N6AA, apparently for publicly discussing at an ARRL conference the requirements themselves and the board’s handling of the matter.

The board resolved that:
The entire Code of Conduct must be reviewed by the ARRL Officers, Directors and Vice Directors with a deadline for completion of a final draft version 60 days in advance of the July 2018 meeting of the ARRL Board of Directors and be reported at that meeting.

So, we will need to move in the upcoming month to inform ARRL directors of our sentiments regarding the code of conduct, while this draft is being created.

The board moved to delete one section of the existing code of conduct and suspend another:

1. Confidentiality 6. C. delete the following sentence: “A Board member may not, in disclosing anything about the Board’s deliberations, discuss or disclose the votes of the Board or of individual Board members (including his/her own) unless the Board has previously made the votes public”.
2. Suspend all of Section 8. “Support of Board Decisions.”

The action by the board was much better than the previous rather unresponsive A Note to Members from ARRL President Rick Roderick, K5UR. Roderick didn’t venture to apologize in any way for the new code of conduct and its application to Director Norton, which at least some of the members found disturbing. One would hope that Roderick, re-elected as president at the same meeting, could man up and say “I’m sorry”, since the board did indeed look into the issue and take action just days after his unresponsive editorial, and must have already had the item in its agenda as Roderick wrote his piece.

These are the sections that are deleted or suspended:
6(c)A Board member may not, in disclosing anything about the Board’s deliberations, discuss or disclose the votes of the Board or of individual Board members (including his/ her own) unless the Board has previously made the votes public. Nor shall any Board member falsely characterize the positions, policies or decisions of the Board or the points of view taken by any member of the Board with respect to them.
8. SUPPORT OF BOARD DECISIONS: A Board member must accept and publicly support Board decisions.
a. A Board member, as a leader in Amateur Radio, is encouraged to be an ambassador and an advocate for ARRL and, subject to the Confidentiality Standard of this Code of Conduct, to publicly promote the activities and actions of the organization with the ARRL membership. In doing so, a Board member must act at all times faithfully to the intent of the Board as expressed in its official statements, and should not reinterpret or re-characterize the Board’s actions to reflect his/her own view or the views of any other Board Member.
b. While having the right and responsibility to exercise independent judgment and to express dissenting opinions during Board deliberations, a Board member also has the obligation outside the Boardroom to respect and support final decisions of the Board, even when the Board member dissented from the majority view.
c. A Board member who does not support a Board decision may express his/her opposition within the Board in an appropriate manner.
d. A Board member must not take actions publicly or with respect to the ARRL membership that have the purpose or effect of undermining or discrediting the decisions or actions of the Board.
e. If a Board member is ultimately unable to accept a Board decision and is unable to influence a change, the Board member should consider voluntarily resigning his/her position on the Board.
f. A Board member may not publicly oppose a Board action prior to the effective date of his or her resignation from the Board.

SpaceX Expendable Rocket Fails

SpaceX expendable rocket fails to be expended

Today’s Sescom launch by SpaceX failed spectacularly when the expendable first stage failed to be expended, surviving after soft-landing in the ocean. An embarrassed SpaceX had no choice but to attempt to tow the rocket to shore, lest it reveal ITAR-restricted secrets and other proprietary information of SpaceX to anyone who cared to salvage it.

SpaceX Zuma Launch Might Not Have Been a Real Satellite

I wrote a while back that the Zuma satellite mission might not have been real. Well, SpaceX launched it yesterday, Sunday January 8, and there is still no indication that a real satellite was launched. While the Zuma mission is secret, rumors today are that the mission failed.  See 1 2 3 4 and the best article so far. SpaceX claims that nothing went wrong on their side. My surmise is that this mission was for the purpose of evaluating SpaceX readiness to perform launches for government intelligence, and like the Falcon Heavy demo (which is carrying Elon’s Tesla Roadster) might not have been carrying a functional payload.