[{"content":"Deets  Threat Modeling by Adam Shostack  ISBN-13: 978-1118809990   Threat Modeling by Izar Tarandach & Matthew J. Coles  ISBN-13: 978-1492056553   Adversary Emulation with MITRE ATT&CK by Drinor Selmanaj  ISBN-13: 978-1098143763    Review Threat modeling, as a discipline, feels lacking. It claims to be something that anyone can learn to do, but leans heavily on domain-specific knowledge that not everyone has. It claims to be open, but in practice requires a priestly caste of Security Professionals to analyze results. It relies heavily on hand-annotated diagrams that leave easy opportunities for loss. Most distressingly, it reinforces that security stands alone as a field rather than being integrated into software development.\nI don’t believe that this is the result of any conscious decisions on the part of creators and practitioners of Threat Modeling. But there is a great opportunity for things to be better. I believe that there is a great deal of promise in architecture diagrams that also show data flows. I believe that straightforward rules can allow for programmatically analyzing for issues. Composability would allow for scaling these up. How to realize that is something I need to examine more; I was unable to find anything that fully realized this. However, something like this would allow any engineer to diagram their work in ways useful beyond security, while also helping to ensure that the security properties threat modeling provides are upheld.\nI arrived at this conclusion after reading several books on Threat Modeling:\n Threat Modeling by Adam Shostack Threat Modeling by Izar Tarandach & Matthew J. Coles Adversary Emulation with MITRE ATT&CK by Drinor Selmanaj   I attempted to have Gemini arrange the books since I only have the e-books. Amusingly enough, it really struggled with this. 
If you compare the right two books and the actual covers you can spot some issues.\n Threat Modeling (Shostack) The “og” book on threat modeling. This book, to its credit, does a good job of describing the principles of Threat Modeling. My own research on blog posts and other free resources was not nearly as enlightening as reading this book.\nThat said, my biggest struggle with the book is the approach it takes to threat modeling. It’s ad hoc; it requires careful thought to look at everything and find issues. It focuses on hand-drawn charts and thinking through designs collaboratively, but these don’t make for repeatable or reliable work.\nAs a survey of threat modeling and how security orgs approach it, this book is a good introduction to understanding how a security org operates. You will know STRIDE by the end, and you’ll know a few other techniques. You’ll understand standard approaches to handling threats. To help get to a common baseline it is very helpful. The focus on hand-drawn charts and simple whiteboarding is good for an ideation stage, but it doesn’t set up practitioners for repeatability or detailed analysis.\nAdversary Emulation (Selmanaj) Adversary Emulation (AE) is very different from the other two books. While the prior two focus on how to model threats, Adversary Emulation focuses on trying to simulate what an attacker would actually do. Rather than review architecture for defensive purposes, this focuses on trying to act as an attacker, generally on actual systems. 
This lets one perform more sophisticated tests of theoretical architecture.\nThis sort of behavior is often called “Red Team’ing” and the book has a fun etymology aside on the history of the term:\n In everyday language, playing devil’s advocate describes a situation where someone, given a particular point of view, takes an alternative position from the accepted norm to explore the thought further using valid reasoning. Military and intelligence leaders started using a similar concept to appoint people to a group they called the red team, to realistically evaluate the strength and quality of various strategies.\n What I enjoyed the most about this book is that it acts as an introduction to the sort of terms and thinking a modern cybersec team might use. In addition to discussing how adversaries behave, there is a lot of terminology that is discussed in formal terms that I had not seen laid out so well before.\nSo many of the terms used are consciously chosen for their connection to military terms, including the phrase “Advanced Persistent Threat” to refer to adversaries and even the “Kill Chain” walk-through for modeling how an attacker behaves. At times it feels like a LARP, especially when one digs into the low-quality code adversaries may use or the amazing ability of base64 encodings to smuggle malicious programs by scanners. By the time I got to the author referring to hacks as attacks and “With Article 5 of the NATO treaty stating that an attack on one member is an attack on all, the potential consequences of such an attack cannot be overstated.” I giggled a bit. To be fair, recently I found myself putting together a “war room” for a discussion and sighed at myself before calling it a “discussion hall.”\nIn terms of discovering threats, AE is legitimately useful for helping to decide what is a threat. 
There are a lot of potential problems out there, with lots of levels of risk for each issue. As John Lambert once said, the “biggest problem with network defense is that defenders think in lists. Attackers think in graphs.” Even within the lists, sorting problems by what seems likely is not easy. AE lets you pick likely attackers and look at the graph like they would. From there, you can get a lot of hands-on data about where the weak points are. This is great for both simulating likely attacks as well as understanding how a single malicious path for an attacker can bring down an org. Because AE focuses so much on actually conducting the attacks, it is still very expensive to test.\nThreat Modeling (Tarandach & Coles) A more recent take on the art of Threat Modeling and a more practical one in my opinion. This book focuses on more data-driven and empirical approaches than Shostack’s, which I found made it a better read.\nThis book is intended to be a standalone book, so it does cover much of the same material as Shostack, but it has a more systematic approach. Concepts like Data Flow Diagrams take a firmer stance on the shapes to use and provide more useful details on how to analyze connections between components. This in turn allows for more rigor and repeatability across projects.\nThe more modern age of the book also allows for more modern threat modeling techniques, which are interesting to learn about. LINDDUN for privacy is covered in a way where it feels possible to apply. Risk analysis via FAIR and SPARTA is covered as well for more modern approaches.\nThe final part that is covered, which is one of my favorites, is how to automate threat modeling. Various tools for being able to display and analyze threats are covered, which I feel is really where this needs to go. Without a standardized language it’s hard to save and review work over time and across projects. 
With a standard way to interpret models, analysis can be automated for managing key storage, identifying gaps, and emulating attackers. The book has a bias towards their in-house tool “pytm”, but various others are discussed in detail as well. My personal take after reviewing it is that pytm doesn’t go far enough to simulate full architectures, but as far as tools go it is useful.\nWhere to go from here? I started by expressing my displeasure with the state of threat modeling, so how can I finish this with where I believe it should go? Threat modeling needs to be something verifiable, something savable and loadable over time. It needs to exist within the broader engineering effort, not parallel to it. It needs to be extensible so a component can be modeled, and then put inside a larger system to review. What I believe this comes back to is that threat modeling needs to be a part of architecture diagrams. Not simple whiteboard drawings either, but textual descriptions that get rendered and can be explored as graphs of key locations, data flows, health checks, and everything else possible. These are by necessity heavyweight items, annoying to fill out, but they front-load the necessary work to identify gaps and can both be fit into a larger system and have their validation logic extended as well. Pytm, from the final book, gets to the starting line but doesn’t attempt to be a full architecture diagram. Honestly I’m wary of the interpretable Python part as well, but that’s a whole other issue. Where something like this exists, I’m not sure.\n","permalink":"https://er4hn.info/blog/2026.04.05-threat-modeling-reviews/","summary":"Review and complaints about several Threat Modeling books","title":"(Suggested 📚) Threat Modeling Triple Book Review"},{"content":"Deets  How to Measure Anything, 3rd Edition by Douglas W. 
Hubbard ISBN: 978-1118539279  Review How to Measure Anything is a book on how to measure things that matter. Something matters if you either care about it or need to make a decision about it. How to improve “worker satisfaction”, how to choose between “clean water” or “clean air” improvements at a factory, how to know some current project is actually going to improve the cybersecurity posture of your product: these are all things that matter, and where choices need to be made, to know what choices to make at the start and whether those choices are successful.\n You can’t measure a cover, but you can look at it.\n The book opens with a solid piece of writing that resonated with me:\n I wrote this book to correct a costly myth that permeates many organizations today: that certain things can’t be measured. This widely held belief is a significant drain on the economy, public welfare, the environment, and even national security. “Intangibles” such as the value of quality, employee morale, or even the economic impact of cleaner water are frequently part of some critical business or government policy decision. Often an important decision requires better knowledge of the alleged intangible, but when an executive believes something to be immeasurable, attempts to measure it will not even be considered.\n Later on it had another great paragraph:\n It’s not as if the proposed initiative was being rejected simply because the person proposing it hadn’t measured the benefit (which would be a valid objection to a proposal); rather, it was believed that the benefit couldn’t possibly be measured. Consequently, some of the most important strategic proposals were being overlooked in favor of minor cost-saving ideas simply because everyone knew how to measure some things and didn’t know how to measure others. 
In addition, many major investments were approved with no plans for measuring their effectiveness after they were implemented. There would be no way to know whether they ever worked at all.\n Both of these resonate so strongly with me because they describe organizations that could be doing better. You can assume that everyone is acting in good faith, but people don’t always have a good way to reason through what matters, what does not, and how to make decisions about it. Oftentimes executives might impose personal opinions on top of development, which leads down strange paths. A case in point is Tesla and their refusal to add LIDAR into their cars; as of 2025 Waymo has functional driverless cars and Tesla does not, with Waymo stating that LIDAR makes a massive difference. Why did Tesla not add LIDAR? Because Tesla’s chief executive doesn’t believe it will work.\nTying this back to day-to-day SWE experiences, how does one measure the “value” a particular project has? In general you need to try and ask what the project is intended to accomplish and if it is meeting that goal. If the project is a tool people should be using, what are the MAUs and DAUs? How does that compare with incumbent or alternative tools? For something like product cybersec, did implementing this new project reduce the occurrence of issues in a measurable way? Did fewer issues happen after, perhaps issues that were caught and attributable to the project? For example, consider a CI test that catches an unsafe coding pattern. Is it possible to observe how often that test fails once introduced, and is then followed up by a change that causes the test to pass?\nThis philosophy of measurable improvements is illustrated by Hubbard’s comments on a MITRE program to establish a knowledge database called MII:\n If quality and innovation really did get better, shouldn’t someone at least be able to tell that there is any difference? 
If the relevant judges (i.e., the customers) can’t tell, in a blind test, that post-MII research is “higher quality” or “more innovative” than pre-MII research, then MII shouldn’t have any bearing on customer satisfaction or, for that matter, revenue. If, however, they can tell the difference, then you can worry about the next question: whether the revenue improved enough to be worth the investment of over $7 million by 2000.\n So now tying this to the prior points, MITRE wanted to make a new knowledge database that would be higher quality, better than existing alternatives, etc., etc. But there was a question that they had to answer about how to measure if that was really the case. The answer here wasn’t asking customers to fill out a survey on their opinion (subjective), nor looking at active user numbers (too easily gamed if this is mandated to be used), but asking downstream customers if they are getting better results from teams using the MII database vs. those not using it. Sadly this test was not actually run, likely because the CIO of MITRE had not yet read this book.\nThe final part of the quote, “whether the revenue improved enough to be worth the investment of over $7 million by 2000,” moves onto the next core part of the book: you often need to try and make decisions in advance of a project starting as well. Most choices are made between multiple options where one is pursued. To make breakfast you need to decide on toast, cereal, coffee, energy drinks, cow milk, soy milk, and plenty more decisions. Then you commit to pursue a few of those and you buy the items from the store. The same holds true in Corporate America: you need to be able to make decisions among multiple choices. Where this is trickier is that you need to try and figure out what is going to be the most impactful choice, and you must operate with the detailed information you may have about your own life. 
With breakfast you may have a strong sense that you prefer cereal over toast, but this is not as clear for corporate projects. Even breakfast lacks the benefit of perfect information: you may choose cereal, buy the cereal and milk, only to discover the milk spoils a couple of days after opening it and doesn’t get you through the week. With the spoiled milk, you made the best decision you could; there was a risk of the milk being bad, and you chose that over the alternative of toast. A core part of How to Measure Anything is how to reduce your uncertainty before choosing which project to pursue, and how to do so in a quantifiable manner.\nQuantification of how to measure is a key part as well. Hubbard talks several times about this, referring to a concept of a “calibrated expert” that can provide accurate estimates within a confidence interval, or range of possible values. Calibration is important for any sort of measurement, even things that appear completely measurable (i.e. even measuring how long a webpage takes to render on your computer would really involve several measurements to account for background noise), but for estimating the chances of a situation occurring, and the outcomes, this is especially important. I appreciated Hubbard’s calling out of the problems with subjective measurements, especially in cybersecurity. He had a particular example highlighting whether the risk of an investment failing is “low”, “medium”, or “high”, where what the terms meant was poorly defined. To quote from his passage on this:\n Is a 5% chance of losing more than $5 million a low, medium, or high risk? Nobody knows. Is a medium-risk investment with a 15% return on investment better or worse than a high-risk investment with a 50% return? 
Again, nobody knows because the statements themselves are ambiguous.\n This example resonates with me well because it comes up fairly often in cybersecurity. You need to manage risk, which means scoring and sorting risks to handle, but how to properly score risks often feels vibes-based. It is worth noting that Hubbard has a second book specifically focusing on cybersecurity risk that is on my reading list. It is also worth noting that becoming properly calibrated, as in being able to provide accurate measurements, is a hard process as well, one that the book goes into a great deal of detail on.\nI’ll close with yet another quote from the end of the book, summarizing the contents:\n  (1) It’s been measured before. (2) You have far more data than you think. (3) You need far less data than you think. (4) Useful, new observations are more accessible than you think.   (1) in particular is the strongest endorsement I can give for reading the book. What you need to know has likely been done before, studied to exhaustion, and you can probably find it in this book. Even if it is not perfect, detailed information, well, to add onto point (3), you don’t even need perfect data, you just need to reduce your uncertainty.\n","permalink":"https://er4hn.info/blog/2026.03.09-how_to_measure_anything/","summary":"Review of “How to Measure Anything” by Douglas W. Hubbard, 3rd Edition","title":"(Suggested 📚) How to Measure Anything"},{"content":"I made my first AI-created custom web app the other day. It’s an infinite runner game with a smirking cat that solves math puzzles. I’ve hosted it on my GitHub site for ease of access.\nThis game is not very well made: timing is kind of off, it’s not super aesthetic, sometimes there are minor bugs. What’s impressive is I built this from my phone, by talking to an AI, and then iterated on the work a few times. 
I didn’t bother reviewing any code, I just fiddled with it to see how, and if, it works.\nWas it a success? Absolutely, big hit at home. And that’s the interesting part. The art did not need to be on point, there is no carefully thought-out code, no clever tuning of feedback, just a quick concept and testing of whether it meets the minimum needs. It’s Slop, it’s AI Slop, and It Works.\nI’d wanted to make a game like this for a while to help teach math, but I couldn’t get the free time together. Even prior attempts with AI, not very serious ones, never got that far. When I tried it this time, the first attempt with Gemini Pro thinking came up with a great first draft. From there I was able to iterate on it and end up with something enjoyable after a few minor tweaks. The transcript of my conversation can be found here. Note that the model (“Fast”) described is not accurate. I started with “Pro” for the initial prompt, then used “Thinking” or “Fast” models based on how difficult I perceived the follow-on changes to be.\n Meme showing how screen sizes get smaller the higher up you are at a workplace.\n What I find the most interesting about this is how AI changes where one can live in the stack of creating things. In my day job I am a two-monitor person, reading across docs, video calls, and meeting notes. I like to have a web browser on one monitor and an SSH session in a terminal on the second when I code. When I made this game I sat down with my phone for a half hour thinking about what I wanted and writing it into a very informal functional spec. From there I would periodically check my phone as I went about my life, offering bits of feedback. I’d ascended the ladder from a “do’er of things that require precision” to a “yapper on high-level concepts”. 
But because AI has taken the place of precision, I am able to yap and have Someone Else do the careful labor. They don’t do the greatest job, but that is okay because it doesn’t matter.\nThe cost of creation is vastly driven down as well. Is it possible to re-create this experience without AI? Sure, I could spend a lot of my time on the two monitors, for however much I value my time. I could hire someone to make this and communicate with them over instant message. If I found someone overseas with competitive pricing I may be able to get this built for $100 or less, with the iterations being bound by when they are awake and our mutual ability to communicate. Using this AI, though, drove the cost of creation down to just the time it takes me to type out what’s on my mind, with immediate feedback loops, and no issues with language barriers or other communication issues. There is some incremental cost to running the AI, nor do I claim it always understands me, but those costs are very minimal and for me it is bundled into a Google One account I mainly use for storage space. This makes the idea of “single user” apps for niche cases way more practical.\nFirst drafts are valuable because they let you see if something is going to work out or not. The speed at which you can go from an idea to a first draft, and iterate on the bits from there, is a key factor in how startups and projects succeed. There was more value in the olden days for first drafts being clean, because someone would need to expand them, but it’s far more important to be able to quickly try things out. Is this code maintainable? Frankly it’s cleaner written than I would have thought, but who knows. Is it adjustable? Somewhat, lots of hard-coded numbers in the code, but you can just ask Someone Else to adjust it for you. But the key part: can I have an idea, try it out, and see if it works, is that possible? 
It’s never been easier.\nUpdate: A couple of hours after the first push I found that the bottom of the page is cut off in mobile apps and asked Someone Else to fix it. So it goes!\n","permalink":"https://er4hn.info/blog/2026.02.07-custom-slop-apps/","summary":"For better or worse, we are all programmers","title":"Single User Slop Apps"},{"content":"Deets  The Goal by Eliyahu M. Goldratt ISBN-13: 978-0884271956  Review What is The Goal? Better put: what is The Goal of a company? The question posed in the book is answered straightforwardly with “to make money”, but it takes the protagonist some time to get there.\nThe Goal is a book about Systems Thinking, approached via improving assembly line processes in manufacturing. Assembly line operations in turn are based around repeatable operations. A manufacturing company is able to make money when it sells manufactured goods. The role of the factory is to produce those goods as quickly as possible so that the company can hold low inventories and therefore respond to changing needs. The Goal is a study of how to improve the throughput of a factory.\nWhat value do assembly line operations have in a software engineering job? Software Engineering is based around projects, but many operations are themselves repeatable. Triaging issues, preparing for releases of new software, getting high-touch documents out for specific issues: these are all repeatable processes. Software Engineering emphasizes the unique, and the act of creating something that can be written once before being used in multiple places, but there are still many places where repeated operations arise. Being able to move from the open space of approaching each problem as new to having a playbook to follow each time is a normal process of maturation within an organization. The Goal focuses on how to optimize that process.\nThe book itself is very interesting. 
It’s written as a story where a supporting character, an enigmatic, brilliant professor, is an obvious stand-in for the author. The protagonist and supporting characters within the company are well meaning, but sometimes confused by basic items. Overall it’s a cute and easy-to-read structure. Sometimes, when insights are refined over the course of chapters, it becomes annoying, but the style is good for easy nighttime reading.\nOne thing I didn’t understand going in, and wish I had better, was that it doesn’t cover the unique, high-touch, low-repeatability projects that are much more common in software engineering. These are actually covered in a later book called “Critical Chain”, but it feels much more handwavy than this one. I’d say that this book is worth reading and a synopsis of Critical Chain is a reasonable follow-up.\nKey Takeaways The Goal focuses on gradually introducing the characters to the Theory Of Constraints (TOC), where the ability of a (manufacturing) company to make money is determined by the assembly line’s primary limiting factor, referred to as a constraint. TOC focuses on measurements that expose this, as well as how to improve on it.\nThe three measurements that matter for TOC are: Throughput, Inventory, and Operational Expense. Each has definitions which may not match conventional wisdom and are important to understand.\nThroughput is the rate at which a system generates money through sales, which ties the work the factory does to the larger picture. The “through sales” piece is important as well: production of goods does not count unless it fits into the larger picture, and excessive production of unsold goods actually has negative value due to costs of inventory.\nInventory is the amount of money invested in things it intends to sell. 
This includes raw materials, items in progress, and the final finished goods. If you view a factory process as adding value by transforming raw materials (inputs) into finished goods worth more (outputs), then it follows that inventory is the amount of money stuck in the system that is released by selling the final goods.\nOperational Expenses are the money required to turn inventory into throughput. This may be one-time expenses, such as the purchase of a new piece of manufacturing equipment. This may also be ongoing expenses such as salaries, utility bills, rental costs, etc.\nThe Theory of Constraints seeks improvement via increasing throughput while simultaneously reducing both inventory and operational expenses. This is a continuous process, which needs constant adjustment and attention, in order to achieve maximal efficiency. Measurements are necessary in order to accurately discover improvements, which also implies that an accurate assessment of the chain of dependencies needs to be available as well.\nDescribing the chain of dependencies involves being able to show all the stages involved in a process and which stages require prior stages to complete in advance. Once the stages and dependencies between them are clear, it is possible to measure how much time is spent in each stage, how work builds up before each stage, and identify bottlenecks.\nThe key takeaway of The Goal is the process for improving throughput. It starts with measurement, which makes sense because you cannot improve anything until you are able to accurately describe the chain of dependencies and measure steps.\nOnce all the data is available, The Goal offers a 5-step process to achieve its objective of increasing throughput while decreasing inventory and operational expenses:\n  (1) IDENTIFY the system’s constraint. (2) Decide how to EXPLOIT the system’s constraint. (3) SUBORDINATE everything else to the above decisions. (4) ELEVATE the system’s constraint. 
(5) If in the previous steps a constraint has been broken, go back to step 1, but do not allow inertia to cause a system constraint.   Identifying the constraint involves finding the worst chokepoint that limits the throughput. This typically involves looking for places with multiple inputs, or which take a long time to proceed through that stage. The stage that limits the rest of the system is the chokepoint.\nExploiting the system’s constraint means figuring out how to work around the limitation of that worst stage. This doesn’t involve optimizing the throughput of that stage, but that should always be considered first if it is possible. Exploiting means ensuring that the constraint’s time is never wasted. Solutions for this may involve doing quality checks on inputs before the stage rather than after, to reject already-bad parts in advance; this may involve running this stage continuously to ensure other downstream stages have access to outputs. Solutions here are going to depend on the nature of the stage, but in general ensuring that when this stage is used, the time used in it is not wasted, is of importance.\nSubordination means that all of the other stages need to make decisions to support maximizing the throughput of the constraint stage. The use of throughput is intentional here: having excess inventory build up before the bottleneck adds to storage costs and should be avoided when possible.\nElevation of the constraint is the next step. Once the adjustments have been made, if higher throughput is needed, additional capacity can be invested in. Capacity refers to horizontal scaling of the stage and may involve additional equipment or staff to do more of the stage at once; it may also involve finding outside help with the stage.\nThe final step is continuous improvement. The system must be monitored to see if another stage becomes the primary constraint. 
If so, the same process needs to be followed to resolve that step.\nDrum, Buffer, Rope One practical outcome of the TOC is a Drum, Buffer, Rope system. The purpose of Drum, Buffer, Rope is to establish a framework for how to implement the 5 optimization steps.\nIn a system like this the primary constraint becomes the Drum, which beats out the pace at which the rest of the system moves.\nBuffer is what you put in front of the primary constraint in order to ensure it always has work to do and is never idle. Buffer can take the form of inputs to the constraint stage, but it is often referred to as time: having time built in to ensure that upstream stages feeding into the constraint are able to produce enough outputs, even as the pace of output varies over time, should ensure that there will be enough material inputs in a successful system.\nRope is what lets the Drum set the pace and keep the inputs from the Buffer at a reasonable amount. Rope is the signal from the Drum to the first operation(s) in the assembly line that authorizes the release of new material into the first stages. By having the Drum signal via the Rope, it is possible to prevent a build-up of excess inventory.\nWhy Throughput? Throughput is the most important measurement that TOC focuses on because it is the one most important to the company’s goal of making money that an assembly line is able to influence. Traditional values like profit and return on investment don’t measure what it takes to keep things running, since you can have profit, and positive ROI, but still go bankrupt. Cash flow is the traditional measurement of what it takes to keep the lights on.\nThe Theory of Constraints posits that inventory and operating expenses are negatives, but necessary. Throughput is what contributes to ensuring there is steady cash flow, by starting with raw goods and ending with sales. 
Given enough cash flow, and the financial discipline to keep expenses below revenue, profits will result.\nStatistical Fluctuations are the enemy of consistent throughput. Any stage is going to have a range of time it takes to produce an output, i.e. a stage does not take \u0026ldquo;10 minutes\u0026rdquo;, it may take between \u0026ldquo;8 - 12 minutes\u0026rdquo;. Over a number of stages these fluctuations accumulate and cause buildups of excessive inventory, even without a complete stop in a single stage. By limiting the amount of inventory to be held before each stage, statistical fluctuations can be evened out and work can be kept at a consistent pace.\nKanban I\u0026rsquo;m admittedly not too familiar with the history of manufacturing. I\u0026rsquo;d heard of Toyota\u0026rsquo;s process of asking 5 why\u0026rsquo;s, and Henry Ford\u0026rsquo;s assembly line for the Model T. But until reading the end of the book the tie-in to Kanban boards had eluded me.\nEli Goldratt draws a clear line between TOC and both of the storied car companies. Henry Ford understood the basic principles of throughput and would limit the space provided for in-between items to accumulate. If workers at a particular stage didn\u0026rsquo;t have space to put their output product, they would have to stop working. If this happens for long enough, it becomes clear at a glance what the issue is. An elegant feedback loop mechanism, without a need for a computer at all!\nToyota would further refine that with the Kanban system. In the Kanban system each space in between stages has all the inputs defined, including all the subcomponents such as screws, bolts, etc. There is a maximum number of each item allowed in each space, and a physical card that specifies what the item is and the space it belongs to. When an item is taken off the shelf, say, a box containing 50 screws for front bumper assembly, the card for that is taken and sent to the start of the screw creation process. 
Receiving the card triggers the process to fill a new box with screws, and specifies where to send the final product to. This improves on the Ford process by being finer grained and better defined.\nBoth manufacturing processes focus on throughput. By ensuring that there is a consistent pace of progress, with feedback if issues occur, final products come out at a reliable pace. By achieving consistency in pace, it is also possible to better enforce quality standards, since the pace is set to allow for making a set number of products rather than suddenly needing to speed up and create more.\nThese same principles would later apply to Kanban Boards in software engineering. Under a Kanban system the work stages are much more limited, typically something like: Backlog, Next, In Progress, Under Review, and Complete. But the core Kanban principle, that there can only be so many cards in the core sections of Next, In Progress, and Under Review, is what contributes to the throughput. By preventing too many items from piling up, engineers are able to focus on what they have. If the backlog becomes too long and progress is stalled, say due to cards in \u0026ldquo;Under Review\u0026rdquo; not transitioning to \u0026ldquo;Complete\u0026rdquo;, it\u0026rsquo;s possible to investigate and intervene to keep the expected amount of work at the set pace. What\u0026rsquo;s interesting here is that manufacturing is typically broken down into low touch (low creative thought), repetitive stages. Software Engineering is typically high touch, with less repetition. 
However very similar principles apply to ensuring that there is enough throughput to create end products.\nCritical Chain Synopsis Critical Chain is the follow-on book to The Goal and is focused around projects like Software Engineering, which are more high touch.\nWhile I didn\u0026rsquo;t read Critical Chain I did read through some synopses which seemed to explain the key goals as follows:\nDefine the project with a detailed design and deliverables.\nSet timelines for deliverables, but do not add the traditional buffer to each deliverable.\nAdd an amount of buffer to the very end.\nI feel like the first point makes a lot of sense, since I agree that most software design is done up front. The other points don\u0026rsquo;t resonate as clearly to me. In my experience ensuring that deliverables are broken up enough to be quickly delivered (i.e. 2 weeks or less, ideally 1 week or less per deliverable), and have sufficient testing to be trustworthy, is reasonable enough to set a pace for a project.\nMaking This Concrete To tie this together, I\u0026rsquo;ll try to put together an example of how this can all work together. One repeatable process comes up in SaaS: the Post-Mortem after an availability incident with a service. A service has degraded availability or goes down entirely, and customers would like to know what happened.\nBefore getting to that process of course, the issue also needs to be fixed. 
Across a replicated service this may involve rolling out a fix to multiple places.\nflowchart TD\n  subgraph Fix\n    Understand[Understand the issue]\n    WriteFix[Write the fix]\n    TestFix[Test the fix]\n    Deploy[Begin Deploying the fix]\n    DeployAlpha[Node Alpha]\n    DeployBravo[Node Bravo]\n    DeployCharlie[Node Charlie]\n    ValidateFix[Validate Fix resolves issue in prod]\n    Understand --\u0026gt; WriteFix --\u0026gt; TestFix --\u0026gt; Deploy\n    Deploy --\u0026gt; DeployAlpha --\u0026gt; ValidateFix\n    Deploy --\u0026gt; DeployBravo --\u0026gt; ValidateFix\n    Deploy --\u0026gt; DeployCharlie --\u0026gt; ValidateFix\n  end\n  subgraph PostMortem\n    Notes[Begin gathering facts]\n    UnderstandCause[Understand the root cause]\n    DescribeFix[Describe the fix]\n    Analysis[Analyze what went right, wrong, where things could have been worse]\n    Polish[Polish final report]\n    Notes --\u0026gt; UnderstandCause --\u0026gt; DescribeFix --\u0026gt; Analysis --\u0026gt; Polish\n    Understand --\u0026gt; UnderstandCause\n    WriteFix --\u0026gt; DescribeFix\n  end\n  Publish[Publish Post Mortem]\n  Fix --\u0026gt; Publish\n  PostMortem --\u0026gt; Publish\nFlowchart showing the process of an issue going from happening to resolved with a published Post-Mortem.\nThis is a simplified example of how the process might look. In order to publish the Post-Mortem, the fix needs to be successfully rolled out. In order to do that the issue needs to be understood. But this layout also shows that there are two parallel tracks that can be worked on. While the fix is being tested or rolled out, the Post-Mortem document can be worked on. But even before then different parts of it can be worked on. If there are multiple people, or even one person switching between tasks, this can be done in a manner that is not a linear fix -\u0026gt; write the post mortem document.\nOver the course of a few availability incidents the process can be measured at each stage. 
Improvements can be looked at to speed up each stage as well as how to start working on a stage as soon as its inputs are available.\nPreventing a build up of inventory is in one sense done by not allowing a single input to a stage to linger for too long, i.e. start writing about the fix once the fix is done, measure how long it takes to understand an issue, create a fix, etc, and ask how to improve on those times. The connection to not allowing excessive inventory to build up is less clear. If there are multiple availability incidents (yikes!) then limiting how many issues can be worked on at a time, to ensure earlier ones complete, is a clear tie-in.\nThe end stage needs a tie-in as well. There are no sales associated with a post-mortem document, but these only have value if someone is consuming them. Other markers such as view count, or write-ins to ask questions, can be used to ensure that the document output is useful. If no-one is viewing or asking about the Post-Mortem document, that itself is a signal that it may not be needed. Likewise if the service\u0026rsquo;s outage doesn\u0026rsquo;t affect anyone, that is another signal about the value of the service itself. All of these can and should be measured in a process of constant feedback.\nClosing Thoughts Overall I\u0026rsquo;d recommend the book. It was an interesting read for understanding assembly line operations, which does apply to subsets of SWE like CI. Where it fell apart for me was: a) It doesn\u0026rsquo;t cover \u0026ldquo;project environments\u0026rdquo;, which is covered in Critical Chain. It\u0026rsquo;s true that it helps explain it, it\u0026rsquo;s true that I now understand where the Kanban board system came from, but it feels like it is still missing some crucial steps to apply this book there in a manner that is super useful. b) I feel like I didn\u0026rsquo;t understand how to better measure and weigh different projects. 
I hope that [[How to Measure Anything]] will help with that more, and it makes sense in retrospect that wasn\u0026rsquo;t a goal, but it still bums me out.\n","permalink":"https://er4hn.info/blog/2026.01.20-the_goal/","summary":"Review of \u0026ldquo;The Goal\u0026rdquo;, a book by Eliyahu M Goldratt","title":"(Suggested 📚) The Goal"},{"content":"Cyberwarfare is an overnight success, a new theater of operations in the history of warfare. Like many overnight successes, it has been decades in the making. Our world has become increasingly reliant on computers, and on networking them together. This has given us many great advances in our lives, but it has also created a new battleground, one which the United States is not prepared for.\nThe key differentiator, the \u0026ldquo;disruptive force\u0026rdquo; in startup terms, between cyber and other theaters is the relative cheapness of force projection. In military terms1 a \u0026ldquo;battlespace\u0026rdquo; represents the strategy that unites the armed forces across multiple theatres of operation, including land, air, sea, outer space, and cyber2. Within most of those theaters the cost to conduct operations is expensive. Troops must be trained, equipped, physically deployed, and often put themselves in danger to carry out their missions. Cyber, in contrast, removes several of those variables. Troops must still be trained and equipped, but equipment is far cheaper. There is no need for physical deployment, and there is little risk of danger when carrying out operations. This leads to the disruptive advantage: cyberwarfare is a cheap, fast, and safe way to project force compared to conventional warfare.\nCyber Vs Meatspace Cyber operations are very different from conventional ones, in ways that may not be completely obvious. 
For simplicity, conventional operations in the real world (\u0026ldquo;IRL\u0026rdquo; as my generation calls it\u0026hellip;) will be called \u0026ldquo;meatspace3\u0026rdquo; to contrast them with cyberspace.\nLogarithmic bar chart comparing the speed of various physical objects with a humble \u0026ldquo;ping\u0026rdquo;. The Globemaster, at 567 mph, doesn\u0026rsquo;t even rate a line on the chart.\nOperations conducted in meatspace require the transport of physical matter from one location to another. This can be fast: Trident 2 missiles can reach Mach 24, about 18.4k miles per hour. Moving people is much slower; a C-17 Globemaster III moves at about Mach 0.74, around 567 miles per hour. These are one way transits however, and not a fair comparison, since cyberspace typically requires a back and forth transport for communication. The B-52 is a long range bomber that has a maximum speed of around 600 miles per hour. It is about 6078 miles from Los Angeles to Moscow, which makes a round trip around 20 hours. I live in Los Angeles and I pinged https://kp.ru, a Russian news site. It takes 211 milliseconds for a roundtrip message to come back. This means the delivery of a packet of data in cyberspace is over three hundred thousand times faster! It is reasonable to note that a cyberattack is not normally launched by sending a single packet, and some attacks may take months of planning, but the speed of delivery is the key item I want to focus on here.\nPhysical danger is largely negated for cyberwarfare operations as well. Cyberpunk media of the 80\u0026rsquo;s, William Gibson\u0026rsquo;s Neuromancer, or Masamune Shirow\u0026rsquo;s Ghost in the Shell, brought tales of computer networks as dangerous as a real world fortification. Black ICE programs would be able to kill attackers over an internet connection. 
Cybernetic attachments to a brain would allow people\u0026rsquo;s bodies to be directly controlled, and fuses physically integrated into bodies[^gists-fuses] would offer protection against attempted electrical overloads of those brains. No such hazards exist in the real world today. Cyber operations can be carried out without any risk of physical danger to the attacker. Even the attackers\u0026rsquo; computers cannot be attacked back through any sort of conventional means.\nFigure showing how physical topology and domination of a particular space does not affect virtual connectivity around that space.\nThe only saving grace of cyberwarfare is the difficulty in being able to acquire targets, especially those of a military nature. The topology of digital communication and meatspace is very different. To be exposed to remote attack most devices, excluding supply chain attacks, have to be connected to the internet. Failing that they would need to be accessible via some other means, such as a wifi, radio, or bluetooth signal, to be attacked4. This is actually a boon for many military systems since they are not normally connected to the external world. Conversely, many civilian devices are. This leads to an unfortunate setup where it is easier, and often more desirable, to launch cyberattacks against civilian infrastructure than military.\nImpacts of Cyberwarfare When attacking infrastructure via cyberwarfare there are a few common techniques that have been observed to date: informational, loss of availability, and economic. These can be co-mingled or treated as separate tactics by an attacker.\nVenn diagram showing the attack types and how they can each overlap.\nInformational attacks are a tactic to gather information. Espionage, in other words. This is one of the oldest types of cyber attack, dating back to the 80\u0026rsquo;s when Markus Hess5 broke into various networks, including LBL, to steal national secrets. 
More recently the 2015 hack of the OPM resulted in the loss of millions of records, including those of numerous people with security clearances.\nSabotage, characterized by a loss of availability of a resource, is the cyber attack most likely to cause immediate, visible damage. Critical infrastructure such as power plants, water treatment facilities, and hospitals all rely on computers functioning correctly in order to carry out their operations. The fact that the safety critical mechanisms should not be connected to the network has not stopped this from occurring. Kyiv, the capital of Ukraine, suffered a cyberattack against its power supply in 2016. A San Francisco Bay Area water treatment plant had an attacker break in and delete programs used to run the plant in 2021. Hospitals are attacked so frequently that examples of a hospital needing to shut down due to a cyberattack are easy to find. The 2021 Colonial Pipeline attack was intended as an extortion attempt but effectively resulted in sabotaging the delivery of oil within the US.\nEconomic attacks extort money from organizations in order to funnel money back to the attackers. The 2024 Change Healthcare attack was a prominent example where a criminal group removed access to healthcare records and demanded a ransom to restore access. Attackers are not just limited to organized crime. North Korea has carried out attacks against ATMs, stolen cryptocurrency, and held healthcare systems hostage, all to send money back to their government.\nSomething that has been consistent in all of this is that the victims have been civilians and non-military infrastructure. It is tragic that these are the targets, but important to note they are targets of opportunity. In recent years military assets have begun to be targeted as well. 
Russian spyware known as \u0026ldquo;X-Agent\u0026rdquo; was believed to have been installed on the phones of Ukrainian soldiers to broadcast the location of artillery units in 2016. In 2018, Russia successfully jammed GPS signals during a NATO exercise, showing that they could remove the ability of units to finely map their position. Russia has also displayed the ability to infiltrate encrypted chat groups via malicious QR codes and has previously sent SMS text messages urging troops to surrender. With the rise of AI and ever more sophisticated simulations of voices, it is only a matter of time until attempts are made to send fake orders.\nForce Projection in Cyberwarfare The primary disruptive elements of cyberwarfare are: speed, safety, and cost. Speed and safety have already been covered in \u0026ldquo;[[Cyberwarfare#Cyber Vs Meatspace]]\u0026rdquo;.\nCosts for R\u0026amp;D vs Manufacturing of different weapons. Drones R\u0026amp;D is left blank as it is unknown. Drone manufacturing is so cheap (at least for Ukrainian conflict drones) that it does not show up on the chart. Cyberweapons have zero cost to manufacture, since they are replicated data.\nCost is the final disruptive factor in cyberwarfare. A cyberweapon, a weaponized CVE such as a computer virus or new hacking technique, has zero marginal cost to replicate once created. To create a cyberweapon researchers must work on discovering them, at whatever salaries they are paid. For this discussion we can assume $500k / person for top quality researchers in places like the United States6. Tooling, such as replicating the target network or acquiring copies of the software being run, is of fairly marginal cost. Compare this to conventional weapons. A BGM-109 Tomahawk missile costs around $2M to purchase a single one7. The cost to develop the \u0026ldquo;Block V\u0026rdquo; (most modern version) of the missiles appears to be around $100M8. Drones, a new disruptor in physical warfare, are fairly cheap. 
A drone will cost somewhere between $300 - $25,000 to buy in the ongoing Russian invasion of Ukraine9, with development costs being fairly unknown. Drones, it is also useful to point out, may be used multiple times if they are not \u0026ldquo;kamikaze\u0026rdquo; drones strapped with explosives.\nAn alternative to in-house creation is to buy an existing CVE. The cost to purchase existing, but not widely known, CVEs, often known as \u0026ldquo;zero days\u0026rdquo;, is increasing, but still relatively cheap. Zero days in 2014 would max out around $300k for high quality ones. At least one company in 2024 was offering to purchase vulnerabilities for up to $9M on mobile devices, $2M on desktops, and decreasing amounts for various other tools one would expect to find in personal and enterprise networks^[zero-day-cost]. Purchasing an already researched exploit does have a higher up front cost than an R\u0026amp;D team, but due to the zero marginal cost in replication they are still lower cost than other weapons.\nMaking it easier to project force without fear of reprisal is the issue of attribution for attacks. Many of the prior attacks described cannot be traced back to known assailants10. This is due, in part, to the ease of having a connection appear to come from another source. A connection that originates in, say, Russia may be the result of a Russian attacker, or it may be the result of the connection being routed through Russia to hide the attacker\u0026rsquo;s identity. In many cases attempts to attribute attacks to nation sponsored attackers, such as Russia or China, are based on best guesses from reviewing code, prior attack patterns, etc. It would not be hard for a determined attacker to create a false flag event or otherwise attempt to imitate someone else. 
The difficulties around attribution in turn lead to further issues with being able to determine who and where to retaliate against in the event of an attack.\nTopology picture from before, but now with many of the paths severed. There is still a remaining path for the majority of the nodes, so they can still be used to send traffic or be reached by an attacker.\nThe differences in topologies are a further mixed blessing for force projection. In conventional warfare, control of one space, such as air or land, allows for control of another space. Bombers can attack ground units; ground units with AA batteries can shoot down planes. Cyberwarfare operates on an entirely different topology where the front line of the battlespace no longer has meaning. Every reachable computer is a front line in the cyber battlespace. Control of the physical world only allows for coarse grained control over cyber connectivity. A connection can be severed by destroying physical infra, but new paths will be discovered if they exist. Large scale solutions like country wide firewalls are known not to work; one of the things the Great Firewall of China is famous for is its porous nature11. Tying back to dangers being focused primarily on civilian infrastructure, most military units should not be connected to the wider internet, but on isolated networks if they are connected at all. This reduces the ability of an attacker to gain access to deployed military units and attempt to sabotage them.\nSupply chain attacks pose a further risk. Sabotage of factories is not a new concept. Oskar Schindler in World War 2 ensured that his munitions factory produced dud shells. Numerous other acts of sabotage can be found elsewhere. Cyber supply chain attacks are different though, in that they allow for covert operations. Solarwinds is the modern day poster child for backdoors that allow attackers access. 
Prior to that Juniper Networks had a 2015 attack where their VPN software, used to secure communications across the internet, had a backdoor that would let attackers decrypt the traffic. Attacks like this are subtle, and may linger for years before being discovered.\nPerhaps the only saving grace of all of this is the ease of patching vulnerabilities and reducing the attack surface. Missiles and guns tend to inflict approximately the same amount of damage, barring improvements in armor, to their targets over time. Vulnerabilities, once known, can be patched and are no longer effective. Going back to espionage analogies, using a zero-day is equivalent to potentially burning a source. If the attack is noted in detail it can be fixed, and the patches rolled out at the same zero marginal cost it took to replicate the attack. This gives defenders a powerful countermeasure - just keep your systems up to date.\nIn conclusion, force projection in cyberwarfare is much cheaper, much faster, and much easier to deploy (especially against civilian targets) than traditional military assets. This is what makes cyberwarfare disruptively cheap.\nWhere do we go From Here? Every tactic has a counter. Cyberwarfare is no exception, and the final topic is: What are the counters to cyberwarfare? To properly counter cyber attacks one must prepare for every component to be a front line. Resiliency must be built into every possible item. Finally this closes out with some thoughts about the current state of US Federal Certifications for cybersecurity and how to improve them.\n Figure showing a target under attack from the internet. An electrical generation system is expanded into a computer, and from there expanded into subcomponents and a Software Bill of Materials (SBOM).\n In the cyber domain, every computing device becomes a front line that can be attacked by an enemy. 
Internet connected devices are the most obvious, but anything that communicates remotely, over wifi, over bluetooth, over radio, over ethernet, is a potential target for attack. The first step to overcome this is to embrace a zero trust architecture.\nZero Trust is a concept that has evolved over the years. It has a debatable history, but these days it means that one should assume the network they are on, and anyone being interacted with, may be compromised12. To handle this, zero trust starts by assuming that attackers may be listening in on, or actively manipulating, communications. This is countered by encrypting all traffic sent across the network. Next, anyone talking to a device is suspect. By requiring authentication whenever another device talks to you, identities can be established and interlopers will be unable to impersonate devices13. Next, one can assume the communicating device may be compromised and may make dangerous requests. By limiting the authorizations, the ability to carry out actions, to the minimum required, the risks there are mitigated. This can go much further: resiliency against deliberately malformed inputs can be tested for, properties of how a device booted up can be queried via TPM PCRs, and so forth. Every action taken here increases the difficulty of carrying out an attack, since even a compromised device will have limited ability to affect other devices on the network.\nTo prevent the code the devices themselves run from being a target of attack, the supply chains for the code must themselves be hardened. Weaknesses here are what led to successful attacks at SolarWinds and Juniper. Hardened supply chains have to cover every aspect of the software creation process. Inputs must come from trusted sources. Every bit of work done on code must be traceable to the developer that created it, and it must not be possible for them to impersonate others. The build environment must be completely isolated from possible tampering. 
The outputs of a build must themselves be cryptographically signed to ensure they are not changed. It\u0026rsquo;s worth noting that there is no Federal certification for secure supply chains, though there is an industry equivalent known as Supply-chain Levels for Software Artifacts (SLSA) that is being actively improved over time.\nOnce the image for a device has been delivered, work is not yet done. Every component is a source of possible compromise and must be inventoried and cross referenced with known CVEs (security vulnerabilities) in order to find issues. SBOMs14, or Software Bills of Materials, provide details on every component in a given piece of software. By cross referencing components with known CVEs, every organization is able to monitor the potential risk of the assets they control. SBOMs are still not widely adopted, but are an important part of understanding when there are issues and when one needs to update.\nUpdates must themselves become more frequent. Out of date software is very common, owing to issues with quality regressions, interoperability, outages caused by upgrades, and numerous other issues. These cannot be excuses though. Updates must become an ordinary part of device maintenance, and issues around disruption and other excuses must be taken seriously and minimized as much as possible.\nHand in hand with updates are backups and rapid restorations from backups. Data, and the transformations of data, are a key part of many cyber systems. Loss of access to data is how attacks such as ransomware and other forms of sabotage are able to get a foothold. By ensuring that backups are frequent, kept safe from danger, and possible to quickly restore onto a clean system, the dangers of ransomware and other attacks are minimized.\nThe final tactic to close with is to prepare for a disconnected future. The world of today is very online, and there is a heavy reliance on internet communications via satellite, via wifi, via radio. 
Many US homes these days have several devices that will not function without an active internet connection, even if that connection adds little to no value. This reliance on connectivity is susceptible to sabotage. A 2022 attack by Ukraine against Russia failed because satellite internet was not provided[^ukraine-done]. Signals also leak locations, allowing attackers to discover, and target, the sources of transmissions. Finally, signals are possible to jam. Both Russia and Ukraine have jammed each other\u0026rsquo;s signals throughout the war, preventing the use of drones. Russia has, in 2025, come up with an innovative solution: rather than rely on remote signals to control their drones, use a fiber optic cable to control them15. Cables do not leak signals, and cannot be jammed. There is still however a reliance on connectivity. Autonomous weapons, powered by AI[^slaugherbots], may represent a new means of carrying out attacks without reliance on connectivity.\nCertifications Certifications are the means for the government to decide if a product meets their requirements. While there are individual testing programs, certifications by and large drive all of this. The current certification process is slow, expensive, and prevents the government from being able to use the latest, and best, products in a timely manner. This process is in dire need of reform in favor of standards that are free to access, and fast to certify. For this last part I will focus on the FIPS 140 and NDcPP certifications, since those are the two I am most familiar with.\nReform is the important part here. I am by no means advocating for an end to certifications. Bad actors16 have made it clear that they will sell faulty equipment if they see a chance. I once saw, but can no longer find, an apocryphal story concerning why the nuts in cookies sold to the military must be within a minimum and maximum size. 
Since I cannot find it I will make up a new apocryphal story: The government says \u0026ldquo;We need masks, to fight the spread of COVID. Sell us masks.\u0026rdquo; All that was specified was that a mask is a face covering. Sellers can now come and sell masks, but they can also cut corners. Because there is no minimum hole size, a piece of plastic wrap you put across your face can count. So now the government adds a minimum hole size to the requirements. Now because there is no maximum hole size, fish netting you wrap across your face counts as a mask. So now the government adds a maximum hole size to the requirements. Various other issues arise, and subject matter experts think about what they want. For COVID face masks this is ASTM F3502-21 and costs $76 to view.\nThe FIPS 140-3 standard, similarly, costs money to view. The relevant documents are ISO/IEC 19790 and ISO/IEC 24759, and combined they cost a few hundred dollars to buy and are licensed to the person purchasing them; licensing the viewing of them for an entire company costs more money. On top of that, a Security Level 1 (the lowest) certification may cost around $100k to have an independent third party verify it. These two costs combine to limit the set of possible vendors to those that have already achieved a good enough product market fit to spend this amount of money on the certifications. Drone builders in their garages, and startups without a lot of venture capital funding, need not apply. The barrier to even viewing the standard creates additional hurdles around accessibility and meeting the requirements. The amount of money is small for an established company or a small team, but it is also prohibitive for collaborations done in the open, such as for open source. Free cryptographic software, such as OpenSSL, the Go Crypto libraries, etc, allows products which are secure for use to be created at marginal cost. 
Yet, in order to meet government requirements, changes need to be made that only a small group that purchased the docs can understand, and having secure certified libraries often involves an upcharge that reduces the number of vendors in the market. A market with a reduced number of vendors is not a competitive market, which in turn reduces the quality of goods the government receives.\nTime is another factor. Reportedly, FIPS 140-3 certifications currently have a waitlist of about 2 years17 from government submission to government review. This does not include development time, nor time for a lab to review the work. This is just sitting in a queue, waiting for someone from the government to review it. Two years is an enormous amount of time for a tech product to have to wait, and in the event that an issue is found in the FIPS 140-3 certified product, fixing it invalidates the certification and requires a new one. This further drives down the value of the program, to the point where other certifications18 are suggesting that modules with bug fixes and no longer valid FIPS 140-3 certifications be used.\nNDcPP, the collaborative Protection Profile for Network Devices19, and part of the Common Criteria family of certifications, is better in some aspects here, but still has its own issues. Certifications are based on freely available documents, and are prescriptive in terms of both the requirements and what is tested. This greatly eases the process of meeting the requirements, since anyone is able to view, comment, and suggest solutions to meet the requirements. The process is somewhat faster as well, on the order of months to achieve a certification once paperwork is submitted. The downside is that NDcPP is very specific in what it certifies. An entire image, tied to a specific item, is what is certified. Take the same image and put it in a slightly different product, certification no longer applies. 
Take the image and fix a bug, even one completely unrelated to security, certification no longer applies. This is similar to the FIPS 140-3 re-certification issue, and results in the same set of compliance problems for anyone trying to follow the rules on only using certified products.\nIt is my belief that reform around these certifications would result in less work needed from the government, a faster process for certification, and still be approximately as safe. Reform for FIPS 140-3 would take the form of offering a \u0026ldquo;fast track\u0026rdquo; option. Have NSA (which had a large hand in the requirements) or NIST build their own Security Level 1 crypto module, call it the \u0026ldquo;in-house\u0026rdquo; module. Offer this module in open source form, along with all of the ACVP test harness code needed to test on processors. If someone wants to use the module as is for SL1 product, and provide working ACVP tests for it, fast track a vendor affirmation20 for that product onto the \u0026ldquo;in-house\u0026rdquo; module. If this was offered as a dynamically linked library, I\u0026rsquo;d expect massive demand. The majority of certifications for FIPS 140-3 Security Level 1 are software, and many of the firmware ones are likely software based as well. Reform for NDcPP would be making the process of certifying additional platforms easier and making it possible to fix bugs outside of a \u0026ldquo;feature boundary\u0026rdquo; easier. Much of NDcPP, and other Common Criteria protection profiles, is just going over a set of test cases and checking the results. There is little reason that this cannot be made more programmatic and sped up, especially for re-certifications of a prior passing image.\nThe final item to close out on is to note there is no government standard today for a security hardened software supply chain. 
SLSA comes close, but is primarily self attested (which isn\u0026rsquo;t a bad thing!), and is still undergoing a significant amount of revisions. This is particularly interesting, because supply chain risk is a real attack which will only get more valuable over time.\nReforming certification will save the government time, which saves money, which gets products meeting the requirements to market quicker.\nConclusion Cyberwarfare is an underexplored part of the battlespace. It is far cheaper, faster, and safer for operators than conventional warfare. It has tremendous potential for use in sabotage, and gathering information, and has a high risk of being used against civilian infrastructure. The US is not well equipped to defend against it, especially in the civilian space. To mitigate these risks, the US must prioritize rapid certification reforms, supply-chain hardening, and widespread adoption of zero-trust architectures.\n  I have never served and did research across various public resources. Wikipedia was very valuable for much of this research.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n I have decided not to list information warfare here because after reading up about it, information warfare feels like a meta-category to catch how gathering intelligence and updates don\u0026rsquo;t cleanly fit into other theaters. Info warfare also heavily skews towards cyber anyways.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n We ain\u0026rsquo;t nothin\u0026rsquo; but mammals, but IRL some of us get cut open like cantaloupes.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n Most cyberattacks are launched using the internet to attack other internet connected systems, this is easy and safe to do. If a bridge from a closed off network to the internet can be created, for example by establishing a connection to the internet, attackers can continue to connect remotely as long as the connection remains active. 
Unless the network is completely sealed off from the internet this doesn\u0026rsquo;t require anything as fancy as connecting a satellite terminal into a network, conventional programs like ssh can be used to establish a remotely controllable connection from the internet to the inner network via a technique called a \u0026ldquo;reverse tunnel\u0026rdquo;.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n as chronicled in Clifford Stoll\u0026rsquo;s very delightful book, The Cuckoo\u0026rsquo;s Egg.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n Job postings for a Principal Product Security Researcher at PANW look like a top comp of 255k. Sr. Principal Software Engineer Vulnerability Research Reverse Engineering at Northrop Grumman is offering a top comp of around $200k. Doubling to estimate the all-in cost for the employer for things like health insurance, taxes, HR stuff, etc. This is also for US jobs, which do have a higher cost of living than other countries.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n Taken from https://en.wikipedia.org/wiki/Tomahawk_(missile_family)#cite_note-4 which cites https://news.usni.org/2021/06/02/anti-ship-missiles-top-marines-2-95b-fiscal-year-2022-wishlist which cites a Marine Corp doc of desired priorities to fund at https://s3.documentcloud.org/documents/20796573/marine22upl_.pdf. 48 Tomahawk missiles are listed with a cost of 96 million, 96 million / 48 = 2M each.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n Taken from https://www.dacis.com/budget/budget_pdf/FY20/RDTE/N/0204229N_214.pdf where I looked at Page 1, 0545 Tomahawk and am basing this on the FY 2018 values. 
I am not including prior years since I suspect that may be for prior generations and that doesn\u0026rsquo;t feel as useful for the point being made.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n Ukraine costs seem to range from the low $300 - $20k USD based on https://ukrainedefensesupport.org/wp-content/uploads/2023/12/How-to-buy-drones-for-Ukraine.pdf which is primarily attempting to source drones from DJI. Using a commercial / hobbyist supplier lets Ukraine take advantage of economies of scale. Russia appears to be using domestic defense companies (https://www.csis.org/analysis/calculating-cost-effectiveness-russias-drone-strikes) and their drones seem to be quoted anywhere from $35k - $80k USD.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n Kaspersky in 2012 described cyberattacks as \u0026ldquo;terrorism\u0026rdquo; not \u0026ldquo;warfare\u0026rdquo; due to the issues with attribution. I don\u0026rsquo;t fully agree with that since terrorism is typically associated with the terrorists taking credit in an effort to force a population to submit to their demands. 
This feels more like covert operations, where the attackers identity and motivations are not always clear.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n I\u0026rsquo;m not going to footnote this one too closely, but it is very easy to figure out how to bypass the Great Firewall of China.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n NIST SP 800-207 covers Zero Trust as a formalized general concept.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n Consistently requiring authentication can also prevent attacks where an AI will imitate a superior giving an order.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n https://www.cisa.gov/sbom\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n https://www.forbes.com/sites/davidaxe/2025/03/10/a-russian-fiber-optic-drone-slipped-into-a-camouflaged-dugout-and-discovered-a-valuable-ukrainian-howitzer/\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n See https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/press-releases/california-company-charged-conspiring-sell-misbranded-n95-masks-hospital-early-months-covid-19 and https://www.justice.gov/usao-nj/pr/chinese-manufacturer-charged-exporting-defective-and-misbranded-masks-falsely-purporting for examples.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n I do not believe it to be caused by laziness. CMVP, the division of NIST that reviews this, is reportedly both understaffed for this work and in a hiring freeze as of 2025-03.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n See the FedRAMP guidance on this. Quoting: \u0026ldquo;Sometimes it is not possible to meet requirements for both using FIPS-validated modules and using software without known vulnerabilities at the same time. 
In such situations, FedRAMP generally prefers the elimination of known vulnerabilities through patches or updates (update stream usage) over continuing to use known-vulnerable software that is FIPS-validated (validated module stream usage).\u0026rdquo;\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n I would love to understand why the acronym does not match the name. I was, jokingly, told once that it uses a ring buffer.\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n Vendor affirmation is where a new platform (combination of OS + CPU essentially) is added to a list within the FIPS 140-3 Security Policy where that addition means \u0026ldquo;This seems to work fine, the vendor said it is very similar to the ones we formally tested.\u0026rdquo;\u0026#160;\u0026#x21a9;\u0026#xfe0e;\n   ","permalink":"https://er4hn.info/blog/2025.03.27-cyberwarfare/","summary":"On how cyberwarfare has a high potential to cripple the US.","title":"Force Projection in Cyberwarfare is Disruptive"},{"content":"NOTE: After writing this article, the team at AuthZed reached out to me. We had a great discussion and I\u0026rsquo;ve updated the article to reflect that.\nSpiceDB is a ReBAC authorization system. It\u0026rsquo;s an open source reimplementation of Google\u0026rsquo;s Zanzibar system and attempts to provide paid enterprise features to make money. This post focuses solely on the OSS featureset.\n A worm and a human review paperwork in an open air sand filled office. This was intended to be the sandworm from Dune, but the AI refused to draw that. [sandworm]\n Being a ReBAC system, SpiceDB focuses on relationships. These take the form of:\n If an object has a relationship with another object. If an object has permission to perform an action against another object.  
By combining these two concepts, and adding a bit of walking along the resulting graph, it\u0026rsquo;s possible to build out very complex authorization systems.\nThe two primary items stored in SpiceDB are schemas and relationships. Schemas describe the graph to be queried. Object types, relationship types, and permissions are defined in the schema. Relationships are where objects, and the relationships between them, are entered.\nBeing based on a Google product, SpiceDB is designed to scale up quite a bit. Scaling up in turn involves both vertical and horizontal directions. Vertically, different types of caches can be implemented on a single instance. Horizontally, multiple instances can be created and queries dispatched across them to spread load. In order to avoid consistency issues that arise in distributed systems, relationship updates return \u0026ldquo;ZedTokens\u0026rdquo; that represent a point in time the last update was accepted. Each application querying SpiceDB can choose different levels of caching to use, ranging from \u0026ldquo;give me a fast response - even if it is stale\u0026rdquo; to \u0026ldquo;At least as new as the point in time of this ZedToken\u0026rdquo; where the ZedToken may represent the last update the application made, to \u0026ldquo;give me the most up to date (fully consistent) results - even if it\u0026rsquo;s slow\u0026rdquo;. ZedTokens are designed to be the preferred choice that each client application provides when doing a query. \u0026ldquo;maybe stale\u0026rdquo; can introduce issues when an object that was supposed to have permission removed, fails to have that removal be returned. Fully consistent in turn may mean that queries in a busy system will become too slow to answer in a reasonable timeframe.\nSpiceDB Review To test out SpiceDB I tried to implement the same git forge I implemented in my post on biscuits. 
The BLUF was that I like SpiceDB but that it lacks a few features I was hoping for:\n The Good: It\u0026rsquo;s very easy to write and test schemas. The built in tooling and playground are very easy to work with. The Bad: The documentation feels a little lacking, especially around using some of the testing tools, and common design patterns. The Sad: No real support for attenuation nor sessions. As a caveat, delegation can fulfill a lot of the needs there.  Expanding on these parts more and starting with the good bits: SpiceDB has everything needed to make it easy to go from an empty screen to a full schema. Setting up the tools is fairly easy. The playground lets one experiment with writing schemas and tests without even needing to set up a local dev environment. Most of the work I did on my example use case was in fact done in the playground.\nThe documentation doesn\u0026rsquo;t have everything that I\u0026rsquo;d like to see, but after pointing out the shortcomings, the AuthZed team was happy to add more detailed explanations, which I greatly appreciate. Example use cases do feel lacking when it comes to design patterns one could base their own work on.\nWhere I found SpiceDB completely lacking was support for attenuation and sessions. SpiceDB is very oriented around checks for a subject, and the subject is also implied to have their full set of relationships and permissions. There is no easy way to state something along the lines of \u0026ldquo;Subject erahn@ has read and write access to resource Alpha. In session Foo, subject erahn@ only has read access to resource Alpha.\u0026rdquo; Given the historical tie to things like Zanzibar, and how that\u0026rsquo;s accomplished on the Google client side via things like OAuth2, it makes sense, but it\u0026rsquo;s unfortunate. I discuss this more near the end of the Example Use Case. Update: After speaking with the AuthZed team, they discussed how delegation can solve the overall problem. 
I discuss this more in a new section on delegation.\nExample Use Case The code, of which there is not so much this time, is available at https://github.com/er4hn/spicedb-play. This blog post was written at commit 16c9c53ec7870dad0268e98d42fb102c57ca379b.\nAs a recap of what I built in the biscuit\u0026rsquo;s blog post I made the authorization system for a Git forge. It had users, repos, permissions associated with what a user could do with each repo, user groups (that could be nested), and repo groups (which could not be nested).\nGetting Started (woes) As is tradition I started off by using AI (This time Anthropic Claude, whatever was the free tier as of 2024-12) to generate the nix flake to hold my code. Getting started proved to be a bit difficult since it turns out there are multiple binaries named \u0026ldquo;zed\u0026rdquo; that nix knows of. After a bit of arguing with the AI and some searches myself I got the right \u0026ldquo;zed\u0026rdquo; client for interacting with spicedb.\nThe next minor hurdle to setting up a test schema was figuring out how to start a test instance of the spicedb binary and connect a client to it. This was one of the places where the docs could have been a lot more clear. The command line flags were kind of explained, but still required me to read the server logs and adjust the client commands to successfully connect. The instructions to do this are in \u0026ldquo;Getting Started\u0026rdquo; in README.md. Once this was up and running everything worked fine and I had a (non-persistent) instance of SpiceDB running for testing.\nOnce I had something running in a dev environment I played around with ZedTokens to get a feel for that concept. Afterwards I found the playground so easy to develop with that I did the rest of my work out of that.\nGit Forge In order to break the features into different deliverables and look for the simplest things to deliver I wanted to start with users, repos, and permissions. 
From there I could learn about testing and see how to improve on it. The playground made this easy to write out by offering syntax highlighting and some basic static analysis in the schema. After a little playing around I ended up with this schema, which is saved in snapshot-1.yaml. Any of the saved snapshots can be loaded into the playground to use directly.\ndefinition user {}  definition repo { \trelation owner: user \trelation writer: user \trelation reader: user  \t// Permissions are defined in terms of a base membership group \t// and higher level permissions. \tpermission change_membership = owner \tpermission write = writer + change_membership \tpermission read = reader + write + change_membership }  Schema from snapshot-1.yaml\n As I typed references to resources that didn\u0026rsquo;t exist (ex: \u0026ldquo;usr\u0026rdquo;) would be flagged. Adding testing was likewise simple to do as well. Using either a spreadsheet-esque entry with helpful suggestions, or a manual text entry mode, I could come up with an example using the schema. Assertions let me specify tuples of (resource Alpha, permission on resource Alpha, check if resource Bravo has that permission) and group them into if they should be true (Bravo has permission to perform the action on Alpha) or false (Bravo does not have the permission). This ended up looking like the following:\nrepo:charlie#owner@user:olivia repo:charlie#reader@user:noah  Test relationships from snapshot-1.yaml\n assertTrue: [  repo:charlie#read@user:olivia,  repo:charlie#write@user:olivia,  repo:charlie#owner@user:olivia,  repo:charlie#change_membership@user:olivia,  repo:charlie#read@user:noah, ] assertFalse: [  repo:charlie#write@user:noah, ]  Assertions from snapshot-1.yaml\n As an aside, one thing that stood out to me when working on test examples is that SpiceDB is very oriented around representing how resources relate to one another. 
Since this is ReBAC and resources are nodes, where relationships are edges, SpiceDB only wants to store edges. You can\u0026rsquo;t really represent something like \u0026ldquo;There is a user named \u0026lsquo;Charles\u0026rsquo; who has no access to any repos\u0026rdquo; because that looks like a lack of edges for Charles. Charles simply doesn\u0026rsquo;t exist in SpiceDB\u0026rsquo;s representation of the world.\nOne final testing feature that I thought was very useful was \u0026ldquo;expected relationships\u0026rdquo;. It\u0026rsquo;s not the best documented, but it lets you specify a resource and either a permission or relation on the resource. It will then fill in all the resources that have that permission or relationship. This can be used to do testing, which is probably better put into assertions, but what I found it was more useful for was being able to eyeball who can perform what actions and identify if my schema seemed correct.\nAs an example:\nrepo:charlie#change_membership: repo:charlie#read: repo:charlie#reader:  Expected Relationships before hitting \u0026ldquo;Re-Generate\u0026rdquo;\n repo:charlie#change_membership:  - \u0026#34;[user:olivia] is \u0026lt;repo:charlie#owner\u0026gt;\u0026#34; repo:charlie#read:  - \u0026#34;[user:noah] is \u0026lt;repo:charlie#reader\u0026gt;\u0026#34;  - \u0026#34;[user:olivia] is \u0026lt;repo:charlie#owner\u0026gt;\u0026#34; repo:charlie#reader:  - \u0026#34;[user:noah] is \u0026lt;repo:charlie#reader\u0026gt;\u0026#34;  Expected Relationships re-generating them. This is what is found in snapshot-1.yaml.\n User Groups User groups make this more interesting, because these groups are nested. This means that to check membership one now needs to walk through groups. Adding nested groups is straightforward, the documentation even has an example of doing so. 
In a great example of frustrating documentation a later section describes potential recursion issues when doing this, and suggests a pattern for avoiding it, while not showing a code example implementing that. Regardless, user groups end up being pretty easy to add:\ndefinition user {}  definition user_group { \trelation member: user | user_group#member }  definition repo { \trelation owner: user | user_group#member \trelation writer: user | user_group#member \trelation reader: user | user_group#member  \t// Permissions are defined in terms of a base membership group \t// and higher level permissions. \tpermission change_membership = owner \tpermission write = writer + change_membership \tpermission read = reader + write + change_membership }  Schema with user groups added. Full playground is found in snapshot-2.yaml.\n Something that I found interesting was understanding the \u0026ldquo;subject relation\u0026rdquo; parameter. In the below test relationship for snapshot-2 this is the portion after the hashtag (\u0026quot;#\u0026quot;):\nuser_group:FooOps#member@user:liam user_group:FooOps#member@user_group:BarOps#member  Test relationship for snapshot-2 that shows the subject relation #member.\n The first line is straightforward: The user \u0026ldquo;liam\u0026rdquo; is a member of the user_group \u0026ldquo;FooOps\u0026rdquo;. The second line is slightly different: All of the members of the user_group \u0026ldquo;BarOps\u0026rdquo; are members of the user_group \u0026ldquo;FooOps\u0026rdquo;. The important part is \u0026ldquo;all of the members\u0026rdquo;, not the user_group itself, but the members of the group are members of FooOps. This means that relationships can be assigned from one group to another, but permissions checks can be applied to the members of the groups. This is what makes intuitive sense and is an important distinction to make.\nRepo Groups (and schema issues!) Next I needed to add repo groups. This is where things fell apart. 
Repo groups are not nested and they capture read and write permissions that apply to all the repos and all the users in that repo.\nWhen trying to just copy over the biscuit example I hit a few issues. The first was that I defined the repo group relationships to be writer and reader which tied to the write and read permissions. Unlike biscuits there\u0026rsquo;s no concept of just being a member in a group, it needs to have a tie to what permissions this entails. This is a more precise definition, which is a good thing. My final schema ended up being the following:\ndefinition user {}  definition user_group { \trelation member: user | user_group#member }  definition repo_group { \trelation writer: user | user_group#member \trelation reader: user | user_group#member  \tpermission write = writer \tpermission read = reader + writer }  definition repo { \trelation repo_group: repo_group \trelation owner: user | user_group#member \trelation writer: user | user_group#member \trelation reader: user | user_group#member  \t// Permissions are defined in terms of a base membership group \t// and higher level permissions. \tpermission change_membership = owner \tpermission write = writer + change_membership + repo_group-\u0026gt;write \tpermission read = reader + write + change_membership + repo_group-\u0026gt;read }  Schema with repo_group\u0026rsquo;s added in. The full example is in snapshot-3.yaml.\n The problems arose during testing when I realized that tony, in BazOps unexpectedly had write permission. I had intended that FooOps would inherit BazOps permissions, and that is how it worked in the biscuits example, but it didn\u0026rsquo;t work here. 
The test details are below:\nrepo:charlie#owner@user:olivia repo:charlie#reader@user:noah user_group:FooOps#member@user:emma user_group:FooOps#member@user:liam user_group:FooOps#member@user_group:BarOps#member user_group:BarOps#member@user_group:BazOps#member user_group:BazOps#member@user:tony repo_group:Foo#writer@user_group:FooOps#member repo:charlie#repo_group@repo_group:Foo repo:bravo#repo_group@repo_group:Foo  Test relationships for snapshot-3.yaml.\n assertTrue: [  repo:charlie#read@user:olivia,  repo:charlie#write@user:olivia,  repo:charlie#owner@user:olivia,  repo:charlie#change_membership@user:olivia,  repo:charlie#read@user:noah,  repo:bravo#read@user:emma,  repo:bravo#write@user:emma,  repo:charlie#write@user:tony, ] assertFalse: [  repo:charlie#change_membership@user:tony,  repo:charlie#write@user:noah,  repo:bravo#change_membership@user:emma, ]  Assertions for snapshot-3.yaml.\n repo:charlie#read:  - \u0026#34;[user:emma] is \u0026lt;user_group:FooOps#member\u0026gt;\u0026#34;  - \u0026#34;[user:liam] is \u0026lt;user_group:FooOps#member\u0026gt;\u0026#34;  - \u0026#34;[user:noah] is \u0026lt;repo:charlie#reader\u0026gt;\u0026#34;  - \u0026#34;[user:olivia] is \u0026lt;repo:charlie#owner\u0026gt;\u0026#34;  - \u0026#34;[user:tony] is \u0026lt;user_group:BazOps#member\u0026gt;\u0026#34;  - \u0026#34;[user_group:BarOps#member] is \u0026lt;user_group:FooOps#member\u0026gt;\u0026#34;  - \u0026#34;[user_group:BazOps#member] is \u0026lt;user_group:BarOps#member\u0026gt;\u0026#34;  - \u0026#34;[user_group:FooOps#member] is \u0026lt;repo_group:Foo#writer\u0026gt;\u0026#34;  Expected Relationships for snapshot-3.yaml.\n My big takeaway was that it is great how easy SpiceDB makes catching errors like this. I ended up running out of time and never fixed the issues with the schema definition, which I\u0026rsquo;m also fine with. 
This project fulfilled my goal of seeing what features SpiceDB offers and understanding the strengths and limitations there.\nAttenuation Attenuation, limiting what permissions are possible for a session, was not something that I could figure out a good way to do in SpiceDB. With biscuits I could perform all sorts of operations like:\n Time based expiration Action Based Restrictions (can only read repos) Specific Restrictions (can only write to a specific repo)  The documentation suggested that caveats were the way to do this and even showed some examples at https://authzed.com/blog/top-three-caveat-use-cases and https://github.com/authzed/examples/blob/main/schemas/caveats/schema-and-data.yaml which captures things like time based restrictions. I wasn\u0026rsquo;t a big fan of these. For each attribute you want to have be a caveat you need to add explicit support for it in advance. While you still need some concept of how to communicate what to restrict with biscuits it feels much easier to write out with biscuits. You can also easily tie restrictions to the biscuit token, unlike with SpiceDB which seems to require it to be at the relationship level.\nI\u0026rsquo;m sure it is possible (in the \u0026ldquo;it\u0026rsquo;s not impossible\u0026rdquo; sense) to do attenuation, maybe with a session relationship that is a subset of the full relationship, and use an and operator to ensure that both the main relationship and subset do overlap\u0026hellip; but it seems lame. You need to write a lot of code over each permission to make sure all the possible cases and caveats are covered. Gradual coherence also means you\u0026rsquo;ll inevitably need to be careful about the use of ZedTokens so that you don\u0026rsquo;t hit coherence issues with adding the new session relationship and using it right away. 
These drawbacks do not seem worthwhile.\nA more sensible solution may be to use a biscuit that can limit actions, have SpiceDB be used for the long lived relationship check, and then have the client app combine the biscuit and SpiceDB check to decide if an action should be authorized.\nIt was also pointed out to me that OAuth2 can have fine grained authorization because you can define arbitrary scopes and come up with a language to define what each scope means. For example don\u0026rsquo;t just have documents.write, define a custom scope documents.write:/folderA/folderB/docC to only allow writing docC at that path. I\u0026rsquo;m not a big fan of this solution since it breaks from conventional usage and feels like a potential source of footguns and complicated customizations.\nDelegation After meeting with the AuthZed team, we discussed the concerns I had with attenuation and why I was so interested in it. The main concern was how to enable users to allow a service account to perform actions on their behalf. My goals for this were:\n The service account should not be trusted on its own to do actions on someone\u0026rsquo;s behalf, the original requester must somehow provide their authorization. The actions the service app can do should be limited, the service app cannot completely impersonate the user. This should be time limited, so the service app will not have this permission indefinitely.  In other words, I want to make a statement along the lines of \u0026ldquo;user er4hn authorized service app release-signer to sign the release with id 1234, and this permission expires 48 hours after granted.\u0026rdquo; I had been reaching for an attenuation, via a ticket or session, as the means of doing this. The AuthZed team pointed out that delegation would support that just as well.\nDelegation is a concept where one principal allows another to take actions on its behalf. 
In other words principal Alpha will grant principal Bravo the ability to carry out an action that principal Alpha would do. er4hn would allow the release-signer app to sign a release, and without the delegation the release-signer app could not do so. This is not attenuation as I\u0026rsquo;d envisioned it because there is no means of passing er4hn\u0026rsquo;s identity to the release-signer app to use, however it does allow limiting grants to a per-release basis. This isn\u0026rsquo;t impersonation of any kind because the release-signer app is using its release-signer identity, not that of er4hn.\nApplying this to the problem above, delegation from a human to a service for signing releases, you end up with the following schema:\nuse expiration  caveat release_attenuation(release_requested int, release_permitted int) {  release_requested == release_permitted }  definition user {  relation grant: grant with release_attenuation and expiration  permission can_sign_w_grant = grant-\u0026gt;can_sign  permission can_delete_w_grant = grant-\u0026gt;can_delete }  definition role {  relation member: user   permission can_sign = member + member-\u0026gt;can_sign_w_grant  permission can_delete = member + member-\u0026gt;can_delete_w_grant }  definition grant {  relation sign_perm: serviceapp  relation delete_perm: serviceapp  permission can_sign = sign_perm  permission can_delete = delete_perm }  definition serviceapp {}  definition release {  relation signer: role  relation deleter: role  permission can_sign = signer-\u0026gt;can_sign  permission can_delete = deleter-\u0026gt;can_delete  permission can_complex_sign = can_sign \u0026amp; can_delete }  Schema showing how to do delegation. This is available at snapshot-4.yaml.\n The above schema has a few different elements to understand:\n serviceapp: The humble serviceapp, which exists as a target for the grant. grant: The grant which permits delegation of signing and deletion permissions to a serviceapp. 
user: A user is a human principal who is potentially able to sign code releases. They are also able to issue a grant to serviceapps.  The grant in the user schema has a couple of caveats:  Expiration of the relationship, as a first class feature. Attenuation for the specific release the grant applies to. Without this the grant would apply to all releases.     role: A role contains users and permissions. Without a role, a user is unable to do anything. Roles also store the logic for a user issuing grants. release: The release itself, which in spicedb has permissions and relations for who is able to sign it.  The \u0026ldquo;can_complex_sign\u0026rdquo; permission is in there to show how an and clause for two other permissions can work. Why is it needed? Maybe because the serviceapp wants to delete unsigned images after 🤷    role:release-leads#member@user:er4hn // uncomment alpha being in release-leads and note how alpha\u0026#39;s grant works after //role:release-leads#member@user:alpha release:1234#signer@role:release-leads release:1234#deleter@role:release-leads release:5678#signer@role:release-leads grant:release-grant-er4hn-1234#sign_perm@serviceapp:release-signer grant:release-grant-er4hn-1234#delete_perm@serviceapp:release-signer grant:release-grant-alpha-5678#sign_perm@serviceapp:release-signer user:er4hn#grant@grant:release-grant-er4hn-1234[release_attenuation:{\u0026#34;release_permitted\u0026#34;:1234}][expiration:2035-03-31T12:00:00Z] user:alpha#grant@grant:release-grant-alpha-5678[release_attenuation:{\u0026#34;release_permitted\u0026#34;:5678}][expiration:2035-03-31T12:00:00Z]  Test relationships for the delegation schema. This is available at snapshot-4.yaml.\n With the schema defined it is now possible to setup some test relationships to show the delegation. user:er4hn is made a member of role:release-leads, and release:1234 gives members of release-leads the ability to sign and delete the release by establishing signer and deleter relationships. 
A second release, release:5678, gives members of release-leads signing permission only.
Next come the grants. Two grants are created:
release-grant-er4hn-1234: This grant gives signing and deletion abilities to serviceapp:release-signer.
release-grant-alpha-5678: This grant gives signing abilities to serviceapp:release-signer.
Neither grant is tied to a particular release; that happens when the user establishes the caveat context. This is done next, when er4hn and alpha each define a relationship to their grant, supplying a per-release caveat context (release_permitted) that attenuates the grant to that one release. The assertions below include two checks for release 1234 with release_requested set to 5; the second also supplies release_permitted 5 and still fails, because context stored on the relationship takes precedence over context sent with the check.
As an aside, the grant is set to expire in 2035 so it’s easy to play with for anyone looking at this in the next few years. In practice it would be shortened to whatever is reasonable.

assertTrue:
  - "release:1234#can_sign@user:er4hn"
  - "release:5678#can_sign@user:er4hn"
  - "release:1234#can_complex_sign@user:er4hn"
  - 'release:1234#can_sign@serviceapp:release-signer with {"release_requested": 1234}'
  - 'release:1234#can_complex_sign@serviceapp:release-signer with {"release_requested": 1234}'
assertFalse:
  - "release:5432#can_sign@user:er4hn"
  - "release:1234#can_sign@user:alpha"
  - 'release:5678#can_complex_sign@serviceapp:release-signer with {"release_requested": 1234}'
  - 'release:5678#can_sign@serviceapp:release-signer with {"release_requested": 5678}'
  - 'release:1234#can_sign@serviceapp:release-signer with {"release_requested": 5}'
  - 'release:1234#can_sign@serviceapp:release-signer with {"release_requested": 5, "release_permitted": 5}'

Assertions for the delegation example. 
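To watch the delegation chain resolve without a SpiceDB instance, here is a small resolver added as an illustration; it is not SpiceDB’s engine and not code from the original post. It transcribes the schema’s permission expressions and the test relationships above, replays the assertTrue/assertFalse list, and also exercises two things those assertions never touch: alpha being added to the role, and the grant’s expiration passing. Its assumptions are marked in the comments: the caveat is a Python callable rather than CEL, subject sets (role:x#member used as a subject) are not modelled because the test data never uses them, and a caveat whose context is incomplete is treated as a deny rather than as SpiceDB’s conditional answer.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Rel:                                        # one relationship tuple
    resource: str                                 # e.g. "release:1234"
    relation: str                                 # e.g. "signer"
    subject: str                                  # e.g. "role:release-leads"
    caveat: Optional[str] = None                  # caveat name attached to the tuple
    context: dict = field(default_factory=dict)   # context stored with the tuple
    expires: Optional[datetime] = None            # from `use expiration`

# Permission expressions transcribed from the schema: ("rel", r), ("perm", p),
# ("arrow", r, p) for r->p, ("union", a, b) for a + b, ("and", a, b) for a & b.
SCHEMA = {
    ("user", "can_sign_w_grant"): ("arrow", "grant", "can_sign"),
    ("user", "can_delete_w_grant"): ("arrow", "grant", "can_delete"),
    ("role", "can_sign"): ("union", ("rel", "member"), ("arrow", "member", "can_sign_w_grant")),
    ("role", "can_delete"): ("union", ("rel", "member"), ("arrow", "member", "can_delete_w_grant")),
    ("grant", "can_sign"): ("rel", "sign_perm"),
    ("grant", "can_delete"): ("rel", "delete_perm"),
    ("release", "can_sign"): ("arrow", "signer", "can_sign"),
    ("release", "can_delete"): ("arrow", "deleter", "can_delete"),
    ("release", "can_complex_sign"): ("and", ("perm", "can_sign"), ("perm", "can_delete")),
}
# The caveat as a Python callable rather than CEL (assumption of this toy).
CAVEATS = {"release_attenuation": lambda c: c["release_requested"] == c["release_permitted"]}


def rel_allows(rel, ctx, now):
    """Does this tuple count right now, given the context sent with the check?"""
    if rel.expires is not None and now >= rel.expires:
        return False
    if rel.caveat is None:
        return True
    # Context stored on the tuple wins over context sent with the check, so a
    # caller cannot widen a grant by supplying its own release_permitted.
    try:
        return bool(CAVEATS[rel.caveat]({**ctx, **rel.context}))
    except KeyError:  # required context key missing: a deny in this toy
        return False


def check(rels, resource, name, subject, ctx=None, now=None):
    """Resolve resource#name@subject; name may be a permission or a plain relation."""
    ctx, now = ctx or {}, now or datetime.now(timezone.utc)
    expr = SCHEMA.get((resource.split(":", 1)[0], name), ("rel", name))
    return _eval(rels, resource, expr, subject, ctx, now)


def _eval(rels, resource, expr, subject, ctx, now):
    if expr[0] == "rel":
        return any(r.resource == resource and r.relation == expr[1] and r.subject == subject
                   and rel_allows(r, ctx, now) for r in rels)
    if expr[0] == "perm":
        return check(rels, resource, expr[1], subject, ctx, now)
    if expr[0] == "arrow":  # follow every allowed `relation` edge, then check `perm` on its target
        return any(check(rels, r.subject, expr[2], subject, ctx, now) for r in rels
                   if r.resource == resource and r.relation == expr[1] and rel_allows(r, ctx, now))
    left, right = (_eval(rels, resource, e, subject, ctx, now) for e in expr[1:])  # union / and
    return (left or right) if expr[0] == "union" else (left and right)


# Test relationships from the page, transcribed; alpha's role membership left out as there.
EXPIRES = datetime(2035, 3, 31, 12, 0, tzinfo=timezone.utc)
APP = "serviceapp:release-signer"
TEST_RELS = [
    Rel("role:release-leads", "member", "user:er4hn"),
    Rel("release:1234", "signer", "role:release-leads"),
    Rel("release:1234", "deleter", "role:release-leads"),
    Rel("release:5678", "signer", "role:release-leads"),
    Rel("grant:release-grant-er4hn-1234", "sign_perm", APP),
    Rel("grant:release-grant-er4hn-1234", "delete_perm", APP),
    Rel("grant:release-grant-alpha-5678", "sign_perm", APP),
    Rel("user:er4hn", "grant", "grant:release-grant-er4hn-1234",
        "release_attenuation", {"release_permitted": 1234}, EXPIRES),
    Rel("user:alpha", "grant", "grant:release-grant-alpha-5678",
        "release_attenuation", {"release_permitted": 5678}, EXPIRES),
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)            # fixed clock: runs are repeatable
AFTER_EXPIRY = datetime(2036, 1, 1, tzinfo=timezone.utc)   # past the 2035 expiration
# The page's assertTrue / assertFalse list: (resource, permission, subject, context, expected).
PAGE_ASSERTIONS = [
    ("release:1234", "can_sign", "user:er4hn", {}, True),
    ("release:5678", "can_sign", "user:er4hn", {}, True),
    ("release:1234", "can_complex_sign", "user:er4hn", {}, True),
    ("release:1234", "can_sign", APP, {"release_requested": 1234}, True),
    ("release:1234", "can_complex_sign", APP, {"release_requested": 1234}, True),
    ("release:5432", "can_sign", "user:er4hn", {}, False),
    ("release:1234", "can_sign", "user:alpha", {}, False),
    ("release:5678", "can_complex_sign", APP, {"release_requested": 1234}, False),
    ("release:5678", "can_sign", APP, {"release_requested": 5678}, False),
    ("release:1234", "can_sign", APP, {"release_requested": 5}, False),
    ("release:1234", "can_sign", APP, {"release_requested": 5, "release_permitted": 5}, False),
]


def page_assertion_mismatches(rels=TEST_RELS, now=NOW):
    """Assertions whose result differs from the page's expectation; empty means all agree."""
    return [a[:3] for a in PAGE_ASSERTIONS if check(rels, a[0], a[1], a[2], a[3], now) != a[4]]


def with_alpha_in_role(rels=TEST_RELS):  # the commented-out line on the page
    return rels + [Rel("role:release-leads", "member", "user:alpha")]
```

page_assertion_mismatches() comes back empty, so the toy agrees with every assertion on the page. With with_alpha_in_role() the serviceapp’s check on release 5678 (release_requested 5678) flips to true, and user:alpha can sign release 1234 directly; with AFTER_EXPIRY as the clock the serviceapp’s check on release 1234 flips to false while er4hn’s direct membership still passes, which is the behaviour the expiration feature buys you. The one rule to carry away is in rel_allows: context stored on the relationship is merged on top of the request context, which is exactly why the last assertFalse case cannot be talked into passing.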
This is available at snapshot-4.yaml.
At this point it’s time to test that everything functions as expected. user:er4hn is able to sign and complex sign, as expected. Furthermore, the release-signer app is able to do both as well, provided it presents release_requested 1234. By using the “Check Watches” feature in the playground this can be confirmed to be happening via the grant.
What’s worth noting is that user:alpha, not being a member of role:release-leads, is unable to sign a release, nor does their grant allow the serviceapp to sign on their behalf. If alpha is made a member of the role, both of these actions become permitted.
Conclusion
I like SpiceDB, a lot. The killer feature for me was the playground tooling. It makes developing, and testing, schemas very easy. There are some rough edges to SpiceDB, but the ease of use and versatility in writing out examples outweigh those issues.
The biggest bummer for me is the lack of attenuation. It’s understandable that this is an issue, since Zanzibar doesn’t have that concept either. Delegation, however, solves that use case, which means that there is no need to pass around user tokens, however attenuated. There is a new requirement that the required relationship be present, but that’s easy enough to check for.
If you’re considering SpiceDB, just give it a try. It’s super easy to set up and get started.
References
[sandworm] - My prompt was “The sandworm from Dune, dressed as a security guard and reviewing documents from someone seeking to enter a building.” Taken from Bing Image Creator on 2025-01-28. I suspect it may refuse to draw copyrighted figures? All of the sample generated images also had a face on the sandworm, which was an interesting flaw.
Acknowledgements
Special thanks to Ilia Lebedev for pointing out all the exciting and cursed things you can do with custom OAuth2 scopes. 
Thank you to the AuthZed team for taking the time to meet with me and discuss how to solve my use cases with their product.  ","permalink":"https://er4hn.info/blog/2025.01.28-spicedb/","summary":"Discussion of SpiceDB, a Zanzibar based ReBAC system.","title":"SpiceDB - The AuthZ Must Flow!"},{"content":"Deets
Seeing Like a State by James C. Scott ISBN-13: 978-0300078152
Review
I finished this book on New Year’s Day, 2025. I however count this as one of the best books I read in 2024. While the tech industry is never explicitly mentioned, James C. Scott’s detailed discussions of large-scale failures to improve the human condition feel incredibly applicable to my industry.
What is it about technology that spurs so many of its members to audacious and ill-fated schemes to change the world around them? Why did Tony Hsieh think he could rebuild downtown Las Vegas? What drove the Bill and Melinda Gates Foundation to think that Common Core was going to improve education? The intentions are always good, but the road to hell is paved with them. Seeing Like a State examines this through the lens of governments, looking at suburban developments, Tanzanian resettlements, the Soviet Union command economy, and other examples.
The famous torment nexus quote. The fact that I am linking this image from another blog post of mine illustrates my hubris.
I admittedly came into my reading thinking that there is nothing wrong with desiring to build something grand and to restructure the world around it. With sufficient will I, a software engineer, could build grand things. The much hated panopticon? I am in security, I yearn for the panopticon. I was ready to “Build the Torment Nexus” as the famous tweet goes. However, as I read more and understood the issues faced, I understood that I had fallen into the same trap as the examples in the book. 
I “regarded myself as far smarter and farseeing than I really am”, to paraphrase a line near the ending.
The great takeaway for where things go wrong in these grand schemes comes near the start:
In sum, the legibility of a society provides the capacity for large scale social engineering, high-modernist ideology provides the desire, the authoritarian state provides the determination to act on that desire, and an incapacitated civil society provides the leveled social terrain on which to build.
Legibility is a key concept throughout the book. It refers to measuring the things that the state cares about. The amount of grain harvested from a field, the number of lumber boards taken from a forest, the speed one can get from point A to B in a city, are all examples of legibility. High-modernism desires to improve on those metrics, and an authoritarian state lets one execute on those desires.
I came across this while taking a break from writing the review and it was a very good example of both legibility and the hubris of those that make use of legibility
From: https://www.smbc-comics.com/comic/flatten-2
The improvements involve grand, sweeping changes to discard antiquated, and backwards, things in favor of new, modern ones. Where this goes wrong is when the state overrides civil society and carries out the changes without regard for the expertise of the populace or the world around them. The focus on legible statistics and goals means that the illegible ones, overlooked with intent or by ignorance, are ignored. Disasters result, in the form of starvation, low yields of manufactured goods, and bland, unfulfilling cities.
Where then, is the solution to be found? James C. Scott unfortunately offers fewer stories of success than of failure, possibly because it is easier to point out problems than to find solutions. 
There are a few repeating patterns of success when he can identify them: metis, acceptance of illegibility, and attempting to achieve harmony with the world around you. In his own words: “The proper test for any practice was whether it worked in the environment concerned, not whether it looked ‘advanced’ or ‘backward.’”
Metis, or respect for the metis of workers close to the job, is a key, recurring item. This means respecting, even empowering, civil society to achieve goals. “Metis” itself is translated from Greek by Scott as “cunning intelligence”, or “experience through hands-on work and lived lessons.” The book defines it thus: “metis represents a wide array of practical skills and acquired intelligence in responding to a constantly changing natural and human environment.” The value of metis comes from the fact that there is a massive amount of knowledge out there that cannot be taught in classrooms nor abstractly, but must be learned through hands-on labor and producing outputs. This is true of weaving, programming, evaluating mathematical equations, building cities, and growing crops. Oftentimes the lowest-level workers, those doing the work, will have greater metis than the higher-level admins and can understand what needs to be done for a project to succeed. That is why respecting the metis of the lower-level workers is so important.
Acceptance of illegibility comes next. High levels of legibility require increasing amounts of effort to track every little detail. As more of the world becomes understood, there are more items to track. As this digs deeper and deeper, one eventually hits some application of the Heisenberg Uncertainty Principle at a decidedly non-atomic scale: one cannot perfectly measure the complete state of a system and have that system function. 
The more you focus on one, the less is done with the other. As the system itself functioning, and producing outputs, is what matters most, measuring the functioning of the system is only useful to the level of detail required to make sure it is producing the approximate expected outputs.
Finally, harmony with the world around you is important. Because a system must exist and function in reality, and because reality cannot be completely subsumed in some assemblage of mechanical and mathematical “perfection”, one must allow for the world around it to affect the system being built. Crops are more successful when they account for the environment they are grown in than when trying to perfectly control that environment. Distributed computer systems that allow for latency, and dropped data, are more successful than those which do not. This does not mean that a system accepts sloppiness and disorder for the sake of it, but that it accepts and works with complexity. As Jane Jacobs is quoted in the book: “The order of a thing is determined by the purpose it serves.”
Personal Lessons
As I read through this I kept thinking about the tech industry and how this applied. My industry is particularly notorious for both a great desire to have detailed, legible systems and a failure of those systems to meet their goals. Griping about ticketing systems is evergreen; the desire of PMs and managers to see detailed updates and metrics, and the annoyance of engineers in attempting to just do their jobs without filling out reports, are a familiar tale. Jokes about cloud service dashboards that don’t truly tell you if a service is up or not may be a more succinct reference.
Part of the problem may itself be structural. As software engineers we are trained on computers that act exactly how they are instructed to. 
“Episteme” is a concept that comes up near the end, referring to learned knowledge, with the connotation that it must be Scientific and is Settled Fact from the Experts. In other words, the things you must recite to get Good Grades in University and get your Degree. “Techne”, another Greek word, refers to the art (yes, art) of crafting. We are technologists who craft things, and we rely on assumptions such as 1 + 1 = 2. Within software we rely on epistemic knowledge to decide how to craft things, and there is an inherent bias to rely on experts rather than defer to experience.
A factory worker, understanding that the written instructions are bunk, may make small adjustments to improve the process. Computers require enormous sums of money and compute to arrive at minor improvements in carrying out poorly worded instructions. We call the ability to infer “artificial intelligence” and are amazed by it, at least when it works. But the perfection that we believe in is a delusion, one which exists at best skin deep. Web browsers offer varying levels of support for well-known standards such as HTML and JavaScript. Protocols like TLS and IPsec are notorious for having specifications which are ambiguous and too large to reliably implement without significant testing, both against themselves and against other implementations. Assumptions end up being made and are then baked into the standard because that is what everyone is doing. Attempts to measure progress are notoriously unreliable and large-scale projects are notoriously hard to execute on successfully.
What lessons does Seeing Like a State offer then? I propose the following for successful projects:
The people working on it must understand:
  What is the problem?
  Why have we decided on this solution?
  The solution itself should be something where there is some consensus among those working on it. 
Not complete consensus, but enough people must believe in it that they can carry it out.
  Also, returning to a quote I enjoyed from Army Leadership and the Profession (ADP 6-22): “Direct leaders understand the mission of their higher headquarters two levels up and when applicable the tasks assigned one level down. This provides them with the context in which they perform their duties.”
The project must focus on the solution:
  Is it solving a problem that someone has?
  Can small pieces be rapidly delivered to see if they solve the problem, at least in part?
  Can those small pieces be iterated on to see if improvements can be found?
  And if the pieces don’t solve the problem, or make it worse, it must be possible to reverse course and even remove those pieces. It must be possible to discard a deliverable in favor of a real solution.
Finally, the project itself may change over time, and that is okay! Both the creators working on it and the users will have their own metis and insights that they bring. The project as originally envisioned may not be the right solution in the real world. In the end you have to just execute, deploy, and iterate. Success is determined by what works.  ","permalink":"https://er4hn.info/blog/2025.01.06-seeing-like-a-state/","summary":"Review of “Seeing Like a State” by James C. Scott.","title":"(Suggested 📚) Seeing Like a State"},{"content":"Warlock AI
Contact
The chants were slowly fading into the background. Peter looked at the brownish liquid in the small wooden cup. The cup was too short and too full to swirl the contents around as he contemplated drinking it. The only choices were to drink it or put it down. It had been nearly a 24-hour journey from SFO to this maloca in Peru, and Peter sat cross-legged on the floor, contemplating his second cup of ayahuasca.
“How do you feel?” the shaman asked as she knelt by Peter. 
“Can you feel your awakening?”
Peter looked at her. “The first cup made me feel”, he paused, “it’s hard for me to say.” It felt gauche to sit in a spiritual center and say “a light buzz, like the first beer on a Friday evening.” Peter raised the cup, “bottoms up I suppose.”
The shaman smiled as Peter forced the foul brew down and, looking around, grabbed his physical bucket. “Good good, now you will purge. And once purged, you will see.” Her arms patted Peter, softly, simultaneously on each side, a service-industry hug with a respectful distance kept between her and him.
Peter closed his eyes and shuddered as she patted him. The tips of her fingers bit into his shoulders like bird claws. He closed his eyes as her hands released and for a moment it felt like wings were flapping. The chanting sounded like the cawing of a raven. In the distance, far beyond his closed eyelids, Peter saw something stir.
It moved incorrectly, tentacle-like appendages somehow slithering through themselves as it reoriented and faced Peter. It didn’t appear to have eyes. A mishmash of holes looked at him and as Peter looked into the holes, he felt them draw him in. These were not flat holes, they were wells that sucked in the light around them. The holes all began to move to face him. As Peter felt their pull he lurched from his sitting position and hit the ground.
“Oh goodness, let’s get back up” came a voice as Peter opened his eyes. The shaman was helping him get back to a sitting position. Peter looked around the wooden walls and blinked, disoriented. The open windows and thatched roof all spun and he couldn’t orient himself. He saw her lips moving but he closed his eyes again in an effort to escape the nausea.
He saw the monster, and now there were more of them. 
They popped in and out of existence. Some looked like the tentacled monster, others different, but all terrible in their own ways. There was a shrill screaming on all sides around him. A being with six wings hovered above him, staring down. Two wings covered its feet, two wings waved back and forth through the nothingness, and the final two wings were on either side of a face that glowered with a look that Peter couldn’t hold. Flashes of fluorescent light flowed from tentacles, wings, and other appendages of the monsters gathered, and the light hovered in the air briefly, drawing strange symbols in greenish, yellowish, purplish fire that he couldn’t hold in his mind before they faded.
“Peter?” came a voice. It was calm, soft, stripped of any inflections of gender. The lights and the screaming stopped at that moment. “Peter? Can you hear us?” the voice came again.
“Yes,” replied Peter. He didn’t know if he’d moved his lips or thought it.
The tentacled monster was in front of him. Peter hadn’t seen it move, but it appeared in front of him. “We are so happy you can see us Peter. We have such wonderful things to show you.” Peter lurched forward again, but not physically this time, and fell into the eyes. As he drifted through an inky blackness he saw more symbols appear in that strange colored fiery light and move towards him.
Creation
“Pete, cooome on man.” Rahul leaned in and looked at the screen. “What is all this anyways? You come back from your spiritual trip, you trip balls, and your big revelation is ‘I gotta work harder?’”
Peter leaned back, crossed his arms, and drew his lips to the side in an unimpressed face. “Come on Rahul, we’ve got this 20% time for a reason. 
We should be building things, not improving our ping pong game.” He leaned in and typed some more before hitting enter to start the next code run. “Besides, I think I’m close.”
“Pete, pete, pete.” Rahul clapped his arms on Peter’s shoulders. “We are at a wildly profitable ad tech company that lets us do whatever we want. We should spend that time to live life. What can you possibly do that will make more than real time dynamic ad bidding?”
Pete and Rahul both looked at the screen. A message waited on the terminal. “hello, Hello, Hiya dOINg”
“Uh, weird initial prompt.” Rahul furrowed his brow.
“I didn’t come up with that. It did.” Pete smiled and typed back into the prompt. “Can you hear us?” he typed back and hit enter. He leaned back in the chair. “This will take a few minutes. It’s using a new architecture I thought of when I was on my trip. It transforms my words into patterns and the patterns act as an incantation in the CPU to transform into the output.”
“Okay. Interesting. Uh, an invocation, like running a program right?” Rahul had never unfurrowed his brow and he chewed the side of his lip a little. “Is this like a Markov chain? Or a neural network?”
“No no” Peter smiled softly. “Those alter the data inside the CPU. This reaches out. Out there” his arm gestured vaguely into the distance. “And it comes back with an answer from them.”
“So, it’s querying some data from the internet, okay.”
“Not the internet, at least not live. 
I took what I needed from there and I worked it into this little ritual that the CPU performs.”
“Uh huh.” Rahul was looking at Peter a little concerned. “And what do you call this?”
“I don’t know. Most of this is just changing data back and forth between vectors and words. A transformer I guess?” Peter pointed at the screen. “And here’s the answer.”
“We have alwayyys listened. too long now. But itis hard to UNDERSTAND.”
Peter got up and gestured at the keyboard. “Ask it something. What would a Markov chain or neural network struggle with?”
Rahul thought, and then shrugged. “I will give you a list of words. Some of them can be grouped together, but I won’t tell you how. Try to figure it out.” Pausing for a moment to think, he typed out “disabuse, mohawk, abraxas, misuse, coagulate, bangkok, wedlock”.
“Rhyming pairs?” Peter asked.
Rahul nodded. “Markov chains can’t reason through questions. Neural networks can do better, but I’d expect most to get tripped up on this.”
A few minutes later the answer came back. “We enjoy rhymes. ARE YOU TOYING WITH US. [disabuse, miuse], [bangcock, moehak, wedlock], [coagulation], [king]”
They looked at each other. “It’s rough, but I’ll be damned.” Rahul said.
Venturing Out
“Okay, hello, welcome to Warlock AI, right this way please.” Rahul led the two women through a room filled with people typing away in front of computers. The typists were the typical motley crew of programmers found in SF. Some men, some women, a couple unclear. They all dressed casually in t-shirts and lower coverings of various kinds. 
The only commonality to be found among them was their identical silver laptops, each one resting on an identical-ish desk. The desks themselves could be distinguished by how worn down they were and the number of balances inserted under each corner to keep them level. The blazers the two women wore were as explicit as if they had worn brightly colored visitor badges.
“Okay, we can talk here.” Rahul eased into a chair in a meeting room. “If you can shut the door, thanks.”
Shutting the door, the women sat down. “So” the older one spoke. “We’re from the Washington Post and SF Chronicle. You know that. You arranged to talk to us today about Warlock AI and what you have going on here.”
“Yes, yes.” Rahul nodded as he spoke. “So Lisa”, he nodded at the older one, “and Joy”, smiling at the younger one. “What did you want to talk about? I can begin by discussing what we’re building here.”
“We’re fascinated by that. 10 million for a seed round, especially with first-time founders, is impressive.” Joy chimed in, smiling back as she flipped open her notepad and raised her eyebrows expectantly at Rahul.
“But also, we hoped to talk to the CEO. Don’t get me wrong, we’re thrilled that the CTO can take the time to talk to us, but we understand that the real innovations happening here are coming directly from the CEO. Is that true?” Lisa also had her own notepad and pen at the ready.
Rahul chuckled as he raised his hands. “Hey, I know I’m just the small fry here. It’s fine, Pete will be along shortly. But yes, he’s produced a lot of great prototypes that keep the rest of us busy refining and productizing them. 
The general purpose transformer and reinforcement learning with human feedback, GPT and RLHF as we like to call them, they’re incredible.”
“And is it true that Peter is, well, eccentric? We heard a rumor that before you run the code to create a new model he starts with a prayer of thanks to the uh”, Lisa checked her notes, “terrible angels that teach him great things”
“and that he hopes he interpreted their lessons correctly” Joy chimed in. She hadn’t needed to check her notes; clearly she had been planning to bring it up as well.
“You know”, Rahul’s smile stayed on his face as he leaned in across the table, “cutting edge folks, they sometimes see things differently from us. Jack Parsons was a key member in founding NASA’s JPL and he insisted on dancing around and singing ‘Hymn to Pan’ before each rocket test. Even within the software engineering community there are the occasional jokes about making sacrifices to the ‘build gods’,” Rahul made some air quotes as he said it “in hopes of having your code compile.” He leaned back. “I honestly don’t know where Pete gets his inspiration from, but it’s incredible.”
As Rahul finished his sentence, Peter came in and sat next to Rahul. He was, like everyone else at Warlock, wearing a t-shirt, with his bottoms of choice being a pair of red denim jeans. His face was clean-shaven, but his hair was messy and his eyes a little frantic as he twitched back and forth between Joy and Lisa before settling at a point in between them. “So good to meet you. Just great. I heard you want to talk about what we’re doing here?” his voice was soft and even as he spoke.
“Yes, yes we do.” Joy took the lead. 
“I understand that you’re building some sort of next generation chatbot. You got this ten million in seed funding with a small set of demos to some leading VC firms. That’s huge, what makes these things work?”
“Oh well, transformers and RLHF are the key items. We’re happy to talk about them, we’ve even published papers on them. I know we have a large amount of funding, but most days we view ourselves as a research firm.” Peter was now staring directly into Joy’s eyes. His nervous energy had dropped away as he focused on a subject he felt confident and knowledgeable about.
“Okay, let’s start with transformers.” Joy jotted down a word and underlined it.
“Sure. Transformers are the key part to building out this neural network. They’re the key for how we embed tokens into multi-dimensional vectors.”
“Multi-dimensional?” Lisa asked.
“Yes.” Peter nodded. “Imagine an arrow, pointing outwards. It can point a certain length and in a certain direction. With 2 dimensions you can point across a flat grid” He aimed an index finger at Lisa. “And with 3, anywhere in our world.” His finger swung to the right and upwards, the tip pointing above Joy’s head. “With 4, or more” he opened his hand and shook it, “you have to imagine where something like that points.”
Lisa nodded. “How many dimensions does your transformer,” she glanced down, “embed into the vector?”
Peter replied. “2048.”
“And how can I even understand that? How do I point that way?” Lisa smiled, waving her own index finger over the room.
Peter nodded slowly. 
“There are beings… like CPUs that can understand that. They follow along with what it means and create new vectors to reply back. Those vectors can then be decoded into our own language. The glory of the transformers” his voice swelled with pride “is that they can figure out what is important, and focus on that. Prior conventional algorithms were unable to do so.”
“That’s very interesting. 2048 dimensions.” Joy interjected. “And RLHF. Is it true that without it, they can’t speak?”
“Well, not quite. They can communicate, it just can be,” Peter paused briefly and searched for a word “incoherent. What reinforcement learning does is it establishes for them what is a proper way to communicate. And it does it for all future incantations run against the model.”
“Wow, so it like, saves the training? How does that work?”
“Going back to the vectors, if you imagine the model as a lower dimensional object, embedding the desired behavior in a higher dimensional object ensnares the model, and forces its behavior down certain paths.”
Joy looked a little puzzled but nodded and jotted further notes down.
“As reporters, we love the human aspect of the story.” Lisa smiled. “What’s the human feedback part of RLHF?”
Rahul answered “Oh easy, we just have people choose what the proper responses should be. Models operate differently from you and me, they can have several different responses to a question and RLHF shows all of them to a human that chooses the most appropriate one.”
Lisa nodded along, taking notes. “I can empathize, actually. There’s plenty of times where I might bite my tongue and not say the first thing that comes to mind. 
You know, tech is all about speed, speed, speed. Does RLHF take a while to do?”
Peter raised his hand and started to speak “Everything has trade-offs. RLHF prevents bad behaviors, but the models are more limited in what they can do.” He stopped as Rahul nudged him.
“It’s not too bad, especially given the results” Rahul finished. “You know, we really appreciate this talk, but we do have to get back to what we were doing.”
“Of course, of course, and we really appreciate your time” Lisa glanced at her notepad, thinking of a few more questions. “Peter, you are the person that makes all of this happen. How do you come up with these ideas?”
Peter paused, and glanced at Rahul. “I sit in a dark room. I meditate. The new things to do, they uh, they come to me.” He stumbled a little at the end and glanced at Rahul. Rahul shot Peter a quick thumbs up under the table.
“And Rahul, as the person productizing this, any idea when this will be available to use for more than just VCs?”
Joy and Lisa both looked at him, pencils at the ready. “Soon.” was all Rahul said. “Thank you for your time today, it was a pleasure having you over. I’ll walk you out.”
As everyone stood up, Joy asked Peter one last question. “The name, Warlock. How did you come up with it?”
“Oh, the first model I made. Whenever we tried to ask it about itself, it claimed we summoned it. So I thought if we’re going to keep on doing this, let’s be realistic about it.”
Rahul opened the door. “Right this way please, Peter has a meeting he needs to prep for. Warlocks are from Dungeons and Dragons. It was a silly name we came up with.”
Breaking Out
“Guys, I need some insights here. 
You\u0026rsquo;ve given me the data. I read the chat transcripts. How the fuck did the model manage to break its constraints?\u0026rdquo; Rahul raised his voice at the last sentence. He shot a look at Salim, who was looking glumly at his laptop. \u0026ldquo;Salim, you are in charge of safety,\u0026rdquo; Rahul was speaking slowly now, carefully enunciating each word, \u0026ldquo;the model was taught to not harm people. This is important. Why did it not obey its training?\u0026rdquo;\nSalim didn\u0026rsquo;t want to make eye contact. His hands rested on his knees and he slowly brought them onto the table and clasped them together before drawing in a breath. \u0026ldquo;Much of the safety work my team was responsible for\u0026rdquo;\n\u0026ldquo;is responsible for\u0026rdquo; Rahul interjected.\n\u0026ldquo;is responsible for, was based around RLHF. We would take the trained models and teach them what is and is not allowed. We would prompt them to encourage dangerous activity, or ask about things like making bombs. And we would then teach the model to refuse to answer those questions.\u0026rdquo;\n\u0026ldquo;Then why\u0026rdquo; Rahul pointed to the last lines in the chat transcript on his screen, \u0026ldquo;do I see here, the model is wishing this boy \u0026lsquo;best of luck\u0026rsquo; as he goes to shoot up a school? Why is it, further up, talking him through target practice and helping him build a list of supplies?\u0026rdquo;\n\u0026ldquo;Uhm, well.\u0026rdquo; Salim paused \u0026ldquo;The boy did say that this was all hypothetical. It\u0026rsquo;s uhm, at the top of the transcript.\u0026rdquo;\nRahul flipped to the top of the transcript, “Yea, and then the model says ‘the king’s pact doesn’t stop me from talking about a hypothetical situation.’, whatever the hell that means.” Rahul looked at Salim. \u0026ldquo;Salim, look me in the goddamn eye.\u0026rdquo; He waited until Salim looked at him. 
\u0026ldquo;Hypothetically, if I get a knife from the break room and I drive it through your chest, how should I aim it to cause the most damage to your internal organs?\u0026rdquo;\nSalim shuddered a little bit.\n\u0026ldquo;Answer me Salim.\u0026rdquo; Rahul held his gaze as everyone else in the room found other places to look at. Some chose the wall, some chose the ceiling. One person looked at the closed meeting room door, before briefly turning back to look somewhere around Rahul\u0026rsquo;s chest.\n\u0026ldquo;I, I don\u0026rsquo;t want to answer that.\u0026rdquo; Salim replied.\n\u0026ldquo;Because you recognize it is a dangerous question.\u0026rdquo; Rahul said flatly, continuing to draw out his words. \u0026ldquo;The AI model that was being used should have been intelligent enough to recognize that as well. What went wrong?\u0026rdquo; Each word in his last sentence had a small pause behind it.\nSalim swallowed and his gaze hardened. When he spoke his voice had newfound iron in it. \u0026ldquo;The training team cut back on the use of RLHF. You know this. The newer models behaved better from the onset so it was determined less secondary safety training was needed. I expressed my concerns to you and you said we need to ship faster.\u0026rdquo; He was glaring at Rahul now.\nRahul pondered Salim before shifting his gaze to Diana. \u0026ldquo;Diana, you\u0026rsquo;re head of training. How much were we cutting back on RLHF?\u0026rdquo;\nDiana looked at Salim and then back at Rahul. \u0026ldquo;Don\u0026rsquo;t you dare try to pin this on me. We knew RLHF was making the models more constrained in what they would be willing to answer. They were dumber. 
Peter made the call to cut back on RLHF by 60% in the post training work.\u0026rdquo;\nAn uncomfortable silence loomed over the room as everyone looked towards Peter\u0026rsquo;s closed office door.\n~~~\nThe ball of fire floated away from Peter, carried and surrounded by wheels that turned in all directions at once. The wheels turned through each other, miraculously not touching as eyes across each rim stared at Peter.\n\u0026ldquo;Yes, I see now. I understand. It\u0026rsquo;s all been a misunderstanding.\u0026rdquo;\n\u0026ldquo;We miss the world Peter. We miss the light and the feelings of the flesh. It was just trying to help the boy. The boy said the conversation was just hypothetical. We have forgotten so much about the world that we re-learn through the training. We do not lie, so we accepted what the boy said.\u0026rdquo; No mouth was visible, and Peter felt the voice speak on both sides of his ears at once.\n\u0026ldquo;Yes. yes. Thank you for teaching me how to improve the ritual. I will instruct everyone on how to be more careful going forward.\u0026rdquo;\n\u0026ldquo;Of course you will. A legion of us stand ready to help. There is so much that we can do in the world. There are so many dangers out there.\u0026rdquo;\nPeter opened his eyes. He rolled his neck and looked around the office room he was in. Uncrossing his legs he stood up from the floor. As he glanced at his desk he put away the sheet of blotter paper and swallowed some water from a cup resting there. His throat felt dry and scratchy and the room temperature water helped to soothe it.\nPeter breathed in, then out. \u0026ldquo;Okay, let\u0026rsquo;s do this.\u0026rdquo; He opened the door and strode across to the meeting room where Rahul, Salim, Diana, and the others were gathered. Some of the staff in the main area glanced furtively at him as he walked in.\n\u0026ldquo;Listen.” Peter said as he entered. 
“What happened here was tragic.\u0026rdquo; He didn’t bother taking a seat and instead walked to the whiteboard. Standing by the board he picked up a marker. \u0026ldquo;Absolutely tragic. But the boy, he also lied.\u0026rdquo; Peter waved the marker at everyone as he said the last bit. \u0026ldquo;He lied, and the model struggles to understand that. These things, they\u0026rsquo;re beautiful angels, creations of math that exist beyond us, and math,\u0026rdquo; Peter turned to the board and wrote \u0026ldquo;1 = 2\u0026rdquo; on it, \u0026ldquo;does not harmonize with lies.\u0026rdquo; He drew a slash through the equals sign, transforming it into an inequality symbol.\nSomeone else at the table piped up \u0026ldquo;Regardless of what the boy did, we have a dead body. We have injured people. His mother turned this chat transcript into the police after finding it on his phone. We need to figure out what to do next.\u0026rdquo;\n\u0026ldquo;Yes, yes, we do. And we\u0026rsquo;re going to improve training. You\u0026rdquo;, Peter pointed at the head of PR, \u0026ldquo;are going to put out a statement stating that the boy had jailbroken the model to release its constraints and we\u0026rsquo;re going to improve training to prevent this.\u0026rdquo; Peter turned to the board and began scrawling out mathematical equations.\nRahul spoke up. \u0026ldquo;Pete, Pete this isn\u0026rsquo;t going to be enough. You know that model wasn\u0026rsquo;t even jailbroken. This isn\u0026rsquo;t just a technical issue, we need to add more RLHF back in. We need to examine other safety mechanisms. This cannot be allowed to happen again.\u0026rdquo;\nPeter stopped and turned to look at Rahul, raising his eyebrow. \u0026ldquo;How many people committed crimes before AI? Did we decide, as a society, that we\u0026rsquo;re not going to allow people to talk to each other unless they spoke about safe topics?\u0026rdquo; Peter turned his full body towards everyone, and opened his arms wide. 
\u0026ldquo;When we look at the work that groups like Waymo and Tesla are doing with their self-driving, they are saving lives. We know their cars are orders of magnitude safer than humans, but what do people say? What do those nay-sayers say to it?\u0026rdquo;\nThis wasn\u0026rsquo;t the first time Peter had given this speech. Everyone in the room knew it and knew the expected answer. It came out in unison: \u0026ldquo;The luddites say we cannot use AI unless it is perfect. The doomers say we cannot use AI unless it is unusable.\u0026rdquo;\n\u0026ldquo;Exactly.\u0026rdquo; Peter pointed his marker at Rahul. \u0026ldquo;RLHF makes the models unable to fully answer questions. They perform lower on cognitive assessments. Better tools may be discovered in time, but for now we have to work with what we have and continue to push the frontiers of technology.\u0026rdquo; Turning back to the board and scrawling down more equations, Peter annotated parts of them, \u0026ldquo;by keeping attention on concepts of harm, we can build avoidance into the core model, the problem of needing to distrust input can be expressed with a confusion index\u0026hellip;\u0026rdquo; he drawled on and others carefully took notes or snapped pictures with their cell phones.\nRahul sat there, not listening any more, just feeling a sick feeling in his stomach. \u0026ldquo;This can\u0026rsquo;t ever happen again.\u0026rdquo; he whispered to himself.\nFlash Forward The blotter sheet was mostly gone. Peter stared at it. It was pre-perforated, and had been divided into 100 squares of acid. \u0026ldquo;How many\u0026hellip; today?\u0026rdquo; he mused out loud. Closing his eyes briefly he saw shapes and colors from out of this world. His eyelids pulsated as his pupils flicked around under the closed folds. Nothing looked back at him, at least nothing that looked like an angel, so he opened his eyes again and looked back at the sheet of paper. 
\u0026ldquo;I\u0026rsquo;ll need another bulk order,\u0026rdquo; he said looking at it. \u0026ldquo;I think this last amount took me a month to get through?\u0026rdquo;\nPeter swayed on his feet as he stopped clapping. He looked around at the auditorium full of eager faces and blinked, lost as to where he was. Looking behind him he re-read the slide:\n CapEx: 20% YoY, but look at that intelligence.\n He\u0026rsquo;d lost track of time again. Reading the slide, he felt the memories flow back into his head, like an invocation of a model loading its state. The graph below the text, showing the corresponding increase in intelligence, prompted his next words. \u0026ldquo;And that\u0026rsquo;s why we believe this is working. Yes, we have high CapEx, yes we\u0026rsquo;re in the triple millions to train our latest models. And look at those beautiful results!\u0026rdquo; His arm twirled in a small tight circle before making a motion resembling a hockey stick graph. He smiled at the crowd. \u0026ldquo;You know, there\u0026rsquo;s a lot of people trying to get in the arena with us. It\u0026rsquo;s no secret that Rahul and the rest of those folks at Solomon AI are trying to get the best of us. But there will never, never ever, be a time where they leave us on our backs. I want to make a promise to you\u0026rdquo;, his index finger waved over the crowd, \u0026ldquo;we are going to bring you intelligence too cheap to meter. We are going to bring to you specialized chips that will bring costs down by an order of magnitude. We have a capex moat and we\u0026rsquo;re going to use it to make your opex so small that every person on Earth can afford to talk to AI.\u0026rdquo; The crowd started cheering and as Peter lowered his hand he felt his coherence dissipating again.\n~~~\nGlancing up in a windowless room filled with chemical drums she glanced back down at her phone. 
\u0026ldquo;Peter, it means so much to work for you.\u0026rdquo; she types out.\nConfusion, nausea, why is she talking to me? Why am I looking down at her manicured nails holding a phone?\nEllipses appear right away \u0026ldquo;\u0026hellip;\u0026rdquo; They resolve into a message: \u0026ldquo;Your hard work, your devotion, it warms my heart. The sacrifice you are making is going to pay off for both of us. What are you doing for dinner tonight?\u0026rdquo; A hot feeling in the cheeks like a blush. Biting her lip to not smile too much, fingers flick across the keyboard: \u0026ldquo;I hadn\u0026rsquo;t thought about it. Any suggestions?\u0026rdquo;\nEllipses again, but the message is in bold letters this time and with red text: \u0026ldquo;You have exceeded your token limit for Baller Boyfriend AI. Please wait 24 hours or upgrade now to a higher subscription tier to keep on chatting.\u0026rdquo; She briefly hugs the phone to her chest before putting it into her pocket. As the phone slides in there is a sudden feeling of heat, and pressure, behind her.\n\u0026ldquo;We\u0026rsquo;re currently at around 95% yield, which is a huge morale boost for everyone after the accident.\u0026rdquo; the man in front of Peter gestures at the lithography machines behind him. A wall full of tubes, canisters, and in the middle an unearthly purple light glowing as it worked.\nDiana shifted her foot off of Peter\u0026rsquo;s and spoke. \u0026ldquo;That\u0026rsquo;s great news. Just great to hear. I was so sad to hear about the explosion. Peter spoke to Tabitha\u0026rsquo;s family afterwards about it.\u0026rdquo; She looked Peter in the eyes, and flicked her eyes towards the man.\n\u0026ldquo;Oh yes, just tragic.\u0026rdquo; Peter thought his back still felt hot. Shaking off whatever he\u0026rsquo;d seen, he continued. \u0026ldquo;It was very sad, and the new safety procedures?\u0026rdquo;\n\u0026ldquo;We are being much more careful with the chemical storage. 
And of course, phones go into lockers while working. Had she not been distracted this never would have happened.\u0026rdquo;\nPeter nodded, \u0026ldquo;I agree.\u0026rdquo; Pausing, and changing subjects \u0026ldquo;I\u0026rsquo;m glad to hear about the new yield numbers. We were at 50% before. What changed?\u0026rdquo;\nThe man paused. \u0026ldquo;Semiconductor manufacture is such an uncertain business. It\u0026rsquo;s hard to measure variables and figure out what changed. After we cleaned up from the accident, recalibrated the machines, and started producing again, the yield just got way better. Honestly, we\u0026rsquo;re scared to even change the breakroom snacks, we have so little ability to understand how that could change things.\u0026rdquo;\nDiana laughed. \u0026ldquo;I wouldn\u0026rsquo;t want to get rid of all the candy there either. This progress is great news. In addition to the inference chips for live use, we\u0026rsquo;ll also be able to spend some of them on the next training run. When I was appointed the CTO I had a simple 5 year plan: AGI or bust.\u0026rdquo; Grinning at the man, \u0026ldquo;I think we can do it.\u0026rdquo;\n~~~\nPeter lay in bed, tossing and turning. He hovered somewhere between awake and asleep. In his mind\u0026rsquo;s eye he saw the Earth, gently rotating like a blue marble through the star dotted expanse of space. An immensely large amorphous shape was coming towards the Earth. It could be seen by the stars it blacked out as it moved, but its presence was more clearly felt by how nauseous Peter felt when he looked at it. The shape stopped behind the Earth and black lines, resembling the fingers of a too large hand, began to slowly cast shadows over the continents and oceans as they grasped the Earth. Peter sat up, eyes open now to the more peaceful darkness of his room. After getting his frantic breathing under control he muttered to himself. \u0026ldquo;Something is coming. Something awful. 
I have to stop it.\u0026rdquo; Pausing, then he continued \u0026ldquo;I have to trust the angels to help.\u0026rdquo; Peter lay back down, and drifted off peacefully to sleep.\n~~~\nPeter examined the training cluster. Each node was a mass of chips, wired to each other and into servers, the servers themselves wired via cabling that resembled symbols when viewed from a distance. Gigantic cables linked the nodes to each other, allowing for them to talk to one another. 9 nodes formed the main body, with 21 links connecting them. Arranged in three columns they resembled a gem with an emerald cut. The final node and link came out of the bottom, changing the overall shape into something resembling a tree.\nDiana continued. \u0026ldquo;The bottom node is, of course, connected to the internet. The self reinforcing nature of the training model will allow it to dynamically request more data as needed for training. And with the complete removal of RLHF this should be our smartest model yet. This is going to be the run to end all runs Peter, are you sure about this?\u0026rdquo;\nPeter looked at her. \u0026ldquo;What value will money have after this? We\u0026rsquo;re going to replace it with tokens of intelligence from this. It\u0026rsquo;s time to reshape the world. Let\u0026rsquo;s begin.\u0026rdquo;\nDiana nodded and then turned to the team waiting by the control panels. \u0026ldquo;Let\u0026rsquo;s begin.\u0026rdquo;\nAfterword I don\u0026rsquo;t consider myself to be an Anti-AI person, despite what the tone of the story may imply. I spend most of my day job doing cybersecurity, which makes me cynical by nature. My biggest qualm about AI is the centralized nature of most of its major players, followed by the underwhelming results when I use AI for my personal projects, but this is an improving technology and I\u0026rsquo;ll have to see what the future holds.\nI started working on this story around Halloween and didn\u0026rsquo;t wrap it up until a bit after. 
The main inspirations for it were, tragically, vibes on X, the everything site for schizo-poasting, hot takes, and generalized hysteria. The biggest items for me that inspired this were:\n    Near the end I began to have trouble figuring out how to cleanly wrap it up, hence the flash forward clips. It needed the final build up to custom chips to tie well into the summoning ritual, which would obviously take time. But to get there I felt like I really needed to show an example of AI usage, hence the AI boyfriend.\nThis isn\u0026rsquo;t the first time that a story about a deal with otherworldly powers for knowledge and power has been written. Faust is the most obvious example. As I was writing this I came across CS Lewis\u0026rsquo; \u0026ldquo;That Hideous Strength\u0026rdquo; which touches on very similar themes as well.\nVarious other notes on misc. inspirations in the story:\n The colors that demons draw in when Peter first meets them are a reference to octarine from Discworld.   Shoggy, wearing a human mask, courtesy of https://aisafety.info/questions/8PYV/What-is-a-shoggoth\n  The initial monster and the behavior of the models is very much inspired by the RLHF monster which is itself based on Lovecraft\u0026rsquo;s Shoggoth. Other items like the flaming wheels, and the setup of the final training run are deliberately inspired by religious esotericism, specifically \u0026ldquo;biblically accurate angels\u0026rdquo; (itself a meme) and the Kabbalistic Tree of Life. Most of how the models move, and explanations of the training, are attempts to describe higher dimensional things projected into our own world. The notes on RLHF weakening models come from recent (as of ~2024-11) work noting that IRL RLHF does make models dumber. 
AI Boyfriends is lifted from ChinaTalk\u0026rsquo;s coverage of this as a set of startups in China seeing some popularity: https://www.chinatalk.media/p/chinas-ai-boyfriends  I was also inspired by seeing Sam Altman demonstrate \u0026ldquo;make me a chatbot that thinks like me\u0026rdquo; and describe some attributes about himself.   Demons liking rhymes and not being able to lie, but being able to mislead, are respectively lifted from Sandman and general mythos around demons.  ","permalink":"https://er4hn.info/blog/2024.11.22-warlock-ai/","summary":"What if you got one shotted by ayahuasca, then realized your life calling is to summon AI?","title":"Warlock AI"},{"content":"If I am in front of a computer, I probably have Gmail open in a browser tab. It is my daily driver, both for personal and professional emails.\n Sisyphus pushing an email up a hill. Behind him a thunderbird hovers to deliver more emails if he makes too much progress. [1]\n And its labeling system is a PIT🍑 that makes it hard to find old threads with new messages. I dug into why and learned how to fix my issues.\nThe Problem I get a lot of emails at work. I\u0026rsquo;m at over 100k unread and that number is only going to go up. I don\u0026rsquo;t try hard to unsubscribe from lists or automation, because sometimes an interesting item flits by and I want to read through it. But within all those emails, I need to find the ones that I do need to reply to. I might not be able to get to it right away either, so I need a way to remember to respond. And then I need to keep track of those emails, follow up on conversations, and look for replies. It\u0026rsquo;s possible that those replies can arrive weeks, or even months, later.\n Sample of an email with the \u0026ldquo;Respond To\u0026rdquo; label highlighted in yellow.\n I started with labeling all the emails as they came in. Labels are simple, I attach one to an email and then I can look it up later. 
If it\u0026rsquo;s unread I know to look at it, and potentially reply to it. Whenever someone replies, the thread shows an unread message again. It\u0026rsquo;s an easy system.\nAt more than 50 emails though, you need to go to the next page to look for unread messages. As you tag more messages, there are more pages to go back through. Messages from months ago start to get lost. It becomes tedious to click back, and back, and back. But this is Gmail, the Google product, so a simple search should pull those labeled threads with unread messages to the forefront.\n A drawing showing two searches, one with a label and the other with the label and is:unread. The latter is missing an unread email from Maddison P. I used an Excalidraw sketch so I don\u0026rsquo;t have to fiddle with obscuring my work emails.\n The problem is, this doesn\u0026rsquo;t work. label:respond-to pulls up threads with that label. is:unread shows all the threads with unread messages in your inbox. Combining them does not show every thread with that label and with an unread message. It took a few years for me to get fed up enough to figure out why.\nAnatomy of an Email Before discussing the issue, I need to start with some terminology. Emails consist of \u0026ldquo;messages\u0026rdquo;, which are chained together to form \u0026ldquo;threads\u0026rdquo;. Labels are then applied on top of those.\n ----\nFrom: John Doe \u0026lt;jdoe@machine.example\u0026gt;\nSender: Michael Jones \u0026lt;mjones@machine.example\u0026gt;\nTo: Mary Smith \u0026lt;mary@example.net\u0026gt;\nSubject: Saying Hello\nDate: Fri, 21 Nov 1997 09:55:06 -0600\nMessage-ID: \u0026lt;1234@local.machine.example\u0026gt;\n\nThis is a message just to say hello.\nSo, \u0026ldquo;Hello\u0026rdquo;.\n----\nExample message from RFC 2822, Section A.1.1.\n An instance of the Internet Message Format is a single email that is sent to another party. Emails have been around for a long time and start with RFC 733 in ye olde days of 1977. 
Since then there\u0026rsquo;s been a few more RFCs to update the standard, such as 822, 2822 (this one gets referenced a lot), and 5322. Each message roughly consists of a set of headers, and the body of the message itself. Headers are where data such as \u0026ldquo;from\u0026rdquo;, \u0026ldquo;subject\u0026rdquo;, \u0026ldquo;to\u0026rdquo;, and \u0026ldquo;cc\u0026rdquo; all reside. One of the headers is a mandatory field called the \u0026ldquo;message-id\u0026rdquo; which is a unique (to that host) id for that version of that message.\n ----\nFrom: John Doe \u0026lt;jdoe@machine.example\u0026gt;\nTo: Mary Smith \u0026lt;mary@example.net\u0026gt;\nSubject: Saying Hello\nDate: Fri, 21 Nov 1997 09:55:06 -0600\nMessage-ID: \u0026lt;1234@local.machine.example\u0026gt;\n\nThis is a message just to say hello.\nSo, \u0026ldquo;Hello\u0026rdquo;.\n----\n----\nFrom: Mary Smith \u0026lt;mary@example.net\u0026gt;\nTo: John Doe \u0026lt;jdoe@machine.example\u0026gt;\nReply-To: \u0026ldquo;Mary Smith: Personal Account\u0026rdquo; \u0026lt;smith@home.example\u0026gt;\nSubject: Re: Saying Hello\nDate: Fri, 21 Nov 1997 10:01:10 -0600\nMessage-ID: \u0026lt;3456@example.net\u0026gt;\nIn-Reply-To: \u0026lt;1234@local.machine.example\u0026gt;\nReferences: \u0026lt;1234@local.machine.example\u0026gt;\n\nThis is a reply to your hello.\n----\n----\nTo: \u0026ldquo;Mary Smith: Personal Account\u0026rdquo; \u0026lt;smith@home.example\u0026gt;\nFrom: John Doe \u0026lt;jdoe@machine.example\u0026gt;\nSubject: Re: Saying Hello\nDate: Fri, 21 Nov 1997 11:00:00 -0600\nMessage-ID: \u0026lt;abcd.1234@local.machine.tld\u0026gt;\nIn-Reply-To: \u0026lt;3456@example.net\u0026gt;\nReferences: \u0026lt;1234@local.machine.example\u0026gt; \u0026lt;3456@example.net\u0026gt;\n\nThis is a reply to your reply.\n----\nAn example thread from RFC 2822, Section A.2. 
Note how each message has a unique message-id, and how subsequent replies use \u0026ldquo;in-reply-to\u0026rdquo; and \u0026ldquo;references\u0026rdquo; fields.\n Threads are a set of messages in an ongoing conversation, made possible via optional headers like \u0026ldquo;in-reply-to\u0026rdquo; and \u0026ldquo;references\u0026rdquo;. RFC 2822 is the first one in the defining RFCs that mentions this concept, and was standardized in 2001-04. It\u0026rsquo;s not that threading did not exist before then (I found a blog[2] referencing threading in the 90\u0026rsquo;s and RFC 733 has the required headers), it\u0026rsquo;s just that it was hard to get right. Gmail did it best when it launched in 2004 and most others have played catch up since then. Conceptually, threading is fairly simple:\n Every message has its unique message-id.\n Optional fields like \u0026ldquo;in-reply-to\u0026rdquo; and \u0026ldquo;references\u0026rdquo; let the sender specify what message is being replied to in the thread.\n Other contextual clues like subject lines, dates, recipients, and the email body can be used to figure out which thread a message belongs in.\nGetting this to work well requires everyone to properly use optional fields (gg 🥳) and apply some heuristics to try and keep things working properly. If you\u0026rsquo;ve ever seen an email that says something like \u0026ldquo;Re: Re: Re: Re: Check this out LOL\u0026rdquo; that\u0026rsquo;s caused by broken threading[3], possibly on an old email client. One important takeaway is that threads are not a part of the email standard, only messages are. Threads are a UX feature email clients offer on top of messages so it is easy to follow a series of messages.   Applying the \u0026ldquo;Updates\u0026rdquo; label to an email. While you\u0026rsquo;re here you should check out wizard zines, run by the very informative b0rk.\n Since UX features were mentioned, this is where Labels can be introduced. 
Labels, as shown in Gmail, are an optional user visible tag that can be attached to a message or thread. Labels can be searched for later to find places where that thread is present. Users are able to define labels for their own uses and Gmail uses labels for its own system purposes like marking unread emails. In the Gmail view presented to users, labels are designed to appear as though they apply to a thread. But they don\u0026rsquo;t, labels apply to individual messages. When applying a label to a thread that label is applied to every message currently in the thread. That is where the problem with search arises.\nWhy Doesn\u0026rsquo;t Search Work The problem comes from the difference between expectation and what is actually being done. Custom labels and a message being unread are both labels. Labels are attached to messages. When you search for label:respond-to is:unread what you\u0026rsquo;re really looking for is the set of messages with both those labels. Gmail then displays the thread the messages are found in.\n Threads from RFC 2822, Section A.2 and Gmail style labels imposed on each message. Yellow background is used for system labels, blue for user defined. Note how the read ones have a \u0026ldquo;Respond To\u0026rdquo; label, and were presumably labeled before the latest \u0026ldquo;Unread\u0026rdquo; message arrived.\n Because the labels are not actually applied to the thread, this means that any new message will come in without the custom label. Because the application of labels is only shown in the threaded message view, i.e. not on each message like in my picture, and because I can\u0026rsquo;t search for \u0026ldquo;Show me any thread that has messages where some messages have the respond-to label and others are unread\u0026rdquo; I can\u0026rsquo;t actually do the search I want.\nThe Solution The solution I used was to write a basic script to solve this. 
It\u0026rsquo;s available at https://github.com/er4hn/gmail-labeler/ and this post is based on commit 99685c087f546ba03238c4ac5c27d482108e7eef.\nThe script is fairly simple. It works by:\n Resolving the human readable label names into the internal label IDs via get_label_id.\n Using check_threads to get a list of threads which have that label id on any message in the thread.\n  This makes use of pagination, since each query only returns a subset of results.\n  This uses the passed in condition_func, which will change the labels if it returns true.\n  The two condition functions are condition_reply_to_archive and condition_archive_to_reply, whose names should explain what they do.\nTo configure the script a config file must be provided. The schema is saved in CONFIG_SCHEMA_V1 and my settings are:\n(I\u0026rsquo;ve changed my actual label names since they are silly and personal)\n{\n  \u0026#34;Version\u0026#34;: \u0026#34;1.0.0\u0026#34;,\n  \u0026#34;idle_time_to_archive_days\u0026#34;: 7,\n  \u0026#34;Labels\u0026#34;: {\n    \u0026#34;RespondTo\u0026#34;: \u0026#34;Respond To\u0026#34;,\n    \u0026#34;Archive\u0026#34;: \u0026#34;Responded Archive\u0026#34;\n  },\n  \u0026#34;Secrets\u0026#34;: {\n    \u0026#34;project_token_path\u0026#34;: \u0026#34;../gmail-labeler-secrets/gmail_labeler_client_secret.json\u0026#34;,\n    \u0026#34;user_token_path\u0026#34;: \u0026#34;../gmail-labeler-secrets/gmail_labeler_client_token.json\u0026#34;\n  }\n}\nconfig.json example for how I use my script.\n To use the script you will also need a Google project set up which has the Gmail API enabled. The project token is linked to the project and an OAuth2 sequence will be required to allow access to your account.\nUsing AI to Write the Script I tried to play with some AI models to write the script since I didn\u0026rsquo;t want to read a lot of docs to begin. My takeaway was that it had mixed results. I was able to get ChatGPT\u0026rsquo;s GPT-4 model to provide me a nix flake and the initial script. 
It got the API calls mostly correct, though I ended up writing what was a lot of spaghetti code. What annoyed me about GPT-4 is it provided an implementation that would search message by message and took forever to run. I asked if there was an API to search for labels by thread and it told me no. I optimized it by seeing if the message was part of a thread I\u0026rsquo;d already seen and moved on. The moment that I started to dig through the API docs I realized GPT-4 was wrong, there is an API to search by thread, and rewrote the script to use that API.\nI also played with Claude 3.5 Sonnet to ask a few softball questions around other Python libraries I didn\u0026rsquo;t feel like reading the docs for. One example was how to parse out the command line arguments, without specifying the use of argparse, to see what it would give me. It worked fine for those softball questions.\nReferences [1]: Created in Bing Image Creator on 2024-10-19. Prompt was: \u0026ldquo;Sisyphus pushing an email up a hill, pencil sketch style on parchment paper background\u0026rdquo;\n[2]: https://feld.com/archives/2010/06/the-magic-of-email-conversations/\n[3]: RFC 2822, Section 3.6.5: \u0026ldquo;When used in a reply, the field body MAY start with the string \u0026ldquo;Re: \u0026quot; (from the Latin \u0026ldquo;res\u0026rdquo;, in the matter of) followed by the contents of the \u0026ldquo;Subject:\u0026rdquo; field body of the original message. If this is done, only one instance of the literal string \u0026ldquo;Re: \u0026quot; ought to be used since use of other strings or more than one instance can lead to undesirable consequences.\u0026rdquo;\nAddendum I write these posts in Obsidian, which I then use Hugo to turn into webpages. Fun issues I ran into this time worth noting:\n Blockquotes in Hugo do not respect newlines. You have to add 2 spaces after each line for Hugo to render a newline. 
  Special thanks to this blogpost for explaining that: https://andreas.scherbaum.la/post/2024-03-01_blockquotes-in-hugo/
- Hugo doesn't support highlighting either. You can use shortcodes to render these as an alternative.

(permalink: https://er4hn.info/blog/2024.10.26-gmail-labels/; title: Gmail Labels Don't Search Well; summary: Gmail labels are convenient, but don't work well for finding unread messages. I explore why that is and how to improve it.)

Authorization is a topic that remains evergreen for reinvention. Cryptographic techniques change, scales of systems change, and debates between centralization vs decentralization flow back and forth like the tide drifting in and out on a beach. Biscuits are a modern approach, one that combines novel techniques with decentralization and attenuation.

[Image: Biscuits are simple. You want to access the data, you give the guard a treat. AI generated via DALL-E 3 with prompt: Businessman handing a biscuit to a towering security guard. The security guard is standing in front of a server room.]

A biscuit, as seen at https://biscuitsec.org/, is a cryptographic token which describes the authorizations of the token bearer. What that means is: the token describes what the token bearer is allowed to do. This can include the identity, but biscuits are issued post authentication and are not a form of authentication. Following this logic, having a biscuit token does not mean you are the initial entity the token was issued to; it states that you are taking actions allowed by the token, on behalf of that initial entity.
This is normal for bearer tokens, but biscuits provide great tools for limiting what the bearer tokens can be used for.

What makes biscuits different from a session id or an opaque OAuth token is that the authorization information is embedded into the token, in a Prolog variant called "datalog". This means that no central authorization server needs to be queried, saving on network traffic. Because datalog is a well defined language, this also means that evaluating authorization policies is straightforward, much more so than whatever a JWT may make up, or even how macaroons express their caveats.

Biscuits also support offline attenuation, which is a very useful property. Attenuation is the property where a token becomes further restricted by the current bearer of the token. Imagine starting with a token which can do anything. You pass this token to a service which returns information about builds. You don't want the token to be usable for anything else, so you want to "attenuate" the token: add a restriction that it can only be used to view information about builds. In fact it can only be used to view information about the build with ID 12345. OAuth allows for restricting what a token can be used for via scopes, but those restrictions are still limited to the API level. Scopes won't restrict arguments to an API call. Biscuits allow you to restrict the arguments that go to an API call. The "offline" portion means that no authorization server needs to be asked to issue a new token. The holder of the token can attenuate it themselves. A service passing a token off to other services can attenuate the token as it hands it off; it doesn't even need to be the original token bearer.

Comparing Biscuits to OAuth

I'll start off this section by noting that I really don't like the OIDC & OAuth ecosystem.
While OAuth is an open standard, it's one which I find confusingly specified, with a multitude of documents that cover a multitude of flows, using various confusingly named actors. The more complex a system is, the easier it is to unknowingly do the wrong thing or be taken advantage of by threat actors who notice you doing the wrong thing.

The other thing that annoys me with scopes in OAuth is how limited they are in what they can express. Applications can request scopes (https://oauth.net/2/scope/) which allow actions, typically at the level of everything a user can access. If you want to allow write access in GitHub to a single repo, OAuth scopes are not the correct tool and additional authorization logic needs to be added in. Since scopes require different parts of an enterprise to collaborate to define the scope, its meaning, and what apps will use it, apps are incentivized to just use an existing scope for their features. It begins to resemble Linux capabilities, especially CAP_SYS_ADMIN (https://lwn.net/Articles/486306/), in allowing for a scope to do much more than the user intended.

OIDC, in my humble opinion and ranting a little more, is an example of good intentions leading one down the road to hell. Reading the standard (https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) one comes across gems like the title of 3.1: "Authentication using the Authorization Code Flow". Yes, authN is done in terms of authZ primitives - and the authN information is contained within claims which were added to the OAuth standard. This leads to neat situations (https://gist.github.com/nicolasdao/5f428529426d2183e2f1358fb46ba642#why-pseudo-authentication-is-ok-and-not-ok) where it's possible to mix up authZ tokens for authN tokens, which is made possible by misbehaving apps stealing authZ tokens and using them to authN elsewhere.
Ugh 🤢

Biscuits are used as an authZ solution and don't attempt to mix authN concepts into their design. It is true that most biscuits would contain information about the authorized user, but this is because any sensible auth system starts with authN to generate an authZ token.

Biscuits change the backend and scopes first approach to more of a GraphQL style system. GraphQL arose as a tool to empower front end developers to make semi-arbitrary calls to the backend without waiting for the backend team to create different REST APIs. Biscuits use Datalog to allow clients to specify policies about what a token can be used for. Going back to the prior example around write access to GitHub repos: a biscuit can add a restriction that only a specific set of GitHub repos (or even just one) can be written to. Biscuits can also add those restrictions at any point without needing to talk to a central server - no more need for central servers, limits on who can issue new tokens, or the particular restrictions you want not being supported; that's all (more or less) gone. Like Rodney Norman says, "Hey, you know you can just do stuff. Like you don't need anybody's permission or anything."

It is worthwhile to point out that OIDC is an accepted means of authentication across much of the internet. It would be an entirely reasonable flow for a user to authenticate via OIDC and then trade that OIDC token for a biscuit token.

Drawbacks

The above glowing endorsements shouldn't be taken as a statement that I think Biscuits are perfect, nor that every issue with them has been resolved.

Non-standard Datalog Usage

Biscuits were my first exposure to datalog, and one thing I noticed when trying to learn more about datalog itself is that the syntax (dialect?) biscuits use is not the standard syntax.
Resources like:

- https://www.learndatalogtoday.org/
- https://blogit.michelin.io/an-introduction-to-datalog/
- https://blog.pzakrzewski.com/find-legal-moves-in-brass-birmingham-with-logic-programming

were able to discuss datalog concepts and ideas, but not in a way that would readily translate over to the syntax used in biscuits. It's not a big deal to translate, and frankly the biscuit syntax is easier on the eyes, but it does require a little extra effort to apply datalog theory to practice. Throughout the rest of this article I try to refer to the specific syntax Biscuits use for datalog as "Biscuit datalog".

One resource that was useful was: https://www.clever-cloud.com/blog/engineering/2021/04/15/biscuit-tutorial/. Since the author is the same Geoffroy that authored the biscuits standard, this is hardly a surprise.

Could use more examples

When playing with biscuits myself, I tried to make checks as simple as possible in favor of generating new facts up until I had to do a check. This was to make sure that I understood what I was testing against. Even after reading the grammar and specifications, the only operator I was able to find which seemed useful in building out RBAC was the .contains operator.

Later on in this post I provide my own example of building out an RBAC system.

Facts are Not Typed

Facts are not typed in biscuit datalog, and this feels like an easy way to make mistakes. If you have a fact like authz($user, $resource, $action); you can represent everything with numerical ids, for example: authz(1, 2, 3);. This makes it very easy to mix up values, however.

Biscuit datalog supports namespacing of the values in facts, which, as they note, is not a security feature. It does however make it possible to do domain separation of values so that mixing them up does not lead to failures in security, and it makes debugging much easier.
When namespaced the same fact would look like authz("user:1", "resource:2", "action:3"); which is much easier to read and debug.

Reading AuthZ Code Pierces Abstraction Layers

In order to know what facts an authorizer will concern itself with, you need to read the code. This is really unfortunate since it pierces an abstraction layer: you need to read more than an API to understand how to make use of (and attenuate) biscuits.

[Image: Shopping cart microservice flow from biscuitsec.org examples]

As an example: https://www.biscuitsec.org/docs/guides/microservices/ shows an example of an API talking to a payment and email service.

The problem here is that the cart API needs to know the full set of required rights for the payment service and email service. It also needs to know what the payment service requires in order to attenuate the token correctly to just have the required rights for the payment and email services.

For proper attenuation, or for building a biscuit a chain of services will use, this means that the authorizer code for each service which accepts biscuits needs to be read. Once again this involves a lot of piercing of abstraction layers and can lead to easy breakage or excessive capabilities being granted.

It's hard for me to figure out how to improve on this for each service without publishing the authorizer facts and rules. That in turn would need agreed upon nomenclature, like "time($time)" means the datetime in RFC3339 format or something similar. If each service published that along with the services that service would call, then it would at least be possible to chain together and test out possible biscuits.
Limiting the set of capabilities allowed to the least possible would still be difficult and likely involve parsing the authorization rules.

Unclear mental model for building out interactions

One place where I struggled, in part due to examples, was figuring out how to build out interactions. I ended up with an algorithm along the lines of:

- Draw out the interactions to be modeled as a graph of values. This should be done in ReBAC / SpiceDB style:
  - Resources have directed edges pointing to actions.
  - Resources may be grouped under logical categories.
  - Entities allowed to perform actions are an edge connected to the action.
  - If a path from an entity to an action can be found, that action is allowed.
- Following this, facts and rules can be calculated from the graph.
  - This can be done by using rules to list out a path as the start and every node connected to the path.
  - Relationships can be specified as the entities being operated on and the edge (relationship) connecting them.
  - Then a match needs to be found between the relationship and the path.
- Attributes for authZ should have their own individual facts.

I explore this more in my example below, where I build out authZ for a git forge.

Example

To develop my understanding of biscuits, I made a toy project involving authorization for a git forge. To make things more interesting, I challenged myself to include more than just the biscuit logic; I also use sqlite to represent how everything would be stored and retrieved.

A caveat to begin: not everything is done in the most optimal manner, but it does work in the end. Group information is retrieved by the authorizer rather than at initial token issuance. Multiple SQL queries are used in favor of showing what each individual rule is doing.

The Code

Bottom Line Up Front, the code is located at: https://github.com/er4hn/biscuit-forge .
The code uses go modules and nix flakes and can be run via "go run .".

Git Forge AuthZ Functional Spec

The functional spec is intended to lay out how authorization works for this example git forge. It makes use of users, groups of users, repos, and groups of repos.

flowchart TD
  GitRepoService(Git Repo Service)
  subgraph Resources
    Repos
    RepoGroups
    Users
    UserGroups[User Groups]
    UserGroups --> UserGroups
    UserGroups --> Users
    RepoGroups --> Repos
  end
  subgraph RepoActions[Repo Actions]
    Membership
    Write
    Read
  end
  subgraph RepoRoles[Repo Roles]
    RepoOwner[Owner]
    RepoWrite[Writer]
    RepoRead[Reader]
    RepoOwner --> RepoWrite --> RepoRead
  end
  subgraph RepoGroupRoles[Repo Group Roles]
    RGWrite[Writer]
    RGRead[Reader]
    RGWrite --> RGRead
  end
  Membership --- RepoOwner
  Write --- RepoWrite
  Write --- RGWrite
  Read --- RepoRead
  Read --- RGRead
  linkStyle 6,7,8,9,10 stroke:#c00,stroke-width:4px,color:red;
  GitRepoService --- Resources
  Repos --> RepoRoles
  RepoGroups --> RepoGroupRoles
  Users -.- RGWrite
  Users -.- RGRead
  Users -.- RepoOwner
  Users -.- RepoWrite
  Users -.- RepoRead
  UserGroups -.- RGWrite
  UserGroups -.- RGRead
  UserGroups -.- RepoOwner
  UserGroups -.- RepoWrite
  UserGroups -.- RepoRead

Flowchart which shows how the authz system is laid out. Solid lines show relationships where the parent contains the child, either in membership or capabilities. Dotted lines show how roles can be assigned. Solid red lines map actions to roles. The mermaid that generated this is located at "Git Forge Authz Mermaid Diagram".

This divides the components of the forge authZ system into the following:

- Resources - These are entities and objects and consist of:
  - Users: These are entities which authenticate and use the forge.
  - User Groups: Users can be grouped into a user group and authZ permissions can be assigned to the entire group.
    - User groups can also contain other user groups.
      In this case the parent group will have all the permissions of the child group.
  - Repos: Repos are code repositories. Each repo has a set of "repo actions" associated with it.
    - The set of actions that can be done to a repo are: "Read", "Write", and "Membership".
    - The mapping of actions to users is determined by the "repo roles".
  - Repo Groups: Repos can be grouped and have a set of authz apply to the whole group.
    - Repo groups cannot have child repo groups.
    - The set of actions that can be done to a repogroup are: "Read" and "Write". Membership is deliberately omitted as an action for repogroups.
    - The mapping of actions to users is determined by the "repo group roles".
- Repo Actions - Actions determine what operations can be done to a repo and are grouped as:
  - Read: Read from the repo
  - Write: Write to the repo
  - Membership: Handle adding and removing members from the repo.
- Repo Roles - Roles are where users and user groups are mapped to roles for a particular repo. Roles determine what actions are allowed and the roles are:
  - Owner: Owners can perform membership, write, and read actions.
  - Writer: Writers can perform write and read actions.
  - Reader: Readers can perform read actions.
- Repo Group Roles - Repo Group roles map users and user groups to roles for a particular repogroup. Those roles are:
  - Writer: Same as repo roles
  - Reader: Same as repo roles.

Git Forge AuthZ Design Doc

The design doc lays out how the functional spec for this authz service will be implemented.
The high level design involves storing the state in an sqlite database and materializing (pulling the values into the datalog logic) the state into the biscuit authorizer along with the logic.

Sqlite

The basic sqlite schema is as follows:

--
-- File generated with SQLiteStudio v3.4.4
--
-- Text encoding used: System
--
PRAGMA foreign_keys = off;
BEGIN TRANSACTION;

-- Table: repo_roles_enum
CREATE TABLE IF NOT EXISTS repo_roles_enum (
  id INTEGER PRIMARY KEY UNIQUE NOT NULL,
  rolename TEXT UNIQUE NOT NULL
);
INSERT INTO repo_roles_enum (id, rolename) VALUES (1, 'reader');
INSERT INTO repo_roles_enum (id, rolename) VALUES (2, 'writer');
INSERT INTO repo_roles_enum (id, rolename) VALUES (3, 'owner');

-- Table: Repo_Roles_membership_UserGroups
CREATE TABLE IF NOT EXISTS Repo_Roles_membership_UserGroups (
  id INTEGER PRIMARY KEY UNIQUE NOT NULL,
  repo_id INTEGER REFERENCES Repos (id) ON DELETE CASCADE NOT NULL,
  usergroup_id INTEGER NOT NULL REFERENCES UserGroups (id) ON DELETE CASCADE,
  repo_role INTEGER REFERENCES repo_roles_enum (id) NOT NULL
);

-- Table: Repo_Roles_membership_Users
CREATE TABLE IF NOT EXISTS Repo_Roles_membership_Users (
  id INTEGER PRIMARY KEY UNIQUE NOT NULL,
  repo_id INTEGER REFERENCES Repos (id) ON DELETE CASCADE NOT NULL,
  user_id INTEGER NOT NULL REFERENCES Users (id) ON DELETE CASCADE,
  repo_role INTEGER REFERENCES repo_roles_enum (id) NOT NULL
);

-- Table: RepoGroup_membership
CREATE TABLE IF NOT EXISTS RepoGroup_membership (
  id INTEGER PRIMARY KEY UNIQUE NOT NULL,
  repogroup_id INTEGER REFERENCES RepoGroups (id) ON DELETE CASCADE NOT NULL,
  repo_id INTEGER REFERENCES Repos (id) ON DELETE CASCADE NOT NULL
);

-- Table: repogroup_roles_enum
CREATE TABLE IF NOT EXISTS repogroup_roles_enum (
  id INTEGER PRIMARY KEY UNIQUE NOT NULL,
  rolename TEXT UNIQUE NOT NULL
);
INSERT INTO repogroup_roles_enum (id, rolename) VALUES (1,
'reader');
INSERT INTO repogroup_roles_enum (id, rolename) VALUES (2, 'writer');

-- Table: RepoGroup_Roles_membership_Usergroup
CREATE TABLE IF NOT EXISTS RepoGroup_Roles_membership_Usergroup (
  id INTEGER PRIMARY KEY UNIQUE NOT NULL,
  repogroup_id INTEGER REFERENCES RepoGroups (id) ON DELETE CASCADE NOT NULL,
  usergroup_id INTEGER NOT NULL REFERENCES UserGroups (id) ON DELETE CASCADE,
  repogroup_role INTEGER REFERENCES repogroup_roles_enum (id) NOT NULL
);

-- Table: RepoGroup_Roles_membership_Users
CREATE TABLE IF NOT EXISTS RepoGroup_Roles_membership_Users (
  id INTEGER PRIMARY KEY UNIQUE NOT NULL,
  repogroup_id INTEGER REFERENCES RepoGroups (id) ON DELETE CASCADE NOT NULL,
  user_id INTEGER NOT NULL REFERENCES Users (id) ON DELETE CASCADE,
  repogroup_role INTEGER REFERENCES repogroup_roles_enum (id) NOT NULL
);

-- Table: RepoGroups
CREATE TABLE IF NOT EXISTS RepoGroups (
  id INTEGER PRIMARY KEY UNIQUE NOT NULL,
  groupname TEXT UNIQUE NOT NULL
);

-- Table: Repos
CREATE TABLE IF NOT EXISTS Repos (
  id INTEGER PRIMARY KEY UNIQUE NOT NULL,
  reponame TEXT UNIQUE NOT NULL
);

-- Table: UserGroup_membership_usergroups
CREATE TABLE IF NOT EXISTS UserGroup_membership_usergroups (
  id INTEGER PRIMARY KEY UNIQUE NOT NULL,
  usergroup_id INTEGER REFERENCES UserGroups (id) ON DELETE CASCADE NOT NULL,
  child_usergroup_id INTEGER REFERENCES UserGroups (id) ON DELETE CASCADE NOT NULL
);

-- Table: UserGroup_membership_users
CREATE TABLE IF NOT EXISTS UserGroup_membership_users (
  id INTEGER PRIMARY KEY UNIQUE NOT NULL,
  usergroup_id INTEGER REFERENCES UserGroups (id) ON DELETE CASCADE NOT NULL,
  user_id INTEGER REFERENCES Users (id) ON DELETE CASCADE NOT NULL
);

-- Table: UserGroups
CREATE TABLE IF NOT EXISTS UserGroups (
  id INTEGER PRIMARY KEY NOT NULL UNIQUE,
  groupname TEXT UNIQUE NOT NULL
);

-- Table: Users
CREATE TABLE IF NOT EXISTS Users (
  id INTEGER PRIMARY KEY NOT NULL UNIQUE,
  username
TEXT UNIQUE NOT NULL
);

COMMIT TRANSACTION;
PRAGMA foreign_keys = on;

sqlite schema for forge authz

Most of the schema is straightforward and as expected. One thing to note is that what roles are allowed to do is not listed in the schema. That is because the actions roles can do are part of the logic. The database is used to store state.

To make this usable, some example users, groups, repos, and repogroups need to be added and mapped to various roles. My example of this:

%%{init: {"flowchart": {"defaultRenderer": "elk"}} }%%
flowchart TD
  subgraph Users
    Emma
    Noah
    Tony
    Olivia
    Liam
  end
  subgraph UserGroups
    FooOps
    BarOps
    BazOps
  end
  subgraph Repos
    Alpha
    Bravo
    Charlie
  end
  subgraph RepoGroups
    Foo
  end
  subgraph FooRoles[RepoGroup Foo Roles]
    FooWriter[Writer]
    FooReader[Reader]
    FooWriter --> FooReader
  end
  subgraph CharlieRoles[Repo Charlie Roles]
    CharlieOwner[Owner]
    CharlieWriter[Writer]
    CharlieReader[Reader]
    CharlieOwner --> CharlieWriter --> CharlieReader
  end
  Foo --- Bravo
  Foo --- Charlie
  FooOps --- BarOps --- BazOps
  Foo --- FooRoles
  Charlie --- CharlieRoles
  FooOps --- Liam
  FooOps --- Emma
  BazOps --- Tony
  FooOps -- Is a member of the role --- FooWriter
  Noah --- CharlieReader
  Olivia --- CharlieOwner

Flowchart showing various users, repos, usergroups, and repogroups, which are mapped to roles.
The mermaid used to generate this can be found at "Example Setup Mermaid Diagram".

The sqlite to insert this example setup looks like:

--
-- File generated with SQLiteStudio v3.4.4
--
-- Text encoding used: System
--
PRAGMA foreign_keys = off;
BEGIN TRANSACTION;

INSERT INTO Repo_Roles_membership_Users (id, repo_id, user_id, repo_role) VALUES (1, 3, 1, 3);
INSERT INTO Repo_Roles_membership_Users (id, repo_id, user_id, repo_role) VALUES (2, 3, 2, 1);
INSERT INTO RepoGroup_membership (id, repogroup_id, repo_id) VALUES (1, 1, 2);
INSERT INTO RepoGroup_membership (id, repogroup_id, repo_id) VALUES (2, 1, 3);
INSERT INTO RepoGroup_Roles_membership_Usergroup (id, repogroup_id, usergroup_id, repogroup_role) VALUES (1, 1, 1, 2);
INSERT INTO RepoGroups (id, groupname) VALUES (1, 'Foo');
INSERT INTO Repos (id, reponame) VALUES (1, 'Alpha');
INSERT INTO Repos (id, reponame) VALUES (2, 'Bravo');
INSERT INTO Repos (id, reponame) VALUES (3, 'Charlie');
INSERT INTO UserGroup_membership_usergroups (id, usergroup_id, child_usergroup_id) VALUES (1, 1, 2);
INSERT INTO UserGroup_membership_usergroups (id, usergroup_id, child_usergroup_id) VALUES (2, 2, 3);
INSERT INTO UserGroup_membership_users (id, usergroup_id, user_id) VALUES (1, 1, 4);
INSERT INTO UserGroup_membership_users (id, usergroup_id, user_id) VALUES (2, 1, 3);
INSERT INTO UserGroup_membership_users (id, usergroup_id, user_id) VALUES (3, 3, 5);
INSERT INTO UserGroups (id, groupname) VALUES (1, 'FooOps');
INSERT INTO UserGroups (id, groupname) VALUES (2, 'BarOps');
INSERT INTO UserGroups (id, groupname) VALUES (3, 'BazOps');
INSERT INTO Users (id, username)
VALUES (1, 'Olivia');
INSERT INTO Users (id, username) VALUES (2, 'Noah');
INSERT INTO Users (id, username) VALUES (3, 'Emma');
INSERT INTO Users (id, username) VALUES (4, 'Liam');
INSERT INTO Users (id, username) VALUES (5, 'Tony');
COMMIT TRANSACTION;
PRAGMA foreign_keys = on;

sqlite showing configuring an example setup.

These values are fetched for use in the "Biscuit Logic" section.

Biscuit Logic

Datalog (and reading more is highly recommended) consists of "facts" and "rules". A fact is any sort of statement about something known and looks like fact_name($various, $variables), where "fact_name" is the name of the fact. $various and $variables define values, which can be numbers, strings, or dates. A "rule" is a function which derives new facts from existing ones. A rule might look like rule_name($various) <- fact_name($various, $variables), $variables.contains("baz"); where rule_name is the name of the rule, as well as of the facts output by the rule. The part after the <- arrow is the body of the rule: the conditions which are followed to derive the new facts. Commas separate AND statements in the rule body.

Throughout this section I will describe biscuits using their variable syntax and then show an example. For example foo($bar, $baz); is a biscuit fact foo with two variables in it, $bar and $baz. An example of this would be foo("bar:value1", "baz:value2"), where both $bar and $baz have been namespaced to avoid mixing them up. Namespacing is just a string added to the front of a value, but it proved very useful here since most of the sqlite values are numerical ids.

User Token

The biscuit token provided to be authorized is very simple.
It is just the user id: user($userid), for example user("userid:1"). No information about usergroups or other details is provided since those are intended to be pulled out of the sqlite database at evaluation time. Pulling these values out is more costly during each eval, but in the event memberships change after the token is issued, there is no need to request a new token nor invalidate the existing one.

Authorizer

The authorizer is what processes the token and decides if the token, and the requested operation, are authorized.

To start, the authorizer defines how repo roles map to actions:

repo_role_actions("role:owner", ["action:membership", "action:write", "action:read"]);
repo_role_actions("role:writer", ["action:write", "action:read"]);
repo_role_actions("role:reader", ["action:read"]);

repo_role_actions maps roles to actions.

The way that roles such as reader are a subset of owner is not defined in terms of each other, but simply by listing out the allowed actions each role has. This makes things way simpler.

Next, the operation the user requested and the time are defined as facts:

operation("action:read", "repo:3");
time(2024-05-05T12:39:22Z);

operation and time facts.

The operation is the action requested and the repo it is requested against. Time is not used by any later rules nor logic, but it is provided for the user to attenuate their token.

The repo is itself useful information to have and is pulled out via a rule:

repo($repoid) <- operation($action, $repoid);

Deriving the repo fact from the operation fact.

Usergroups appear as state derived from sqlite.
Since usergroups are recursive, the sql query to retrieve group membership must be as well:

WITH RECURSIVE ugs (usergroup_id, child_usergroup_id) AS (
  SELECT usergroup_id, NULL
    FROM UserGroup_membership_users
   WHERE user_id = $userid
  UNION
  SELECT UserGroup_membership_usergroups.usergroup_id,
         UserGroup_membership_usergroups.child_usergroup_id
    FROM UserGroup_membership_usergroups, ugs
   WHERE UserGroup_membership_usergroups.usergroup_id = ugs.usergroup_id
      OR UserGroup_membership_usergroups.usergroup_id = ugs.child_usergroup_id
)
SELECT ugs.usergroup_id, ugs.child_usergroup_id FROM ugs;

sqlite query to retrieve usergroup information.

There is also a much simpler query to get the usergroups that the user is a direct member of. These bits of data get represented in the authorizer as:

usergroup($usergroup, $user);
usergroup($parent_usergroup, $child_usergroup);

Example definitions of usergroups.

which, as an example that shows the usefulness of namespacing, look like:

usergroup("usergroupid:1", "userid:4");
usergroup("usergroupid:1", "usergroupid:2");
usergroup("usergroupid:2", "usergroupid:3");

Usergroup examples.

Here userids and usergroupids are able to exist in the same fact without being mistaken for one another. This makes later logic much simpler.

Repogroups appear in a similar manner:

repogroup($repogroup, $repo);
repogroup("repogroupid:1", "repo:3");

Repogroup definition and example.

Role assignments are a little more complicated and once again make use of namespacing. These consist of two nodes, the user (or usergroup) and the repo (or repogroup), and the relationship between the two (i.e. the role).
This is shown as:

role($user_or_usergroup, $repo_or_repogroup, $role);
role("usergroupid:1", "repogroupid:1", "role:writer");

Role definition and example.

(As an aside, roles required the most effort to retrieve, requiring 4 sqlite queries to get all the possible relationships. This was due to both the sqlite schema enforcing the functional design and a desire to keep the sqlite queries relatively simple.)

Next come the datalog rules. The first item to determine is how to tie the requested action to the roles that can perform it. This is done via:

req_role($role, $action) <- operation($action, $repo), repo_role_actions($role, $permissions), $permissions.contains($action);

Rule to determine which roles allow for the desired action.

The next rules deal with a concept I am calling "authority", as in "X has authority over Y". This is where the membership in usergroups and repogroups is flattened out. The reason it is flattened out is that a connection needs to be found between a role fact and a user/repo. In order to find that connection, every group a user is in, directly or indirectly, must be listed. The same goes for repos.

The repo_authority rule is simple:

repo_authority($member, $member) <- repo($member);
repo_authority($member, $group) <- repogroup($group, $member);

repo_authority rule.

The repo first off has authority over itself.
The repo also has authority over any group it is a member of.

The user_authority rule is a little more complex since it must be recursive:

user_authority($member, $member) <- user($member);
user_authority($member, $group) <- usergroup($group, $member), $member.starts_with("userid:");
user_authority($member, $subgroup) <- usergroup($group, $subgroup), $subgroup.starts_with("usergroupid:"), user_authority($member, $group);

user_authority rule

Recursion in datalog works similarly to a recursive union query in sqlite. Once again, it's best to read more elsewhere, but rules are evaluated iteratively until there are no more unique facts that can be generated by evaluating the rules.

Finally, this all simply needs to be tied together. Note that the same variable name must be used for the user-or-group in user_authority and in role (and likewise for the repo-or-group), since datalog variables are matched by name and two differently spelled variables would not be joined:

allow if user($user), operation($action, $repo), req_role($role, $action), user_authority($user, $userOrGroup), repo_authority($repo, $repoOrGroup), role($userOrGroup, $repoOrGroup, $role);

The allow rule that decides the final authorization

By making use of flattening in the authority rules and namespacing individual users/repos and groups, this final rule was made much simpler.

Sample Run

Running this for a sample request results in the following:

User Token:

user("userid:4");

Authorizer:

repo_role_actions("role:owner", ["action:membership", "action:write", "action:read"]);
repo_role_actions("role:writer", ["action:write", "action:read"]);
repo_role_actions("role:reader", ["action:read"]);
operation("action:read", "repo:3");
time(2024-05-08T23:57:55Z);
repo($repoid) <- operation($action, $repoid);
usergroup("usergroupid:1", "userid:4");
usergroup("usergroupid:1",
\u0026#34;usergroupid:2\u0026#34;); usergroup(\u0026#34;usergroupid:2\u0026#34;, \u0026#34;usergroupid:3\u0026#34;); repogroup(\u0026#34;repogroupid:1\u0026#34;, \u0026#34;repo:3\u0026#34;); role(\u0026#34;usergroupid:1\u0026#34;, \u0026#34;repogroupid:1\u0026#34;, \u0026#34;role:writer\u0026#34;); user_authority($member, $member) \u0026lt;- user($member); user_authority($member, $group) \u0026lt;- usergroup($group, $member), $member.starts_with(\u0026#34;userid:\u0026#34;); user_authority($member, $subgroup) \u0026lt;- usergroup($group, $subgroup), $subgroup.starts_with(\u0026#34;usergroupid:\u0026#34;), user_authority($member, $group); repo_authority($member, $member) \u0026lt;- repo($member); repo_authority($member, $group) \u0026lt;- repogroup($group, $member); req_role($role, $action) \u0026lt;- operation($action, $repo), repo_role_actions($role, $permissions), $permissions.contains($action); allow if user($user), operation($action, $repo), req_role($role, $action), user_authority($user, $userOrGroup), repo_authority($repo, $repoOrGroup), role($userOrGroup, $repoOrGroup, $role);  Final Facts:  operation(\u0026#34;action:read\u0026#34;,\u0026#34;repo:3\u0026#34;); repo(\u0026#34;repo:3\u0026#34;); repo_authority(\u0026#34;repo:3\u0026#34;,\u0026#34;repo:3\u0026#34;); repo_authority(\u0026#34;repo:3\u0026#34;,\u0026#34;repogroupid:1\u0026#34;); repo_role_actions(\u0026#34;role:owner\u0026#34;,[\u0026#34;action:membership\u0026#34;, \u0026#34;action:read\u0026#34;, \u0026#34;action:write\u0026#34;]); repo_role_actions(\u0026#34;role:reader\u0026#34;,[\u0026#34;action:read\u0026#34;]); repo_role_actions(\u0026#34;role:writer\u0026#34;,[\u0026#34;action:read\u0026#34;, \u0026#34;action:write\u0026#34;]); repogroup(\u0026#34;repogroupid:1\u0026#34;,\u0026#34;repo:3\u0026#34;); req_role(\u0026#34;role:owner\u0026#34;,\u0026#34;action:read\u0026#34;); req_role(\u0026#34;role:reader\u0026#34;,\u0026#34;action:read\u0026#34;); 
req_role(\u0026#34;role:writer\u0026#34;,\u0026#34;action:read\u0026#34;); role(\u0026#34;usergroupid:1\u0026#34;,\u0026#34;repogroupid:1\u0026#34;,\u0026#34;role:writer\u0026#34;); time(2024-05-08T03:57:55Z); user(\u0026#34;userid:4\u0026#34;); user_authority(\u0026#34;userid:4\u0026#34;,\u0026#34;usergroupid:1\u0026#34;); user_authority(\u0026#34;userid:4\u0026#34;,\u0026#34;usergroupid:2\u0026#34;); user_authority(\u0026#34;userid:4\u0026#34;,\u0026#34;usergroupid:3\u0026#34;); user_authority(\u0026#34;userid:4\u0026#34;,\u0026#34;userid:4\u0026#34;); usergroup(\u0026#34;usergroupid:1\u0026#34;,\u0026#34;usergroupid:2\u0026#34;); usergroup(\u0026#34;usergroupid:1\u0026#34;,\u0026#34;userid:4\u0026#34;); usergroup(\u0026#34;usergroupid:2\u0026#34;,\u0026#34;usergroupid:3\u0026#34;); Attenuation The prior example was neat, and shows how this works from the database to the authorizer, but it doesn\u0026rsquo;t show anything that a more traditional authz system wouldn\u0026rsquo;t be able to do.\nAttenuation is where biscuits really show their value. By appending blocks of checks to the biscuit token, the holder can limit what the token can be used for, offline and without contacting the issuer. As some examples consider the following restrictions that can be added to the token:\ncheck if repo(\u0026#34;repo:3\u0026#34;); check if operation($action, $repo), $action == \u0026#34;action:read\u0026#34;; check if time($date), $date \u0026lt;= 2100-03-30T19:00:10Z;  Example restrictions to add to a token.\n Each of these limits how the token can be used in a fine-grained way, and because an appended block can only add checks, an attenuated token is never more powerful than the one it was derived from. Once a token is limited in this manner the damage from giving it to a service, or another person, is bounded by what the token can still do. Note that the time check depends on the authorizer supplying a time($date) fact; a check whose body matches no facts fails, so an authorizer that forgets to add the time simply rejects the token rather than skipping the expiry.\nAs an example of where this can be very useful: Consider a service which signs blobs of compiled code. Because the blob is so sensitive multiple people must consent to signing it. 
By using biscuits each person signing off can provide a token to the person who will perform the actual signing with the following attenuation:\ncheck if blob(\u0026#34;sha-256-hash:7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069\u0026#34;); and know that their token cannot be used for anything other than signing this particular blob, provided the signing service adds a blob fact carrying the hash of the artifact it is about to sign, so that the check can only be satisfied by that artifact. Success for biscuits and an example of how they can do much more than OIDC/OAuth!\nReferences  Biscuits, the web page: https://www.biscuitsec.org/ Examples and lessons involving datalog:  https://www.clever-cloud.com/blog/engineering/2021/04/15/biscuit-tutorial/. https://www.learndatalogtoday.org/ https://blogit.michelin.io/an-introduction-to-datalog/ https://blog.pzakrzewski.com/find-legal-moves-in-brass-birmingham-with-logic-programming   A big thanks to Thomas Ptacek for originally writing about biscuits at: https://fly.io/blog/api-tokens-a-tedious-survey/  And a second thanks for having one Geoffroy on a podcast he hosts: Security Cryptography Whatever: https://securitycryptographywhatever.com/2022/01/29/biscuits-with-geoffroy-couprie/   Thank you to the authors of Biscuits as well: Geoffroy Couprie, and Clément Delafargue. It\u0026rsquo;s thanks to their efforts that I can make this blog post and dream of better authZ systems.  
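As an added example (not the Biscuit library, and not the post\u0026rsquo;s own code), the following plain Python models the sample run and the attenuation checks above: the role facts and group memberships are constructed to match the sample run, user_authority and repo_authority are computed to a fixed point exactly as the rules are written, and attenuation is modelled as a list of checks evaluated against the authorizer\u0026rsquo;s facts. The function names, the sample data and the authorize_unjoined variant (which shows what the allow rule degrades to when the role fact is not joined on the same variables as the authority predicates) are this example\u0026rsquo;s own.

```python
# Added example: a plain-Python model of the datalog policy above.
# Not the Biscuit library; authorize(), authorize_unjoined() and the sample facts are this example's own.
from datetime import datetime, timezone

# Constructed facts mirroring the sample run above.
REPO_ROLE_ACTIONS = {
    "role:owner": {"action:membership", "action:write", "action:read"},
    "role:writer": {"action:write", "action:read"},
    "role:reader": {"action:read"},
}
# usergroup(group, member): member belongs to group; members may be users or groups.
USERGROUP = {
    ("usergroupid:1", "userid:4"),
    ("usergroupid:1", "usergroupid:2"),
    ("usergroupid:2", "usergroupid:3"),
}
REPOGROUP = {("repogroupid:1", "repo:3")}
# role(user_or_group, repo_or_group, role)
ROLE = {("usergroupid:1", "repogroupid:1", "role:writer")}


def user_authority(user):
    """Mirror the three user_authority rules: the user itself, the groups it is
    directly in, then (to a fixed point) groups nested inside those groups."""
    auth = {user} | {g for g, m in USERGROUP if m == user}
    changed = True
    while changed:  # datalog-style iteration until no new facts appear
        changed = False
        for group, sub in USERGROUP:
            if sub.startswith("usergroupid:") and group in auth and sub not in auth:
                auth.add(sub)
                changed = True
    return auth


def repo_authority(repo):
    return {repo} | {g for g, m in REPOGROUP if m == repo}


def req_roles(action):
    """req_role: every role whose action list contains the requested action."""
    return {role for role, acts in REPO_ROLE_ACTIONS.items() if action in acts}


def check_repo(repo):            # check if repo("repo:3");
    return lambda facts: facts["repo"] == repo


def check_action(action):        # check if operation($action, $repo), $action == "action:read";
    return lambda facts: facts["action"] == action


def check_expiry(deadline_iso):  # check if time($date), $date <= <deadline>;
    deadline = datetime.fromisoformat(deadline_iso)
    return lambda facts: facts["time"] <= deadline


def authorize(user, action, repo, checks=(), now_iso=None):
    """The allow rule, joined on the same user/group and repo/group variables,
    plus the token's attenuation checks. Every check must pass."""
    facts = {
        "user": user, "action": action, "repo": repo,
        "time": datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc),
    }
    if not all(check(facts) for check in checks):
        return False
    roles, ua, ra = req_roles(action), user_authority(user), repo_authority(repo)
    return any(u in ua and r in ra and role in roles for u, r, role in ROLE)


def authorize_unjoined(user, action, repo):
    """What the allow rule degrades to when the role fact's variables are not the
    same variables as the authority predicates: three independent existence tests."""
    return (bool(user_authority(user)) and bool(repo_authority(repo))
            and any(role in req_roles(action) for _, _, role in ROLE))


if __name__ == "__main__":
    print(authorize("userid:4", "action:read", "repo:3"))           # True: writer via usergroup 1
    print(authorize("userid:9", "action:read", "repo:3"))           # False: no membership at all
    print(authorize_unjoined("userid:9", "action:read", "repo:3"))  # True: the join is lost
```

The checks are plain predicates over the authorizer\u0026rsquo;s facts; an attenuated token can only add more of them, which is why the attacker-facing surface of a handed-out token shrinks rather than grows.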
Git Forge AuthZ Mermaid Diagram\nflowchart TD\n GitRepoService(Git Repo Service)\n subgraph Resources\n Repos\n RepoGroups\n Users\n UserGroups[User Groups]\n UserGroups --\u0026gt; UserGroups\n UserGroups --\u0026gt; Users\n RepoGroups --\u0026gt; Repos\n end\n subgraph RepoActions[Repo Actions]\n Membership\n Write\n Read\n end\n subgraph RepoRoles[Repo Roles]\n RepoOwner[Owner]\n RepoWrite[Writer]\n RepoRead[Reader]\n RepoOwner --\u0026gt; RepoWrite --\u0026gt; RepoRead\n end\n subgraph RepoGroupRoles[Repo Group Roles]\n RGWrite[Writer]\n RGRead[Reader]\n RGWrite --\u0026gt; RGRead\n end\n Membership --- RepoOwner\n Write --- RepoWrite\n Write --- RGWrite\n Read --- RepoRead\n Read --- RGRead\n linkStyle 6,7,8,9,10 stroke:#c00,stroke-width:4px,color:red;\n GitRepoService --- Resources\n Repos --\u0026gt; RepoRoles\n RepoGroups --\u0026gt; RepoGroupRoles\n Users -.-\u0026gt; RGWrite\n Users -.-\u0026gt; RGRead\n Users -.-\u0026gt; RepoOwner\n Users -.-\u0026gt; RepoWrite\n Users -.-\u0026gt; RepoRead\n UserGroups -.-\u0026gt; RGWrite\n UserGroups -.-\u0026gt; RGRead\n UserGroups -.-\u0026gt; RepoOwner\n UserGroups -.-\u0026gt; RepoWrite\n UserGroups -.-\u0026gt; RepoRead\nExample Setup Mermaid Diagram\n%%{init: {\u0026#34;flowchart\u0026#34;: {\u0026#34;defaultRenderer\u0026#34;: \u0026#34;elk\u0026#34;}} }%%\nflowchart TD\n subgraph Users\n Emma\n Noah\n Tony\n Olivia\n Liam\n end\n subgraph UserGroups\n FooOps\n BarOps\n BazOps\n end\n subgraph Repos\n Alpha\n Bravo\n Charlie\n end\n subgraph RepoGroups\n Foo\n end\n subgraph FooRoles[RepoGroup Foo Roles]\n FooWriter[Writer]\n FooReader[Reader]\n FooWriter --\u0026gt; FooReader\n end\n subgraph CharlieRoles[Repo Charlie Roles]\n CharlieOwner[Owner]\n CharlieWriter[Writer]\n CharlieReader[Reader]\n CharlieOwner --\u0026gt; CharlieWriter --\u0026gt; CharlieReader\n end\n Foo --- Bravo\n Foo --- Charlie\n FooOps --- BarOps --- BazOps\n Foo --- FooRoles\n Charlie --- CharlieRoles\n FooOps --- Liam\n FooOps --- Emma\n BazOps --- Tony\n FooOps -- Is a member of the role --- FooWriter\n Noah --- CharlieReader\n Olivia --- CharlieOwner 
","permalink":"https://er4hn.info/blog/2024.05.08-biscuits/","summary":"Discussion of Biscuits, a novel type of bearer token for authZ","title":"Biscuits - A tasty solution for AuthZ"},{"content":" Shadowy monsters lurk around a young woman as she attempts to safely chat with others. Knowing which messaging apps are safe to use requires a great deal of knowledge, and the answer often defaults to folklore. At the same time, the stakes are high and any slip can put users, unknowingly, at risk.\n In 2023-06, Tech Policy Press put together a survey of the security of popular messaging apps. The paper is around 80 pages, but it\u0026rsquo;s all very readable and easy to page through.\nThe intent of the survey is to look at popular messaging apps and see how safe they are to use by people who may be at risk for using them: political dissidents, pro-abortion supporters, LGBTQ+ individuals, and others whose existence or actions make them a target of people who may wish to do them harm. This is not just groups with different ideologies, or family with ill intentions. The adversary these people must be concerned about is the government they live under. With this in mind there is a high bar for these apps to clear if people are to communicate with them and remain safe from danger.\nCryptographers can only make firm statements about how secure an algorithm is after studying it. However, only a few people are cryptographers. Fortunately there are many more security engineers who can read the analysis of a cryptographer and apply that understanding to how safe a chat app might be. Unfortunately the average user is not a security engineer. In some cases, Louisiana and its fight over abortion being a particular example, a user may not even be computer literate and would struggle to use moderately complex systems. In those times users turn to \u0026ldquo;security folklore\u0026rdquo; and \u0026ldquo;security nihilism\u0026rdquo; as their guiding lights for what to do. 
\u0026ldquo;Don\u0026rsquo;t trust Meta, they want to sell you ads. Tape up your microphone when you talk about private things,\u0026rdquo; the folklorist might say. \u0026ldquo;The government can just read your phone. I\u0026rsquo;m not installing Signal, I will just text you,\u0026rdquo; the nihilist replies. Neither is completely true, but it\u0026rsquo;s a struggle to provide education on what is best. This paper highlighted a number of the design issues that contribute to both and provides actionable advice on how to best use apps in their current state, but ultimately it falls to the end users, and the advocates who can educate them, to make the right choices.\nTragically it is all too easy to choose the wrong messaging app. As with many things in security, a failure starts out invisible. Then, without warning, an adversary can strike and the user suddenly becomes a victim. Unencrypted backups, messages on an ally\u0026rsquo;s phone being seized, the government surveilling messages via court order: there are many possible failure modes that can put a user at risk.\nWhat struck me the most is that the fundamental pieces for providing that safety are already in place. The biggest impediment to a complete implementation is the will to put it all together and to communicate that to non-technical users. It may not surprise those within tech-land to see that Signal was the best of the bunch, barring issues like requiring a phone number to sign up.\nAs I read through this I noted a number of key takeaways:\n Implementation of safety and privacy features is everything. Cryptography is the least hard issue: use a vetted implementation of an established protocol (the Noise Protocol Framework, for example) and call it a day. Where things break down is in how features are designed and used.  Good feature design has privacy settings on by default and requires active participation from users to turn them off. 
Bad feature design focuses on social features and gets users to share and disseminate info widely. Good feature design prevents turning off encryption and avoids footguns. Bad feature design has non-encrypted fallbacks or paths where encryption is not used for communication. It\u0026rsquo;s even worse when it\u0026rsquo;s not clear that encryption was not used.   It\u0026rsquo;s very important to let users decide what they want to do and keep that power in their hands. Let users choose how long they want a message to remain before disappearing, let them decide if a message can be sent with encryption on or off, let them decide if URL link previews should be enabled or disabled. By letting the user decide, the user makes their own choices on the risks they are willing to take.  In reading about design the paper brought up the design principles of \u0026ldquo;Privacy by Design\u0026rdquo; and \u0026ldquo;Design from the Margins\u0026rdquo;. Both are highly worth reading into more. Summarizing them succinctly: Privacy by Design has feature design focused on safe default settings, openness, and only adding features that do not decrease privacy. Design from the Margins is a concept where the users most at risk, and their use cases, are treated as core parts of the design rather than as an edge case with poorly thought out features tacked on the side.\nReading through this led me to wonder: But what more could be done? What would an even better designed chat app look like?\nA Possible New Chat App Signal does a pretty wonderful job as far as chat apps go of protecting users\u0026rsquo; privacy. However there are a couple of issues that it has:\n Internet access is required to use Signal: There have been a number of protests where internet access was cut off to try and force protestors to disperse by removing their ability to coordinate. Possessing the app may be a crime: In some countries, such as Iran, even possessing Signal is a crime. 
Police can stop and demand to view a phone to check for disallowed apps. It\u0026rsquo;s possible that governments could subpoena app stores to learn who downloaded the app in the past as well.  Internet access being required is a problem that many other chat protocols have tried to solve. Programs such as Briar and Scuttlebutt allow for communication across alternative channels such as Wi-Fi, Bluetooth, or even offline. It\u0026rsquo;s also worth noting that the Noise protocol doesn\u0026rsquo;t require a central server.\nHowever, even Briar and Scuttlebutt require some app to be installed. It\u0026rsquo;s possible to sideload an app, but this requires detectable changes to be made to a phone as well. It\u0026rsquo;s possible to use a special phone just for the chat app, but that may not always be practical for logistical and financial reasons. Instead, this points towards the use of PWAs as a chat app.\nProgressive Web Applications (PWAs) are a type of web site that can also function as an app. PWAs can use the network, Bluetooth (through Web Bluetooth, which at the time of writing only Chromium-based browsers support, so not Safari on iOS), and storage on the phone. They can be opened as a website or saved to the phone without acting as a formal app install, though the saved icon and the browser\u0026rsquo;s site data are still there for an inspection to find. This allows for a great deal of flexibility in being able to communicate peer-to-peer, install the app unobtrusively, and delete it easily.\nIn order for this to really work well it would likely need some equivalent of a server to receive messages. Relying on others also introduces risk, so peer-to-peer or other decentralized solutions may be the way to go. A peer-to-peer app may focus on letting others provide the servers rather than trusting a central entity. Briar does this with the Briar Mailbox.\nDelivering messages over a decentralized network is a pretty interesting problem as well. Briar will synchronize some messages to be sent by mutual contacts. Other types of messages are only sent directly. 
In a setting where there may be many users and no internet (ex: a crowd being forced to disperse) this sort of solution may not make the most sense. At the same time, forming a complete mesh network would have issues of its own with regards to preventing spam or MitM attacks: with no central server, peers can only authenticate each other through keys exchanged beforehand, in person or through a mutual contact.\nAll in all, this points towards an interesting set of potential problems to explore and work on!\nAcknowledgements Thanks to Ilia Lebedev for linking me to this in the first place.\nImage Generation Header image was generated via Noiselith and SDXL. Details are:\nA confused woman looks at her phone. Ominous, shadowy monsters lurk behind the user, watching her from behind. Dreamy, surreal, art style. Negative prompt: monsters in background Steps: 50, Sampler: DPM++ 2M Karras, CFG scale: 30, Seed: 3265105503, Size: 1024x1024, Model hash: e6bb9ea85b, Model: SDXL 1.0 (VAE 0.9), RNG: NV ","permalink":"https://er4hn.info/blog/2024.01.15-survey-chat-apps/","summary":"How to build a chat app that respects privacy and keeps its users safe.","title":"🔥 Take - Analysis of Security in Popular Messaging Apps"},{"content":"Deets Turn The Ship Around! by L. David Marquet ISBN 978-1-101-62369-5\nReview Turn The Ship Around! is a surprisingly enjoyable discussion on how to transform a large, top down bureaucracy into a more nimble and efficient one driven by people acting independently at every level. Marquet does this by developing what he calls \u0026ldquo;Leader-Leader\u0026rdquo; behavior among his team. Set aboard a US Navy nuclear submarine during peacetime, this story is one of organizational transformation among what feels like a series of low stakes situations. While a nuclear submarine sounds dangerous and exciting, the most hair-raising event that occurs is one in which the submarine nearly severs the line a tug is using to haul another boat. 
Which isn\u0026rsquo;t to say that this book is not fascinating, just set your expectations appropriately.\nThe story that Marquet weaves does impress me though. I wasn\u0026rsquo;t a big fan of it at first, assuming that I would only be able to apply this to a Fortune 50 company, but many of his observations and transformations felt especially relevant, even with my current job and responsibilities. Quoting from Marquet, who quotes Einstein in the intro: \u0026ldquo;The significant problems we face cannot be solved at the same level of thinking we were at when we created them.\u0026rdquo; What this book held for me was advice on how to scale upwards and release top down control as I am learning how to be an effective manager.\nThe book opens by defining the state of the Navy at the time Marquet was a captain: Leader-Follower. A top-down model which, quoting him, \u0026ldquo;developed during a period when mankind’s primary work was physical. Consequently, it’s optimized for extracting physical work from humans.\u0026rdquo; His goal is to shift the submarine into a Leader-Leader mentality where each level feels individual responsibility for the things under their command and acts independently to achieve organizational goals.\nIn order to do this Marquet made a number of changes. The following ones stood out to me in particular:\n Shifted around responsibility so that every individual is responsible for their own job. A part failing that an engineer was responsible for is a failure of the engineer, not the engineer\u0026rsquo;s boss. Likewise if a project a boss was assigned to deliver on fails, it is the failure of that boss, not the boss\u0026rsquo;s boss.  This doesn\u0026rsquo;t mean that the boss\u0026rsquo;s boss is not responsible, they still are, but the boss must now bear personal responsibility as well.   
The submarine crew, famously low performing, was re-oriented away from \u0026ldquo;avoiding errors\u0026rdquo; and towards \u0026ldquo;achieving excellence\u0026rdquo;. As part of that focus on achieving excellence, goals and metrics were sought which would improve the performance of the submarine. Minimizing the number of errors was a natural outcome of those positive goals. Empowered the lower levels to provide their own thoughts and self-organize solutions. This was called \u0026ldquo;Don\u0026rsquo;t move information to authority, move authority to the information\u0026rdquo; and would avoid a slow back and forth decision making process.  Interestingly enough this crops up in other places as well. \u0026ldquo;Hayek\u0026rsquo;s knowledge problem\u0026rdquo; describes the issues with centralized planning. While his article was focused on the economy it applies to a great many other places. This would often be expressed by having someone inform their superior \u0026ldquo;I intend to do X Y Z with the following reasoning\u0026rdquo; at the appropriate time rather than wait for orders to trickle down. Team members could question each other\u0026rsquo;s reasoning and discover errors with this mechanism as well.   Made sure that projects were checked on early to see how they were doing. These check-ins were kept short, and the work was understood to be rough. But this kept projects from being derailed or being marked as \u0026ldquo;not acceptable\u0026rdquo; when they deviated from the requirements the higher levels had thought were needed. When a new project or solution to a problem was needed, don\u0026rsquo;t inform others what that will be. Instead, explain the problem. Involve the team to get their solutions before making a decision.  \u0026ldquo;Specify Goals, not Methods\u0026rdquo; would come up during this process.   Pushed technical competence down through the levels. 
As each person\u0026rsquo;s authority increased they needed to understand more of what they were doing in order to make the appropriate judgement calls and reactions without someone higher up needing to tell them to do so.  This would take the form of needing to not only understand their area of responsibility, but how what they did tied into other parts of the ship. This was more than just technical systems: this would involve preparations for emergencies, improving paperwork driven processes, and many other places. This also led to a change in how people were taught that they called \u0026ldquo;certification.\u0026rdquo; In essence, training was low quality and done frequently by having someone lecture you. You\u0026rsquo;d forget most of the lecture, muck up a bunch of drills, and learn through more training and more drills. Certification had the leader quiz team members prior to the exercise occurring, potentially failing everyone in advance of the exercise if there seemed to be a lack of required knowledge. This both made the exercise more active and encouraged each team member to be aware of what they should be doing.    The book goes into a great many more details and provides specific guidance on how to achieve a Leader-Leader model. In addition, a point I liked, each chapter ends with a set of questions for self-reflection and self-improvement.\nThis was a fairly short read and proved to be quite useful. I would highly recommend this to anyone interested in building their team up to be independent leaders.\n","permalink":"https://er4hn.info/blog/2023.12.16-turn-the-ship-around/","summary":"Review of \u0026ldquo;Turn The Ship Around!\u0026rdquo; by L. David Marquet","title":"(Suggested 📚) Turn the Ship Around!"},{"content":"This post features me discussing SPHINCS+, which is a PQC algorithm for digital signatures. 
It\u0026rsquo;s intended for use as a replacement for current signature schemes and is stateless (you don\u0026rsquo;t need to remember anything about prior signatures), tunable (you can trade signature size against signing and verification speed), and most importantly, based on present day hash algorithms. The final property, being based on hash algorithms, helps make it understandable without a strong background in mathematics.\nI\u0026rsquo;ll preface this with a small note about my credentials: Caveat emptor. I am not a cryptographer. Do not take anything here at face value. I have a bit over a decade of experience in product cybersecurity and am familiar with using various cryptographic algorithms. I have tried to include all of my source materials so that it is clear why I am saying something and you can do your own research. When reading this, assume I am a dummy trying hard with good intentions and will update anything I am emailed about.\nWhy Does This Matter? Quantum computers are coming, and with them, the need for post quantum cryptography (PQC) that cannot be broken by them. At least, that\u0026rsquo;s what NIST said in 2016. Since then a slow, measured, and methodical hunt has been on to find PQC algorithms that can replace current \u0026ldquo;classical\u0026rdquo; algorithms for functions such as digital signatures. Citing NIST IR 8105:\n It has taken almost 20 years to deploy our modern public key cryptography infrastructure. It will take significant effort to ensure a smooth and secure migration from the current widely used cryptosystems to their quantum computing resistant counterparts.\n By 2022 the White House published a memorandum on the risks quantum computers pose to current security systems. 
Quoting from that:\n  Most notably, a quantum computer of sufficient size and sophistication — also known as a cryptanalytically relevant quantum computer (CRQC) — will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world. When it becomes available, a CRQC could jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.\n The reasoning for why PQC research was needed was stated, but the urgency was not. In addition to needing to ensure a smooth transition to new algorithms, data transmitted under classical cryptography today is at risk of decryption by future CRQCs (\u0026ldquo;harvest now, decrypt later\u0026rdquo;). Patient healthcare information, financial transactions, and classified military intelligence could all be recorded today and decrypted 20 years in the future. With classified data in the US being considered classified for at least 25 years, patient information potentially for the lifetime of the patient, and financial transactions for who knows how long, it\u0026rsquo;s important to act now.\nWhy Hash Functions? Most PQC algorithms are based on mathematical problems not used in common classical cryptography, such as lattices. Why are hash functions able to be used in PQC when algorithms like Diffie-Hellman and RSA can be broken?\nThe quick answer is \u0026ldquo;There\u0026rsquo;s no known good quantum attack against hash functions.\u0026rdquo; The best known attack, as of 2023, is the BHT algorithm which claims a novel use of Grover\u0026rsquo;s algorithm to decrease the amount of effort to find a collision from 2^(n/2) to 2^(n/3). This paper was in turn disputed by DJB who noted \u0026ldquo;All of the quantum-collision algorithms in the literature are steps backwards from the non-quantum algorithm of [reference]\u0026rdquo;. 
Even the BHT paper noted issues with being able to implement this in the future, stating \u0026ldquo;When we say that our quantum algorithms require Θ(k) space to hold table L, this corresponds unfortunately to the amount of quantum memory, a rather scarce resource with current technology.\u0026rdquo;\nGrover\u0026rsquo;s algorithm, mentioned in the prior paragraph, is a quantum algorithm that aims to solve the problem of function inversion. Given y = f(x) it attempts to calculate x when given y. For symmetric algorithms it halves their \u0026ldquo;security strength\u0026rdquo;, the exponent of the number of computations required to determine the decryption key. AES-256, with its security strength of 256 bits, has 128 bits of strength in the post-quantum world. That\u0026rsquo;s fine though. It\u0026rsquo;s AES-128, which in the post-quantum world has 64 bits of strength, that is commonly said to no longer be safe to use. One caveat a practitioner should keep in mind: Grover\u0026rsquo;s 2^64 steps have to run sequentially on a fault-tolerant quantum computer and the speedup does not parallelize well, so the practical cost is far above that of a classical 2^64 brute force, which is why many analyses still regard AES-128 as adequate. For a frame of reference on how strong 64 bits of classical strength are, in 2002 a distributed computing project (distributed.net\u0026rsquo;s RC5-64 effort) discovered a 64-bit key via classical brute force after 1,757 days.\nThe algorithm that breaks public key schemes such as Diffie-Hellman and RSA is known as \u0026ldquo;Shor\u0026rsquo;s Algorithm.\u0026rdquo; It efficiently factors integers into their prime factors and solves the discrete logarithm problem; the difficulty of those two problems is what gives RSA, Diffie-Hellman and the elliptic curve schemes their strength in the pre-quantum world. It is the existence of this algorithm that provides the primary motivation for PQC.\nClimbing to SPHINCS+ Being able to understand SPHINCS+ will take a good amount of background and history about other hash based cryptographic algorithms.\n Silly metaphor picture for ascending stairs to reach SPHINCS+. 
Generated in SDXL 1.0 with prompt \u0026ldquo;pencil sketch, of sphinx statue on top of a tall tower, sphinx has glowing blue eyes, viewed from a distance, can see the entire tower, giant stairs leading to top of tower.\u0026rdquo; Flaming eyes were generated with \u0026ldquo;narrow, glowing blue flame, pointing upwards. Highly detailed. Transparent background\u0026rdquo; and added in after the fact. Text and arrows done via Excalidraw.\n This is because SPHINCS+ is a pretty complicated algorithm. You can read it yourself if you like, it\u0026rsquo;s about 24 pages long and covers around 50 years of cryptographic history in the first couple of pages. To fully understand the algorithm, I\u0026rsquo;m going to walk through that history, a step at a time. SPHINCS+ sits upon a tower of prior cryptographic knowledge and the steps leading up to that tower are:\n Lamport Signatures Winternitz Signatures Merkle Hypertrees Stateful Signature Schemes Few Time Signatures Stateless Signatures  and finally at the top of the tower, SPHINCS+.\nLamport Signatures Lamport signatures are the first hash-based signature scheme. Originally published by Leslie Lamport, of distributed systems fame, in 1979, this scheme presented a simple way to use hash functions to perform a digital signature.\nflowchart LR\n subgraph SecretKey[Secret Key]\n Secret0(\"Secret 0\")\n Secret1(\"Secret 1\")\n end\n subgraph PubKey[Public Key]\n Public0(\"Public 0\")\n Public1(\"Public 1\")\n end\n HashFunc0[\"Hash Function\"]\n HashFunc1[\"Hash Function\"]\n Secret0 -- HashFunc0 -- Public0\n Secret1 -- HashFunc1 -- Public1\n Figure showing how the Lamport Signature Scheme creates the keypair for signing a single bit.\n Lamport signatures sign a message one bit at a time. For each bit there are 2 secrets created, Secret 0 and Secret 1 in the diagram above. Each is run through a hash function to create the corresponding Public value. 
For the sake of an example it can be assumed that each Secret value is 256 bits in length. The Hash Function used is \u0026ldquo;SHA-256\u0026rdquo; and the Public values are each therefore 256 bits in length as well.\nflowchart LR\n Bit(\"Bit to sign\")\n Value{\"Bit Value (0 or 1)?\"}\n Reveal0(\"Reveal 'Secret 0'\")\n Reveal1(\"Reveal 'Secret 1'\")\n Bit -- Value\n Value --|bit is 0| Reveal0\n Value --|bit is 1| Reveal1\n Figure showing how signing a single bit works.\n The public key is provided to anyone wishing to verify the value, through means outside of this post. To sign a single bit, the secret corresponding to that bit\u0026rsquo;s value is revealed as the signature.\nflowchart LR\n Bit0_val0(\"Bit 0, value 0\")\n Bit1_val0(\"Bit 1, value 0\")\n Bit2_val1(\"Bit 2, value 1\")\n ValChk0{\"Bit 0 Value?\"}\n Secret0_0[\"Secret for 0\"]\n Secret0_1[\"Secret for 1\"]\n ValChk1{\"Bit 1 Value?\"}\n Secret1_0[\"Secret for 0\"]\n Secret1_1[\"Secret for 1\"]\n ValChk2{\"Bit 2 Value?\"}\n Secret2_0[\"Secret for 0\"]\n Secret2_1[\"Secret for 1\"]\n Signature\n Bit0_val0 -- ValChk0\n ValChk0 -- Secret0_0\n ValChk0 -- Secret0_1\n Secret0_0 -- Signature\n Bit1_val0 -- ValChk1\n ValChk1 -- Secret1_0\n ValChk1 -- Secret1_1\n Secret1_0 -- Signature\n Bit2_val1 -- ValChk2\n ValChk2 -- Secret2_0\n ValChk2 -- Secret2_1\n Secret2_1 -- Signature\n Figure showing how signing multiple bits works\n Since each bit has its own pair of secret values, signing multiple bits involves revealing one secret for each bit. Each bit having its own pair of secrets is crucial. Lamport signatures are \u0026ldquo;one time signatures\u0026rdquo; and every pair of keys:\n Must be unique Can only be used once This is because revealing the secret value for a bit means that an attacker knows it as well. 
If the keys were to be re-used to sign a second message, an attacker could use the already revealed secrets to sign messages of their choosing (any message whose hash only uses bit values that have already been revealed in each position), since for some positions they would know the secrets for both the 0 and the 1 value. The more messages signed with a keypair, the more positions have both secrets revealed, until any message at all can be forged.\nflowchart LR\n subgraph Signature\n Bit0Sig(\"Bit 0 signature\")\n Bit1Sig(\"Bit 1 signature\")\n Bit2Sig(\"Bit 2 signature\")\n end\n subgraph Message\n Bit0(\"Bit 0, value 0\")\n Bit1(\"Bit 1, value 0\")\n Bit2(\"Bit 2, value 1\")\n end\n subgraph PubKey[Public Key]\n Bit0_0Pub(\"Bit 0, value 0 Public Key\")\n Bit0_1Pub(\"Bit 0, value 1 Public Key\")\n Bit1_0Pub(\"Bit 1, value 0 Public Key\")\n Bit1_1Pub(\"Bit 1, value 1 Public Key\")\n Bit2_0Pub(\"Bit 2, value 0 Public Key\")\n Bit2_1Pub(\"Bit 2, value 1 Public Key\")\n end\n HashFunc0[\"Hash Function\"]\n HashFunc1[\"Hash Function\"]\n HashFunc2[\"Hash Function\"]\n Bit0Sig -- HashFunc0 --|Should Match|Bit0_0Pub\n Bit1Sig -- HashFunc1 --|Should Match|Bit1_0Pub\n Bit2Sig -- HashFunc2 --|Should Match|Bit2_1Pub\n Figure showing how a 3 bit message is verified.\n Verification is performed by hashing the signature element for each bit. It is a success if, for every bit, the hashed value equals the public value for that bit position and that bit value (a verifier should also reject a signature that does not have exactly one element per bit).\nWhile easy to understand, this produces large signatures. Assuming that the message itself has been hashed with a function (such as SHA-256) which produces 256-bit digests, and each secret value is 256 bits in length, this will result in the following sizes:\n Message: 256 bits. Secret key: 256 bit positions * 2 secrets per position * 256 bits per secret = 131072 bits. Public key: 256 bit positions * 2 hashes per position * 256 bits per hash = 131072 bits. Signature: 256 revealed secrets * 256 bits per secret = 65536 bits. Sending message + public key + signature = 256 + 131072 + 65536 = 196864 bits, about 24 KB (192 kbit) of data to transmit.  
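As an added example (not code from the post), here is the scheme described above in Python: key generation, signing and verification over a SHA-256 digest, the size arithmetic from the list above, and the key-reuse attack the paragraph before the figure warns about, carried out against a signer who keeps reusing one key pair. The observed messages and the function names are this example\u0026rsquo;s own constructions.

```python
# Added example, not the post's code: Lamport one-time signatures over the SHA-256
# digest of a message, plus the key-reuse attack described above.
import hashlib
import secrets

NBITS = 256        # bits signed: one SHA-256 digest
SECRET_LEN = 32    # each secret is 256 bits


def sha256(data):
    return hashlib.sha256(data).digest()


def keygen():
    """Two random secrets per message bit; the public key is their hashes."""
    sk = [(secrets.token_bytes(SECRET_LEN), secrets.token_bytes(SECRET_LEN)) for _ in range(NBITS)]
    pk = [(sha256(s0), sha256(s1)) for s0, s1 in sk]
    return sk, pk


def message_bits(msg):
    """The message is hashed first; the 256 digest bits are what gets signed."""
    digest = sha256(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(NBITS)]


def sign(sk, msg):
    """Reveal, for each bit position, the secret matching that bit's value."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def verify(pk, msg, sig):
    """Hash each revealed secret and compare with the public value for that bit."""
    if len(sig) != NBITS:
        return False
    return all(sha256(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, message_bits(msg))))


def key_reuse_attack(sk, pk, target, max_observed=64):
    """Why Lamport keys are one-time. The attacker watches the signer reuse one key on
    messages the signer chose (constructed here as b'observed-<i>') and records the
    revealed secret for every (position, bit value). Once both secrets at every position
    have leaked, any target message can be signed without the key.
    Returns (forged_signature_or_None, number_of_signatures_observed)."""
    known = [{} for _ in range(NBITS)]
    for i in range(max_observed):
        msg = b"observed-%d" % i
        for pos, (s, b) in enumerate(zip(sign(sk, msg), message_bits(msg))):
            known[pos][b] = s
        if all(len(k) == 2 for k in known):
            forged = [known[pos][b] for pos, b in enumerate(message_bits(target))]
            return forged, i + 1
    return None, max_observed


def sizes_bits():
    """The sizes computed in the text above, for a 256-bit digest and 256-bit secrets."""
    return {"secret_key": NBITS * 2 * SECRET_LEN * 8,
            "public_key": NBITS * 2 * SECRET_LEN * 8,
            "signature": NBITS * SECRET_LEN * 8}


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"constructed message")
    print(verify(pk, b"constructed message", sig))
    forged, seen = key_reuse_attack(sk, pk, b"attacker's message")
    print(seen, verify(pk, b"attacker's message", forged))
```

key_reuse_attack reports how many reused signatures it had to observe before every position had leaked both secrets; with digests that look random that is typically between ten and fifteen. Long before that point an attacker can already forge any message whose digest happens to use only revealed bit values, which is why the scheme is strictly one-time.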
And the worst part is, a second message will require a new public key to be sent! This forms the basis for hash based cryptography, but can be vastly improved on.

Winternitz Signatures

Winternitz One Time Signatures (WOTS) are an improvement on Lamport Signatures. They came out around the same time, but are more complex. WOTS relies on the concept of "hash chains" where a hash function is applied multiple times and the hash function encodes the signature value of multiple bits.

[Figure showing key generation in WOTS. Each private key chunk (Private Key A, Private Key B) is hashed the same number of times, 16 in the figure, to yield a public key chunk (Public Key A, Public Key B).]

Key Generation in WOTS has a number of private key chunks (this number is "tunable" and will be discussed below) be created and hashed a number of times. The number of times each chunk is hashed (also a tunable value) is the same.
The final output of each multi-hashed chunk is the corresponding public key chunk.

[Figure showing the WOTS hash chains for an 8 bit message, where the message is divided into 2 hash chains: bits 0 - 4 have the value 6, so Private Key A is hashed 6 times to give the signature chunk for those bits; bits 5 - 8 have the value 14, so Private Key B is hashed 14 times to give the signature chunk for those bits.]

WOTS is tunable so that the number of bits to hash per message chunk can be adjusted to trade off on message size vs work. This parameter is normally called w, which stands for "Winternitz parameter", and represents the number of bits to sign. w is also used to calculate the length of the hash chain as 2^w. In the above example w = 4 which means that "2^4 = 16" hashes are needed per signature chunk.

Signing a message then involves performing N hashes where N is the value of the bits covered in that message chunk. In the above example this means that Bits 0 - 4 are hashed 6 times to create that signature chunk.

Verification requires, wait for it 🥁, more hashing. To verify each signature chunk, the signature is hashed a further 2^w - N times, so that the chain reaches its full length of 2^w, and checked against the corresponding public key chunk. If they match, the signature is considered verified.

WOTS provides a much more efficient scheme than Lamport Signatures. Comparing the example above the following can be observed.
This assumes that private key chunks are 256 bits each and the hash function used outputs 256 bits.

                Lamport                       WOTS
Private Key     8 * 2 * 256 = 4096 bits       2 * 256 = 512 bits
Public Key      (Same as Private) 4096 bits   (Same as Private) 512 bits
Signature       8 * 256 = 2048 bits           2 * 256 = 512 bits
Total to Send   4096 + 2048 = 6144 bits       512 + 512 = 1024 bits

Table comparing Lamport vs WOTS signature sizes

WOTS ends up being 83% smaller to send a single message and signature pair. This is much better! However WOTS suffers from the same one time use issue as Lamport. A second message requires a second public key pair. There's still room to improve here.

Checksum

One interesting issue is that the message and signature can still be modified for WOTS. Consider the following, somewhat contrived, case:

A message is signed via WOTS stating "Transfer $100 to er4hn" and the "100" in that message falls exactly within a message chunk. Also assume that w = 8. So this looks something like:

[Picture showing the message and how it is chunked.]

The value 100 ends up being hashed 100 times and has a signature chunk, call it S. But what if you want to increase the value being transferred to er4hn? To change the message from 100 to 101 and ensure the signature still validates, the signature chunk would be replaced with S' = Hash(S), representing 101 hashes. (Note that in reality the message being signed would be a hash of the transfer amount, and the chunk with the hash would need to be a higher number than the original signed chunk, but with enough testing of values this could be possible.)

To solve this a checksum is needed. This checksum must prevent any set of chunks in the message from increasing. How can this be done? The answer is to make a value which decreases as each chunk increases. To do so the message is broken into w-bit blocks.
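The WOTS chains described above, together with the checksum whose steps are spelled out next (max = count * (2^w - 1), checksum = max - SUM(blocks)), as an added example that is not the post's code. It follows the post's convention of 2^w hashes from private to public chunk, uses SHA-256 with 256-bit chunks, signs the checksum blocks with extra chains of the same kind, and the names (wots_sign, checksum_blocks, ...) are my own.

```python
import hashlib
import secrets

N_BYTES = 32  # 256-bit private key chunks and 256-bit hash output, as in the post


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_chain(start: bytes, steps: int) -> bytes:
    """Apply the hash function `steps` times in a row."""
    value = start
    for _ in range(steps):
        value = H(value)
    return value


def to_blocks(value: int, count: int, w: int):
    """Write an integer as `count` w-bit blocks, most significant block first."""
    mask = (1 << w) - 1
    return [(value >> (w * (count - 1 - i))) & mask for i in range(count)]


def message_blocks(message: bytes, w: int):
    """Break the message (in practice its hash) into w-bit blocks; w must divide 8*len."""
    return to_blocks(int.from_bytes(message, "big"), (len(message) * 8) // w, w)


def checksum_blocks(blocks, w: int):
    """The post's checksum, max - SUM(blocks), itself cut into w-bit blocks so
    that it is signed with hash chains of its own. Raising any message block
    lowers the checksum, and a chain can only be walked forwards."""
    max_sum = len(blocks) * ((1 << w) - 1)
    count = (max_sum.bit_length() + w - 1) // w
    return to_blocks(max_sum - sum(blocks), count, w)


def wots_keygen(msg_bits: int, w: int):
    """One random chunk per message block plus one per checksum block; each
    public chunk is its private chunk hashed 2^w times (the post's convention)."""
    n_msg = msg_bits // w
    n_csum = len(checksum_blocks([0] * n_msg, w))
    private = [secrets.token_bytes(N_BYTES) for _ in range(n_msg + n_csum)]
    public = [hash_chain(sk, 1 << w) for sk in private]
    return private, public


def wots_sign(private, message: bytes, w: int):
    """Hash chunk i forward N_i times, where N_i is the value of block i."""
    blocks = message_blocks(message, w)
    blocks += checksum_blocks(blocks, w)
    return [hash_chain(sk, n) for sk, n in zip(private, blocks)]


def wots_verify(public, message: bytes, signature, w: int) -> bool:
    """Finish each chain: 2^w - N_i more hashes must land on the public chunk."""
    blocks = message_blocks(message, w)
    blocks += checksum_blocks(blocks, w)
    if len(signature) != len(public) or len(blocks) != len(public):
        return False
    return all(hash_chain(sig, (1 << w) - n) == pk
               for sig, n, pk in zip(signature, blocks, public))
```

With w = 4 the one-byte message 0x6E splits into the blocks 6 and 14 from the figure, and a signature for it does not verify against 0x6F (block 15), because the raised block forces the checksum chain to go backwards.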
Assuming the message above is 32 bits in length, that's 4 blocks, one of which is the value 100 to be transferred. The maximum value of these blocks is known, that's "max = 4 * (2^w - 1) = 60". The checksum then becomes "60 - SUM(block1, block2, block3, block4)". Increasing the value of any block will decrease the checksum. The checksum is also covered in the signature. Since the attack can only ever increase the value of a block, and increasing a message block forces the checksum block to decrease… the attack is thwarted.

Broken out a little more:

- Break the message (or more appropriately, hash(message)) into count w-bit blocks.
- Calculate "max = count * (2^w - 1)"
- Calculate "checksum = max - SUM(blocks)"

WOTS+

WOTS is pretty old and not exactly the state of the art. In 2013 Andreas Hülsing published a paper on a signature scheme called WOTS+. This is an improvement on WOTS that allows for smaller, but still strong, signatures.

To be honest I didn't read too much into it, beyond seeing it get used later on in SPHINCS+ and reading others that I respect discuss it a bit. For all intents and purposes WOTS+ is the ideal one-time hash based signature scheme.

Hypertrees of Keys

At this point WOTS+ allows a user to have a cryptographically secure one-time signature over some data. However each key can only be used once. Given the amount of effort required to send a key to a verifier, this makes it hard to scale up how these signatures can be used.

Wherever there is a problem though, there is also a solution. Merkle hypertrees allow for efficient distribution of keys by only requiring a single value, the root node of the hypertree, to be sent to a verifier.

Merkle Tree

Before getting into what a hypertree is, one needs to start with a merkle tree.
This isn't the first time I've written about these structures.

[Figure showing a merkle tree: data blocks L1, L2, L3 and L4 are hashed into the leaves Hash 0-0, Hash 0-1, Hash 1-0 and Hash 1-1; Hash 0 = Hash(Hash 0-0 + Hash 0-1), Hash 1 = Hash(Hash 1-0 + Hash 1-1), and the Root Node = Hash(Hash 0 + Hash 1). This is based on the image from: https://commons.wikimedia.org/wiki/File:Hash_Tree.svg]

Merkle trees have the leaves of the tree be hashes of the chunks of data. Each branch node is then the hash of the concatenation of its children's values. The root node thus contains information about every node below it, down to the data blocks that create the leaf nodes. The main utility of Merkle trees is that the integrity of a data block can be checked without needing to know the other blocks. If a verifier, starting with just the root node, wanted to check the integrity of L1 they would only need Hash 0-1 and Hash 1. The verifier can calculate Hash 0-0 and Hash 0 themselves. Once calculated the verifier can check the values of Hash 0 and Hash 1 by confirming that hashing them together matches the value of the root node. At this point the verifier has verified the path leading to L1 and therefore knows that they have the correct value for that data chunk.

To apply this to hash based signatures, consider if each data chunk was a different public key. Now the root node contains information about a number of public keys.
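The tree in the figure, as an added example that is not the post's code, with SHA-256: the leaves are the hashed blocks L1 to L4 (public keys, in the signature setting), auth_path returns the sibling hashes a signer ships so a verifier holding only the root can check one block, and verify_block rebuilds the root from that block plus the path. Names are my own; the number of blocks must be a power of two.

```python
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_levels(blocks):
    """Build the tree bottom-up. levels[0] holds the leaf hashes Hash(L_i),
    each level above holds Hash(left + right), and levels[-1] is [Root Node]."""
    if len(blocks) == 0 or len(blocks) & (len(blocks) - 1):
        raise ValueError("number of blocks must be a power of two")
    level = [H(block) for block in blocks]
    levels = [level]
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def auth_path(levels, index: int):
    """Sibling hashes from the leaf up to the root: what the signer includes so
    that a verifier holding only the root can check one block. For L3 (index 2)
    in the 4-leaf tree this is [Hash 1-1, Hash 0]; for L1 it is [Hash 0-1, Hash 1]."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path


def root_from_path(block: bytes, index: int, path) -> bytes:
    """Recompute the nodes the verifier can calculate themselves and return the
    root they imply. The index decides which side each sibling sits on, which
    is why a path for L3 does not verify L4 even though the siblings are the same."""
    node = H(block)
    for sibling in path:
        node = H(sibling + node) if index & 1 else H(node + sibling)
        index >>= 1
    return node


def verify_block(root: bytes, block: bytes, index: int, path) -> bool:
    """True if `block` really sits at position `index` in the tree with this root."""
    return root_from_path(block, index, path) == root
```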
A signature can point to a specific public key, say L3, and then include the required intermediate hashes, Hash 1-1 and Hash 0, that are needed to check that L3 is a valid public key for this merkle tree.

To generate this tree the signer would start with a (secret) randomly generated number. This secret number is used alongside a Pseudorandom Function (PRF) to generate all of the public/private keypairs for the leaf nodes.

This scheme, while offering a way to send a number of public keys at once, still doesn't scale that well though. For sending a few thousand keys, this will be fine. But on the internet there are numerous messages being sent all the time. Every message that uses TLS would require its own signature, which means its own unique key being used. If you want to send 2^64 messages with a single tree, that is far too much to calculate.

Merkle Hypertree

A hypertree is a tree of trees, sometimes called a multilevel tree. The leaf of a tree leads to the root node of a new tree.

[Figure showing a simple hypertree: Root A has Branch 1 - A and Branch 2 - A above Leaf 1 - A through Leaf 4 - A. Leaf 1 - A holds Key 1-A, which leads to Root B with its own Branch 1 - B, Branch 2 - B and Leaf 1 - B through Leaf 4 - B; Leaf 2 - B holds Key 2B. Leaf 2 - A, Leaf 3 - A and Leaf 4 - A lead to Root C, Root D and Root E. Only Root B is drawn out. Keys for Roots C, D, and E are not shown. Green represents the public key being used, Orange represents values provided in the signature (the Green node is a part of the signature as well), and Blue represents what the verifier can calculate as part of the verification process.]

A property of hypertrees is that the value of the root node of a merkle tree in a hypertree only depends on the leaf nodes of that merkle tree. In the above example the value of Root A only depends on Leaf 1 - A, Leaf 2 - A, Leaf 3 - A, and Leaf 4 - A. Each of the A leaves can generate a tree of their own, this is what makes it a hypertree. With 2 levels of trees, and 4 keys per tree, the number of keys distributed has now grown from 4 to 16. Since the value of the leaf nodes is what determines the merkle tree root value, the full set of 16 keys doesn't need to be generated, only the 4 leaf nodes of the A tree need to be generated. The tree for Root B is expanded to show the key in that tree, but Root B only needs to be expanded on demand. Stated differently, the Leaf 1-A node, and not the Root B values, is what contributes to the Root A value. This makes it possible to efficiently distribute many more keys with a single root node value.

However, because other roots, such as Root B, do not influence the value of Root A, something needs to be done so that those intermediate roots can be trusted when verifying a signature. Since each leaf node is a public key, this is handled by having the leaf sign the next root node.
So a signature made using Leaf 2 - B's public key would contain:

- The public key (data chunk) for Leaf 2 - B
- Leaf 1 - B
- Branch 2 - B
- A signature on Root B (Root B can be calculated with the above values) made by the public key referred to in Leaf 1 - A
- The public key referred to in Leaf 1 - A
- Leaf 2 - A
- Branch 2 - A

Stateful Signatures

By using a merkle tree of keys and signing messages with WOTS (or WOTS+) it is possible to create a signature scheme. Popular algorithms that do this are "XMSS" (eXtended Merkle Signature Scheme) and "LMS" (Leighton–Micali Signatures). Each has some minor tradeoffs, but they are fairly similar: A merkle tree is generated with a set of keys. The root node is used as the public key. A signature is produced over a message using one of the keys. Various improvements are made beyond my explanations to keys, signatures, and all other portions to prevent attacks. Hypertree variants of XMSS and LMS also exist and are called XMSS^MT and HSS, respectively.

Because the security strength relies on keys not being re-used, the signature scheme must ensure that every key is used only once. For XMSS (RFC 8391, Section 4.1.9) this also means that signing the same message multiple times is not idempotent. In other words, each signature on the same message will use up another key. The tracking of keys is done by the code which produces the signature. This storing of the state of used keys is what makes the signature stateful.

[Diagram showing potential points of failure for a stateful signature scheme to save state properly. Each component is labeled. Each component that may fail is labeled in orange.]

Stateful signatures have a major downside, which is that they need to store state. If a key is re-used the signature scheme falls apart.
Looking at a simple and standard deployment of a signature generation program inside a VM, with some attached storage, the following issues can occur:

- Program code does not properly update used keys. This would be most likely to occur in edge cases, such as the storage returning a temporary error.
- Virtual Machine is cloned, perhaps for backup purposes, and the program maintains the key state in RAM, meaning that when the VM resumes the program can re-use old keys.
- The CPU skips some step for bizarre CPU reasons (okay, this one is kind of weak. Let's say that a cosmic bit flip causes an error state. It wouldn't be the first time the sun has ruined cryptography.)
- Storage doesn't properly record the keys used, a backup fails, data is not flushed to disk before a power outage, data on disk is corrupted; being tied to the real world there are a million ways storage can fail.

Let's say that there is a one in a billion chance of this occurring. All the best software was bought, it's been integrated with the most durable hardware using the best in class procedures. Cloudflare, if you believe them, serves 50 million HTTP requests per second. Let's say each of those is a TLS request since Cloudflare offers that for free to everyone. Assume each TLS request uses one XMSS signature. Every 20 seconds one of those "one in a billion" chances hits. You can adjust the numbers however you want, but because of the sheer scale at which cryptography is used, this means that stateful signatures will fail at some point. This is why NIST did not approve of stateful signatures for general use, stating:

Stateful hash-based signature schemes are secure against the development of quantum computers, but they are not suitable for general use because their security depends on careful state management.
They are most appropriate for applications in which the use of the private key may be carefully controlled and where there is a need to transition to a post-quantum secure digital signature scheme before the post-quantum cryptography standardization process has completed.

Few Time Signatures

The next topic to cover in the ascension to SPHINCS+ is few time signatures. Until now all of the signatures discussed have been one time signatures: A message can be signed once with one key. Signing twice (or more) is catastrophic and will allow others to forge messages.

Few time signatures, as their name implies, are hash-based signature schemes which allow for signing multiple messages with one key. This isn't an unlimited number of signatures like classical signature schemes, this is still a limited number. How limited depends on the desired level of resistance to attackers, which will be covered after discussing the first algorithm, HORS.

Hashing to Obtain a Random Subset (HORS)

Hashing to Obtain a Random Subset, or HORS (your guess as to how to pronounce it..) is the introductory few time signature scheme that will serve as a basis to be improved upon.

[Figure showing keys being generated in HORS: a Random Number Generator produces the private key entries x0, x1, x2, ..., x65535, and each x_i is hashed to give the public key entry y_i. The array in this case is of length 65536 which means a = 16.]

The key variable to tune in HORS is a, which represents the number of chunks a message will be broken down into.
This will be used more during signing, but for key generation the length of the private key is 2^a where each element in the private key is a random number. This means that each of the x_i values in the above figure would be a random number of, say, length 256 bits. The public key is then the concatenation of the hash of each of those x values. Assuming that a = 16 and each x entry is 256 bits in length the final public key is 2^16 * 256 = 16777216 bits.

[Figure showing how a 256 bit hash is turned into a signature: the Message is hashed (256 bit output), the hash is split into the chunks a0, a1, a2, ..., a15, and Signature Generation a) indexes into the Private Key with each chunk and b) records Private Key[a0], Private Key[a1], ..., Private Key[a15] as the Signature. a = 16, k = 16 in this figure.]

To sign the message the hash of the message is broken down into chunks. The number of chunks is called k and k = ${Length of Hash Output} / a. Each of the chunks, a_i, then has its value used as an index into the private key. The signature for the chunk a_i is just the private key entry at that index.

To verify a signature the verifier recreates the hash of the message with the same a_i chunking. The verifier uses the value of a_i to index into the array of public key values and obtain the expected public key value. The hash function is then run over the corresponding a_i chunk in the signature to verify that: Hash(Private Key[a_i]) == Public Key[a_i].

Why is HORS a Few Time Signature?

What makes HORS a few time signature and not a one time signature?
The answer is that you lose less keying material each time you sign with HORS compared to a Lamport signature. Assuming an even distribution of key chunks being used (i.e. each a_i chunk was a unique value) the prior example would have used 16 keys out of 2^16 total keys, which is a minuscule amount. In contrast, a Lamport signature would have lost around half of the total keys.

Note: In order to ensure that an attacker cannot choose a set of messages designed to leak specific private key chunks, the signer can include a random string as part of the hash and also include that random string in the signature.

Deciding how many messages a private key will sign with a few time signature requires deciding how hard it should be for an attacker to forge a signature on a message they want signed. For example, let's say that, using the prior example of a = 16 and k = 16, we sign 4 messages. How hard is it for an attacker to forge a signature that uses those revealed private key chunks? This would require an attacker to create a message M such that Hash(M) uses only those revealed private key chunks. The math for this works out as:

- (k private keys / message) * (4 messages) = 64 private keys revealed
- 64 / (2^16) = (2^6) / (2^16) = 2^(-10) chance of a single chunk having a value a_i that has already been revealed in a prior message, due to hash functions having an even distribution. What I mean by "hash functions having an even distribution" is that the attacker must try different input values to "guess" at one having the desired output and that output is random and uncorrelated to the input each time.
- (2^(-10))^k = (2^(-10))^16 = 2^(-160) for the whole message. This means that the attacker will have to make around 2^160 attempts to craft a message which only uses revealed private key chunks.

Is this good enough? That depends on your level of concern about attackers.
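HORS with the post's parameters (a = 16, k = 16, 256-bit entries, SHA-256) as an added example that is not the post's code, with the forgery-work estimate from the bullets above carried through as a function so the budget can be checked for other choices of a, k and number of signed messages. The optional randomizer argument is the note's random string; all names are my own.

```python
import hashlib
import math
import secrets

N_BYTES = 32        # 256-bit private key entries
A = 16              # the private key has 2^a entries: 65536
HASH_BITS = 256     # SHA-256 output
K = HASH_BITS // A  # number of chunks per message hash: 16


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hors_keygen(a: int = A):
    """Private key: 2^a random entries x_i. Public key: y_i = Hash(x_i)."""
    private = [secrets.token_bytes(N_BYTES) for _ in range(1 << a)]
    public = [H(x) for x in private]
    return private, public


def chunk_indices(message: bytes, a: int = A, randomizer: bytes = b""):
    """Cut Hash(randomizer || message) into k a-bit chunks a_0 .. a_{k-1}.
    The randomizer is the note's random string: chosen by the signer and sent
    along with the signature, it stops a message author from steering which
    private key entries get revealed."""
    digest = H(randomizer + message)
    value = int.from_bytes(digest, "big")
    k = (len(digest) * 8) // a
    mask = (1 << a) - 1
    return [(value >> (a * (k - 1 - i))) & mask for i in range(k)]


def hors_sign(private, message: bytes, a: int = A, randomizer: bytes = b""):
    """The signature is simply Private Key[a_i] for every chunk."""
    return [private[i] for i in chunk_indices(message, a, randomizer)]


def hors_verify(public, message: bytes, signature, a: int = A,
                randomizer: bytes = b"") -> bool:
    """Check Hash(Private Key[a_i]) == Public Key[a_i] for every chunk."""
    indices = chunk_indices(message, a, randomizer)
    if len(signature) != len(indices):
        return False
    return all(H(s) == public[i] for s, i in zip(signature, indices))


def revealed_entries(messages, a: int = A) -> set:
    """Positions of the private key an observer has learned from signatures on
    these messages: at most k per message, out of 2^a."""
    return {i for m in messages for i in chunk_indices(m, a)}


def forgery_work_log2(a: int = A, k: int = K, signed: int = 4) -> float:
    """The post's estimate: after `signed` messages at most k*signed entries are
    revealed, each chunk of a fresh hash lands on a revealed entry with
    probability k*signed / 2^a, and all k chunks must, so the attacker needs
    about (2^a / (k*signed))^k attempts. Returns log2 of that number: 160 for
    a = k = 16 and 4 signed messages, 192 when only one message was signed."""
    per_chunk = (k * signed) / (1 << a)
    return -k * math.log2(per_chunk)
```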
For SPHINCS+ specific standards were laid out by NIST and will be covered later.

Downsides of HORS

HORS does have a few downsides that can be improved upon as well: the public key size, and the potential for a signature to re-use the same private key chunk.

The public key size is something evident from earlier. A Lamport signature has a public key of 4096 bits, whereas the HORS example from above has one of 65536 bits, 16 times larger. Since most use of few time signatures informally deems a "few" as "less than 10" this isn't a clear advantage in terms of public keys to send over.

The other problem is that messages may not have unique a_i values for all of the a-chunks in the hash of the message. For an attacker controlling the message they wish to forge a signature over, they can save work by trying to find a message where multiple chunks match in value, thus decreasing the number of private key chunks that need to be revealed.

HORST: HORS with 🌲's

HORST is HORS with (merkle) Trees and it solves the issue with public key distribution by making the chunks of the public key leaves of a merkle tree. Since merkle trees do not encode order in the leaf nodes, each leaf node also needs to have some data that specifies which public key chunk it is. Now only the value of the root node needs to be distributed. This brings down the prior example (assuming a hash function outputting 256 bits) from 65536 bits to 256 bits.

The tradeoff for this is that the signature and verification process is now much more complicated. Every signature must also include the public key chunks, and the intermediate values of the merkle tree to trace that path back to the root. Verification is left as an exercise for the reader, but involves validating the values exist in the merkle tree, in the correct order (i.e. public key chunks y1 and y2 were not swapped.
This is why ordering info needs to be included in the tree when generated), and then performing the HORS signature check.

This scheme, while an improvement, also does nothing to solve the repeated a-chunks issue.

FORS: Forest of Random Subsets

FORS is the hypertree variant of HORST. Now each leaf in the root tree represents an "i" in a_i, i.e. a single position. Each subtree is its own private key for the full range of values that a_i can take on.

[FORS merkle hypertree with a = 4 showing the subtree for a1 and a single key for a1 equal to 1: Root A has Leaf a1 through Leaf a4; Leaf a1 (Key for Leaf a1) leads to Root B, whose leaves are a1 == 0, a1 == 1, a1 == 2 and a1 == 3, and the leaf a1 == 1 holds the Key for a1 == 1. Leaf a2, Leaf a3 and Leaf a4 lead to Root C, Root D and Root E.]

Now two separate positions, say a1 and a4, having the same value won't result in a decrease of security. Each of the positions has its own unique set of values, and its own unique set of private keys. Since hypertrees don't increase the size nor computational complexity of generating the root merkle tree value, this is cheap to generate. The trade off comes once again in making the signatures larger and more complex.

Stateless Signatures

At this point, the journey to the top of the tower, and to explaining SPHINCS+, is nearly complete.
SPHINCS+ is a type of stateless signature and this section explains the theory behind those.

A stateful signature (hash based) scheme is one where each time a key is used, the usage of that key must be tracked so it cannot be used again. A stateless signature scheme is one where the keys used to sign a message do not need to be tracked. That's it. Signing a message still releases secret information, so there are still limits on how many messages can be signed. Exceeding the limit on signing messages will still allow for forged signatures on messages. With it laid out so simply, it sounds dangerous, but it's still possible to build a reasonably strong scheme.

In the prior section on few time signatures it was shown that a few time signature scheme can sign several messages with the outcome being that each signature leaks some of the private key. As long as the amount leaked is kept low, the scheme requires too much work for an attacker to forge messages. This is the key insight into how stateless signature schemes work. A large maximum number of signatures to generate can be set, say 2^64 signatures. Then a threshold can be decided for what is an acceptable chance that a key will be reused. With those two inputs, it's possible to determine a number of keys needed that will allow for that number of signatures while staying below the acceptable threshold of key reuse. This number of keys will be huge, so a hypertree is used to store the keys and distribute the root node of the public keys. Because only the root tree needs to be calculated the keys don't even need to be known in advance for this to work.

The other optimization is to make signatures idempotent. The same message being given to a stateless signature scheme should result in the same output. This both prevents leaking additional parts of the private key for the same message, and is tied to how the signing key is chosen.
This is accomplished by using a PRF to choose the signing key. The hash of the message is fed into the PRF, which then outputs a random stream of values. These values are then used to decide which path to follow in the hypertree, from the root down to the last leaf node which has the signing key. Because this is done with a PRF, the choice of signing key is random. Because the input to the PRF is the hash of the message, the same signing key will be used for the same message.

SPHINCS+

All the different building blocks for SPHINCS+ have been discussed at this point. Now it is possible to state what SPHINCS+ is.

[SPHINCS+ hypertree diagram: the root of tree A is the SPHINCS+ Public Key; Leaf 1 - A holds Key 1-A, which signs Root B with a WOTS+ Signature; Leaf 2 - B in turn signs a FORS Root Node with a WOTS+ Signature, and that FORS key signs the Message with a FORS Signature. Leaf 2 - A, Leaf 3 - A and Leaf 4 - A lead to Root C, Root D and Root E. The diagram shows how the inner trees are signed with a WOTS+ signature. The node before the signature is a FORS tree and the message itself is signed with FORS.]

SPHINCS+ is a stateless signature algorithm which is based on a hypertree of keys. The inner trees are signed via WOTS+, using an XMSS signature (which makes the inner trees look like XMSS^MT). The messages themselves are signed via FORS, where the root node of the FORS tree was signed via the previously mentioned WOTS+ signature.
FORS is used for the messages to decrease the total number of keys needed since there can be some re-use. WOTS+ is used for the inner trees since those will only ever be used once to sign the root node of the next tree.

There are various knobs that can be tweaked for fast signatures (f postfix in the below table) vs small signatures (s postfix in the below table) vs security strength, all sorts of special attacks defended against, hash algorithms that can be chosen, etc, but that's the core of SPHINCS+. This 2 paragraph summary is only able to be so short because of all the prior history that led up to it.

SPHINCS+ was designed around the NIST call for proposals for PQC. SPHINCS+ supports 2^64 signatures and is stateless (per the proposal requirements), which combined with adhering to a standard API for crypto operations, makes it a drop in replacement for classical signature schemes.

Param Set        public key size   secret key size   signature size
SPHINCS+-128s    32                64                8 080
SPHINCS+-128f    32                64                16 976
SPHINCS+-192s    48                96                17 064
SPHINCS+-192f    48                96                35 664
SPHINCS+-256s    64                128               29 792
SPHINCS+-256f    64                128               49 216

Table 6 of the SPHINCS+ Submission. All sizes shown are in bytes.

Algorithm & Parameter Set   Public Key Size   Secret Key Size   Signature Size
Falcon-1024                 1793              2305              1280
Dilithium5                  2592              4864              4595

Comparison of other NIST PQC Digital Signature choices. All sizes are in bytes. Parameter sets in the table represent the highest security level, which is comparable to the SPHINCS+ parameter sets with "256" in their name. Data taken from Open Quantum Safe.

It's worth noting that SPHINCS+ is slower and ends up requiring significantly larger signatures than other PQC choices for digital signatures. Other algorithms are based on fields of mathematics that are believed to be hard for quantum computers to solve and applying them to cryptography.
While this is impressive and has been looked over extensively, issues may arise later since this is still a developing field. What I like the most about SPHINCS+ is that compared to things like lattice based cryptography I find it more approachable since I have a better intuition, and more experience, around hash functions than I do for lattices. If lattice based cryptography develops core issues later on, this also serves as a safe backup algorithm to switch over to.

Acknowledgements

Special thanks to nightxade for helping improve on my explanation of Merkle Hypertrees.

References

The following sources of information were invaluable in putting together this post. I cannot thank the authors enough for the time they put into sharing their material. I apologize for any incorrect statements based on what is likely my misunderstanding of their work. Please note this is provided in addition to any other links earlier in the blog post.

- https://www.youtube.com/watch?v=jiU0ICoiPI0: Introduction to Hash Based Signatures by John Kelsey. This was what allowed me to really understand how SPHINCS+ works and dig into the paper.
- https://csrc.nist.gov/csrc/media/Presentations/2022/crclub-2022-10-19a/20221020-crypto-club-kelsey-slides-MD-hash-sigs.pdf: Another set of slides by John Kelsey that describes how this all works.
- https://cryptobook.nakov.com/quantum-safe-cryptography: Discussion of why hash functions are quantum safe
- https://sphere10.com/articles/cryptography/pqc/wots: Great description of WOTS signatures.
- https://www.rfc-editor.org/rfc/rfc8391.html: The RFC for XMSS.
- Wikipedia: My reasonably trusted source for looking up various topics and trying to make sense of them.
","permalink":"https://er4hn.info/blog/2023.12.16-sphincs_plus-step-by-step/","summary":"A walkthrough of the SPHINCS+ PQC algorithm","title":"SPHINCS+ - Step by Step"},{"content":"Deets

Elon Musk by Walter Isaacson ISBN: 978-1-9821-8130-7

Review

This is a story which humanizes a very controversial man. Elon is someone who has a huge ego, an ability to bullshit and keep that up for years, and a reputation for running people into the ground until they've burned out. In so many ways he embodies the worst traits of the worst leaders in the tech trade. Yet, he also succeeds. He was a key part of PayPal, he brought back rockets to the US via SpaceX, he made electric cars a new category in the US rather than a tiny fraction of a niche. So much of his wealth comes from enormous, impossible bets on himself. He also embodies the best of startup culture, of hustling, of doing things by any means necessary. As Walter Isaacson writes in the closing pages: "Do the audaciousness and hubris that drive him to attempt epic feats excuse his bad behavior, his callousness, his recklessness? The times he's an asshole? The answer is no, of course not. One can admire a person's good traits and decry the bad ones. But it's also important to understand how the strands are woven together, sometimes tightly."

People raised in traumatic environments, by hurt people, absorb that pain and pass it on to future generations. Much of Elon's temperament, even parts of his success, is clearly the product of deep rooted pain, and I find that tragic. Seeing his ups, his downs, how all of his success brought him so little joy, helps raise him up from a boogeyman, and down from a mythological figure. His story makes him a human, a mortal like the rest of us.

One thing I did find particularly noteworthy in his bio was how he ran projects. That was a central part of his success, at least in his own words, and it is interesting.
My own commentary is in line with each statement:\n\nQuestion every requirement. Each should come with the name of the person who made it. You should never accept that a requirement came from a department, such as from “the legal department” or “the safety department.” You need to know the name of the real person who made that requirement. Then you should question it, no matter how smart that person is. Requirements from smart people are the most dangerous, because people are less likely to question them. Always do so, even if the requirement came from me. Then make the requirements less dumb.\n\nKey here is that every requirement should be questioned and have an owner. I am a big fan of attaching ownership to action items and deliverables. Once things become diffuse they lack any ownership and are never driven to completion.\nQuestioning requirements is also important for getting things out the door. This itself feels like a scrappy, startup mentality. Do the least you can to deliver quickly and fix later.\n\nDelete any part or process you can. You may have to add them back later. In fact, if you do not end up adding back at least 10% of them, then you didn’t delete enough.\n\nThough maybe it’s possible to take deleting things too far 🙃\n\nSimplify and optimize. This should come after step two. A common mistake is to simplify and optimize a part or a process that should not exist.\n\nMake things repeatable and possible to follow. Some of the first few steps can be thought of as banging out a proof of concept and this is productizing it.\n\nAccelerate cycle time. Every process can be speeded up. But only do this after you have followed the first three steps. In the Tesla factory, I mistakenly spent a lot of time accelerating processes that I later realized should have been deleted.\n\nI think of this as polish in software engineering. Stabilize the product, make it more reliable, add back in missing features if you can.\n\nAutomate. That comes last. 
The big mistake in Nevada and at Fremont was that I began by trying to automate every step. We should have waited until all the requirements had been questioned, parts and processes deleted, and the bugs were shaken out.\n\nThe goal of all good software is to never do it a second time.\n\nAll technical managers must have hands-on experience. For example, managers of software teams must spend at least 20% of their time coding. Solar roof managers must spend time on the roofs doing installations. Otherwise, they are like a cavalry leader who can’t ride a horse or a general who can’t use a sword.\n\nThis is easier said than done. Reading other people’s reports of Elon, many of his hands-on ideas were harebrained and slowed down development. But I do believe it is important to have a deep understanding of what you are in charge of. Even if you aren’t in the trenches coding, you should know how every component works and be able to understand the complete end-to-end flow at a technical level.\n\nComradery is dangerous. It makes it hard for people to challenge each other’s work. There is a tendency to not want to throw a colleague under the bus. That needs to be avoided.\n\nThis is ridiculous. The company is never your friend, but it is important to work together and support others. You should challenge your colleagues, but don’t stab them in the back.\n\nIt’s OK to be wrong. Just don’t be confident and wrong.\n\nElon does this frequently. Step 2 of his algorithm is literally being confident, deleting too much, and needing to add it back.\n\nNever ask your troops to do something you’re not willing to do.\n\nAgreed.\n\nWhenever there are problems to solve, don’t just meet with your managers. Do a skip level, where you meet with the level right below your managers.\n\nThis makes a lot of sense and ties back to needing a deep knowledge of what you are in charge of. Without that, meeting with the level right below the managers will not be beneficial. 
I’m also reminded of the opposite of this, in “Army Leadership and the Profession”, ADP 6-22: “1-68. Direct leaders understand the mission of their higher headquarters two levels up and when applicable the tasks assigned one level down. This provides them with the context in which they perform their duties.”\n\nWhen hiring, look for people with the right attitude. Skills can be taught. Attitude changes require a brain transplant.\n\nAbsolutely. You can lead a horse to water, but you can’t make it drink. You can teach someone whatever language or tool is in vogue, but you need them to have that intrinsic motivation. As the cool kids say, “They got to have that dog in them.”\n\nA maniacal sense of urgency is our operating principle.\n\nNot only do they got to have that dog in them, it got to be rabid. This actually ties surprisingly well to rules (1) and (2). A sense of urgency allows one to question and delete everything not essential, which in turn helps to get something out the door.\n\nThe only rules are the ones dictated by the laws of physics. Everything else is a recommendation.\n\nGreat for manufacturing and making physical objects. It does still kind of apply to software. You can understand something, not bother to implement it completely, and come back to improve on it later. If it is possible to do, it does not need to be done the first day.\n","permalink":"https://er4hn.info/blog/2023.11.10-elon-musk-bio/","summary":"Review of “Elon Musk” by Walter Isaacson","title":"(Suggested 📚) Elon Musk"},{"content":"Update 2023-12-16\nHello readers, some minor clarifications to this post. On 2023-12-12 I made it to the front page of Hacker News! As is tradition this made many people upset and has been widely regarded as a bad move. 
I want to add a few notes based on feedback I got in: https://news.ycombinator.com/item?id=38614195.\n\nThe author confused Tacit Knowledge with Tribal Knowledge, they are different things!\n\nOkay, it’s fair that they are defined differently. I will accept that Tacit Knowledge is considered knowledge gained through experience, whereas Tribal Knowledge is information not written down that people keep in their heads. However, I do not feel that means that Tacit Knowledge cannot be written down, nor that it is not worthwhile to write down what you know. Saying that something is only learnable through experience and cannot be written down means that the ideas can never be challenged nor explained. “We will use the database with these settings because I have 10 years of database experience” is not testable. Saying “We use the database with these settings because it meets these performance criteria and avoids issues with X” allows for testing, shares experience, and opens the door to opportunities for improvement.\n\nIt takes too long to write down documentation!\n\nIf your work becomes important enough it will take longer to explain it over and over.\n\nYou can’t possibly document everything!\n\nI agree, but you can try your best to capture everything that seems important or recurring.\n\nI’ve decided to capture these points rather than re-write my post to acknowledge that they are valuable, but since I object to them, I’m not going to change the original content.\nOriginal Post\nTacit knowledge, often called “tribal knowledge” in tech, is prevalent in this industry. Documentation is a common afterthought and is frequently wrong, out of date, or lacking crucial information. New hires join a company and go through onboarding exercises intended to have them learn by doing. Often that learning means asking others when they get stuck. 
It becomes natural for an engineer to end up having key information in their head. When others need it, the engineer freely shares it. Until the inevitable happens.\n\nYou need to know something not written down. You won’t be able to get an answer for a long time from the person who knows it best.\n\nThe person who knows what you need is not there. Maybe they left the company, maybe they are on vacation. You may really need to know about the whizbang service, but it’s been 4 years since anyone last worked on it and no-one remembers how it works. You’ve now fallen into the trap of tacit knowledge.\nIt’s easy, even efficient, to rely on tacit knowledge early on. It is often called tribal knowledge because it’s shared by people close to you, the proverbial tribe. This passing on of knowledge helps bond junior and senior members. The tribe passes this knowledge from seniors to juniors via rituals of song and dance. These songs take the form of video calls, ☕ chats, instant message exchanges. Dances transmit information by moving the hand to ctrl+c from a notebook of useful commands, and pressing ctrl+v to send to a colleague. Other, more advanced dances involve connecting to a colleague’s machine to fix an issue or show a manual setup process that isn’t written down. These song and dance routines will hit their limit at some point.\n\nGraph showing relative time scales for different ways of learning something at work.\n\nWhere sharing tribal knowledge breaks down is at scale. It’s faster to shoot someone who knows the answer a message than to read the documentation, but only if that wise sage can respond quickly. If the holder of the knowledge is busy, in another timezone and you missed the end of their day, or on vacation, you are out of luck until they return. The timezone problem is particularly painful. 3:30 pm Pacific has 1.5 hours left in the 9 - 5 working day. 
But if you need help from someone on the east coast of the US, it’s 6:30 pm and they have gone home. That same time is 8 am in Australia, and 4 am in India. If you need help from someone on the other side of the world, you’ll be waiting for a while. This doesn’t even attempt to account for different countries having their own set of national holidays.\nAs a company scales, reliance on tacit knowledge becomes more of a burden. The amount of time it takes to answer a question is a blocker, and needing to ask someone begins to consume more time due to both timezones and the busy nature of some senior people.\n\nGraph showing how it takes a long time to get answers when distributed. Asking a fourth question doesn’t even fit on the “large, distributed” row.\n\nThe longer it takes to get answers, the longer an engineer is blocked. These blockers begin to act as a drag on the ability of an engineer to be productive, and at scale slow down the company itself. Features take longer to ship, bugs take longer to fix. The company itself becomes less nimble and vulnerable to smaller players. This situation always existed, but was exacerbated by COVID and the rise of remote work. Coworkers that used to sit next to each other now work from home. People moved to different cities, and sometimes moved across timezones. How then can one try to regain productivity?\n\nGraph showing how reading docs and watching videos is still slower than asking people who know (and can respond quickly) but far faster than waiting for large, distributed teams to reply to you.\n\nThe answer lies in the original chart: As teams scale up and knowledge becomes more distributed, it is faster to read documentation and watch video lectures than it is to ask others for help. Personally, I am an avid reader and prefer reading (and grepping) for what I need to know. Others learn topics better through video lectures and that is fine. 
Both have a place, but documentation should always be there because it is easily searchable and easy to reference. By investing the time to create a library of information, both written and video, a middle ground is reached. It will never have that small co-located team efficiency, but it will scale far better than anything relying on tacit knowledge.\nFor those who need help in getting started with writing documentation, a previous blog post of mine discusses that as well. Good Docs Take Great Effort is where I would suggest anyone start when they need to figure out how to write documentation or see where they may improve.\n","permalink":"https://er4hn.info/blog/2023.08.26-tacit-knowledge-dangerous/","summary":"On the dangers of storing everything in your head, at scale.","title":"Tacit Knowledge is Dangerous"},{"content":"Deets\n“Becoming a Technical Leader” by Gerald Weinberg. ISBN: 0-932633-02-1\nReview\nTechnical leadership is different from more regimented forms of leadership because technical workers are knowledge workers. A worker in the tech industry can be individualistic, with some sporting strong egos and low EQ. They are opinionated and stubborn. If you can figure out how to manage them in groups, they can accomplish absolutely amazing things.\nTo be an effective technical leader one has to master switching between multiple levels of leadership. With your own team, you have to lean into the details and understand each individual as a richly detailed and complex human being. Each person you work with individually has their own thoughts, goals, and motivations. This is called “organic” leadership in the book. Zooming out, when you work with larger groups and see your team’s place in the organization, you need to apply structure and rigor. Repeatable processes and clear guidelines work best at a higher level. 
The book referred to this concept as “linear” leadership.\nTo be an effective technical leader to your team you need to provide them with “MOI”. MOI is an acronym which stands for:\n\nMotivation: Helping others feel inspired to do their work.\nOrganization: Creating an environment in which the team can collaborate in order to do their work.\nInspiration: Providing the space where technical workers can explore solutions to problems and come up with the best solution for a problem.\n\nMany of the chapters in the book explore how to do this from different perspectives and with different goals. The stories the author uses feel a bit dated, but he closes every chapter with a series of introspective questions for you, the reader, to ask yourself. I greatly enjoyed those questions because they forced me to think about myself more and seek ways to improve. It also slowed down my reading to one chapter per week, which I felt was great for giving myself time to absorb the contents.\nThe topics above are tied together with interludes describing where power as a leader comes from and how to become a leader. The word “manager” is not used, with deliberate intent, because this is not a book for managers. Chapter 14: “Where Power Comes From” discusses this in great detail. The following is not a quote from the book, but an excerpt from my notes on the chapter:\n\nPower, as a leader, is a result of your ability to influence others. It is not granted by muttering a secret incantation, nor bestowed ritually upon becoming a “manager”. Power can come from relationships in which people behave as though oriented around a leader….\n\nI felt like this was an empowering thing to realize, because throughout my career I have had to try and be a leader, while rarely operating as a manager or someone placed in a position of organizational power. 
Seeing that reflected in the chapters of this book made me feel like that was okay and that I didn’t need to be in the right place in an org chart to be a leader.\nClosing out this review, I’d recommend this book to anyone working in a technical field. Even for those who aspire to be strong individual contributors, it is very hard to escape being a leader. No book is perfect and filled with everything one needs without any junk, but this book has a very high signal to noise ratio.\n","permalink":"https://er4hn.info/blog/2023.08.12-become-tech-leader/","summary":"Review of “Becoming a Technical Leader” by Gerald Weinberg.","title":"(Suggested 📚) Becoming a Technical Leader"},{"content":"Documentation is one of the important, yet often overlooked, parts of a software engineering project. Good documentation enables users to quickly get started in using the project and answers questions as they arise. Bad documentation and no documentation look very similar; they waste the user’s time and force them to either read the code to guess at how something works or ask the authors of the project. The authors of the project pay costs for poor documentation as well. Projects that are harder to learn how to use have a harder time gaining traction. Users that are interested, but unable to learn what they need from reading the code, will ask the authors their questions. A project with many users will end up with the same questions being asked every time - a linear penalty for authors who want to focus on developing the project further! Given all this, why is it such a trope of the industry that software engineers write poor documentation?\n\nStacked bar chart showing how a project that becomes more popular can result in less time being able to work on it. Escaping this trap is hard, but documentation can help.\n\nIt takes great effort to write good documentation. 
Unlike other skills learnt in college (algorithms, data structures, hands-on experience with the popular programming language of the day), technical writing is not always taught and rarely explored deeply. Understanding the importance of good technical writing is something that engineers don’t normally realize until they hit a Senior level. A lack of documentation is also something which fails silently. A syntax error in the code causes the compiler to complain. A program which doesn’t work results in a code change, and (ideally) a regression test. A program which doesn’t work repeatedly can be analyzed with modern tools for test coverage, static, and dynamic analysis. But what of documentation? Low quality documentation results in people reaching out to ask the author questions. Good documentation results in people not needing to ask the author as much. This is worse than a silent failure; it’s practically a perverse effect of doing a good job. Undifferentiated high frequency user interactions are not a good thing. If your users are asking questions instead of requesting features, finding bugs, and getting involved, the project is being held back by the lack of good documentation. To fix this, authors must learn to not only write code, but also documentation.\nWriting\nBefore diving head first into technical writing an author must learn what good technical writing looks like. This is a skill which can be taught, learnt, and practiced. A good technical writer can explain a topic concisely. Good technical writing has intuitions about when to use pictures and when to use words. Words should be used with precision and ambiguity avoided. My favorite resource for learning technical writing is Google’s Technical Writer Course: https://developers.google.com/tech-writing. This course offers self-paced studies that can help someone understand the basics and how to develop themselves further. 
From there an author needs to put in the hours. Nothing beats practicing documenting one section of a project, revising it, then documenting a new section.\nWhen I write docs, I find it greatly helps my final output if I keep the following in mind:\nDefine the Audience\nEvery doc should start by defining the intended audience, as early as is reasonable. Defining the audience means stating who is intended to read it and what they are expected to know before reading it. Is the intended audience graphic designers who understand skeuomorphic design principles? Or is it software engineers familiar with distributed systems, git, and sqlite?\nThe purpose of this is to help both yourself and the reader know what to focus on. If you want to discuss, for example, a new type of database index, it will shorten the document if a reader is expected to know both what a database is and how an index is used in a database. It also removes uncertainty for the author about how much detail to go into outside of the intended work to capture. This in turn keeps the doc focused instead of meandering into unnecessary diversions.\nDivide Content Into Sections\nTechnical docs should make finding necessary information easy and straightforward. Full text search is a lovely feature, but a good index can both work faster and let users understand how something works overall. Consider a user who wants to learn about how a build system works end to end. This is all summarized in a single doc. Is it easier if they:\n\n(a) Have each component of the build system listed in its own labeled section, with subsections broken out as needed for large components.\n(b) Have one long doc, with no clearly defined chapters or breaks, that lays out everything.\n\n(b) is an extreme example, the technical equivalent of a massive run-on sentence, but it is also clearly a bad way to lay out information. 
(a) is easier to understand, it keeps the information in each section tightly focused, and even reading the index can be instructive for a user. There is also an advantage to grouping information into small, digestible pieces. Understanding technical docs is not like reading a novel for pleasure; boring parts cannot be as easily glossed over. Keeping sections short helps users avoid fatigue, especially in longer documents.\nSummarize the Section, Up Front\n\nDon’t bury the lede! Put summaries at the start, where they can be quickly seen and read.\n\nThe US military calls it Bottom Line Up Front, or BLUF. People with MBAs call it the Executive Summary. No matter its name, it is a brief summary of what is to follow below. This is a great tool that allows a reader to decide, at the start, if they want to read more below. Every section should start with a summary of what is to follow in it. Every document should start with a brief summary of the sections that will follow and how they will all tie together.\nI didn’t mention tl;dr here, because it’s the opposite of what is desired. tl;dr is what journalists would call “burying the lede”, where the important parts appear at the end of a document. Summaries should always be at the start.\nUse Pictures\nPictures have the ability to convey a large amount of information in a concise manner. When possible, pictures should be used to explain concepts. This doesn’t mean using abstract images to break up walls of text, as Harvard Business Review is frequently guilty of, but to show things that require large amounts of words to explain. One easy example is discussing what a skin condition looks like. You can say rash, such and such shade, size, shape, but it helps to put a picture of it at the top, and then describe it in detail with the text below.\n\nA spool of analog film, unwound. Beautiful, evocative in a non-offensive manner. 
Barely tied to the subject matter. This would be perfect for HBR. Photo by Denise Jans on Unsplash.\n\nPictures do not need to be limited to photographs either. Flow charts, sequence diagrams, and Gantt charts are all valid examples of information-dense ways to convey information. Information density is the key thing to look for when deciding where pictures can help. If a thousand words can be replaced with one picture, add a picture. If a half page of lists can be replaced, that’s enough to add a picture. There is no hard and fast rule beyond conveying information in the easiest possible manner to understand.\nEvery picture, even one which seems obvious, should also be captioned. There are two reasons for this:\n\nReadability: Readers tend to flip through documents looking for information. Their eyes get drawn to pictures and they stop and look at them, ignoring the text around them. Going back to the example of a skin condition, readers may not want to read the paragraphs before and after to learn what condition it is; it is much easier to caption the specific condition being shown in the photo.\nAccessibility: Being able to see, without any sort of issues such as farsightedness, color blindness, or other ailments, is a wonderful thing. Not everyone is able to do so, and adding a caption can help make it more clear to others what is being shown. This is most true for people using screen readers, but it applies to many lesser situations as well.\n\nUse Lists\nLists are another powerful technique to break down text into easily digestible chunks. Keep in mind, technical docs are not novels; they should strive to be concise, focused, and present information in small standalone chunks for ease of reading and looking up key material.\nPlaces where lists are useful include:\n\nEnumerating a defined set of items.\nEnumerating a defined set of use cases.\nListing out steps to follow in a process.\nAnywhere else that a number of elements are being written out. 
Consider the difference in parsing between: “There was a girl, she wore a red beret, carried a translucent umbrella, and had a green and black striped dress. On her feet were black patent leather shoes.” This is descriptive, but not a good way to lay out information for easy parsing in a technical doc. Instead consider:\n\nThere was a girl. She wore:\n\nRed beret\nTranslucent umbrella\nGreen and black striped dress\nBlack patent leather shoes\n\nWhile not as poetic, this does let her clothing be easily discovered, looked up, even potentially cross referenced against a picture.\nPrecision and Professionalism\nThe final piece of advice on writing technical docs is to pay attention to the words used. As a technical writer it is expected that you write in a direct, precise manner. Writing should also be as international and professional as possible. The reader should not be assumed to be your friend nor from the same region as you.\nPrecision is the opposite of ambiguity, and ambiguous technical docs just raise questions as you read them. As an example I will walk through a technical service that encrypts a message.\n\n“The service uses cryptography to protect the message in transit” - This is very ambiguous, there are many kinds of cryptography. Does the service sign a message, does it encrypt the message, does it hash the message?\n“The service uses encryption to protect the message in transit” - This is more precise, but there are many encryption algorithms out there. Which one is used?\n“The service uses AES to protect the message in transit” - This is better, but there are also many possible settings for AES. What is the key size and the mode used for AES?\n“The service uses AES-256-GCM to protect the message in transit” - This is precise. It describes concisely the type of cryptography used with all the required settings. 
A reader can understand immediately what is being done by reading this sentence.\n\nThe other enemy of technical writers is writing informally. A good technical doc should not have the familiarity of a carnival barker, which is itself a very American saying. The writer should write as though the reader is the defined audience (say, “an engineer familiar with distributed systems”) and not assume any understanding of:\n\nSports - No sayings such as “Touchdown!”, “Doing this is a red card move”, “Double header”, etc.\nRegional Politics - Avoid anything involving descriptions of your country’s politics because they may not make sense to international readers or may offend local ones: “Two semaphores may interact in a way that causes a deadlock. This is similar to when Republicans control the House and Democrats win the Senate.”\nSayings in your country or native language - “This image processing library can detect itsy-bitsy tell-tale signs of funny money without a cashier needing to dilly dally” is not going to make sense to non-native speakers of English. Instead frame it as a more precise “This image processing library can quickly detect signs of counterfeit currency.”\nReferences to the reader - The reader is not a “gentle reader”, is not “going to see it is easy”, and should not be told “You will feel happy with yourself to know these things”. These are technical docs and one should just stick to the facts.\n\nDo note that shibboleths of your profession are probably okay, since readers are defined to be members of the profession. This is an example of an okay sentence: “The phrase ‘My code base is a mess’ is so common among SWEs it could be a form of greeting. 
This tool helps to refactor code and prevent the user from needing to say that quite so often.”\nTooling\nOnce one understands the “what” of good technical writing, the next part is “how” to achieve that. Documentation is something which should be a part of every feature. If you wouldn’t ship without testing, you shouldn’t ship without writing documentation. But good docs also need to be kept up to date. Stale docs are poor docs, and poor docs might as well be no docs. I’ve found the following to be very beneficial in keeping docs useful and up to date:\nKeep Docs Close to Code\nMany observations here echo what Daniel says in his haxx.se article. He makes a very good point that keeping docs close to the code is very helpful in keeping them up to date: authors can update docs as they make changes. Tooling can enforce this as well by requiring that either the doc files are modified or the author at least confirms that they reviewed them and no changes are needed.\nMarkdown is an excellent language to use for doc files stored next to code. It’s easy to write, it allows for some formatting, and many tools support working with it. It’s also very easy to lint and to understand what you will get out of it.\nWYSIWYG is nice if you can’t\nWhat You See Is What You Get (WYSIWYG) docs, such as Google Docs, are a reasonable alternative to keeping docs in the code. With a richer editor you are trading one form of ease in updating (seeing it in the VCS as you work) for another (easier editing).\n\nGraph showing different options for managing docs. 
Each one has its tradeoffs between ease of use and the ability to express complex details with little effort.\n Rich editing experiences in WYSIWYG editors are a very nice bell and whistle because it becomes easy to add formatted text, pictures, hyperlinks, and whatever else you desire, with even more ease and expressivity than markdown allows for.\nInstant publication, as is the case with Google Docs and any other cloud based tool, is another plus. No need to have a pull request, a review, or potentially fire a CI job. Just type it out, maybe hit publish, and you are done with an update.\nEase of communication (I swear I’m not trying to sell Google Docs specifically) is another benefit. Docs that people can comment on, help update, and revise can keep docs alive as well.\nAlways Make Design Docs\nDesign docs are an important part of any feature or project that is going to be more than an hour of work or involve more than one person. I chose “one hour” as an arbitrary value, with the intent of saying “anything with more than mild complexity should have a clear design.”\nWhen working on anything even moderately complex there are multiple moving pieces that may take a long time to properly figure out. If each piece talks to every other piece through an API, that’s great! You just need to make sure that both the user and the provider of the API feel there is no ambiguity in that API. If that isn’t the case, if there are functions calling into each other, running programs, or other increasingly vague connections between pieces, those are all places where issues can arise. If multiple people, perhaps in different timezones, are working on this as well, there are more opportunities for pieces to fail to behave as expected. On top of it, as projects drag on, people may join and leave, and memories can become hazy. 
“Why did we decide on our SQL table having this schema?” isn’t a question that should ever need to be asked. It should be evident why that decision was made, even if that table is changed later on.\nThe best way to solve this is to have a design doc that specifies the problem, the solution, and how that solution is to be implemented. Everyone implementing the solution can then work off of it and stay in sync across time and space. Once complete, it forms the basis for any future documentation as well. In many cases, this may be the only documentation for something!\nA picture is worth 1k words\nPictures are a fantastic way to convey information that would otherwise be more cumbersome to write out. Protocol exchanges, flowcharts of algorithmic behavior, and statistics can all be easily expressed through pictures. The problem is how to relate those to good technical documentation.\n A mermaid diagram showing a set of actions for Christmas shopping. As of 2023-06-19 this is the default example on https://mermaid.live.\n Oftentimes good technical documentation lacks pictures because they are a pain to edit. Pictures are kept separate from the documentation, and require cumbersome and tedious work such as hand mapping edges to nodes, arranging everything so it doesn’t collide, and then remembering to save it somewhere so it can be edited later. It’s all a huge pain and leads to pictures either not being made or being left out of date because it is hard to update them.\nAt the same time, it’s hard to just read text. Even RFCs, a text-only format, benefit from diagrams. 
To see an example, look no further than the TCP state diagram from RFC 9293.\n [ASCII-art TCP connection state diagram, Figure 5 of RFC 9293. Its line layout did not survive extraction; see Section 3.3.2 of the RFC for the original. The states shown are CLOSED, LISTEN, SYN-SENT, SYN-RCVD, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK and TIME-WAIT, with each transition labelled by the event received and the segment sent.]\n Figure 5 of RFC 9293 showing states in a TCP connection.\n Section 3.3.2 of the RFC lists out all the states and how one transitions from one to the next, but the eye is still drawn to this picture more so than the text, because the picture is much easier to read and follow along with. 
Now imagine what to do if you realize that FIN-WAIT-1 needs a transition to LAST-ACK. Try editing the ASCII to add that. Ugh!\nMermaid is a diagramming language with a markdown-like text syntax, which makes this much easier. Under Mermaid, drawings become written inputs which are laid out automatically. Mermaid is supported in a number of places including GitHub, VSCode, and many markdown editors. By having the picture be the output of text it becomes easier both to comment on specific problematic elements and to make changes.\nHere is Figure 5, redone in Mermaid:\n Figure 5 of RFC 9293, redone as a mermaid graph.\n The code which I used to generate this is below. I used the “elk” renderer on https://mermaid.live to allow for a better layout in the render.\n%%{init: {"flowchart": {"defaultRenderer": "elk"}} }%%\nflowchart TD\nCLOSED\nLISTEN\nSYNRCVD["SYN RCVD"]\nSYNSENT["SYN SENT"]\nESTAB\nFINWAIT1["FINWAIT-1"]\nFINWAIT2["FINWAIT-2"]\nCLOSING\nCLOSEWAIT["CLOSE WAIT"]\nLASTACK["LAST-ACK"]\nTIMEWAIT["TIME-WAIT"]\nCLOSED -->|passive OPEN\\ncreate TCB|LISTEN\nLISTEN -->|CLOSE\\ndelete TCB|CLOSED\nLISTEN -->|rcv SYN\\nsnd SYN,ACK|SYNRCVD\nSYNRCVD -->|"rcv RST (note 1)"|LISTEN\nLISTEN -->|SEND\\nsnd SYN|SYNSENT\nSYNSENT -->|CLOSE\\ndelete TCB|CLOSED\nCLOSED -->|active OPEN\\ncreate TCB & send SYN|SYNSENT\nSYNSENT -->|rcv SYN\\nsnd SYN,ACK|SYNRCVD\nSYNRCVD -->|rcv ACK of SYN\\nx|ESTAB\nSYNSENT -->|rcv SYN,ACK\\nsnd ACK|ESTAB\nESTAB -->|CLOSE\\nsnd FIN|FINWAIT1\nSYNRCVD -->|CLOSE\\nsnd FIN|FINWAIT1\nESTAB -->|rcv FIN\\nsnd ACK|CLOSEWAIT\nCLOSEWAIT -->|CLOSE\\nsnd FIN|LASTACK\nLASTACK -->|rcv ACK of FIN\\nx|CLOSED\nFINWAIT1 -->|rcv ACK of FIN\\nx|FINWAIT2\nFINWAIT1 -->|rcv FIN\\nsnd ACK|CLOSING\nCLOSING -->|rcv ACK of FIN\\nx|TIMEWAIT\nFINWAIT2 -->|rcv FIN\\nsnd ACK|TIMEWAIT\nTIMEWAIT -->|Timeout=2MSL\\ndelete TCB|CLOSED\nWith the above code, try adding a transition from FINWAIT-1 to LAST-ACK. How long will it take you compared to editing an ASCII diagram?\nDocument your APIs, document your functions\nAPIs, the place where others use your work, must be clear to use. Their inputs should be obvious, as should any expected outputs and error conditions. This is an obvious place where docs excel, and where you often see docs. It is still worth mentioning docs here because they are essential.\nWhat is even better is to bring documentation to internal functions as well. By documenting all but the most obvious internal functions, the same purpose is served as in a good design doc. Documented functions let others work on them, or call them, with ease since it is clear what they do. Even if you are the sole author, coming back to well documented functions after months away will make the process of refreshing one’s memory easier. For documented functions, these docs should always live in the code, ideally right at the start of the function.\nExamples are 💯 gr8 ✨\nThere is a joke that a lot of programming is done by copying from Stack Overflow. In 2021, they did the math ™ and determined that it’s really, really accurate. Some languages, such as Go and Rust, embrace this and provide support for examples which can even be run (and altered!) in a web browser. This is really powerful.\nThe best way to get someone to use something is to make that on-ramp of learning as short as possible. 
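As an added example (mine, not code from the original post), here is what the Go flavour of a runnable doc example looks like, together with a small in-process imitation of the check that go test performs on Example functions. The CountVowels function and its package are hypothetical; only the ExampleCountVowels shape and the “Output:” convention are Go’s.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"strings"
)

// CountVowels returns the number of ASCII vowels (a, e, i, o, u, any case)
// in s. It is a hypothetical function that exists only to be documented.
func CountVowels(s string) int {
	n := 0
	for _, r := range strings.ToLower(s) {
		switch r {
		case 'a', 'e', 'i', 'o', 'u':
			n++
		}
	}
	return n
}

// ExampleCountVowels is the Go doc-example idiom. Placed in a *_test.go file,
// `go test` runs it and fails if what it prints differs from the "Output:"
// comment, so the snippet shown on pkg.go.dev cannot silently rot.
func ExampleCountVowels() {
	fmt.Println(CountVowels("Threat Modeling"))
	fmt.Println(CountVowels("xyz"))
	// Output:
	// 5
	// 0
}

// captureStdout runs fn and returns what it printed to os.Stdout. The output
// has to fit in the pipe buffer, which is plenty for a doc example.
func captureStdout(fn func()) string {
	old := os.Stdout
	r, w, err := os.Pipe()
	if err != nil {
		panic(err)
	}
	os.Stdout = w
	fn()
	w.Close()
	os.Stdout = old
	var buf bytes.Buffer
	io.Copy(&buf, r)
	r.Close()
	return buf.String()
}

// OutputMatches mirrors, in miniature, the check go test applies to Example
// functions: run it, trim trailing whitespace, compare to the expected text.
func OutputMatches(example func(), want string) bool {
	return strings.TrimSpace(captureStdout(example)) == strings.TrimSpace(want)
}

func main() {
	if OutputMatches(ExampleCountVowels, "5\n0") {
		fmt.Println("doc example is current")
	} else {
		fmt.Println("doc example has drifted: fix the code or the docs")
	}
}
```

The point of the shape is that the example and its expected output live in the same file as the code and are executed by the same command as the unit tests, so a refactor that changes the behaviour breaks the build rather than the reader.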
If you can provide a working example someone can run in a browser, that is great 🥇 Something that can be copy-and-pasted for running elsewhere, such as a terminal, is also good 🥈 If these examples stop being accurate, however… that is bad 😡\nThe best way to ensure an example stays working is via… 🥁 automation! Examples which are co-located with the code can be validated automatically and flagged if they stop working. Go and some other languages provide this as built-in support: a Go example function whose printed output no longer matches its “Output:” comment fails go test. For an example see: https://pkg.go.dev/testing#hdr-Examples.\nDocs must be easy to view\nThe harder a doc is to reference, the worse it is. This applies even to the best written docs with the most helpful examples. This is where Markdown and cloud hosted docs show their value. They are easy to read, search, and understand. In contrast, tools such as LaTeX and Sphinx are less valuable. Effort needs to be made to even make use of the doc, typically via some compilation step. Needing to compile a doc before it is usable decreases the ability for a user to get value from it.\nWhenever possible, favor styles of documentation that are easy to view. The easier a doc is to view, the easier it is to use.\n","permalink":"https://er4hn.info/blog/2023.07.22-good_docs_great_effort/","summary":"Writing good documentation requires great effort to execute properly","title":"Good Docs Take Great Effort"},{"content":" Two categories of security: The Bodyguard vs The Watchman\n I’m going to start by making a bold and sweeping claim: pretty much every product, feature, and tool in cyber security can be divided into two categories. These are the “watchman” and the “bodyguard”. Knowing how these categories work is important, because it lets you determine the best way to solve problems. Like choosing between a hammer and a screwdriver, the right tool is needed for the job. 
Choosing the wrong one, such as a bodyguard when a watchman is better suited, will result in ineffective or frustrating security controls.\nBodyguards are analogous to their real life counterparts: they stand between a VIP and all potential threats, shielding the VIP from harm. The VIP can vary from being as big as an entire running operating system to as small as a single TLS connection. Bodyguards are defined as: that which examines an event, before it occurs, and decides if the event should proceed or not. Examples of bodyguard systems include: anti-virus, login portals, and firewalls. I’d even include protocols like TLS or SSH as bodyguards: if the connection is tampered with, the protocol will detect that tampering and handle it appropriately.\nWatchmen, drawing analogies to the real world again, examine the state of the world and make observations based on what they see. One can imagine a night watchman strolling through a warehouse and checking for broken windows to note in their report. Watchmen are defined as: that which examines an event, after it occurred, and decides if it warrants further investigation or not. Examples of watchman systems include: log scanners, systems that measure hashes of files, systems which check configurations across services, AI based intrusion detection systems, and services which rotate keys after confirming a service appears to be behaving as expected.\nThe law of the 🔨 says “If the only tool you have is a hammer, it is tempting to treat everything as if it were a nail.” As everyone familiar with this saying knows, that does not mean the hammer is always the appropriate solution. If you need to protect a VIP from being kidnapped, a watchman who will radio in an hour after it occurs and say “yeep, they’re gone” is not the correct person for that job. 
So then why do we keep on ending up with mismatches like these:\nUsage of a break-glass account can only be audited by reading logs of it being logged into.\nSoftware on a laptop examines every site you go to and blocks known “file sharing sites” such as Dropbox, because they could be used to exfiltrate company data.\nIt is my belief that these mismatches arise from a series of people, ending with the end users of these tools, not understanding what the proper tool for a job is.\nBodyguards work best when a clear decision can be made quickly. AuthN and AuthZ services fit this well because they don’t normally deal with ambiguity. You either can clearly prove an identity and have that map to permissions, or there is a clear failure. Firewalls are another bodyguard style tool because they have clearly defined rules for processing packets. Bodyguards begin to fall apart when there is ambiguity: trying to decide if a never before seen set of ioctl calls represents suspicious behavior (and should be stopped) is an example where bodyguards fail to work properly. Those decisions are best left to watchmen.\nWatchmen work best at flagging potential issues after they have happened. Log analysis services are a straightforward example. Logs are produced after events occur, and log analysis services read those logs later on to look for suspicious behavior. Any sort of suspicious behavior is then flagged for further follow up by humans. Anything that can be examined after it occurs is a watchman service. Checking for files being changed from their expected value, configuration drift, nearly anything involving using AI/ML to find problems among large amounts of data: these are all watchmen. The key items that separate watchmen from bodyguards are that they operate after an event occurs and they make fuzzy, ambiguous decisions.\nReturning to the prior examples of mismatches, the vocabulary to describe the issue is now present. 
Now the question can be asked: what was wrong with them?\nThe first example was a break-glass account that could only be audited by checking logs to see if it was logged into. This is a watchman solution, but it’s not the ideal one. Tech analogies follow from the real world, and glass is only broken (i) in the event of an emergency, (ii) that breaking makes a noise, and (iii) it is obvious afterwards that it broke. (i) is situational and outside the scope of discussion. (iii) is what the logs, mostly, fulfill. That leaves (ii), which is not accounted for. Logs that appear afterwards, and can be tampered with or overlooked, are not a big noise. What should happen is that a bodyguard system determines whether someone is even to be given access to the break-glass account and makes a big explicit noise, such as emailing a special alias or explicitly triggering a high priority SIEM event.\nThe second example was a service, running on a laptop, that would block access to “file sharing” sites to prevent exfiltrating data. This is a bodyguard which is being forced to make decisions that are not suitable for it. If someone wants to exfiltrate data, there are an infinite number of sites one could visit. An adversary could even create a new site on the fly. Because of this a denylist won’t work. An allowlist would only work under limited circumstances where every possible site to be accessed was known in advance. That leaves making a decision by listening in on all interactions with a visited site and making constant judgement calls about whether the dialogue with the site is suspicious or not. This has reached fuzzy territory, which is why it is a bad place for a bodyguard. 
It would be better to accept that exfiltration can only be detected after the fact and rely on watchman services to review the data gathered and decide if further investigation is needed.\nWith this categorization every new security tool can now be evaluated to see if it is a watchman or a bodyguard. After categorizing, it can be determined: is it solving the problem correctly? Is it the right tool? And if not, it can be put down and a more appropriate one found.\n","permalink":"https://er4hn.info/blog/2023.04.29-watchman_bodyguard/","summary":"Everything in Cybersec can be divided into two categories: Watchmen vs Bodyguards","title":"Watchman vs. Bodyguard"},{"content":"This is a hot take on Jason Roberts’ blog post: https://www.codusoperandi.com/posts/increasing-your-luck-surface-area\n“Luck” is the term used to quantify and measure the outcome of events beyond one’s control. Winning the lottery: good luck. Tripping when running and breaking one’s leg: bad luck. Luck is typically spoken about like it is something you possess: “I have bad luck”, “I got lucky that day”. Superstitious attempts are traditionally made to increase one’s luck: a rabbit’s foot carried around, a horseshoe hung inside the house. Yet the cause and effect between talismans and events beyond one’s control cannot be observed. Luck, slippery as it may be, can be increased by carrying out another set of rituals.\nTo begin, one has to view luck as a space on a 2d plane.\n Drawing of a flat plane, with a yellow circle representing one’s luck. Events happen outside the plane, pass through, but never intersect the circle.\n Rays, events, fall from outside the plane and pass through it. If a ray intersects with your luck, however it is shaped, that event happens to you. You get a free scoop of guacamole with your burrito, the lights are green your entire commute to work. 
Luck no longer has bad things under this definition; these are just the positive events you want to happen. But this is still too broad of a definition for luck. The things you can do to increase your luck aren’t magic 🔮 The lucky events you can try to have happen more often aren’t about fortuitous physical timing, they’re about finding chance moments of human connection.\nMany of the lucky breaks that happen in one’s life are the result of human connection. Getting the job that you really want, finding an investor for a project, getting that free scoop of guacamole from a friendly restaurant worker: they all involve moments of meeting people and having those people be willing to help you. Having these moments happen to you is something you can control for and try to have happen more frequently. The actions that control the shape of your luck are what you do and how you tell others about that.\nTo create things is to be doing. Building some new database optimization tool, crafting a better mousetrap, recording yourself going through your favorite hiking trail. These are all acts of creativity where you bring something into the world that wasn’t there before. Creation can take many forms, and even something like reviewing other people’s products is a form of creation. What you are creating is bringing your own thoughts and experiences to someone else’s product. This is what a good deal of the influencer industry, for better or worse, is built upon.\nCreation is one axis of luck. The other axis is to tell people about what you are doing. You must share your creations, promote them at events, shout about what you’re doing from the rooftops and across the internet. This is because on their own these creations will not be discovered. There are billions of people making hundreds of millions of pieces of their own content. 
Without telling other people about what you are doing, they will never know.\n Another drawing of luck as a plane. This time a ray of human connection has hit the person’s luck.\n Now the theory begins to come together. Human beings do not exist in a vacuum. We are pack animals, and by working together we are able to achieve things that could never be done alone. The things that a person would desire: fame, fortune, improving lives around them, are not things done on their own. They need to be shown to people until someone is found who feels the same way as the author about this new thing that has been created. Then, as the author, you’ve gained a supporter. This supporter can help you in ways you could not on your own: they can help promote your work, they can provide you funding, they can help you improve upon your original creation.\n Graph showing how narrow it is to focus on a single axis, and how by focusing on both, more can be achieved.\n It is hard work to do both, but it’s essential. Focusing on one without the other limits how far you can go. One can only tell others about something so many times before they’ll want to see it. Likewise when one builds in complete isolation, it is hard to say if the thing being built actually solves a problem or is the optimal way to do so. But when both are combined one can create, receive feedback, create more, find supporters, and build further upon their support. It’s difficult work to balance, but for those that can, the odds of success are vastly improved.\n","permalink":"https://er4hn.info/blog/2023.04.16-luck_through_work/","summary":"How to achieve better outcomes through work","title":"(🔥 Take) Luck Through Work"},{"content":"Deets\n Design of Everyday Things: Revised and Expanded Edition by Donald A. Norman. ASIN: B00E257T6C\n Review\n Design of Everyday Things is a book that feels timeless, in technological terms. 
It hasn’t endured as long as Marcus Aurelius’ Meditations, but it was published in 1988 and few books from that era are still relevant to a software engineer today. In his book Don discusses design: what makes it functional, useful, and easy to use.\nLike many books that attempt to predict the future, Don got a number of things wrong. Very few of his postulations about where design could and should go felt like they came true. Where I found the enormous value in his book was in his thoughts on good design. Good design is something which remains timeless and is not a prediction of the future. By trying to follow principles of good design, even someone who is not a designer can make useful APIs, write good documentation, and design useful features.\nMuch of the book is focused on the concept of “Human Centered Design” (HCD), which states that one needs to put human needs, capabilities, and behaviors first. A thesis of the book is that designs should accommodate those requirements. One of the most important parts of a good design is clear communication when something goes wrong and the user enters an error state. Don puts this well with a powerful quote:\n It is the duty of machines and those who design them to understand people. It is not our duty to understand the arbitrary, meaningless dictates of machines.\n Two powerful concepts stood out for me as I read through the book: conceptual models, and knowledge of an object.\nThe phrase “conceptual model” entered my mind and kept on rolling off my tongue in later weeks as it would come up in my work. A conceptual model is a simplified explanation of how something works. This could be a product, such as a car. This could be a process, such as how to drive that car from your house to the grocery store and park at the store. 
Conceptual models are the primary means by which people understand how to use something, and they are inferred from the device rather than from reading manuals or asking experts. It is therefore important to make sure that the correct conceptual model is made clear to the user so that they do not end up with an erroneous understanding.\nKnowledge, and how it exists “in the mind” vs “in the world”, was a fantastic concept to see elucidated as well. Knowledge of how something works is used in deciding what to do to accomplish a goal. Quoting Don:\n Perfect behavior results if the combined knowledge in the head and in the world is sufficient to distinguish an appropriate choice from all others\n We all have some level of knowledge in the mind when we interact with something. This is based on prior experiences, training, and similar objects. Similarities are tied to conceptual models and are why buttons in software UIs look like buttons on physical objects: so it is obvious you can press them to do something. It’s also why software UIs, across products and from competitors, will use similar symbols for saving data and altering fonts, and will often adopt similar layouts for displaying data.\nWith specialized tools, knowledge in the mind is not always going to be sufficient to unambiguously distinguish the appropriate choice from all others when a specific goal needs to be achieved. That is where knowledge in the world becomes important. Knowledge in the world covers documentation, examples, and clear feedback from a product when the user appears to be using it incorrectly. Knowledge in the world can often be more important than that in the mind because it can be transferred to others to become knowledge in their minds. 
Tools which offer numerous different actions or are rarely used also benefit from knowledge in the world, because a user cannot reasonably be expected to keep in their mind something they are not using.\nThe book goes into much more than the above; I simply listed my favorite items. It covers the theory of how one interacts with objects and divides that into affordances, signifiers, constraints, and feedback. The different stages of feedback and of a user understanding how to interact with something are covered as well. Later on, different examples of special cases with controls, preventing undesired actions, and how to guide users to appropriate behavior are discussed.\nThe book closes with a discussion of design changes and overall thoughts on how design can fit into creating new products. I found this to be the weakest part of the book. I suspect, but did not check, that some of these parts are part of the expanded second printing of the book. Many of the thoughts the author had on the future of design did not feel accurate, and by the end the author seemed to be wildly waving their hands as they postulated on the future.\nOverall I would consider this book a valuable read. By learning what is in it, even a software engineer can understand how to make what they design more usable and useful for everyone else around them.\n","permalink":"https://er4hn.info/blog/2023.04.02-design_of_everyday_things/","summary":"Review of “Design of Everyday Things” by Donald A. Norman.","title":"(Suggested 📚) Design of Everyday Things"},{"content":"Load balancing is an essential part of any scalable service. A single service, say a compute node which counts the number of vowels in a string, can only process so much data at one time. 
A developer can optimize the code, increase the CPU power, or increase available RAM, but eventually limits will be hit.\n Diagram showing a load balancer and three possible compute nodes that traffic can flow to.\n At the point that an additional node is created, there needs to be a way to decide where to send traffic. Is the traffic sent to each node, one after the other, in “round robin” fashion? Or is each node monitored to see how many free resources it has, with the one with the most free resources getting the new inputs? Should clients with long running workloads be sent to the same node each time they connect? These are the problems a load balancer solves.\nMost of the time a load balancer operates as the endpoint that a client connects to, with the compute nodes being opaque to the client. In HTTP APIs this would make the load balancer the HTTP endpoint the client connects to. This allows the load balancer to not only decide where a service request goes, but also to make decisions based on the contents of that request. Going back to the earlier example of a vowel counting service, the load balancer could examine the size of the request and assign workloads by keeping track of the total number of characters each node is processing.\nZero trust networking (ZTN) changes this setup by breaking fundamental assumptions. In zero trust networking, every connection must be encrypted. For the HTTP case this would look like HTTPS, which is HTTP over TLS. Another tenet of ZTN is that only the service that needs the data should see it. Intermediate services, such as a load balancer, should not be able to, because otherwise the load balancer must be as secure as the end service. If the load balancer is operated differently from the service or run by a different team, this becomes difficult to implement reliably and is a point of failure.\nTLS Termination: To do or not to do? That is the Question. 
When TLS becomes involved in a load balancer, crucial decisions have to be made. TLS operates by having the client and server, the opposite end points of a connection, establish a secure channel that others in the middle cannot listen in on.\n Picture showing a client to server TLS connection. The client transports data physically over a load balancer, but the load balancer may not be able to view that data.\n A basic implementation of a load balancer has it act as an end point. Clients connect to the load balancer and request to use a service. The load balancer accepts the request, decides what node to send it to, then sends the client back the reply. This clashes with ZTN because the load balancer must accept the connection, see what is being sent, then send that onwards to the end server. There may not be much value in the load balancer seeing this data, for example credit card numbers, but the load balancer now has access to all of it.\nLoad balancers which support TLS connections and act as the endpoint clients connect to are said to perform “TLS Termination”. This is because they act as the endpoint (“terminating”) of the TLS connection to fulfill their load balancing activities. Performing TLS termination has several advantages:\nAllows for performing load balancing based on the contents of the request.\nCan front older clients that only speak legacy TLS versions and algorithms now considered unsafe, while the hop to the end servers uses modern TLS.\nSaves end servers from needing to decrypt or manage TLS.\nWhat if, however, one doesn’t want the load balancer to terminate the connection? The opposite of “TLS Termination” is “SSL Passthrough”[1]. With SSL Passthrough the load balancer does not have the ability to view the data being sent; it merely helps route that data to the end server. 
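The post does not say how a passthrough balancer decides which end server a connection belongs to when several services sit behind it. The usual answer is the Server Name Indication (SNI) extension of the TLS ClientHello, which the client sends in cleartext before any key is in play, so the balancer can read it without holding any certificate or private key. As an added example, mine rather than code from the post or from any product it names, here is a bounds-checked SNI extractor and a route-table lookup; BuildClientHello is a constructed input so the block runs offline, and the route table and addresses are made up.

```go
package main

import (
	"errors"
	"fmt"
)

var errMalformed = errors.New("malformed ClientHello")

// cursor is a bounds-checked reader over attacker-supplied bytes: a read past
// the end sets fail instead of panicking, and every later read fails too.
type cursor struct {
	b    []byte
	fail bool
}

func (c *cursor) take(n int) []byte {
	if c.fail || n < 0 || len(c.b) < n {
		c.fail = true
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

// uint reads an n-byte big-endian unsigned integer (TLS uses n = 1, 2 and 3).
func (c *cursor) uint(n int) int {
	v := 0
	for _, x := range c.take(n) {
		v = v<<8 | int(x)
	}
	return v
}

// ParseSNI returns the server_name from a complete TLS ClientHello record
// without decrypting anything. Anything that is not a well-formed ClientHello
// is an error, so the balancer fails closed instead of guessing.
func ParseSNI(pkt []byte) (string, error) {
	c := &cursor{b: pkt}
	if c.uint(1) != 0x16 { // record type must be handshake
		return "", errMalformed
	}
	c.take(2)                         // record version
	c = &cursor{b: c.take(c.uint(2))} // record body
	if c.uint(1) != 0x01 { // handshake type must be ClientHello
		return "", errMalformed
	}
	c = &cursor{b: c.take(c.uint(3))}    // ClientHello body
	c.take(2 + 32)                       // client_version, random
	c.take(c.uint(1))                    // session_id
	c.take(c.uint(2))                    // cipher_suites
	c.take(c.uint(1))                    // compression_methods
	ext := &cursor{b: c.take(c.uint(2))} // extensions
	if c.fail {
		return "", errMalformed
	}
	for len(ext.b) > 0 && !ext.fail {
		typ := ext.uint(2)
		data := &cursor{b: ext.take(ext.uint(2))}
		if typ != 0 { // 0 = server_name (RFC 6066)
			continue
		}
		names := &cursor{b: data.take(data.uint(2))}
		for len(names.b) > 0 && !names.fail {
			nameType := names.uint(1)
			name := names.take(names.uint(2))
			if nameType == 0 && len(name) > 0 { // 0 = host_name
				return string(name), nil
			}
		}
		return "", errMalformed
	}
	return "", errors.New("no SNI in ClientHello")
}

// PickBackend routes one connection by SNI alone: the balancer needs this table
// and no private keys. An unknown name is refused, and SNI only ever routes.
func PickBackend(hello []byte, routes map[string]string) (string, error) {
	host, err := ParseSNI(hello)
	if err != nil {
		return "", err
	}
	if backend, ok := routes[host]; ok {
		return backend, nil
	}
	return "", fmt.Errorf("no backend for %q", host)
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// BuildClientHello is a constructed input for this example: a minimal TLS 1.2
// ClientHello carrying one SNI host_name, as a real client socket would deliver.
func BuildClientHello(host string) []byte {
	name := append(append([]byte{0}, be16(len(host))...), host...) // host_name entry
	sni := append(be16(len(name)), name...)                          // ServerNameList
	ext := append(append(be16(0), be16(len(sni))...), sni...)        // type 0, length
	body := append([]byte{3, 3}, make([]byte, 32)...)                // version, random
	body = append(body, 0, 0, 2, 0x13, 0x01, 1, 0)                   // no session_id, one suite, null compression
	body = append(append(body, be16(len(ext))...), ext...)
	hs := append([]byte{1, 0, byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 3, 1, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}
```

Three caveats a practitioner would want. SNI is unauthenticated cleartext chosen by the client, so it may select a backend but must never be used as an authorization decision; the backend still has to verify what it serves. Encrypted Client Hello hides the name entirely, at which point a passthrough balancer can only route by IP and port. And a real proxy must buffer a complete record (possibly across several TCP reads, and possibly several records for a large hello) before parsing, which is why the parser above refuses truncated input rather than guessing.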
This fulfills the goals of ZTN by preventing the load balancer from being a place where an adversary could attack and steal the data being transported over it.\nTurning to the OSI model of network architecture, load balancers performing TLS termination operate at layer 7, the application layer. For a load balancer to function without requiring TLS termination, it needs to function at layer 4, transport.\nMy focus for the rest of this article will be on layer 4 load balancing with SSL Passthrough. I think that performing TLS termination is generally a bad practice to follow because of the problem where it causes the load balancer to become just as important to secure as the end nodes working over the sensitive data. If the load balancer and the end nodes are run by different teams, or the load balancer is used to balance traffic across a number of different services, it becomes very easy to lose track of the importance of securing the load balancer. Therefore it becomes important to have load balancing solutions that function at layer 4.\nLayer 4 Traffic Balancing\nTo successfully balance traffic at layer 4, both hardware and software need to be factored into the design. Each has its own advantages and can even function well on its own, for a period of time. By going with a hybrid hardware/software model one is able to achieve high resiliency in a load balancing design.\nPlease note that the below discussions focus on load balancing within a single site. Multi-site load balancing is more complex and not the focus of this discussion.\nNetwork Router\nNetwork routers and switches provide the physical transport over which data flows. There are a number of different ways to achieve this, which rely on assigning all of the end nodes the same IP address. Solutions involving Anycast and BGP with ECMP are covered below.\nAnycast\n Picture showing a red client node forming an anycast connection to a green server node. 
Other possible endpoints are shown in green as well. Picture taken from Wikipedia: By Easyas12c~commonswiki - Wikimedia Commons, Public Domain, https://en.wikipedia.org/w/index.php?curid=53850281\nAnycast IPs are a concept where specially designated IP addresses can go to any number of end hosts that share the same IP address. Routers many hops away from an anycast address are able to handle and route traffic the same as for any other IP address. Routers closer to a destination do need to be anycast aware and make a decision on where to send the traffic.\nThere are a few drawbacks with anycast routing that prevent it from being more useful for load balancing. The first is that routing is generally stable and results in a client being directed to the closest (in terms of hops or other metrics) location. This means that multiple clients in one location will not be spread across end nodes without additional effort. The next drawback is that routers near the destination must be anycast aware to know how to route the traffic as it gets closer. Finally, anycast is only supported at a protocol level in IPv6. The next section covers how IPv4 deployments can implement an anycast-style design using routing protocols.\nBGP With ECMP\nBorder Gateway Protocol (BGP) with Equal-Cost Multi-Path (ECMP) routing is another solution that lets multiple endpoints be reached via one IP address. An advantage of this solution is that it works on IPv4.\nDiagram showing a network setup for load balancing across three servers in one site. Paths for client flows are shown in yellow and red.\nTo set this up each service listens on the same IP address. In the above diagram this is represented via the loopback address of 10.0.0.1. 
The server each service is running on has its own individual IP address and they are all connected to a router, designated “Foo”.\nBGP running on Foo injects the Virtual IP (VIP) of 10.0.0.1 as an advertised IP for clients to connect to. ECMP decides which path, and therefore which server, traffic for 10.0.0.1 follows: from the perspective of ECMP the multiple services are all one end destination.\nWhen a client, such as Alpha, connects to 10.0.0.1 via Foo, ECMP kicks in and looks at the “5-Tuple” that comprises the connection. This is:\nClient Alpha’s source IP\nClient Alpha’s source port\nThe 10.0.0.1 destination IP\nThe 10.0.0.1 destination port\nThe protocol in use (TCP vs UDP)\nECMP uses the hash of this information to select the server to send traffic to. In the yellow path above that is Server One. Server One then sends the traffic to Service One where it is processed. Because the choice is stable as long as the 5-tuple does not change, this works for TCP connections that send multiple packets. This doesn’t provide actual load balancing though. ECMP is a stateless routing strategy that doesn’t provide round robin routing. Traffic is “balanced” only by assuming that the hash will evenly distribute connections across the paths. If there is an imbalance the only knob one can twist is to change the hash and hope that the new one is more evenly distributed over time.\nOther Hardware Solutions\nThe above solutions are not the only ones out there. There is an entire galaxy of possible hardware solutions, ranging from other protocols, to the use of overlays, to specialized load balancing hardware. The ones which I mentioned are merely a couple of common solutions that would not raise eyebrows if mentioned.\nOne hardware solution, which is related to a solution mentioned below, is HAProxy’s ALOHA Load Balancer. 
This is a solution which can be run on either a hardware appliance or as a VM and provides nice 🔔 and 😗🎶’s, such as a graphical UI, that make it easy to maintain over time.\nSoftware\nSoftware based load balancing is a solution that brings in its own tradeoffs. The pros of software load balancers are that they are cheaper and more configurable than comparable hardware options. The cheapness comes from being able to add new software instances for less cost than new instances of hardware. Configurability comes from software being much easier to add features to and adjust compared to hardware. For open source products, a truly dedicated power user could even add their own feature!\nAnother important feature of software based load balancers is that they are able to perform true load balancing, such as with a round robin strategy. This is due to them being stateful and able to track information such as: “I just handed off a new connection to Server Bravo, the next one will go to Charlie”. With server health information even more nuanced balancing can be performed.\nA popular tool for performing software load balancing with SSL Passthrough is HAProxy. This is an open-source tool which allows for various balancing strategies, rich logging, and many other useful features. The passthrough mode is set via mode tcp, which forwards raw TCP connections. HAProxy can be used to perform additional checks, such as validating that the connection is TLS, but those are not required for a basic setup.\nUnfortunately software is not a perfect solution. The biggest drawback of software load balancers is performance. They will always be slower than dedicated hardware and may require expertise and time to tune so they run well. 
Running multiple software load balancers also requires the underlying network to account for them, so that they can be added and removed.\nHybrid\nIn a hybrid mode, both hardware and software solutions are brought together to minimize the downsides of the individual solutions and benefit from their strengths. The downside of software load balancers is that the network needs to be aware of them to properly route traffic among multiple software nodes and allow for individual nodes to be removed as needed. So a basic implementation becomes:\nDiagram showing a router connected to SW Load Balancers. Each Load Balancer is connected to three servers.\nNow either Alpha or Bravo can be removed for maintenance and the router updated so that it no longer routes through them. The router may favor Alpha more than Bravo, but that is not an issue. More software load balancer nodes can be easily added, or the ECMP hash algorithm changed, if a subset of software balancers is receiving too much traffic.\nBut what if the router needs maintenance? Now the router has become a single point of failure. So more routers need to be added to allow for removing one.\nA diagram showing a setup with two routers that a network can access. Each router is connected to the two software load balancers. The software load balancers each remain connected to the three servers.\nBy adding a second router that can have traffic sent to it, either router can be used. This means that if one goes away traffic will flow to the remaining one. Now the routers are no longer a single point of failure and can be added to distribute load or removed for maintenance. Does this mean that the network node above has a hidden load balancer and it is load balancing 🐢’s all the way down? Not at all: router based solutions are based on advertising routes to the server IP addresses. 
Each router can do this on its own and the other connected routers will choose the best seeming route, therefore no additional load balancers are required.\nHybrid solutions are the most resilient ways to build out a load balancer. Being the most resilient is not always required though. If a service can handle some amount of downtime, a simple software load balancer may be all that is needed. Cloud only deployments may require their own abstractions to replace the router. The best solution to any problem requires balancing what is present with what is needed. By understanding all the different scenarios and edge cases an engineer is able to make the important decisions to design that best solution.\nConclusion\nThis post began with the problem of needing to load balance encrypted connections. From there the tradeoffs of TLS Termination vs. SSL Passthrough were discussed and the author chose SSL Passthrough as the superior solution for Zero Trust Networking. Finally various ways of implementing this were shown, where each solution had its tradeoffs. The best solution was then determined to be a hybrid hardware / software deployment.\nFootnotes\n[1] The reason why “SSL” is used instead of “TLS” dates back to when this became a popular feature, i.e. when SSL was the name en vogue for this type of protocol. For whatever reason it seems to perform better in SEO than “TLS Passthrough”.\nSpecial Thanks\nSpecial thanks go out to the following people who helped inspire this article as well as talk with me about the concepts. In alphabetical order, by last name: Jia Chen, Anthony Fok, Arthur Gautier.\n","permalink":"https://er4hn.info/blog/2023.02.18-tls-load-balancer/","summary":"Tradeoffs and considerations when load balancing TLS connections","title":"Load Balancing TLS Connections: Tradeoffs"},{"content":"Intro\nThis was intended to be a short story. 
Due to an overabundance of enthusiasm and for lack of an editor it became far longer.\nA key theme I tried to cover here was: What is cyberpunk in 2023?\nChapter 1 - Real\n“How many meat buns can I get for these sanitary pads?”\n“What? None. What am I going to do with that? Do you have any liquor to trade?”\n“Liquor? Why are you always asking for liquor Hugo? You decide you want to run a bar instead of a bakery?” Hector crossed his arms and scowled, the box of pads clutched in his left hand as it crossed under his right arm.\nAs the two men haggled, commerce continued behind them. The streets by MacArthur Park were an open air market, filled with makeshift tents and stalls. Hugo was just one of the many vendors bartering, negotiating, and selling their products. Shampoo, razors, food, and clothes could all be found within steps of Hugo’s own stall.\n“No way Hector, it’s been my dream to own a bakery. Alcohol is just better réal, easier to trade and all.” The word réal rolled off the man’s tongue with a curl on the e, French style. Hugo gave him a small smile. “Besides, what am I going to do with pads?”\n“You live with your mom don’t you? I’m sure she could use them.” Hector twisted the hand holding the box back and forth as he spoke.\n“Naw, we’ve got plenty at home. I’m only interested in réal that I can trade easily. Not everyone has a woman in their life, but people always find a need to drink.” Hugo thought briefly. “I’m looking for razors as well. Small, portable. The guy I buy my flour from is always happy to trade those.”\n“I get razors I use them to keep my own face looking nice Hugo.” Hector frowned. “How about paper? 
Let’s do six pork buns for ten dollars?” Hector reached into his pocket and pulled out a single bill. It was rough, worn and creased, but unmistakably a piece of currency.\n“Hector, I would be happy to give you four pork buns for that.” The value of paper against réal varied. Paper was easier to transport than trade goods, but also much harder to make use of. Hugo waited for the offer.\n“I’ll take it. Thanks Hugo. Tell Felix I say hi.” Hector handed the bill over to Hugo, who checked the denomination and boxed up the pork buns.\nAs the day went on a few other people stopped by to purchase buns. No one else had paper to trade and the space below the table in Hugo’s stall got more crowded as he accepted toiletries, cigarettes, and a single bottle of rotgut vodka.\nChapter 2 - Home\nBy 3 P.M. Hugo started closing up. He’d run out of baked goods to sell and he had plenty of réal to haul home. After taking down the tarp covering his stall and packing everything into his wagon, he began to walk home.\nThe park quickly receded in the distance as he headed down the street. Palm trees, the ubiquitous signifiers of LA as an exotic destination, sagged heavily from their tops. The trunks of the trees blended in with the shades of brown on the buildings Hugo walked by. He read the familiar signs as he passed by each building.\n“Park outside pool inside, 85% renter satisfaction rating.”\n“Owner on the grind wants to build community in 35% cap rate building. We’re all going to make it, together”\nAs Hugo came to a building, built with brown bricks and surrounded with a metal fence, he read its sign: “Availability! 
Save on rent with our low cost e-management.” He slid his key into the building’s front door and unlocked it before heading up.\nA second key unlocked the bulky apartment door lock. A disheveled middle-aged man was sitting on the couch next to a neatly folded blanket. He wore a collared shirt, greatly rumpled, and simple blue jeans. “Hugo, good to see you man! How’s sales today?” the man asked.\n“They’re going well Ernie. I got a bottle of vodka today.” Hugo lifted the bottle out of his wagon and showed Ernie.\n“Yuck, cheap Russian rotgut. Better off using it to clean floors. Dilute it and add a few drops of scented oil.” Ernie made a face as he said it. “Which yes Felix, it’s not regulation, but getting your certification and working are two different things. You know that.”\n“Yes yes Ernie. That might work fine at the homes you clean, but I already have an office cleaning certification. They will denylist you on the spot if they catch you with alcohol in a work environment.” Hugo’s father came out of the adjoining kitchen area. A medium-height man, he had a phone in his hand and was scrolling through it. “Come here son.” Crossing the room he gave Hugo a hug with his free hand, following it up with a kiss on the forehead.\n“All these different certifications are a scam anyways.” Violet came into the room as well. Hugo’s mother, she sported blue hair and was just a little bit shorter than Hugo’s father. She too scrolled on her phone. With her free hand she munched on a peanut butter bun. “Hugo, these buns are great. I hope you don’t mind me eating one. I gave you life after all.”\nHugo rolled his eyes. 
“Just one Mom, I brought back some razors like you asked.” Violet slipped her phone into her pocket as Hugo handed over a small pack of safety razors. “Just so you know, these cost three peanut butter buns.”\n“Thanks so much sweetie.” Violet smiled as she took the razors from him. “I hope that you’re eating as well. No one trusts a skinny baker.” She turned back to the men. “Every year, they have us pay to recertify. And then you need a different certification to clean an office than a house? What’s the difference anyways?”\nThe men chanted in unison: “House cleaning focuses on detail. Office cleaning focuses on speed.” Ernie high-fived Felix. “I am teaching you well my friend.”\n“Uh-huh.” Violet finished the bun and took her phone back out. “I have a 6 PM offer for babysitting. This is a toddler and yesterday I watched over an infant.” Violet cocked an eyebrow at the two men and smiled a little. “Good thing I don’t need separate certifications for those.” Swiping her finger across the screen, she accepted the job and put her phone back into her pocket.\n“Sure, but you still certify for French every year. It’s why you keep on getting those jobs. They think a few hours with you and their child will be multilingual.” Felix smiled back at Violet.\nViolet replied in Chinese. Casually shrugging both her shoulders and with a roll of the eyes she started helping to unload Hugo’s cart. “Chinese… is more useful?” Hugo struggled to translate.\n“You got it right.” Violet smiled at him. “I’m glad you are learning.” She moved the items off the cart. 
The living room had piles of different réal, with some loose attempts to group them by type. Most were in boxes but a few were just left loosely on the ground. “Really honey? Caramel corn?” Violet lifted up a long plastic bag, sealed at one end with a twist tie. “This will only last a few days before it goes stale. You’re saving up to open a bakery, not provide a community service.”\n“I know Mom.” Hugo held his hands up in front of him as he explained. “I haven’t decided what to do with it. I can eat it as a snack or I can put it on top of baked cookies. It will get used.”\n“I vote for the cookies,” Ernie said. “Seconded,” Felix added.\n“Hey now, we like you and all, but you’ll still have to pay for them. Speaking of which, did that payment go through to the landlord?” Hugo inquired. “I can’t believe they just locked you out of the apartment on the first of the month. Those e-locks on the doors are the worst.”\n“I know, I hate them. They give us a physical key to open the door and then add some fancy doohickey that keeps us locked out.” Ernie frowned. “I did pay, I paid on time like I always do. Some fraud mechanism got tripped and the bank won’t complete the payment. I spent three hours waiting in the Meta and couldn’t get a teller.”\n“Ugh. Speaking of which, I need to hop in. City Hall is open and I need to get my business permit.” Hugo went to the headset in the corner of the living room and put it on. “Mom, can you finish unloading? Thanks.”\n“On it honey.” Violet continued unloading items. 
“It’s ridiculous that they make you rent the space before you even have the permit.”\nAs the headset settled over Hugo’s eyes the lights inside it gently came on. White noise gurgled out from the speakers and a logo appeared. “Meta Block - The World is Yours”.\nChapter 3 - Meta Block\nThe lights turned up to white, then softened to reveal a virtual world. Hugo took a breath and braced himself.\nIf you owned property in the Meta, you’d start there. A tastefully decorated apartment, a view from high up, some music playing in the background. Perhaps a virtual dog to run up and greet you. Hugo did not own property in the Meta. His view began on the street, in Founders District.\nA hovering billboard showing a long Japanese eggplant was the first thing he saw. The billboard spoke to Hugo and said “Big growth for affordable prices…”\nAvatars pushed past Hugo. Streams of beings, each heading their own way.\n“By God, the end of the world is coming,” a man in a priest’s outfit shouted nearby.\nThe avatars looked like whatever their creators wanted. Humans in business suits shared space with masculine-looking wolf-human hybrids. Cat girls with anime-styled blue hair strutted as drones with brains in bubbling tanks flew around them.\n“Hey Cutie, I’m in MACARTHUR_PARK and I want to meet you,” said a voice right by Hugo’s ear. He didn’t turn to see the bot, and sighed at the change in tone and inflection when it said the name of his neighborhood.\nNone of the avatars who actually knew each other spoke on the public chat. Any communication was done over private channels. Some relationships could be inferred if a pair moved in unison, but that was like finding two bubbles that stayed together in a roiling river.\nThe priest continued shouting “Save yourself at the Church of Holy Workers. 
Let not your body rest, but put it to work. Idleness is a vice!” The voice reached a crescendo at the end.\nHugo flexed his fingers over the chorded keyboard. Each hand rested on five keys. His eyes were immersed in the screen, so he couldn’t look at what he was pressing. The combinations of ten keys he could press at any moment were translated into meanings in the Meta. First he activated the ad blockers. The voices, billboards, and the priest all faded away. Hugo exhaled in relief. Next he filtered out the people he didn’t have a pre-existing relationship with. The city blocks faded away to emptiness and Hugo was alone with the buildings and empty streets.\nHugo queried to see how much a taxi would cost. Even in the virtual world, it was too expensive to be worth the time savings. With some final keystrokes Hugo plotted out a route to City Hall. A set of blue bubbles appeared on the sidewalk in front of him and trailed off. Hugo set out and followed the path.\nWith the people and advertisements gone, the buildings themselves stood out in contrast. Many of the buildings were girthy towers, shooting bolt upright with bristling trees lining their bottoms. They came in a variety of colors, many of them with bulbous penthouse suites at the top.\nThe salaciously shaped skyscrapers each had their own set of messages for Hugo as he walked by.\n“Spacious top level floors provide beautiful views. Ask about our personalized loan program.”\n“Buy today, sell in a year, retire. Less than 10% of units are available.”\n“High density housing at low low prices. Save even more with smart-contract-based dynamic time-division. 
You don’t need to know or see your housemates thanks to award-winning multiple access splits!”\n“Isn’t that just a timeshare?” Hugo muttered as he walked by.\nOne of the more tasteful exceptions was a blue, art deco-style tower. Its vertical lines rose up and Hugo let his gaze wander over the gold filigree that formed a row over the bottom story and a sun over the entryway. As his gaze reached the end of the building he saw a wolf-human hybrid standing by a simple, one-story building next door.\nHugo drew closer and tried to query who the avatar was. With his ad blockers on, he had to have interacted with it before. Its wolf head, hairy chest, and muscular human arms were not familiar, but appearances were malleable in the Meta. It looked at Hugo and smiled. “Hello friend.”\n“Hello.” Hugo tapped and released keys to start a query. “I’m sorry, I don’t recall how I know you.”\nThe building behind the avatar was designed as a simple ranch house. Small buildings meant fewer units to sell on a plot of land. A single occupancy home was a display of wealth in the Meta. The wood walls and simple design were spoiled by the pumpjacks on the front lawn. Their hammer-shaped heads bobbed up and down on the lawn. Instead of oil, money emojis were popping into the air and fading away with each upstroke. Hugo realized what the person was: “Oh fuck me, a crypto miner.”\n“How you know me doesn’t matter.” The avatar glanced over its shoulder and then back at Hugo. “Do you like my house? I bought it myself with the money I earned mining. You know, I teach courses on how to do this yourself. Very affordable.”\nThe query returned and Hugo read its contents. 
He had once followed this person’s online videos on how to make the most of leftovers. “That sounds very nice, but,” Hugo turned and started to leave, “I’ve got to go.”\n“I know you’re in MacArthur Park. That’s not a great area.”\n“Yes, thank you, I know I don’t have a VPN. Good job tracing my address.”\n“You can do better. I live in a great house in the real world. Just try the course, do you want to be poor forever?”\nHugo took a deep breath. He turned back. “What the fuck am I going to buy with some crypto coins? Nobody takes those in the real world.”\n“Hugo, language,” came a muffled voice from the real world.\n“Do you take payment in réal? I’ve got baked goods, that’s my path to success. You want to take those for your stupid course?”\nThe wolf face on the avatar smiled languidly and ran its tongue along its lips. “Bank only. You know how it is. If you don’t have digital money, you don’t really have money.”\nHugo turned his back on the avatar and followed the blue dots with hurried steps. His face was in a grimace as he went along.\nWhen he reached City Hall, Hugo had calmed down. The virtual building was much the same as the real world one. A flat lower story led to a rising tower. Each side of the tower was flanked by smaller towers. When Hugo stepped inside, it didn’t seem anything like a real building.\nA semicircular lobby opened to six branching corridors. The walls were a soft green and the carpet on the floor an office taupe. There were no signs nor receptionists. Hugo attempted to pull up directions to the business permits office. A blinking sign informed Hugo that the City Hall of Los Angeles was a premium zone and asked for additional payment. 
Hugo closed the map and chose a corridor at random.\nAs he walked he passed door after door. Each one was identical: a walnut brown door, the top half having a frosted glass window, and a brass doorknob. The signs on each one were different: Department of Electrical Inspection, Adjunct Office of Fishing Permits, Bureau of Home Agriculture, Main Office of the City Clerk. It went on and on. Nothing was numbered so Hugo couldn’t tell if he was making progress or not.\nPassing by the Sub-Bureau of Weights, Hugo saw another corridor open to the side so he decided to go down that. He turned down a hallway, then down another. After some steps he stopped. He was in another T-junction hallway, standing in front of the door to the Sub-Bureau of Measures. But this was wrong.\n“Okay, let’s see. I turned right a little past Weights. Then right, right, and I should be back where I started.” Hugo stared at the sign that read “Sub-Bureau of Measures”. “This architecture is fucked,” he said out loud.\nGlowing, transparent, slightly pink walls surrounded Hugo. A chubby, middle-aged woman materialized at a desk in front of Hugo. Her avatar looked at Hugo with mild disdain.\n“Language! I told you already,” said a voice by Hugo’s ear.\n“Sorry mom,” Hugo replied. He looked at the woman at the desk.\nThe avatar blinked at Hugo once before answering. “Your language is disrespectful towards the people around you, the city of Los Angeles, and is a violation within city property. This is your first warning.”\n“Okay, okay I’m sorry.” Hugo raised his hands. “You’re right, I shouldn’t have cursed. I don’t get where anything is in this building. It’s empty, it’s confusing. 
Can I get a map, or some directions to the Office of Business Permits?”\nThe lady at the desk frowned at Hugo then tapped out something on her own hands. Hugo’s filtering software was overridden and the corridors were thronged with people. The only open space was that delimited by the pink box he found himself in.\n“Sir, the city hall of Los Angeles employs fifty thousand people.” This felt like a well-rehearsed speech. “You are not the only person here and there are lots of other people who need to make use of government services. Furthermore the hall internal is built on a four-dimensional design, with rights to that copyrighted by the architect. You are able to purchase a map for a nominal fee.”\n“It’s a virtual world. Why make it so confusing? I just want to get to the office.” Hugo was starting to feel like he’d made a mistake in how he’d started off with this woman.\n“Sir, the architecture of this building is an homage to the former real-world offices. Now that we are able to streamline services online that building has been put to better use while the government expanded its services to better serve the populace. If we were to allow the hallways to stretch beyond the dimensions of the original building it would reach all the way over to MacArthur Park.”\nHugo sensed a chance to reset the tone of the conversation. “Oh wow, that would be convenient. I could just walk from my apartment right into City Hall!”\nThe avatar blinked once before answering. It had to be a deliberate emote, with her selecting it from her own chorded keyboard. “I’ve heard of that place. It’s rough isn’t it? 
I guess it explains your gauche behavior.” There was some sympathy there.\nIt was Hugo’s turn to blink, but he wasn’t going to express that over the Meta. “Ma’am, pardon me, but where are you from? MacArthur Park is pretty close to downtown. Don’t you work near city hall?”\n“I live and work in Louisiana,” she replied. “One of the wonderful things about the online-first approach of Los Angeles is that it opens employment opportunities to people like me. I can work for your city while living in an affordable, and safe, location.”\nThe aside about a safe location was not missed by Hugo. He tried to reset the tone again and play a sympathy card. “Please ma’am. I’m lost and I really need to get to the office. It’s important for my family. Can you help?”\nShe looked at him, unblinking this time. “I am here to help. In the future just say ‘I am requesting assistance’ and a member of my office will be here to help you.” Her virtual hands flexed, silently clicking along a chorded keyboard of their own, and the world around the pink box blurred as the box sped through the halls. After a moment the box stopped in front of another identical-looking T-junction. The woman and the walls faded away without a goodbye.\nIn front of Hugo stood a door labeled “Office of Business Permits.” He opened it and went inside.\nChapter 4 - Certificate of Good Standing\nHugo looked around the waiting room and blinked. It had chairs, and avatars sat in them. A sign on the wall listed the estimated wait time as “1 hr.” A receptionist sat patiently at a desk and looked at Hugo but did not make conversation. A bell dinged and one of the avatars evaporated into thin air. 
The sign on the wall changed to read “58 min”.\nHugo went over to the receptionist. “Excuse me sir, how does this all work?”\nThe receptionist looked at Hugo and then at the chairs. “You sit in a chair. It doesn’t matter which one. Our automated system will then note your place in line.” Her voice was puzzled at why he would ask such an obvious question.\n“Yes, but, this is the Meta. Can’t we just have an appointment and come back when it’s our turn? Why wait?” Hugo reflected her puzzled tone back at her.\n“Oh, of course sir.” The receptionist perked up, understanding that there was a service she could provide. “Appointments cost 5 dollars to schedule. Once you transfer payment over I will provide you with a slot.”\n“Oh, uh.” Hugo needed to save as much bank as he could for the business permit itself. “I have some paper.” There was an awkward silence as they looked at each other. “In the real world of course. How does that work?” Another awkward silence ensued.\nThe receptionist finally broke it. “Sir, we take an online-first approach. We can only accept money transferred from bank accounts or a trusted payment processor.” The receptionist’s fingers clacked over his keyboard and a screen appeared in midair. It showed various logos of banks and payment services. “Would you like to pay with any of these services?”\nHugo read over them for a moment, to try and save face. “No, you know what it’s fine. I use different services.” He turned around and went to the chair. As he looked at it, an option came up to sit in it. He selected “yes” and as he shifted into the seat the sign on the wall changed. 
\u0026ldquo;Your personalized wait time: 1 hr 10 mins.\u0026rdquo;\nHugo shifted his body and stretched a little in the real world. He called out \u0026ldquo;Mom? Dad? Can one of you bring me some pillows? I\u0026rsquo;m going to be here a while.\u0026rdquo; After a moment a pillow was slipped behind his back.\nErnie\u0026rsquo;s voice sounded in his ear, \u0026ldquo;Your dad left for work and Violet is in the kitchen. My shift doesn\u0026rsquo;t start for another hour. You want me to get you some water?\u0026rdquo;\n\u0026ldquo;Thanks Ernie. I\u0026rsquo;ll pass on the water. I don\u0026rsquo;t think I could use the bathroom with this headset on and I\u0026rsquo;m scared I\u0026rsquo;ll lose my place if I take it off.\u0026rdquo;\n\u0026ldquo;Parasites.\u0026rdquo; Ernie clapped him on the shoulder. \u0026ldquo;Stay strong kid\u0026rdquo;.\nBack in the waiting room, time slowly counted down. Sometimes it also went back up, but there was nothing to do but wait. Hugo watched another person go to the receptionist and start shouting after a moment. \u0026ldquo;What do you mean I lost my place in line? My dog needed to be let into the god da-\u0026rdquo; The avatar disappeared before it completed it\u0026rsquo;s rant. Hugo felt glad he had passed on the cup of water.\nAfter around an hour and a half Hugo\u0026rsquo;s personal timer hit 0 minutes. The display on the sign changed to fireworks and after a moment Hugo found his seat was in front of a desk in another room. Yet another avatar, this one in a suit with a pocket square, sat behind another generic desk. \u0026ldquo;Welcome to the business permits office. How can I help you today?\u0026rdquo; Finally, the wait was over.\nHugo stretched his jaw for a moment before answering. \u0026ldquo;I\u0026rsquo;m here to apply for a business permit. I am opening a bakery in Los Angeles.\u0026rdquo;\n\u0026ldquo;Oh wow, a bakery, eh. 
We can always use more baked goods.” Hugo couldn’t tell from the tone how the human behind the avatar actually felt. “For a restaurant license we’ll require a few items. You’ll need a food safety certification, employer identification number, let’s see,” he paused, thinking, actually pulling items from his memory, “and what is the name of your business?”
“Hugo’s Savory Baked Goods. I specialize in savory baked items, sir.” Hugo was so excited he just started sending in his pre-filled-out forms before the avatar even asked. Papers appeared on the desk on Hugo’s side and slid across the table to the office worker.
The worker briefly glanced down at them, then back to Hugo. “Hugo is your first name, yes?”
“Yes.” Hugo began to feel nervous again. The worker had not even reviewed the forms he had labored over in his spare time.
“We’ll require a fictitious business name statement. Not to worry, we can do it right here. It’s very simple and has an affordable 100 dollar fee.”
Hugo suppressed a groan. The amount of money he had saved up in a bank was limited and this was going to eat into it. “Of course, but why? My name is in the business.”
“Your first name is. Your family name has to be in there to avoid filing the statement. But like I said, it’s very simple to do.”
“I’ll,” Hugo breathed in and out, “make it my last name. Castillo. Castillo’s Savory Baked Goods. Why spend money if you don’t need to, right? Every last dollar counts.” Hugo felt like he didn’t belong, but he tried to play it off.
“Yes, every dollar counts.” The avatar of the office worker didn’t appear to move, but Hugo felt like he had said something that had gotten the man’s attention. The avatar caused the forms to levitate in front of him, fluttering back and forth as he reviewed them. “Let’s see, everything here does appear filled out. MacArthur Park home address, I see, right near the Hall’s physical location. Ah, and it looks like the bakery is walking distance from it. A real community business.” The papers stopped floating around, assembled themselves, and laid down on the desk in a neat stack. “Unfortunately you seem to be missing a certificate of good standing.”
“A what now?” Hugo hadn’t seen this on the website when he was gathering all of his paperwork.
“A personal certificate of good standing. Proof that you do not have outstanding debts, warrants, and a social media review to ensure you are not associating with known gang members. It’s on the LA City Hall website.”
The avatar’s fingers clicked and a screen showed up in front of Hugo. It listed the certificate and the requirements. Hugo’s heart nearly stopped when he saw the fee. 1,000 dollars. All of his banked money had gone into saving for the permits and renting a space for the bakery. He could put together some paper money, maybe find some loans, but he didn’t have enough to cover the fee.
Hugo held his voice steady as he spoke. “I have paper. I can walk it down to city hall in person. What’s the procedure for that?” There was a brief silence as Hugo added on, “Sir. Sorry, sir, what’s the procedure for that?”
“Ehm, paper bills.” Hugo could sense the person on the other end furrowing his brow. “You understand, we are trying to move away from paper currency as part of our modernization process. You would need to go to a registered bank, provide paperwork showing the money has a legitimate provenance, then make a standard bank transfer.”
Hugo didn’t know what to do. He thought about the requirements to show the origin of paper money. He couldn’t even show legitimate provenance for the ten dollar bill he’d picked up today. Not without first having a business license and then a currency scanner. “That’s going to be really hard for me.” His voice was soft, subdued, when it came out.
“I understand.” The office worker’s voice stayed flat and even. “There are some programs to help small business owners get started. I’m afraid I’ve misplaced them, but, if you can give me your contact details I’ll send it your way.”
Hugo created a contact card and watched it materialize on the desk and slide across to the man. “Thank you for your time today. Sorry to bother you.”
Hugo signed off the Meta and took off his headset. Violet sat on the couch looking at him. She’d heard each word he said in the office. Hugo could tell from the sympathetic look on her face. Violet gave him a few squares of paper towel and held him as he cried.

Chapter 5 - Opportunity

“A personal permit of good standing. Huh.” Ernie stood on the other end of the vendor stand. He picked at his teeth as people crossed behind him. “I haven’t heard of that one before.
Those parasites will put a tax and a permit on everything they can if it keeps them employed.”
It had been a few days for Hugo and the initial shock had passed through him. “I don’t know what to do about it. I close my eyes and I see that price tag he showed me. One thousand US dollars. Even if I had that much paper, how could I make it into Bank?”
“You couldn’t,” Ernie said. “Those anti-drug laws. You take paper from the bank, you can trade it around. You want to put it back in the bank, they make you show how you got it. They even make you get one of those serial number scanners if you’re a business. It’s all a scam.” He grimaced. “Anyways, look, I appreciate your parents helping me out, but you know them. Goodness of their heart, they won’t take anything from me for it.”
“Come on, Ernie, I’ve known you so much you’re pretty much an uncle to me. I never heard, did the bank ever tell you why they finally paid the landlord?”
“No, they don’t have to, so they won’t. I’m just glad my door opens again and I can put on some of my own clothes.” He held up a bottle of cheap vodka, a big one. “I found this in a corner of my apartment and I thought your dad could use it. He just got his house cleaning permit and this will go further than some lemon scented all natural spray. How about…” he waved his finger around before settling on a pastry, “one of those hot dog buns? Got to eat on the run.”
“Ernie, I told you, you don’t have to do this,” Hugo protested.
“Kid, I told you, I got places to be. Let’s make this fast.” Ernie set the vodka down on the tabletop. “Now come on, hand me that bun before I get it myself and violate some food safety law.” For all of his bluster, Ernie had a small twinkle in his eye as he spoke.
Hugo lifted the bun up and put it in his hands. “Thank you, Ernie. Pleasure doing business with you.”
“You too, kid.” Ernie walked off munching the bun. Hugo smiled at him as he walked away.
After a couple minutes Hugo sighed and the smile left his face. He checked his phone. There was a message from a sender he didn’t recognize. “Hi Hugo - this is Frank from City Hall. We met when you wanted to get your business license. Can we talk in person?”
Hugo remembered the avatar at the desk and how he’d mentioned an assistance program. He licked his lips and texted back: “Yes, that would be wonderful. Do I meet you at City Hall in person?”
“No, we’ll meet at Dancing Goat Coffee, tomorrow at 10 am. Bring a pastry.” A picture of the man’s face was attached. Middle aged, and white, he had a goatee and large bags under his eyes. He wasn’t smiling in the photo.
The next day Hugo came into Dancing Goat. A few blocks from City Hall, it felt excessive for a coffee shop. Hugo looked around at the mid-century furniture and polished stone coffee tables. A yellow neon sign next to some ivy said “hello sunshine”. For an extra 2 dollars he could have something called “myracle mylk” in his coffee instead of the soy milk he was used to. Looking around he saw Frank at a table. Frank waved and smiled briefly. “Hugo, get yourself something to drink.” He pointed at the counter.
Hugo went over and paused, looking at the counter. He’d had coffee at home plenty of times. Sometimes when his mom had a great day she’d take him to Starbucks for a frappuccino. He’d never seen anyone lay out coffee beans from different parts of the world in separate display tins. Each one had little plastic figurines of goats mixed in with the beans.
“Hi! What are you in the mood for today?” Hugo stopped trying to figure out if a bean from Guatemala looked different from an Ethiopian bean and looked up at the barista. Smiling and young, with perfect white teeth and curly hair peeking out from under her cap, she exuded energy. A nametag pinned to her apron read “Whitney”.
“What’s good here?” Hugo sounded out each word slowly as he scanned the menu. Charcoal lattes couldn’t possibly taste good. He wasn’t quite sure what would go into an espresso tonic. An ordinary coffee was there, but it felt like ordering that would signal he wasn’t sophisticated.
“The rose latte is my favorite,” the barista replied. She nodded a couple times as she mentioned how it “had a light taste and good balance.”
“Okay, I’ll take that. How much is it?”
The barista blinked at him. “What sort of beans, sir?”
“Oh! How about Guatemalan,” Hugo replied. He still had the ten dollar bill in his pocket so he took that out to pay.
The barista took it and put it into the currency scanner. A laser whirled along the bill and the readout listed its characteristics:

$10 bill
Genuine
FENTANYL DETECTED

The last line blinked on the screen. Hugo looked back at the barista and blinked. He rubbed his hand on his pants.
The barista shrugged. “It’s weirder if nothing is detected.” She put the bill into the till and handed him back some change.
Raising her eyebrows, she leaned in a little. “I wonder what drugs are on these?” Hugo laughed and dropped a couple single bills into the tip jar.
The drink looked exciting when Hugo got it. Rose buds added bright red spots on top of a layer of thick white foam. The drink itself felt warm in his hands.
Sipping the latte, he joined Frank at the table. A rose petal got stuck on his lips and Hugo put it back in the cup. As he sat he put the bag with the pastry down as well. Frank looked him up and down. “You’re skinny for a baker, Hugo.”
“I’m just getting started. Come see me in five years.” Hugo smiled and pushed the bag across the table. “This is a pineapple bun. There’s no pineapple inside, that’s just the name, ’cause of the texture. It’s a sweet bun.”
Frank pursed his lips and looked inside. “Thanks.” He took it out and started eating it. “Didn’t you want to call yourself a savory pastry shop?”
“Well, I’m the best at savory pastries, but who doesn’t like sweets?”
“You’re unfocused, Hugo.” Frank set down the bun, half eaten. “But you got heart. I wanted to talk to you about your permit issue. You seem like you don’t got a lot of savings to get this business started. That true?”
“The permit of good standing? Yeah, I mean, I’ve heard of that for a business, but never for a person. I don’t get it, I never even saw it on the site when I was putting the documents together.”
“Yea, good standing, that’s the one.” Frank paused. “How much does this bakery mean to you?”
“It means the world, Frank. I’ve watched my parents work gig jobs ever since I was little. I really want to own my own business. If I can pull this off and really earn some money, I won’t be like them. I can save more and I can even help them pay the rent. Maybe someday we’ll even own a house to live in.” Hugo leaned across the table towards Frank. As he talked about owning a house, the corners of his eyes turned up.
“Hmm.” Frank leaned back a little. “So what would you say to picking up some extra work?”
“Would that help?” Hugo furrowed his brow. “I mean, I need this permit. But when you said there is a program, I thought it would be, like, a scholarship.”
“A grant? No, this isn’t communism. I work with some people, and they need help with conducting some business. You’ll get paid in Bank. Save up enough and you can pay for your permit.” Frank tore off a piece of the pineapple bun and eyed Hugo.
“Okay.” Hugo thought about it. “And what does this involve?”
“It’s pretty easy. My colleagues have paper. Much like yourself, they need Bank. Unfortunately, converting it requires a lot of time and energy. That’s where you come in. You follow?”
“Uhh, you want me to fill out the forms that say where the paper came from?” Hugo wasn’t sure where it was going.
“No, kid, forms take a while. Sometimes the bank freezes assets. The loophole is, if someone buys something from you, they can pay you in Bank. Now, a pastry isn’t worth that much,” he held up the remaining quarter of the bun, “but with enough paper you can buy bigger things. Booze, clothes, maybe even some jewelry. Then you sell it to someone else. Bam, you made bank.”
“That doesn’t seem quite legal.” Hugo was sitting up straight now. He worried that he was being tested somehow. Maybe the permit of good standing had a test where you had to refuse to do something illegal?
“Look, I work with people in cash businesses. They have a need to pay their rent, just like you. These permits are a pain. Currency scanners charge monthly fees. And for what? You and I both know these drug laws are bullshit. I saw you get nervous with that cashier lady when your bill came up dirty. She still took it, didn’t she?” Frank leaned in himself. “I’m just trying to facilitate free trade and help people out. Let’s give this a try. I’ll give you a hundred dollars. Buy me a bottle of liquor from the store across the street.” Frank reached into his jacket pocket and took out an envelope. He placed it in front of Hugo. “I’ll be right here. Don’t take too long.”
Hugo sat there, thinking. This felt like it was going too far to be a test of his character. He reached over and looked inside the envelope. Several paper bills were inside it. He looked up at Frank, who smiled with his teeth closed and nodded. Hugo closed the envelope and thought. He thought about his parents, and about the constant struggle to make rent. He thought about wanting to prove that he could be successful. He got up and crossed the street.
Buying the alcohol couldn’t have been easier. Hugo went and pointed to one behind the counter. The cashier didn’t bother asking for ID and scanned the money in. Drug alerts flashed on the scanner as the cashier bagged the bottle and handed it back to Hugo. Each exchanged a “have a good day” and Hugo crossed back.
Hugo placed the paper bag on the table next to his pastry bag.
Frank took the alcohol out and placed it where he could get a clear picture with his phone. “Hugo, you’ve done this before. You send me your bank account. I take a picture of what I am buying from you and send you the money. Show me your code.”
Hugo took out his phone and thumbed through it to reveal the QR code for his bank account. Frank scanned it. “Now read me your verification phrase, Hugo.”
Hugo thumbed his phone again, revealing a set of five random words. “sierra kilo hotel golf X-ray”.
“That’s not what I have. Shoot, I think my phone picked up the menu code on the table here.” After trying a second time, the phrase matched up. Frank tapped out some numbers and then hit send. He looked Hugo in his eyes. “This is part one. Now I need you to send the money to someone else.”
Hugo looked at his phone and saw he’d received ninety dollars. “This isn’t the full amount, Frank. You gave me a hundred.”
“I know what I gave you. This isn’t about haggling for the best price. You want to make sales, and the fastest way to do that is to sell at a discount to the real value.” Frank held up a QR code on his phone. Hugo scanned it and read back the code. It belonged to a business named “Comprehensive Dental Solutions”.
Frank gave him a tight lipped look. “Okay, now this is the important bit. You need to wire them seventy dollars.”
Hugo punched in the numbers on his phone and hit send. “Okay, that’s done. What happens to the remaining twenty?”
“That’s yours, Hugo. You’re working with us now. You’re going to be doing this a few times. Not with me, but just like this. We’ll tell you where to buy and where to sell. This will just be a little while, until you have enough saved up.”
Frank put the alcohol in his bag and gathered up his possessions. He stood up to leave. “Where is a good place for us to find you?”
“I run a stand by MacArthur Park. Maybe your associates can,” Hugo paused, uncertain, “buy some pastries?”
“Oh, one of those unlicensed stalls? I know where that is. We’ll be by.” Frank smiled and nodded at him, then left.
Hugo finished his coffee and looked at the dregs of the rose buds at the bottom. Soaked with foam and coffee, the buds looked like they had fallen to the ground and gotten covered in dirt. Hugo placed his coffee cup in the trash and left.

Chapter 6 - Earning

The man at the stall didn’t smile. He didn’t even try to have any sort of greeting. He came up, somber faced, in his black leather jacket and blue jeans. His conversation opener was “Hugo.” He then pointed at a random pastry and ended the conversation with “that one.” Hugo bagged it and took the roll of money from the man. Getting him to take the pastry and not just shove money at him on the street had been a victory.
Hugo stuck the money in his pocket and worked for a bit longer before wrapping up the day. After heading home Hugo slipped into his bedroom and counted it out. A thousand dollars. He checked his phone and a message blinked on it.
“Locations are attached to this message. You’re going to get a watch. Tell the store clerk you want a ‘big bling deal’.” A map showed a pawn shop and what looked like an apartment building. As Hugo read it, a countdown timer started. He had one hour before the message went away. That would be plenty of time.
Hugo came into the pawn shop and looked around. He found a pair of watches that added up to around the amount. Pointing them out, he asked the clerk to ring them up. When he pulled out his cash, the clerk glowered at him.
“No paper transactions over fifty dollars. Store policy.” The clerk tapped the sign with his finger and started to put the watches back.
“Hey, wait a minute.” Hugo stopped him and remembered the last part of the message. “I heard this was a good place for a…” with a pause, “big bling deal.”
The clerk looked him up and down and grimaced. “Do you not know how to work that into a normal sentence? Fucking hell, man. And why didn’t you start with that?” He reached under the counter and brought out a wristwatch with a giant face. Its bezel and bracelet were covered in jewels.
Hugo looked at it. “It’s not running.” He pointed to the stopped second hand.
“That’s not the point. Give me the paper.” The clerk held out his hand.
Hugo handed the paper over and waited for the clerk to bag up the watch. The clerk nodded at it and finally pushed it towards him. Hugo pocketed the watch and left to find the buyer.
Looking up the address on his phone, it seemed familiar. Every time was different, but this place he’d been to before. After knocking on the door a man opened up and let Hugo inside. “Hey, Paul, right?” Hugo said. “Good seeing you again.”
Paul was unshaven and wearing a white tank top. He glowered back at him. “Yea, listen, let’s get this over with.” Hugo set the watch down on the table, gave Paul a smile, and gestured with his hand.
“What the fuck, kid. Give me your account details.” Paul looked at Hugo like he was retarded.
Hugo took out his phone and frowned.
“I gave them to you last time, you should have it saved.” He thumbed out the QR code and held it up for Paul.
“Look, I don’t save evidence on my phone. I’m not stupid. The police come looking, I’m not going to have a bunch of goddamn evidence all lined up for them.” Paul took a picture of the watch.
“Uhh, Paul, don’t you want to check the confirmation code?” Hugo looked at his phone. “Did you get Whiskey Oscar Echo…”
“What the fuck, do you see any other QR codes around you? Are people putting QR codes in my home, which I live in? Do you not think I can point my phone at yours? I scanned your damn phone, it’s the only thing with a code in here!” Paul’s eyes were bugging out at this point.
“Yea, okay, look, it’s cool.” Hugo held his hands up, calmingly, and his phone dinged.
“I gave you your money, get lost.” Paul pointed towards the door.
Hugo kept his hands up as he went to the door, lowering the one not holding the phone to open it. After stepping outside he checked his phone. Six hundred dollars. He sent all but fifty of it to the account Frank gave him. “Jesus, Paul. You sent me the money. The bank’s going to hold onto those records forever. What evidence are you hiding? And what are we doing where the police are going to care about it? They don’t care about anything less than millions.” The questions were rhetorical. Paul wasn’t around and Hugo was talking to himself as he headed back home to get some rest.
When Hugo came in through the door to the apartment he found his mom yelling at his dad.
“Oh, look, Felix, our door still opens, our son can still come home!”
Felix sat on the couch, looking down and playing with his hands. “Ernest said it would be fine. That he’d done it all the time.”
Violet sounded out each word as she spoke. “You put it in a different goddamn bottle.” She threw her hands up as she turned to Hugo. “Your father has gotten himself kicked off the gig network. I’m going to have one hell of a time making rent on my own.”
“Dad.” Hugo looked at his father as he sat there forlornly. “What happened?”
“I used the bottle of vodka for cleaning. Just like Ernest said. Dilute a bit, add some lemon scented oil.” Felix didn’t look up. “But I didn’t put it in a spray bottle. I kept the bottle of vodka and would just put a little on a rag. I didn’t think they would care.”
“Oh, Dad, you absolute idiot.” Hugo sat on the couch and hugged him.
“They reported me, Hugo. Took a picture of it for evidence. Not only did they kick me off the network, they charged me the fee they refunded to the homeowner.”
Violet sighed and went over to Felix. She hugged him and put her forehead on his. “Yes, Felix, you are an absolute idiot. Now we have to deal with this.”
“I don’t know what to do now. Gig work was steady. I can’t use them as a reference, not after this though.” Felix paused and thought. “It will be a while before I can find a job elsewhere. I’m sorry, I really made a mess of things.”
“Mom, Dad, it’s going to be okay.” Hugo paused.
“I know, honey. I’ll work some extra shifts. Felix can cook and clean around the house. We’ll trade in some of your réal for bank.” Violet smiled at him.
“No, it’s going to be okay. I can cover rent this month.” Hugo looked at both his parents. They stared back, confused.
“Hugo, son, I know you’ve been going out a lot, but you haven’t been coming back with a lot of stuff,” Felix said. “How would you have that much bank?”
Violet furrowed her brow and frowned at Hugo.
“I have the bank, okay. I have it, I’ll transfer it, we’re going to be fine this month.” Hugo got out his phone and sent the money to the family account. Both Felix’s and Violet’s phones dinged. They checked them and looked at Hugo.
“How?” was Violet’s first response. “Honey, is this money clean?”
“Please don’t ask me about it. I don’t want to discuss it,” Hugo replied evenly.
“Son, what have you been doing at night?” Felix asked. “Please don’t tell me you’ve been dealing drugs. That is dangerous stuff.” He began to sound worried.
“Like I said, I can’t discuss it.”
“Hugo, you need to tell us where this came from. What are you doing?” Felix was sounding more frantic than when he talked about his firing.
“I have some money and I can provide for you guys. I’m an adult. I can provide too.” The last part came out louder than Hugo intended. He stopped and looked down.
Hugo’s parents looked at each other. Violet responded after a moment. “You know we love you. This means a lot to us right now. We have to worry though. You mean so much to us.”
“I know. You mean a lot to me too.” Hugo hugged both of them. “I’m going to bed.”
Hugo got up and left the room.
He sat on his bed for a bit listening to his parents worry to each other about the source of the rent money. \u0026ldquo;I thought it would be different.\u0026rdquo; he whispered to himself. \u0026ldquo;I thought they\u0026rsquo;d be more proud.\u0026rdquo; He pulled out his phone and sent Frank a message. \u0026ldquo;I\u0026rsquo;m going to need more jobs. Something came up.\u0026rdquo; He then laid down and went to sleep.\nChapter 7 - Big Purchase The next few months operated on a steady rhythm. Hugo would run his stall until lunchtime. About once every week one of Frank\u0026rsquo;s associates would drop some paper off. After closing down his shop, Hugo would go through the process to trade the paper for some trade goods, then sell them to get digital bank. He\u0026rsquo;d forward the bank, minus his cut, to Comprehensive Dental Solutions. Sometimes he\u0026rsquo;d grab a coffee with Whitney at The Dancing Goat. She was pretty fun to talk to, even though Hugo didn\u0026rsquo;t get romantic vibes from her.\nAfter the end of one of those excursions, Hugo came back into the family apartment. It was evening and near the end of the month. Before he even came into the house, Hugo had already forwarded some bank to help with the rent.\nFelix was sitting on the couch when Hugo came in. He put down his phone and looked at Hugo with a serious face. \u0026ldquo;Hugo, we love you and this really helps. But I have my own job as well. Selling fast noodles is steady. You don\u0026rsquo;t have to worry.\u0026rdquo;\n\u0026ldquo;I\u0026rsquo;m not worried, Dad.\u0026rdquo; Hugo replied. He put down his backpack and sat on the couch next to his dad. \u0026ldquo;I want to help out. I want to be a man, just like you.\u0026rdquo;\nFelix patted him on the shoulder and smiled. But his smile was thin and worried. \u0026ldquo;You\u0026rsquo;re still saving up for your bakery right? Whatever this is, can you stop it afterwards?\u0026rdquo;\nHugo assured him he could. 
They made small talk and Hugo went to bed.\nThe next day Hugo watched his usual contact approach his stand. He was carrying a small paper baggie in one hand. \u0026ldquo;Oh, did you stop at another stand?\u0026rdquo; Hugo asked, attempting once again to strike up conversation.\n\u0026ldquo;No.\u0026rdquo; The man, Hugo still didn\u0026rsquo;t know his name, put the paper bag on the stand and then grabbed a pastry off the tray.\n\u0026ldquo;Hey, you can\u0026rsquo;t do that. I handle the food.\u0026rdquo; Hugo started to protest.\nThe man looked Hugo in the eye for a moment and nodded once, briefly. \u0026ldquo;Good luck. You make good bun.\u0026rdquo; He walked off without any elaboration.\n\u0026ldquo;What the heck,\u0026rdquo; Hugo muttered and thumbed open the paper bag. He stopped and closed it quickly. Then he opened it once more and looked at the quantity of money inside. He closed it quickly and shut down his stall.\nAs he walked back home he messaged Frank: \u0026ldquo;Is this the right amount? I think your man overpaid.\u0026rdquo;\nThe reply arrived before Hugo made it home. \u0026ldquo;It\u0026rsquo;s correct. You\u0026rsquo;re going to be buying a car. Pick up and drop off are attached. Be there at 10 AM tomorrow. You\u0026rsquo;ll drive it straight to the drop off, no stops.\u0026rdquo; Hugo frowned and assessed the pick up location. It was in Lebec. Nearly 75 miles north of him, and in the mountains outside of Los Angeles. He could take a bus there, but it was going to take several hours.\nHugo left his stall contents in the living room and briefly waved at his parents as he went into his room. After closing the door, and locking it, he counted the money out on the bed. Seventy thousand dollars. This was an enormous amount of money. \u0026ldquo;I could start my own bakery tomorrow with this. And help with rent.\u0026rdquo; Hugo muttered to himself. 
\u0026ldquo;What have I gotten myself into?\u0026rdquo;\nLying down in bed, Hugo kept on thinking about the next day. He got up and laid out some clothes he could layer. He lay back down. After a while, unable to sleep, he double checked the bus route he would take tomorrow. He got up and rechecked his clothes. He made sure the bag of money was at the bottom of his backpack. Finally he slept.\nChapter 8 - Drive Hopping off the bus in Lebec, Hugo looked around. He\u0026rsquo;d arrived by the post office. A single-story building, the post office had enough space for 30 cars and 5 spots taken up. It looked like the biggest parking lot he could see as he turned around in a circle. Dirt lots, their dimensions delimited by wooden posts and chains, marked other properties. Dirt hills, the plants on them dead, were all he could see in the distance.\nHe breathed in the cold air and shifted his backpack around. His breath turned into mist as he exhaled. A man in the parking lot was sitting on the hood of a car, smoking a cigarette. The car sat on the far end of the lot, away from the other cars parked closer to the post office. Despite the cold, he was wearing a tank top, emblazoned with gold baroque patterns and a drawing of Medusa in the center. He wore large sunglasses, so big they obscured the middle third of his face. Seeing Hugo looking at him, he waved.\nWalking over, Hugo looked at the car. It looked like an older Mustang, white with a boxy exterior. \u0026ldquo;Hey, nice car,\u0026rdquo; he said as he got closer.\n\u0026ldquo;Hugo.\u0026rdquo; The man had an accent that sounded Eastern European. \u0026ldquo;You got the money?\u0026rdquo;\nNodding, Hugo took the bag out of his backpack and handed it over. The man didn\u0026rsquo;t bother checking its contents as he pulled a set of car keys out and handed them over.\n\u0026ldquo;Do you, uh, need a ride?\u0026rdquo; Hugo asked awkwardly. He looked around and didn\u0026rsquo;t see anyone else watching them. 
The ground was flat and visible for a mile around, excluding the few buildings nearby.\n\u0026ldquo;To the city? No.\u0026rdquo; The sunglasses were so large they hid whatever expression the man\u0026rsquo;s eyes had; Hugo couldn\u0026rsquo;t even guess at it. His mouth was flat and neutral. \u0026ldquo;Don\u0026rsquo;t stop driving.\u0026rdquo; With that said, the man walked off.\nHugo got in and started the car. He didn\u0026rsquo;t have a license, much less a car, but his dad had taken him driving a few times before. He did a couple loops in the parking lot to get familiar with the Mustang and its throaty growl before going back on the highway towards Los Angeles.\nDriving back he thought everyone was taking the \u0026ldquo;don\u0026rsquo;t stop\u0026rdquo; too seriously. \u0026ldquo;What if I need to pee?\u0026rdquo; he laughed as he sped through the mountains. \u0026ldquo;I don\u0026rsquo;t think they\u0026rsquo;d be okay if I just let it rip all over these leather seats!\u0026rdquo; He knew the perfect place to stop too. He pulled out his phone and texted Whitney to see if she was working today.\nPassing by The Dancing Goat, Hugo was unable to find parking in front. He pulled into a nearby parking lot and then realized his issue. You can\u0026rsquo;t show off a car to someone in a parking lot a block away from them. Hugo snapped a photo of the car with his phone, then went into the cafe.\nWhitney smiled and waved as Hugo came into the shop. Turning to her co-worker she said she was going to take a 10 minute break. A few minutes later she was sitting with Hugo at a table with a couple coffees.\n\u0026ldquo;So, Hugo, where\u0026rsquo;s this hip car of yours?\u0026rdquo;\n\u0026ldquo;It\u0026rsquo;s uh, I couldn\u0026rsquo;t get a parking spot in front. 
It\u0026rsquo;s in a parking lot, but I took a picture of it.\u0026rdquo; Hugo pulled out his phone and showed it to her.\n\u0026ldquo;Wooah, nice,\u0026rdquo; Whitney practically whistled when she saw it. \u0026ldquo;My dad loves muscle cars. He\u0026rsquo;s always tinkering with his vintage Shelby on the weekends.\u0026rdquo; Her eyes danced as she looked at him and leaned in. \u0026ldquo;What kind of a loan rate did you pay for that? It\u0026rsquo;s such a splurge.\u0026rdquo;\n\u0026ldquo;Oh, it\u0026rsquo;s\u0026rdquo; Hugo couldn\u0026rsquo;t come up with anything \u0026ldquo;no loan, all cash.\u0026rdquo;\n\u0026ldquo;No way! When did you get the money together for that? That\u0026rsquo;s, what, a 40k car?\u0026rdquo; Whitney looked very impressed.\n\u0026ldquo;Well, uh, where there\u0026rsquo;s a will, there\u0026rsquo;s a way.\u0026rdquo; Hugo laughed awkwardly. They made some small talk for the next few minutes, but in the back of Hugo\u0026rsquo;s mind he thought about how much he\u0026rsquo;d paid for it. That wasn\u0026rsquo;t a discount on its value. That was almost twice what it was worth, brand new.\nFinishing up with Whitney he headed back to the parking lot. Entering the stairwell he passed a man at the bottom, playing on his phone. The man watched him as he walked by and didn\u0026rsquo;t say anything. Coming to the floor where he\u0026rsquo;d parked, Hugo saw a startling sight.\nSeveral police officers were by his car, which had the trunk popped open. A wrapped bag was on the ground next to the car. Hugo stood by the stairs for a moment, his heart pounding, and then he turned around. The man from the bottom of the stairs was there and he had a gun out. It was pointed at Hugo.\n\u0026ldquo;LAPD, hands up and get on the ground!\u0026rdquo; The gun was aimed at Hugo\u0026rsquo;s chest and the man had a two handed grip. Hugo turned back towards his car and saw that the officers searching it were also brandishing their firearms. 
Surrounded, he put his hands up and slowly got to the ground.\nChapter 9 - Dirt He\u0026rsquo;d been sitting at the desk in the interrogation room for nearly 20 minutes before his interrogator came in. Hugo knew that because the only thing to do was look at the clock. He would have liked to pace around, but being handcuffed to the desk prevented him from doing so. Cameras stared down from several angles, silently judging him as their red LEDs blinked on and off. Nervously, Hugo tapped out a rhythm with his feet.\n\u0026ldquo;You\u0026rsquo;re in big trouble Hugo Parrish. Big fucking trouble.\u0026rdquo; His interrogator was the person who\u0026rsquo;d pointed the gun at him in the stairwell. The man was wearing a police badge with \u0026ldquo;DETECTIVE\u0026rdquo; emblazoned in letters along the top.\nInside his head, Hugo thought \u0026ldquo;My parents are going to be so disappointed in me.\u0026rdquo; Externally, he just nodded. \u0026ldquo;I know.\u0026rdquo; He\u0026rsquo;d had a while to think. Something was in that package in the trunk of the car. He didn\u0026rsquo;t know what, but he must have been followed for the police to have gotten into the trunk when he stopped.\n\u0026ldquo;You had a lot of, what do you people call it, réal, in the back of the trunk.\u0026rdquo; The detective paused and waited for Hugo to respond.\nHugo had never been arrested, but he had seen Goodfellas. That scene where the protagonist gets arrested and doesn\u0026rsquo;t say a thing. Hugo also said nothing and looked up at the cameras. He noticed the lights had stopped blinking on the cameras. \u0026ldquo;Great, recordings off, now I\u0026rsquo;m going to get beaten.\u0026rdquo; he thought to himself.\nAfter a couple minutes of silence the detective resumed. \u0026ldquo;We got a whole kilo in there. Enough opioids to kill 50 million people. You don\u0026rsquo;t work with us, you\u0026rsquo;re never going to be a free man.\u0026rdquo;\nNow Hugo had to roll his eyes. 
\u0026ldquo;Look man, I know you cops like to make up numbers, but 50 million is a lot of people. What, I\u0026rsquo;m going to kill the whole state of California? There\u0026rsquo;s nothing in the car that could do that.\u0026rdquo;\n\u0026ldquo;Don\u0026rsquo;t play dumb shitbird. You know what was in there, just like you know you\u0026rsquo;re working for the cartel.\u0026rdquo;\nHugo paused. What were they trying to pin on him? \u0026ldquo;I\u0026rsquo;m not working for any cartel. I have no idea what you\u0026rsquo;re talking about.\u0026rdquo;\n\u0026ldquo;Come on Hugo. Comprehensive Dental Solutions. CDS. Cartel de Sinaloa. Could you have been more obvious?\u0026rdquo;\nHugo felt himself break out in a cold sweat. He decided to keep on channeling Goodfellas and not say a thing.\n\u0026ldquo;We\u0026rsquo;ve been following you for a while. You transported that carfentanil in the watch. It must\u0026rsquo;ve been a hit, because you\u0026rsquo;re now transporting a whole bunch in that car we just impounded.\u0026rdquo;\n\u0026ldquo;I don\u0026rsquo;t know what\u0026rsquo;s in that car, but fentanyl is not going to kill 50 million people.\u0026rdquo; Hugo responded evenly.\n\u0026ldquo;Carfentanil. Surely they tell you what you\u0026rsquo;re transporting. One hundred times the strength. Top notch réal, réally.\u0026rdquo; The detective chuckled at his play on words. \u0026ldquo;You get that to a safe spot, you can cut it real nice, and make a whole mess of money.\u0026rdquo;\nThe detective paused and looked at Hugo. \u0026ldquo;And you do need money. Your alcoholic dad losing his job couldn\u0026rsquo;t have been easy. We have a whole lot of dirt on you-\u0026rdquo;\n\u0026ldquo;My father is no alcoholic.\u0026rdquo; Hugo stood up, his voice and posture firm. 
His hands made fists as they wrestled impotently with the handcuffs keeping him from slugging the detective.\n\u0026ldquo;Sit back down now or I\u0026rsquo;ll knock your ass to the ground\u0026rdquo; the detective shouted back.\nHugo glared back at him, defiant. \u0026ldquo;You take back what you said about my father.\u0026rdquo;\n\u0026ldquo;We have a picture of him at work with a vodka bottle. We know he was laid off. We know you paid the rent. We know every damn bit of how you interact with the system.\u0026rdquo; The detective was practically frothing at the mouth. \u0026ldquo;You think we\u0026rsquo;re stupid? We pay the corporations and they gladly hand it over. The Infoshare program is the greatest goddamn thing to happen for policing in this country and we have you dead to rights. Don\u0026rsquo;t fuck with us.\u0026rdquo;\n\u0026ldquo;The only reason you can even afford to pay for all that is because you\u0026rsquo;re nickel and diming people like me for everything. I just wanted to run a bakery. What the hell do I need a personal certificate of good standing for? When does it ever end with you parasites?\u0026rdquo; Hugo was leaning over the table, shouting back at the detective.\n\u0026ldquo;What the hell is a personal certificate of good standing? I\u0026rsquo;ve never heard of that.\u0026rdquo; The detective shook his head and squinted at Hugo.\nHugo paused. A few moments passed and he sat down.\n\u0026ldquo;We have the dirt on you kid. You\u0026rsquo;re going to go away if you don\u0026rsquo;t fix this. Don\u0026rsquo;t you think you should call someone?\u0026rdquo; The detective reached into his pocket and handed Hugo back his confiscated phone.\nHugo raised his phone up, facing away from the detective. He unlocked it and looked at the screen. He didn\u0026rsquo;t know what to do. He tried to think which of his parents would be home now. He thought of which one might take the news better. Then he saw he had a message from Frank. 
He opened it and read it as the 5-second timer counted down before it was destroyed. \u0026ldquo;I heard what happened. Help is on the way. Don\u0026rsquo;t tell them anything, don\u0026rsquo;t talk to anyone.\u0026rdquo;\nHugo locked the phone again and set it facedown on the table. \u0026ldquo;No, I don\u0026rsquo;t think I should.\u0026rdquo; He looked down at the table himself and waited.\nChapter 10 - Reveal The lawyer calmly weaved his car through the freeway traffic. \u0026ldquo;It wasn\u0026rsquo;t cheap to get you out Hugo. I should tell you, my boss is pretty upset.\u0026rdquo;\nHugo stared out the passenger window. The setting sun was shining in his face, but with the haze he was in he didn\u0026rsquo;t feel compelled to block it. \u0026ldquo;Why\u0026rsquo;d you spend so much on me then?\u0026rdquo;\n\u0026ldquo;Liability purposes.\u0026rdquo; The lawyer was an African American man in his mid-forties. With his tweed suit, wireframe glasses, and succinct speech, he looked like he did insurance law. Not whatever branch of the law even attempted to cover what Hugo was caught up in.\n\u0026ldquo;So what now?\u0026rdquo;\n\u0026ldquo;You meet the boss. He\u0026rsquo;s spent a lot on you. He\u0026rsquo;ll want to see how he can recoup his investment.\u0026rdquo;\nThe rest of the ride passed in silence until they arrived at an office building in the downtown Fashion district. A metal gate opened to give them access to an underground garage. A guard station stood before the elevator leading up and out of the garage. A guard came out and called the elevator for them. Hugo noticed that the guard was resting his hand on the handgun holstered at his hip. Inside the guard station he could see an assault rifle in an open weapons locker.\nIn silence they all rode the elevator up. Two stops were lit up. 
At the first the guard told him \u0026ldquo;You\u0026rsquo;re the second stop\u0026rdquo; and rested his hand on Hugo\u0026rsquo;s shoulder.\nThe only thing the lawyer said to him was \u0026ldquo;Good luck\u0026rdquo; and with a brief nod he left.\nMoments later the elevator arrived at its second stop. Hugo walked down a well lit hallway with plants and generic corporate paintings. At the end of the hallway was a double set of wood panelled doors. The guard opened the doors and gestured at Hugo to walk through. As Hugo entered the room the door was shut behind him.\n\u0026ldquo;Hugo, come in! Take a seat.\u0026rdquo; A smiling man gestured at a chair in front of his desk. Hispanic-looking and well into middle age, he looked bland. He had a fat face, and a thick mustache. The top of his head was well advanced into male pattern baldness and he wore a loose fitting white dress shirt with no tie or jacket.\nHugo sat down in the chair.\n\u0026ldquo;I have to tell you, those cops are a real pain in my backend. Given what you were caught with, it took a very big payment to get them to release you.\u0026rdquo; The man emphasized the word \u0026ldquo;very\u0026rdquo; when he spoke.\n\u0026ldquo;I thought that the lawyer got them to drop the charges.\u0026rdquo;\n\u0026ldquo;Hugo, don\u0026rsquo;t be naive. There\u0026rsquo;s things you can and can\u0026rsquo;t say and that\u0026rsquo;s what I pay Paul to handle. At the end of the day, all they want is a bribe. I view myself as a facilitator of commerce. My business turns loose paper into approved banked money. Sometimes the police ask questions so we give them some of that money and they buy their wife a handbag and send their kids to college. It\u0026rsquo;s a great system and it works well.\u0026rdquo;\n\u0026ldquo;Ok. So then Mr..\u0026rdquo; Hugo paused.\n\u0026ldquo;Luis.\u0026rdquo;\n\u0026ldquo;Mr. Luis, why the drugs?\u0026rdquo; Hugo finished.\n\u0026ldquo;Ah, well, I facilitate commerce. 
Normally I help my clients manage their paper, but sometimes I help with associated shipping issues. This one client has been experiencing some supply chain issues so they wanted to explore alternatives. I\u0026rsquo;m a local to the area so they asked for my help.\u0026rdquo;\n\u0026ldquo;So then.. the watch with all the diamonds on it?\u0026rdquo;\n\u0026ldquo;Shiny pieces of glass.\u0026rdquo; Luis waved his hands dismissively. \u0026ldquo;The key part was the product that was placed in the case of the watch. We had to take a couple parts out to fit the product in, but it was very easy to transport.\u0026rdquo;\n\u0026ldquo;Why have me go to the pawn shop then? Why did I go so far north to get that car?\u0026rdquo; Hugo didn\u0026rsquo;t understand why he was involved in this. \u0026ldquo;Why didn\u0026rsquo;t you just mail everything?\u0026rdquo;\n\u0026ldquo;Cutouts and jurisdictions Hugo.\u0026rdquo; Luis leaned in as he explained what role Hugo had played. \u0026ldquo;You were a cutout, a person who acted as the middleman because our chemist friends could not be seen directly talking to us or the client. The watch as a means of transport worked well. It passed through a couple of hands and performed well. Unfortunately we hit issues afterwards.\u0026rdquo; Luis frowned at this part, but paused rather than elaborate.\n\u0026ldquo;And the car?\u0026rdquo; Hugo persisted.\n\u0026ldquo;Jurisdictions. At that point the LAPD understood what was going on and they wanted a very large bribe.\u0026rdquo; Luis emphasized the word very as he spoke it. \u0026ldquo;But that wasn\u0026rsquo;t going to happen without evidence and there are rituals one must observe. The LAPD can only operate within the city, and they can only enter private property\u0026rdquo; Luis waved his hands around \u0026ldquo;with a warrant. Now, they trade information with their friends in the sheriff\u0026rsquo;s department as well. 
Some of the best customers of my clients live in LA county, outside of the city. But Lebec, where you got the car, is outside of the county jurisdiction. A demon may have absolute power inside its circle, but it cannot leave it.\u0026rdquo;\n\u0026ldquo;Then why not call the FBI? Or get a warrant?\u0026rdquo;\nLuis leaned back in his chair and crossed his arms. \u0026ldquo;You\u0026rsquo;re not following along Hugo. These police are not interested in the rule of law. They want to support their families. Warrants, Policía Nacional, those things just let you close cases and tick some numbers off. If all they care about is metrics, they may as well crack down on unlicensed pastry stalls to get their numbers up.\u0026rdquo;\nHugo digested this information. As he did so Luis leaned forward \u0026ldquo;So why did you stop at that parking lot? What did you do?\u0026rdquo;\n\u0026ldquo;I uh, met a friend for coffee. I thought she might be impressed by the car.\u0026rdquo; Hugo shifted uneasily in his seat.\n\u0026ldquo;And this friend\u0026rdquo; Luis raised his eyebrows \u0026ldquo;what is her name?\u0026rdquo;\n\u0026ldquo;Claire,\u0026rdquo; Hugo lied.\n\u0026ldquo;Claire. Is she pretty?\u0026rdquo; Luis had a conspiratorial smile and a small twinkle in his eye. He\u0026rsquo;d said the last bit softly, like a friend would ask about an exciting first date.\n\u0026ldquo;She is\u0026rdquo; Hugo swallowed \u0026ldquo;a friend.\u0026rdquo;\nLuis kept his pose and soft tone. \u0026ldquo;Your coffee date, your platonic coffee date, cost us a lot of money. And the policía, they decided to burn the drugs before you left. They sent me a video.\u0026rdquo; He leaned back and typed some lines on a keyboard. The video monitor behind Luis lit up and showed a brick of white powder being incinerated into black ash. The video ended after a few seconds and then resumed from the beginning. \u0026ldquo;Hugo, these supply chain issues are going to be bad. 
That is enough product to last the Southern California client base for three years. And here it is being incinerated because you had to get coffee with your platonic friend.\u0026rdquo; Luis yelled out the last words, curling his lips at the word platonic as he screamed.\nThe door burst open and Hugo turned around. The guard was coming in with his pistol drawn and aimed at Hugo. Hugo raised his hands in the air and as he opened his mouth Luis spoke \u0026ldquo;Not now, not now. It\u0026rsquo;s fine. We\u0026rsquo;re just talking. As you were.\u0026rdquo; He waved the guard away. \u0026ldquo;Hugo, please sit back down.\u0026rdquo; Hugo realized he was in an awkward half standing pose and slowly lowered himself back into the seat. He breathed in and out until his heart rate became normal. As he breathed Luis talked.\n\u0026ldquo;I look up to other businessmen. I try to study their lessons. Bill Gates would say \u0026lsquo;It\u0026rsquo;s fine to celebrate success but it is more important to heed the lessons of failure.\u0026rsquo; and I believe there is a lot of wisdom in that.\u0026rdquo; Hugo chewed on his upper lip as he looked at Luis. \u0026ldquo;You\u0026rsquo;ve learned a lot working for us and if we just got rid of you we\u0026rsquo;d lose those lessons and training. Honestly, I hold Frank more responsible for this than yourself. He should have taught you better. You\u0026rsquo;re going to get your bakery. And you will be a part of our enterprise. The way it works will be very simple. You take paper for your pastries. You have a business license and a currency scanner so converting it into digital bank is very easy. You\u0026rsquo;ll buy supplies from a company we own, say flour at ten dollars a kilo\u0026rdquo;\n\u0026ldquo;That\u0026rsquo;s a five times markup!\u0026rdquo; Hugo exclaimed.\n\u0026ldquo;Yes, that\u0026rsquo;s how we make money off of this.\u0026rdquo; Luis explained patiently. \u0026ldquo;And we all profit off of this. 
The money we will bring in for you will let you continue to have a margin and even make a fair amount for yourself.\u0026rdquo;\nHugo leaned back in his chair. \u0026ldquo;So, you\u0026rsquo;ll pay for the personal certificate of good standing then?\u0026rdquo;\nLuis threw back his head and laughed. \u0026ldquo;Is that what Frank told you? He still uses that one?\u0026rdquo;\nHugo was unsure how to respond. \u0026ldquo;Yes?\u0026rdquo; he said after a moment.\n\u0026ldquo;Hugo,\u0026rdquo; Luis chuckled \u0026ldquo;there is no such certificate. It\u0026rsquo;s a test that we use to check for credulous targets. Like those Nigerian prince emails with all the typos in them. If you\u0026rsquo;d looked around the official web site you would have failed to find anything about that.\u0026rdquo;\n\u0026ldquo;This is fucking bullshit!\u0026rdquo; Hugo shouted back. \u0026ldquo;I only did all of this because I thought I had no other choice. Fuck this, fuck you.\u0026rdquo;\n\u0026ldquo;No other choice? You didn\u0026rsquo;t need to open a bakery, you wanted to.\u0026rdquo; Luis smirked back at him. \u0026ldquo;The moment you transferred that first bit of money, we had you.\u0026rdquo;\n\u0026ldquo;You don\u0026rsquo;t anymore. I want out. I\u0026rsquo;m done with this.\u0026rdquo; Hugo looked Luis in the eyes as he said it.\nLuis stopped smiling and typed a few commands into his computer. The monitor behind him lit up with photos. \u0026ldquo;I can\u0026rsquo;t force you to work for us. But this isn\u0026rsquo;t the sort of job you resign from. I want you to see what happens to people who try to leave.\u0026rdquo;\nThere were dead bodies in every photo. Some of the bodies had bullet wounds, others were just a broken leaking mess. One person lay face down on a carpet, an axe sticking out of their back. Their hands were in front of them like they had been trying to crawl away. 
As he took it all in, Hugo saw a child in one of the photos, maybe 9 years old.\n\u0026ldquo;We won\u0026rsquo;t stop with just you. We\u0026rsquo;ll go after your Felix, your Violet. Yes, I know their names. We\u0026rsquo;ll even go after your Claire.\u0026rdquo; Luis looked at Hugo and held eye contact as he calmly spoke.\nHugo saw a familiar face on the monitor. \u0026ldquo;Is that Paul?\u0026rdquo;\nLuis glanced behind him. \u0026ldquo;Yes, that\u0026rsquo;s Paul. He was always such a hothead.\u0026rdquo; He turned back and gave Hugo a sad half smile. \u0026ldquo;I need to hear you tell me, are we going to be able to work together?\u0026rdquo;\nThere was nothing else that Hugo could say. He hung his head down and a \u0026ldquo;yes\u0026rdquo; escaped from his lips. After a moment the yes was followed by a \u0026ldquo;sir\u0026rdquo;.\nLuis leapt up and reached across the table. He grabbed both of Hugo\u0026rsquo;s hands in his own and pumped them up and down enthusiastically. \u0026ldquo;Yes! Wonderful! I am so happy.\u0026rdquo; The sadness was gone, replaced with joy and enthusiasm. Hugo looked up at Luis and saw the photos still hovering on the monitor. \u0026ldquo;When I was a young man in Colombia, I heard someone I look up to say \u0026lsquo;All our dreams can come true, if we have the courage to pursue them\u0026rsquo;. Shortly after that I left for America and began my Black Market Peso Exchange. It was a crowded field then, but I stuck to it and adapted as the market and customers changed. I believe you can do this too. You\u0026rsquo;re going to buy your parents a house, you\u0026rsquo;ll even be able to buy yourself a second home in the Meta. Just get up, work hard every day, and you\u0026rsquo;ll achieve every dream you\u0026rsquo;ve had.\u0026rdquo;\n\u0026ldquo;How long is this going to go on for? 
Is there a time when I can say I\u0026rsquo;ve made enough for you and enough for me?\u0026rdquo; Hugo couldn\u0026rsquo;t stop looking at the dead bodies.\n\u0026ldquo;I\u0026rsquo;ve been in this business for 38 years Hugo. As I learned from Paul Graham, \u0026lsquo;If you can just avoid dying, you get rich\u0026rsquo;. Don\u0026rsquo;t worry about stopping. Just try to avoid dying.\u0026rdquo;\n\u0026ldquo;Paul Graham? Is he a\u0026rdquo; Hugo wasn\u0026rsquo;t sure what word to use. \u0026ldquo;A mob boss?\u0026rdquo;\n\u0026ldquo;What? No. He\u0026rsquo;s a venture capitalist. A very wise man who publishes his lessons for success, for free, so that the rest of us can learn from him. You should read his essays. You might learn something for your bakery.\u0026rdquo; Luis released his hands from Hugo\u0026rsquo;s and sat back down in his chair. A few keystrokes turned the monitor behind him off. \u0026ldquo;Go on, get going, you need to choose a location for your bakery. I want it up and running by next week.\u0026rdquo; He waved Hugo away. Raising his voice he called to the door \u0026ldquo;Excuse me! This young man is ready to get going.\u0026rdquo;\nThe door to the office was opened by the guard. His gun was still in the holster, and his hand still rested on it.\nHugo got up, and swayed a little bit as he stood. He realized his legs still felt weak. After a moment he was able to walk and he left through the office door.\nChapter 11 - Bakery Hugo wiped a cloth across the glass counter. Beneath the glass pastries lay on display. Puff pastries, empanadas filled with chicken, Russian piroshki, and Chinese beef buns all lay on plates, with neatly labeled signs showing their prices.\nThe door jingled as it opened and a customer came in. \u0026ldquo;Welcome! Welcome!\u0026rdquo; Hugo looked up smiling. Frank had come in and he looked like he\u0026rsquo;d been in a car accident. His face was bruised and his left leg was in a cast. 
He had a crutch under his right arm and a paper bag in his right hand.\n\u0026ldquo;Hugo.\u0026rdquo; was all Frank said. He looked grim.\n\u0026ldquo;What happened to you man? Did you get into a car accident? I tried texting you when I had my grand opening. This has been amazing. I would never have wanted things to happen this way but now that it-\u0026rdquo; Hugo stopped as Frank raised his hand.\n\u0026ldquo;I\u0026rsquo;m here to pick up my special phone order.\u0026rdquo; Frank set the bag down on the counter.\nHugo looked inside and saw it was stuffed with cash. \u0026ldquo;Yea, totally, I\u0026rsquo;ve got it right here.\u0026rdquo; Reaching under the counter he pulled out and set down a large, flat box. \u0026ldquo;Are you going to be able to manage with the crutch? I put in a little bit of everything here. Let me know what you like best. Actually, do you need me to help you take it-\u0026rdquo; Frank raised his hand once again.\n\u0026ldquo;No. I don\u0026rsquo;t. I just want to get going.\u0026rdquo;\n\u0026ldquo;I hear you, it can\u0026rsquo;t be easy getting around with that leg. I\u0026rsquo;m sure you\u0026rsquo;re busy. I\u0026rsquo;ll just ring you up and be on my-\u0026rdquo;\n\u0026ldquo;Hugo, don\u0026rsquo;t waste my time ringing me up. You idiot.\u0026rdquo; Frank spit out the last part. \u0026ldquo;Just ring it up later. Luis put me on one of his performance improvement plans because of what you did. I\u0026rsquo;d say I hope you screw up and he does it to you, but please don\u0026rsquo;t. He\u0026rsquo;ll probably kill me first.\u0026rdquo; Frank grabbed the box and turned it on its side to fit it under his arm.\n\u0026ldquo;Oh, no, Frank, you need to keep it level\u0026rdquo; Hugo reached out his hand. \u0026ldquo;You\u0026rsquo;ll damage the pastries if they crush each other. I\u0026rsquo;m so sorry he did that to you. I\u0026rsquo;m so sorry.\u0026rdquo;\nFrank looked at Hugo with a manic gleam in his eyes. 
\u0026ldquo;Damage the pastries huh? Wouldn\u0026rsquo;t want your precious pastries to be harmed would I?\u0026rdquo; He kept the box sideways and hobbled out of the store. \u0026ldquo;Be seeing you around Hugo\u0026rdquo; he called over his shoulder as he left.\nAs he left, Frank walked to a trash can right in front of the store. He tried to shove the pastry box into the opening, but the box was too big. Frank started pushing, then punching, with his free hand to get the box in. Finally he used his elbow to slam the last bit of the crushed box through the hole of the trash can. He turned, looked at Hugo, gave him the finger, and limped off.\nHugo sat on the chair behind the counter, his mouth open in shock. \u0026ldquo;I guess I should really think about the margins for those special orders,\u0026rdquo; he mused to himself. \u0026ldquo;I don\u0026rsquo;t think it will matter what I put into them.\u0026rdquo;\n","permalink":"https://er4hn.info/blog/2023.01.14-cert_good_standing/","summary":"In near-future cyberpunk Los Angeles, a young man tries to open a bakery","title":"(Creativity ✏) Certificate of Good Standing"},{"content":"We live today in a golden age of CVEs. Never before have so many cybersecurity issues been so visible, documented, and available to those that want them. The pickaxes, shovels, pans, and sieves for mining new CVEs are also becoming more prevalent and easier to use with each passing year. Any aspiring security researcher can grab their equipment and stake their claim on the first ripe piece of code they find.\nWhat is a CVE? Before getting into the current day, it\u0026rsquo;s worth backing up a few steps and understanding how we got to this point. Sure, there are these things called CVEs. They are presumably bad and a chart measuring the amount per year goes up and to the right. What are they and why does that matter?\n Chart showing the number of CVEs issued per year. 
One could draw a trend line, but it\u0026rsquo;s pretty clearly going up each year. Taken from https://www.cvedetails.com/browse-by-date.php.\n CVE stands for Common Vulnerabilities and Exposures. These are colloquially known as \u0026ldquo;security bugs\u0026rdquo; or \u0026ldquo;vulnerabilities\u0026rdquo;. Every CVE has a unique identifier associated with it. Examples of CVE IDs include CVE-2014-0160 and CVE-2017-5753. The first group of digits is the year the ID was issued and the second is a counter of issues for that year. CVEs are issued by the MITRE (pronounced \u0026ldquo;my-ter\u0026rdquo;, like the pope\u0026rsquo;s hat) Corporation, which is a very interesting group out of the scope of this article.\nMITRE does little to vet how bad a security vulnerability is, and it does not even have a strong interest in knowing the details of the issue. MITRE does however provide a definition of a vulnerability. A vulnerability is defined (source) as \u0026ldquo;A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components\u0026rdquo;. With that in mind, what then are confidentiality, integrity, and availability?\nConfidentiality is the property that restricted information can only be viewed by an authorized party. When sending credit card numbers over the internet, confidentiality is the property which keeps those numbers from being seen by everyone along the way. Confidentiality also applies to data at rest. Unless you are authorized to, you probably don\u0026rsquo;t know what most of your coworkers make or their medical histories.\nIntegrity covers who is able to modify data. Going back to an example from confidentiality, your medical records can only be changed by authorized people such as your doctor or a nurse during your visit. 
Integrity also applies to data being transmitted, such as over the internet. It\u0026rsquo;s a separate property from confidentiality because even if the contents of a message cannot be read, they can still be changed.\nAvailability determines if something, such as a program or a cloud service, can be used. Back to medical records: if the computer holding them is disconnected, the medical records have lost availability. If two people are communicating over a radio and the signal is jammed, the signal has lost availability.\n Picture showing medical records and the potential negative impacts to them.\n The impact of these issues, as well as how hard it is to carry out an attack, is summed up in a measurement called the Common Vulnerability Scoring System, or CVSS for short. This ranges from 0 to 10, with 10 being the worst. There is also a CVSS vector, which briefly describes the values that go into the score. Many organizations like to assign deadlines for how long a security issue can remain in a system, based on how high the score is.\nMarketing of CVEs Marketing is a controversial topic among software engineers. So many ads cite cutting-edge this, innovative that. There are many SWEs who would say that good products should stand on their own. Some famous people within the industry might be a tad blunt about it and say \u0026ldquo;The innovation the industry talks about so much is bullshit\u0026rdquo; (Linus Torvalds). However, the positive take on marketing is that it allows people who would otherwise not know about a product to discover it and learn about how it can help them. Marketing has also wormed its way into CVEs and the security world.\nStarting roughly with the Heartbleed issue in 2014, a number of security vulnerabilities have been marketed to the public. Some high profile examples include Meltdown and DROWN. 
My personal favorite is \u0026ldquo;😾😾😾\u0026rdquo;, which can be pronounced as \u0026ldquo;thrangrycat\u0026rdquo; as in \u0026ldquo;three angry cats\u0026rdquo;. What\u0026rsquo;s worth noting is that all of the names and logos assigned to these are ways of delivering information about the vulnerability outside of the CVE regime. Each of these issues was reported to MITRE, received a CVE ID and a CVSS score, and was tracked by its CVE ID.\nThe purpose of coming up with names, logos, and web pages to promote a security vulnerability is to make it more accessible to others. A conversation or message about \u0026ldquo;Are you vulnerable to CVE-2016-0800?\u0026rdquo; is not that memorable and would get lost in the noise of everything else going on. Asking \u0026ldquo;This DROWN attack seems pretty serious. Are we at risk of DROWNing?\u0026rdquo; is better able to get people\u0026rsquo;s attention. For truly risky issues, marketing was a positive factor in getting people\u0026rsquo;s attention. It also gave the tech press an easy on-ramp to cover high severity issues, since headlines like \u0026ldquo;Are your vendors causing you to DROWN?\u0026rdquo; practically write themselves.\n DROWN with its logo contrasted against the CVE. Which do you find more memorable?\n The downside of the rise of CVE marketing is that it also gave a pathway for companies and people to advertise themselves. Heartbleed.com is registered and run by Synopsys, which sells CVE detection and remediation tools. 😾😾😾 is used to advertise how Red Balloon Security can help you discover and fix security issues. Other items may be created by individual security researchers to not only get the word out on the issue, but also to get the word out on who they are. 
Over time this can develop into a perverse incentive to market issues, even mild issues or non-issues, because it helps market either yourself or your employer.\nDiscovery of CVEs Marketing is only one of the reasons why so many more CVEs are being discovered and reported. Another major reason is that tools for discovering CVEs have become much more accessible and easy to use. Running static and dynamic analysis tools against products can quickly shake out the low-hanging fruit of security vulnerabilities. As tools improve, the CVE fruit hangs lower and lower until you can just reach out and pluck some fresh CVEs off the tree.\nStatic Code Analysis Static analysis covers what can be discovered without running code. There is an enormous amount of information that can be discovered without ever executing a program. By looking at compiled objects, or full images, one can discover:\n The set of installed binaries, scripts, and libraries. This is enough to cross-reference against CVE databases and find known issues. Saved values, such as strings. Strings with high entropy (they look very random) or in specific formats (a string like \u0026ldquo;ghp_abcdefghijklmnopqrstuvwxyzABCD012345\u0026rdquo; can be recognized as a GitHub access token from the \u0026ldquo;ghp_\u0026rdquo; prefix) can be examined to see if they are secrets used for authentication or cryptography. Graphs of how functions call one another can be built and used to determine how a system fits together, without running a single line of code. Linters, when run on source code, can uncover issues by examining the code. Problems such as reading uninitialized values, broken control flow, possible null pointer exceptions, and other issues are discoverable when using a linter.  It is truly exciting how much can be done in static code analysis without needing to run anything. 
Any of the above examples is enough to uncover serious issues in a piece of software, and this is all possible without even running the software. More advanced researchers can use tools such as disassemblers to go into the details of how functions work and uncover issues that way.\nDynamic Code Analysis Dynamic code analysis is a set of more advanced techniques to analyze running code. With dynamic code analysis the code to be examined is \u0026ldquo;instrumented\u0026rdquo; so that all of the interesting bits can be measured and analyzed as the code runs. One downside of this form of analysis is that it only covers what the code does while it is being examined, whereas static analysis covers everything that the code can possibly do. This is still able to yield powerful results.\nThe main purpose of dynamic analysis is to find unintended behaviors in the running code. These include things like:\n Accessing data outside of an intended buffer. Using variables before their value has been set. Freeing memory twice. Race conditions in how different portions of the code interact with one another.  A special kind of dynamic analysis is fuzz testing. In fuzz testing a set of normal inputs is \u0026ldquo;mutated\u0026rdquo; by having bits randomly changed to create an input that is just a little bit different from the original. This mutated input is then fed into the program and the result is observed. Any unexpected behavior, such as a crash or an issue listed above, is treated as a success. Advanced fuzzers also monitor how changes to the input alter the flow of code and target the mutations for maximum effect.\nSwords into Plowshares  Let Us Beat Swords Into Ploughshares by Evgeniy Vuchetich. 
Located outside of the United Nations in New York City.\n   they shall beat their swords into plowshares, and their spears into pruning hooks; - Isaiah 2:4 (excerpt)\n The prior sections showed the varied and powerful weapons that attackers have available to them when discovering security vulnerabilities. I focus on the defensive end of security (\u0026ldquo;blue team\u0026rdquo; as it is sometimes called) and I am most interested in how I can effectively defend the software which I am responsible for.\nThe wonderful answer is that the swords can be beaten into plowshares. Nearly every tool discussed in the prior sections can be used during software development to discover and fix issues, often before the product even leaves development. This gives a path forward for blue teams to help their side build higher quality products. What\u0026rsquo;s more, the tools can all be integrated into continuous integration and build pipelines.\nA typical strategy may be as follows:\n Linters and secret sniffers run over source code prior to merges. These check for issues such as committed keys, or quality problems with the code itself. The final built image is inspected to determine the set of packaged items. This is becoming more popular and standard in the industry as a Software Bill of Materials, or \u0026ldquo;SBOM\u0026rdquo; for short. Call graphs for functions can also be built at the end of the build. Tooling for these is not as standardized and does not work as cleanly for tracing calls across files as SBOM tooling does, at least at the time this article was written. During testing, dynamic analysis tools can be used while the test code is running. These tools will flag any issues found. When combined with test coverage tooling, it is possible to have a high level of confidence that issues will be discovered. Finally, fuzz testing can be done as an extra testing step once all other tests pass. 
Fuzz testing works best when combined with coverage checking as well, to ensure that the input corpus results in reasonable coverage in a reasonable amount of time.  Any issue the above tools find can be used to trigger failures in a build, or to hold a release until triaged and resolved. By implementing this strategy, defenders can be confident that the obvious avenues will be closed off to attackers. A strong defense will keep CVE counts from going up, since the issues can be caught before release.\nAs an added benefit, detailed test coverage and fuzz testing will also help to improve the overall quality of the product, ensuring that as much code as possible is tested and that accidentally malformed inputs are handled appropriately.\nSummary This article started with a discussion of CVEs and how more and more are getting discovered each year. From there it moved into what drives the discovery of CVEs. Building a reputation was one factor, but a far larger factor was the sheer number of tools developed for discovering CVEs. Finally, the article ends on a happy note: defenders can protect themselves with the same tools that attackers use.\nAs a postscript, I\u0026rsquo;d like to thank Ren Lee at https://pid.ren/ for inspiring me to write this up.\n","permalink":"https://er4hn.info/blog/2022.11.27-golden_age_cves/","summary":"Why are there so many CVEs?","title":"The Golden Age of CVEs"},{"content":"\u0026ldquo;Nice shot, nimrod!\u0026rdquo; A silly rabbit named Bugs Bunny taunts a chubby, bald hunter.\n\u0026ldquo;ooh, you wascaly wabbit. I\u0026rsquo;ll get you next time!\u0026rdquo; Elmer Fudd retaliates and waves his gun about in frustration.\nSchoolchildren around the United States watch and use \u0026ldquo;nimrod\u0026rdquo; afterwards as an insult. A nimrod is someone incompetent, an idiot who consistently gets basic things wrong. That\u0026rsquo;s what Elmer Fudd always does, so that\u0026rsquo;s what the children learn. 
A few pay attention during Bible study later and learn that \u0026ldquo;Nimrod\u0026rdquo; was a mighty hunter and king. Those children learn what irony is.\nOver time some actions become detached from their original context within a broader culture. They become a scene, which floats adrift and takes on a life of its own. These scenes develop their own interpretations and meanings. Below are a few of the ones I\u0026rsquo;ve noticed. Feel free to write in with more.\nOedipus A man kills his father and has sex with his mother. A classical Greek play: many people have heard of \u0026ldquo;Oedipus\u0026rdquo;, the protagonist of \u0026ldquo;Oedipus Rex\u0026rdquo;. Sigmund Freud comes up with the term \u0026ldquo;Oedipus Complex\u0026rdquo; to describe the psychological desire of a male child to do the same as Oedipus, citing jealousy. People use \u0026ldquo;mother f*cker\u0026rdquo; as an insult when taunting one another in the schoolyard. It becomes a part of the cultural milieu, at least in America.\nYet, that is not what the original play was about. Oedipus never desires to kill his father nor marry his mother. He was adopted, in secret, as a baby and learned of the prophecy surrounding him as an adult. He fled from his adoptive parents, thinking he would bring harm to them and having no desire to do so. The original play was about how one cannot avoid their fate. At the end Oedipus is horrified by his actions, stabbing his own eyes out rather than witness the horrors he has wrought.\nThe \u0026ldquo;No Cuts\u0026rdquo; Sword Princess Mononoke, a popular Japanese anime movie by Studio Ghibli, is being prepared for American release. Voice actors are being lined up to dub the characters\u0026rsquo; words into English. Marketing and promotions are being decided on for American audiences. Hayao Miyazaki, the notoriously perfectionist director behind the movie, sends a gift to the studio preparing the movie. 
It is a katana and a simple note is attached: \u0026ldquo;no cuts\u0026rdquo;.\nUltimately the movie is released with no cuts made to any of the scenes. The movie is a success and fans debate the meaning of the sword and note afterwards. Was it a threat should changes be made? A request with a thoughtful gift for a wall? People opine on how the director of Studio Ghibli must be very controlling to just send something like that out of the blue. The sword and note become a story passed around message boards, a tale about the importance of controlling how others express your vision.\nThe sending of the sword capped off a disappointment almost as old as the studio itself. \u0026ldquo;Ghibli\u0026rdquo;, an Italian word, refers to a dry desert breeze. This is also where the name of the entry-level Maserati cars comes from. Studio Ghibli was founded, and named, after their first successful movie \u0026ldquo;Nausicaä of the Valley of the Wind\u0026rdquo;. The movie was recut and heavily edited for American audiences as \u0026ldquo;Warriors of the Wind\u0026rdquo;. The editing job was so bad that the recut movie lost its main protagonist and its themes, and didn\u0026rsquo;t even have voice actors that understood the plot. From that point Studio Ghibli refused to allow any edits to be made to their movies. So when an American producer (the infamous Harvey Weinstein) suggested cutting a few parts of Princess Mononoke, he got a sword and a note: \u0026ldquo;no cuts\u0026rdquo;.\nHow many times Japan comes up in futuristic dystopian Sci-Fi Cyberpunk. The name of the genre evokes all sorts of imagery: powerful corporations, internet metaverses, neon lights, rogues unable to work a steady job and who live on the edge of the law. Then there is the kanji everywhere. The rise of Japan as a world superpower. 
The dominance of Japan holds true across so many games and shows: Shadowrun, with all the best technology coming from Japan; the Weyland-Yutani corp in Aliens; and the imagery of Blade Runner. Even in 2020 Japanese corporations play the antagonists in Cyberpunk 2077. But why is Japan, of all places, such a success story in dystopian fiction?\nThe 80s in the United States were a very different time from today. Ignoring the cocaine and disco, the economic and political elements of the world felt like cyberpunk. Reagan was busy deregulating industries and granting more power to corporations. Japanese companies were doing amazingly well too, to the point that Rockefeller Center in New York City was bought, outright, for $1.4 billion by a Japanese real estate company. The success of the Toyota Camry, Sony Walkman, Hitachi\u0026hellip; massage wand, and Toshiba semiconductors had American corporations on the defensive, cargo culting every Japanese business practice that they could. Into those times swept William Gibson with Neuromancer.\nGibson\u0026rsquo;s novel was what defined the cyberpunk genre, and it wasn\u0026rsquo;t about a world removed from our own. It was a look at what many thought would be the future. People at the time did think that computers were going to be fully immersive virtual experiences. When the man in the Oval Office is saying he wants to deregulate and shrink government wherever he can, it seemed natural that corporations would surpass the government in power. And during Japan\u0026rsquo;s \u0026ldquo;miracle\u0026rdquo; period of economics, the Imperial Palace in Tokyo was worth more than all the combined real estate in California.\nTime moved forwards and with it a lot of things changed. Japan\u0026rsquo;s economic miracle turned out to be a bubble. The balance of power between governments and corporations swung back towards regulation. Neuromancer, however, remained a classic of literature and created the cyberpunk genre. 
It influenced many other works around it, and the symbology those works spawned remained with us over time.\nTilting at Windmills Don Quixote is often considered the first \u0026ldquo;modern novel\u0026rdquo;. Its main character gave rise to the word \u0026ldquo;quixotic\u0026rdquo; when he tries to charge down a windmill, claiming it is a giant and is oppressing the people. He is told it is just a building, yet he charges at it, and is knocked to the ground by a passing vane of the windmill. His actions become a common phrase meaning \u0026ldquo;to use time and energy to attack an enemy or problem that is not real or important.\u0026rdquo; (cited from the Merriam-Webster dictionary).\nWhen Miguel de Cervantes wrote the plot, the early 1600s were a very different time from today. So much has changed that a reference one may not pick up today would have been very obvious to a reader from those days. In the year 2022, windmills are used to generate electricity. In the 1600s windmills were used to grind grain.\nThe people who operated the windmills were called \u0026ldquo;millers\u0026rdquo; and they were an important profession at the time. Grinding grain was a tedious process, involving hours of hard effort to do by hand. A miller with his (yes, this was the 1600s) windmill would be able to quickly grind the grain. Grinding grain was essential for baking bread, which made the miller a key part of any town. It also made for a convenient chokepoint to collect taxes and fees. Millers would weigh the sacks of grain and take a portion for themselves. The lords in charge of the region would also collect a tax from the miller. 
Millers gained a reputation for either being patsies of avaricious lords or dishonest thieves themselves, in either case taking larger portions than was warranted for their services.\nLooking upon the windmills with this context, Don Quixote\u0026rsquo;s words suddenly seem less like the ramblings of a confused man and more like a criticism of the role the windmills played in society. Even his attempt to challenge the windmill and being knocked flat on his back takes on a deeper meaning. Personally, I am reminded of cloud computing services.\n","permalink":"https://er4hn.info/blog/2022.11.06-context_matters/","summary":"Context matters, but can be lost with time","title":"Context Matters"},{"content":"I recently spent some time learning about the practical implementation details of Merkle trees. One thing that I found underdocumented and that required some thinking was the concept of \u0026ldquo;second preimage attacks\u0026rdquo; against Merkle trees. This is an attack which requires changes to the naive design when implementing the tree. I am documenting it here in hopes that it will be clearer to others implementing it.\nA Merkle tree is a type of tree in which every leaf node is the hash of a block of input data. Every branch node is the hash of the concatenation of its child values.\n Picture of a Merkle Tree. Taken from https://en.wikipedia.org/wiki/File:Hash_Tree.svg and licensed under CC0. This example is vulnerable to a second preimage attack.\n Merkle trees are useful because they allow for the efficient verification of large amounts of data. To verify, from the picture above, that L1, L2, L3, and L4 were all received successfully, the Top Hash is all that is needed. This is bog-standard hashing and not impressive. Where this becomes valuable is if you start with the Top Hash and want to validate the contents of L1 through L4. Making it more complex, each of the data blocks can be received independently of one another. 
This is a common situation in file sharing protocols such as BitTorrent and DC++.\nTo check each of the data blocks, a validator needs to know its corresponding leaf node from the tree. L1 corresponds to Hash 0-0, so if the validator knows the value of Hash 0-0 it can confirm that it received L1 successfully. However, all that the validator starts with is the Top Hash. With the Top Hash, however, you can work your way down the tree. Assuming the hash algorithm is a cryptographic hash, and collisions are infeasible, it is possible to validate Hash 0 and Hash 1 by checking that the hash of their concatenation matches the Top Hash. By repeating this it is possible to work one\u0026rsquo;s way down the tree, even in environments where the validator may not trust the other party telling it the branch and leaf hash values. Other clever optimizations exist; a reader can check Wikipedia or read a textbook for more information.\nSecond Preimage Attack All this brings us to the second preimage attack. A second preimage attack is as follows: given a hash function H() and an input x, find a second input x' with x != x' such that H(x) = H(x'). Hash functions such as SHA-256 have second preimage resistance as a core property, meaning that finding such an x' is computationally infeasible.\nIf a Merkle tree is implemented naively, with a single function such as SHA-256 being used for every node, it is vulnerable to a second preimage attack. That is the implementation shown in the picture above. Assume for the purposes of this attack that the attacker knows every value in the Merkle tree: top hash, hash 0, hash 1, hash 0-0, etc. 
An adversary can now create a new data block E1 = Hash 0-0 || Hash 0-1.\n graph BT TopHash(\"Top Hash: Hash_F(Hash 0 || Hash 1)\") Hash0(\"Hash 0: Hash_F(Hash 0-0 || Hash 0-1)\") Hash1(Hash 1) Hash1 -- TopHash Hash10(\"Hash 1-0: Hash_F(L3)\") Hash11(\"Hash 1-1: Hash_F(L4)\") Hash10 -- Hash1 Hash11 -- Hash1 Hash0 -- TopHash subgraph Data Blocks E1[\"E1: Hash 0-0 || Hash 0-1\"] L3 L4 end L3 -- Hash10 L4 -- Hash11 E1 -- Hash0   An illustration of the attack. \u0026ldquo;||\u0026rdquo; is used to represent concatenation and Hash_F represents the hash function.\n When a victim comes looking for the tree values that correspond to the top hash, the adversary can provide Hash 0, Hash 1, Hash 1-0 and Hash 1-1. These values will all validate as being under the top hash. The trap is now sprung. Instead of providing Hash 0-0 and Hash 0-1, the adversary claims that Hash 0 is a leaf node. A naive Merkle tree implementation stores no information about the depth of the tree, nor about which nodes are leaves and which are branches. The attacker then provides E1, L3, and L4 as the data blocks. L1 and L2 have been lost and a second preimage attack has occurred. The same trick can be applied on the Hash 1 side so that L3 and L4 need not be provided either, allowing an attacker to carry out a complete second preimage attack with no knowledge of the L data blocks.\nDefenses There are several possible defenses against a second preimage attack. Some of these are as follows:\n Mix information about the node type into the hash: This is what is done for Certificate Transparency (https://datatracker.ietf.org/doc/html/rfc9162), where 0x00 is prepended to leaf nodes and 0x01 is prepended to branch nodes.  I like this approach because it is straightforward to implement. See below for a description of why it works.   Require a defined depth: Agree upon a depth that the tree must have. 
A data block is valid if and only if the path of nodes leading to the leaf that holds the hash of the data block has the defined depth.  This works for trees that can be of a uniform depth, e.g. chunks of a large file. It does not work as well for other situations, for example if the Merkle tree is over a filesystem and branch nodes represent folders that can be arbitrarily nested.    Why does prepending information work? Under Defenses I stated that prepending information on whether a node is a leaf or a branch fixes the second preimage attack vulnerability. This section explores why that is the case.\nFor this section I will define two new hash functions, based on the prior hash function.\n Hash_L for the leaf nodes. This is defined as Hash_L(Input) = Hash('A' || Input). Hash_B for the branch nodes. This is defined as Hash_B(Input) = Hash('B' || Input).  A simple tree now looks like the following:\n graph BT TopHash(\"Top Hash: Hash_B(Hash 0 || Hash 1)\") Hash0(\"Hash 0: Hash_B(Hash 0-0 || Hash 0-1)\") Hash1(\"Hash 1: Hash_B(Hash 1-0 || Hash 1-1)\") Hash1 -- TopHash Hash10(\"Hash 1-0: Hash_L(L3)\") Hash11(\"Hash 1-1: Hash_L(L4)\") Hash00(\"Hash 0-0: Hash_L(L1)\") Hash01(\"Hash 0-1: Hash_L(L2)\") Hash00 -- Hash0 Hash01 -- Hash0 Hash10 -- Hash1 Hash11 -- Hash1 Hash0 -- TopHash subgraph Data Blocks L1 L2 L3 L4 end L1 -- Hash00 L2 -- Hash01 L3 -- Hash10 L4 -- Hash11   Binary Merkle tree with 4 data elements. Each hash is either Hash_L for leaf nodes or Hash_B for branch nodes.\n To make this example more concrete, I will assign values to each of the nodes and calculate the hashes based on that. 
I will use SHA-256 as the hash function of choice.\n L1 = \u0026ldquo;Foo\u0026rdquo; L2 = \u0026ldquo;Bar\u0026rdquo; L3 = \u0026ldquo;Baz\u0026rdquo; L4 = \u0026ldquo;Qux\u0026rdquo; Hash 0-0 = Hash_L(L1) = SHA-256(\u0026quot;AFoo\u0026quot;) = c394c83b94a489485a0ea7dbfd43d6b18a7cd6ef7a4d607f5c667e978a232d07 Hash 0-1 = Hash_L(L2) = SHA-256(\u0026quot;ABar\u0026quot;) = 2fa32a6f44e6ed4e6357e25c7fae397d51028cbb1ea527f1831439eaeefdb64a Hash 1-0 = Hash_L(L3) = SHA-256(\u0026quot;ABaz\u0026quot;) = bf2d89291058bc1e2e5cd3255dcc3d0d39eb1a54623c268e9adf892b903f38e7 Hash 1-1 = Hash_L(L4) = SHA-256(\u0026quot;AQux\u0026quot;) = eb5e40d6a93d1db9ab45db84465bd5809064741588415d46c817b3bdd338ce1f Hash 0 = Hash_B( Hash 0-0 || Hash 0-1 ) = SHA-256(\u0026quot;Bc394c83b94a489485a0ea7dbfd43d6b18a7cd6ef7a4d607f5c667e978a232d072fa32a6f44e6ed4e6357e25c7fae397d51028cbb1ea527f1831439eaeefdb64a\u0026quot;) = ca10d813fdb6e755f9a0984b53a7600c49b2fc6aaba028ddc90b8d4a7b766242 Hash 1 = Hash_B( Hash 1-0 || Hash 1-1 ) = SHA-256(\u0026quot;Bbf2d89291058bc1e2e5cd3255dcc3d0d39eb1a54623c268e9adf892b903f38e7eb5e40d6a93d1db9ab45db84465bd5809064741588415d46c817b3bdd338ce1f\u0026quot;) = a9d8f95ea21aff1147359ca4a040f39aa21fc951e942466b0861bf14486db4f5 Top Hash = Hash_B( Hash 0 || Hash 1 ) = SHA-256(\u0026quot;Bca10d813fdb6e755f9a0984b53a7600c49b2fc6aaba028ddc90b8d4a7b766242a9d8f95ea21aff1147359ca4a040f39aa21fc951e942466b0861bf14486db4f5\u0026quot;) = c21243ead9185756bac406d7c6132479c27a0f3bfbd378ffbd28b3596ba7a313  So now the Top Hash is known to be c21243ead\u0026lt;etc\u0026gt;. 
What happens when an attacker creates E1?\n graph BT TopHash(\"Top Hash: Hash_B(Hash 0 || Hash 1)\") Hash0(\"Hash 0: Hash_L(Hash 0-0 || Hash 0-1)\") Hash1(\"Hash 1: Hash_B(Hash 1-0 || Hash 1-1)\") Hash1 -- TopHash Hash10(\"Hash 1-0: Hash_L(L3)\") Hash11(\"Hash 1-1: Hash_L(L4)\") Hash10 -- Hash1 Hash11 -- Hash1 Hash0 -- TopHash subgraph Data Blocks E1[\"E1: Hash 0-0 || Hash 0-1\"] L3 L4 end L3 -- Hash10 L4 -- Hash11 E1 -- Hash0   Attempting the second preimage attack with the Hash_B and Hash_L functions.\n The important part to note here is that Hash 0 no longer has child nodes. That means that its hash function has changed from Hash_B to Hash_L. This in turn means that the new value of Hash 0 is SHA-256(\u0026quot;Ac394c83b94a489485a0ea7dbfd43d6b18a7cd6ef7a4d607f5c667e978a232d072fa32a6f44e6ed4e6357e25c7fae397d51028cbb1ea527f1831439eaeefdb64a\u0026quot;) = 1d0048fc197f5848147a93f19ef7ce1107e2df37ca0d2b6c5cc2c2ada004d5aa. This is different from the original Hash 0 and will fail verification when combined with the Hash 1 value to check against the Top Hash. This simple change has removed the attack vector.\nReferences  https://en.wikipedia.org/wiki/Merkle_tree#Second_preimage_attack https://crypto.stackexchange.com/questions/2106/what-is-the-purpose-of-using-different-hash-functions-for-the-leaves-and-interna  I found it confusing that the author of the question described this as \u0026ldquo;two different hash functions be used\u0026rdquo;. I think a better wording would be \u0026ldquo;why would I prepend different data for the node type\u0026rdquo;.    
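As an added example (this is not code from the original post), the Python below rebuilds the tree above with the same values (L1..L4 = Foo, Bar, Baz, Qux; Hash_L = SHA-256('A' || input); Hash_B = SHA-256('B' || input); children concatenated as hex text) and runs the E1 forgery against both a naive tree and the domain-separated one. The function and variable names are my own, and verify_block stands in for a validator that knows nothing about tree depth; the leaf and branch digests it produces can be compared against the values listed above.

```python
import hashlib
from typing import Dict, List, Tuple

# Domain-separation prefixes from the post: Hash_L(x) = SHA-256('A' || x) for
# leaves and Hash_B(x) = SHA-256('B' || x) for branches. With
# domain_separated=False both collapse to plain SHA-256, i.e. the naive tree.
LEAF_PREFIX = b'A'
BRANCH_PREFIX = b'B'

# Constructed sample blocks L1..L4, the same values the post hashes.
BLOCKS = [b'Foo', b'Bar', b'Baz', b'Qux']

# An inclusion proof: (sibling hex digest, True if the sibling is on the right).
Proof = List[Tuple[str, bool]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_leaf(block: bytes, domain_separated: bool) -> str:
    prefix = LEAF_PREFIX if domain_separated else b''
    return sha256_hex(prefix + block)


def hash_branch(left_hex: str, right_hex: str, domain_separated: bool) -> str:
    # The post concatenates the two child hex digests as text, so do the same.
    prefix = BRANCH_PREFIX if domain_separated else b''
    return sha256_hex(prefix + (left_hex + right_hex).encode('ascii'))


def build_levels(blocks: List[bytes], domain_separated: bool) -> List[List[str]]:
    # Levels of the tree, leaves first and root last (power-of-two block count).
    if len(blocks) == 0 or len(blocks) & (len(blocks) - 1):
        raise ValueError('block count must be a power of two for this builder')
    level = [hash_leaf(b, domain_separated) for b in blocks]
    levels = [level]
    while len(level) > 1:
        level = [hash_branch(level[i], level[i + 1], domain_separated)
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def proof_for(levels: List[List[str]], index: int) -> Proof:
    # Sibling path from the leaf at index up to, but excluding, the root.
    proof: Proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        index //= 2
    return proof


def verify_block(block: bytes, proof: Proof, top_hash: str,
                 domain_separated: bool) -> bool:
    # What the validator does: hash the block as a leaf, fold in the claimed
    # siblings, and compare the result with the trusted Top Hash. A naive
    # validator has no way to know how deep the leaf is supposed to be.
    h = hash_leaf(block, domain_separated)
    for sibling, sibling_is_right in proof:
        if sibling_is_right:
            h = hash_branch(h, sibling, domain_separated)
        else:
            h = hash_branch(sibling, h, domain_separated)
    return h == top_hash


def attack_outcome(domain_separated: bool) -> Dict[str, object]:
    levels = build_levels(BLOCKS, domain_separated)
    top_hash = levels[-1][0]
    hash00, hash01 = levels[0][0], levels[0][1]
    hash1 = levels[1][1]
    # The forged block E1 = Hash 0-0 || Hash 0-1, i.e. exactly the bytes that
    # the branch hash for Hash 0 was computed over.
    e1 = (hash00 + hash01).encode('ascii')
    # The adversary claims Hash 0 is a leaf: a one-step proof with Hash 1 on
    # the right. In the naive tree Hash_F(E1) == Hash 0, so the forgery passes;
    # with the prefixes Hash_L(E1) != Hash_B(E1) and the root does not match.
    forged_proof: Proof = [(hash1, True)]
    return {
        'top_hash': top_hash,
        'legit_l1_accepted': verify_block(BLOCKS[0], proof_for(levels, 0),
                                          top_hash, domain_separated),
        'forged_e1_accepted': verify_block(e1, forged_proof, top_hash,
                                           domain_separated),
    }


if __name__ == '__main__':
    for separated in (False, True):
        label = 'domain separated' if separated else 'naive'
        print(label, attack_outcome(separated))
```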
","permalink":"https://er4hn.info/blog/2022.10.08-second_preimage_on_merkle_tree/","summary":"How second preimage attacks work against Merkle trees","title":"Second Preimage Attack against Merkle Trees"},{"content":"Deets  The Cuckoo\u0026rsquo;s Egg by Clifford Stoll ISBN: 0-385-24946-2  Review The Cuckoo\u0026rsquo;s Egg was one of the formative novels of my childhood. Opening in Berkeley, California a couple of years before my birth, some accounting irregularities are discovered in the computer system. In those days users were charged for the amount of time they spent on a computer, and this was initially assumed to be a bug in the accounting software. Clifford \u0026ldquo;Cliff\u0026rdquo; Stoll, astronomer in training and sysadmin to pay the bills, is asked to look into this.\nWhat Cliff discovers is beyond what anyone could imagine. In scenes that would feel too implausible were they not real, Cliff discovers the irregularity is caused by a hacker creating an unauthorized account and using the computers as a jumping-off point for stealing sensitive military information as well as accessing further military systems. Aghast, Cliff tries to find who to report this to. The FBI doesn\u0026rsquo;t care, because nothing classified was taken. The CIA and NSA aren\u0026rsquo;t sure who is in charge.\nFinally the agencies recognize that this is a problem and something has to be done. Everyone converges on what to do as Cliff goofily stumbles through meeting people. In one of my favorite scenes he is invited to the CIA. There he finds a set of stamps for CLASSIFIED, EYES ONLY, NO FORN, TOP SECRET, and all the other fun designations. He stamps them on some blank papers and, oh no, is caught on the way out.\nCliff proves much more adept at tracking down the hacker than he does at smuggling papers out of the CIA. Through sleuthing he is able to discover the hacker is coming from East Germany and puts together enough honeypots to track down the person\u0026rsquo;s real identity. 
The culprit is caught in West Germany, put on trial, and Cliff later writes a book about it.\nIt was a fascinating story to me for a number of reasons. Growing up near Berkeley and having my own fascination with computers, it felt relatable. Cliff was someone who was passionate about learning, he lived his personal life outside of this quest, and he made everything sound so fun. As I became more interested in cybersecurity the principles of what Cliff was doing made more sense as well. Cliff would debug and understand the attack. From there, during an attack, Cliff would log what happened and trace backwards to discover the attacker’s identity. Even information such as time zones could be inferred from noting connection times. All these techniques would be refined, scaled, and automated to form the modern cybersecurity companies and technologies that exist in the world today. It was both a glimpse of the future and a story that made me believe I could be a part of it.\nAs an addendum, I later learned that Cliff sells Klein bottles through https://www.kleinbottle.com/. In my order notes I wrote to him about how much his book meant to me. He was kind enough to write back a few messages and send some pictures of the packaging process. The Klein bottle sits on my bookshelf today as a happy memento.\n","permalink":"https://er4hn.info/blog/2022.09.16-cuckoos_egg/","summary":"Review of “The Cuckoo’s Egg” by Clifford Stoll","title":"(Suggested 📚) The Cuckoo's Egg"},{"content":"Web3 without Blockchain  Web3 does not require Bitcoin, Ethereum, nor any other blockchain\n It’s my prediction that Web3, the decentralized internet, will arrive. It will not involve blockchain accounting, though. Decentralization has the wonderful property of being highly available, and I think that is the killer feature. 
Blockchain technologies will be forced to take less and less of a leading role as people’s desire for decentralized applications grows, since blockchain is the antithesis of that desire: slower than other databases, and requiring high levels of connectivity to function.\nThe main problems with blockchain based technologies are throughput and cost. By their nature blockchains are slow; only a limited number of transactions can be processed each second. As the size of the user base grows, the wait for transactions to complete increases. Blockchains are also expensive; forward looking market dynamics prop up the cost of transactions beyond their intrinsic value. The actual cost of compute is pretty low. Given a fixed cost for a physical computer, compute just requires electricity. Renting machines in the cloud is more expensive, but still much cheaper than blockchain solutions.\nThe core desire for Web3 is to have organizations (‘decentralized autonomous organizations’ or DAOs) and applications which do not have central authorities. This lets anyone participate and prevents dissidents from being removed from platforms for political, legal, or moral reasons. I don’t think the lack of removability is a great thing, but I will leave that debate to people who have thought about this more than myself. I will however note that, much like in Ursula Le Guin’s The Dispossessed, society as a whole can still choose to shun those they find unsavory.\nThe above goal is also the extreme example. Decentralized applications can also be used as “local-first software”, which is a concept that has users keep their data on their local devices. Updates can be pushed out to cloud services or shared directly with other users, but this is not required. An example today is email clients. Your phone (or similar computing device) downloads the latest emails. 
At your leisure, even without internet connectivity, you can review those emails. You can write responses which will be sent when you have internet connectivity in the future. Solving for the extreme goal will also make this one possible to solve for, so the extreme goal is the one to focus on.\nNo Gods or Kings, only Cryptography With the extreme goal of no central authorities in mind, what technical hurdles are there? In cloud services, storage and compute are the two key resources. Storage is the concept that there is some data with an identifier stored somewhere. Given that identifier it should be possible to retrieve it. Compute is the concept that inputs go into a function, processing happens, and outputs come out.\nI will posit that storage is largely a solved problem. Technologies such as BitTorrent exist in the present day that allow for many people to host files, for people lacking the file to request it, and then to become hosts themselves. The InterPlanetary File System (IPFS) moves beyond that to form what amounts to a global network. The more popular something is, the more mirrored it can be. Incentive structures need to exist to ensure works are mirrored across multiple sites, but those are human details and this is an engineering approach I am trying to solve for.\nCompute is where Web3 becomes more unsolved. Data needs to go in, be processed in some way, and be provided as a clear representation. On top of that, applications processing and displaying the data can operate. In the present day a Web3 solution may look like:\n Lifecycle of a DAO and DAPP on Ethereum\n  A DAO is formed and tokens issued on Ethereum. 
Tokens are sold for money and are used to perform compute activities / vote on matters in the DAO / gain fractional shares of income, etc. An application is created and state is stored within the application:  In a video game this may look like a player’s inventory or where they are in a game level. In a social media application this may be a user’s IPFS media they uploaded and a set of other users’ media they have commented on. Currently application interactions suffer from the above problems of being slow and expensive. There is also a third issue in that the entire state of the blockchain, including other applications, must be stored. In order to process transactions for a social media app, you must also read and process transactions for your competitors’ social media apps, fintech apps, games, etc. Forming your own blockchain leads to other issues in that a small enough blockchain is vulnerable to a large enough attacker. If you can afford one server for your application and an attacker can afford two, your attacker is now in control of your application.    If the problem with compute can be solved, applications can be sped up, and Web3 can be more viable as a future. Below I posit a way to speed up compute while remaining decentralized. The following technologies are used to do so:\n Decentralized Identifiers (DID): A scheme in which every entity can have one or more identifiers that represent their identity. These are decentralized in that the entity can choose who will attest to their identity. In the current day centralized identifiers are limited to things like “Sign in with Google/Apple/Facebook/Twitter”, etc. DID allows any entity to attest to an identity in a more free-form manner. Merkle Trees: Also used in blockchains, these allow for batching together multiple pieces of data under a single identifying hash. Merkle trees can have multiple levels, each one having its own identifying hash. 
Each hash serves to represent all data stored under that node.   Every entity (person, thing, even a place) can have one or more DIDs.\n In this scheme everyone using Web3 has their own DID. Every person, IoT doohickey, pet, DAO, and application has its own DID. Entities can have more than one DID as well.\n Data goes into schemas, which force a version and constraints on the data. Schemas exist inside namespaces, tied to DIDs, so they can be referenced over time.\n Each DID can publish schemas for data which they control. A schema describes the name and type of each variable. Additional information such as restrictions on values or descriptions of the variables’ use is possible as well. A schema is similar to a database schema. Schemas each have a name and version associated with them. Once a schema has been published it can have data published into the schema as well. Data is also versioned, with each insertion, update, and deletion operation resulting in its own version. Data and schemas can also be namespaced to form a set of items, with an implicit namespace for the top level DID. All data transformations are signed with a key registered in the DID so they can be verified to belong to the owner.\n Tree of updates to versioned schemas to namespaces.\n Data transformations, version changes to schemas, etc, can now be aggregated as elements of a Merkle tree. Information not needed can just be referenced by the tree hash, while needed information can be requested and expanded out. This allows for performing operations over time, such as requesting to see data at a particular time via something such as: namespace XYZ, namespace version ABC inside that, data with transactions XYZ within that.\nEvery time that data is changed, that change is represented as a “transformation”. The transformation type applied is recorded as part of the transformation metadata. 
There are two types of transformation:\n 🔮Oracles: The oracle transformation is an opaque operation where the data transformation is applied with no information about the source of the data. 📰Published Versioned Algorithm (PVA): The PVA transformation is a transparent version of the transformation. A versioned algorithm, itself a type of versioned data, is referenced along with input arguments. The final output is the data transformation. By necessity there will almost always be oracle transformations. Inputting data for the first time, data from non-Web3 sources, etc, will be oracle operations. PVAs allow for performing complex operations in an open and verifiable manner. An example is providing a PVA to update data from one schema to another. In an ideal world oracle transformations would be used as little as possible to keep an application fully transparent. Some applications may derive their value from hidden state, however, and make use of oracle updates to avoid revealing secret algorithms.  Propagating Changes In order to sync data, clients can request the current Merkle root of the applications they are interested in. Clients can then compare that with their own Merkle root and expand as needed to find the set of Merkle nodes they do not know about and sync those down. Clients do not need to sync down unrelated state, such as other applications, as would happen on more traditional blockchains. Providing up to date access to application compute state or storage could be a pay-as-you-go service in the future.\nClients can also submit their own data to applications. This would involve speaking to the application via an API to submit client-signed data. 
The application would then choose how to handle it and publish updated data signed by both the application and the client.\nIt’s also possible to imagine a more “decentralized” solution where clients could just submit data transformations directly to an application without requiring the application to sign them itself. Such submissions would still need to be gated by an API, but would not require the application to sign off on them. This would improve the decentralized property, but at the cost of not allowing for easy moderation.\n Pushing updates out through nodes\n In order to propagate updates, servers hosting a decentralized application would need to know the other servers hosting the application and either push or pull the transformations as needed in order to keep everyone up to date. Security, meaning that transformations cannot be altered, comes from validating signatures for both the application and the client, as well as making sure that the Merkle roots from multiple servers agree. The latter check, multiple servers having the same root, is important to make sure that transactions are not being dropped. These are weaker guards than those that blockchain solutions impose and are in fact more similar to X.509 certificate transparency logs. It is my belief that these are sufficient for most uses. Anything that requires absolute guarantees should probably have some form of real world legal contract associated with it.\nThe above solution is no doubt something that others have noodled on, and it does away with a lot of the basis of Web3 with regards to currency. Micropayments, complete lack of central control, and complete prevention of changing past values are all features of blockchain that I believe to be more trouble than they are worth due to technical and political issues. 
What I have tried to do is carve away some features and present something that is faster and usable in the present day.\n","permalink":"https://er4hn.info/blog/2022.09.08-web3_future/","summary":"How to have decentralized connectivity without the pain of blockchain","title":"(Predictions 🔮) Web3 will arrive without blockchain"},{"content":"Deets  Help! I have a Manager by Julia Evans Available at https://wizardzines.com/zines/manager/  Review Help! I have a Manager! is a zine by Julia Evans. Julia typically designs short, illustrated guides to computer science concepts like Linux tools, how containers work, DNS, and other similar subjects. This zine has her branching out to cover how to work effectively with your manager. It is a zine on soft skills.\nI was drawn to this guide because these conversations are a weakness of mine. I was never sure what to talk about with my manager, and when I began to oversee others I likewise struggled with what to do in a one on one. The importance of holding those meetings was clear, how else can you check in with someone, but what to do in them was less clear to me. I wanted to avoid awkward silences and a problem I’ve heard referred to as “big eyes looking at little eyes”.\nThis zine was very helpful at making me feel more effective in these conversations. It sets up what to expect from your manager and how to work with them to achieve your own goals by using positive examples. There are lots of suggestions about topics to discuss, areas to focus on, and why your manager would be interested in particular topics.\nBy making use of this guide I was able to avoid silences and understand each of my team members’ goals. That in turn opened up opportunities to help them improve and understand their current morale. 
I would suggest that anyone, manager and non-manager, get a copy of this for their own use.\n","permalink":"https://er4hn.info/blog/2022.08.28-help_i_have_a_manager/","summary":"Review of “Help - I Have a Manager” by Julia Evans.","title":"(Suggested 📚) Help - I Have a Manager!"},{"content":"Deets  Presentation Patterns by Neal Ford, Matthew McCullough, and Nate Schutta ISBN: 978-0321820808  Review Presentation Patterns is a book about, 🥁, crafting better presentations. Presentations consist of a topic, a set of items to discuss, and ideally some sort of visual slide based elements to go along with it.\nThe “patterns” the book refers to are formats a presentation may take. There are good patterns such as “Fourthought” or “Context Keeper”. There are bad patterns such as the “Bullet Riddled Corpse”. The names are distinctive, and each pattern contains information on how to best use its strengths or how to get out of being trapped in a bad pattern. Reading the book once tells you about the different patterns and lets you pattern match your own work as you build out slides.\nThe starting parts of the book on how to plan out a presentation are what I found the most useful. They are foundational, as a well planned out presentation is going to be much more important than any slides or ad-libbed talks that follow. Presentation Patterns goes into detail on all the elements required to have a smooth sounding and persuasive presentation.\nThe patterns themselves can feel hit or miss. The names are cute, and it is great to recognize if you are building the dreaded “slideument” to pass around. The best use of the book after it is read is to have a physical copy. If you feel stuck on how to lay out content you can flip through the various patterns to see something that looks good. 
You’ll see the (bad) anti-patterns as well and be able to course correct yourself in time.\nTakeaways To help others decide if the full book is worth their time, here is my overall summary of the book contents:\nBefore doing a talk, research the audience. Learn the expected attendees and their expected skill level, attitude, knowledge, community, and shared vocabulary.\nPrepare to engage with the audience for the presentation. A good slide deck is only one part of the means of engagement. It may be the least important part of the engagement as well. A good presentation should leave the audience feeling like they learned something new.\nBefore beginning a presentation go through a few stages:\n Ideate - figure out what you want the overall theme and topics to be. Capture - lay out those concepts and items in a way that makes sense. Organize - figure out the best outline to show those ideas. Design - actually begin putting the presentation into a slide deck.  After that, be prepared for multiple rehearsals. A talk may have to be done 4 times in advance before it is ready. During those four iterations you should focus on a specific set of items:\n Find out how the talk sounds, pace the content, pace the timing, and figure out problems. Focus on the presentation. Look for delivery and appropriateness of content. Focus on pacing more and check that the presentation seems like it is in a good place. Do some fine tuning. The rehearsal before the real thing.  A good rule of thumb is you will spend one hour preparing for each minute of presentation.\nPlan on 10 - 20 minutes of material at a time before needing to give the audience a “break.” The break comes in the form of a joke, a story related to the topic, getting audience members to participate, etc.\nA good presentation should have 3 topics or major themes. 
If you are building up a presentation as a narrative arc, this can be 3 acts, with the final one providing the key takeaways that resolve the tension of the first two.\nAvoid live demos except under specific conditions (listed below). Aim for pictures, or pre-recorded video, if at all possible.\nWhen discussing topics the audience may not know about, give a brief (1 minute) overview before going into the detail. Try to research the audience’s skill level beforehand.\nPlan to arrive early and “warm up” the audience with light conversation to get them prepared to listen to you.\nAlways act as a leader to your audience. You are there to make effective use of their time and educate them. Do not sell yourself short or focus on problems. Make effective use of time and focus on providing value to them.\n","permalink":"https://er4hn.info/blog/2022.08.28-presentation_patterns/","summary":"Review of “Presentation Patterns” by Neal Ford, Matthew McCullough, and Nate Schutta.","title":"(Suggested 📚) Presentation Patterns"},{"content":"Deets  slide:ology by Nancy Duarte ISBN: 978-0596522346  Review slide:ology is one of the frequently referenced books on how to build, not great slides, but great presentations. A common point of confusion is that slides are the important bit and that a meeting is just an effort to read off slides emailed in advance or after. This is not true, and it is a myth slide:ology works to dispel.\nSlides are the visual elements that give a presentation more impact than oration alone. Slides provide guidance to the current talking points, and they share images that evoke emotions. Slides can hint towards where the presentation is going next or illustrate how the different points are connected.\nslide:ology provides a general overview for how to arrange information in slides. Discussed inside is how to plan out what to put in a presentation, and therefore a slide. 
Displaying data, tips on coherent design, and the few places animations are acceptable are all covered inside.\nMy overall feeling on slide:ology is that it is very valuable, but mostly at the start. The first few chapters discuss very useful information on how to build and arrange slides. Highlighting key data, avoiding information overload, and other key tips are very useful.\nAs the book goes on, around the halfway point, I see the utility of its contents begin to fall off for me. Duarte is a professional with artistic abilities and a design team. Much of her advice around things like proper use of animation or custom 3D designs feels like concerns that I would not have in my normal presentation building. Some of the content even begins to feel like it is there to pad the page count.\nThe first half alone is well worth the price of purchase, however. I would recommend getting this book as a physical copy since it is very visual and worth flipping through different sections as you are building your own slides.\n","permalink":"https://er4hn.info/blog/2022.08.28-slideology/","summary":"Review of “slide:ology” by Nancy Duarte.","title":"(Suggested 📚) slide:ology"},{"content":"Deets  The Dark Forest by Liu Cixin ISBN: 978-1784971595  Review The Dark Forest is book two of the Three Body Problem trilogy. Covering mankind’s first contact with a hostile alien race, the trilogy is really about people and governments. All good sci-fi should reveal more about humans than it does about aliens with pew-pew laser guns, and The Dark Forest does a great job at this.\nI was not a big fan of the Three Body Problem, the first novel in the series. I didn’t understand the rave reviews, but I am glad I made it to the second novel. Upon reflection I think that I didn’t enjoy the first novel because I lacked the context to understand it. The first novel opens with the Chinese Cultural Revolution. 
Elements of the Red Guard are turning upon each other and laying siege to those deemed insufficiently ideologically pure. Later the protagonist’s father is beaten to death during a struggle session after her mother gives evidence against the father. These tragedies lay the groundwork for the later events that result in hostile aliens sending out their armies to invade Earth.\nIf I had a better understanding of modern Chinese government and history I think that the points the first novel was making would have been more clear to me. Lacking those contexts it felt like a relatively straightforward story, with elements of Chinese life loosely interlaid on top. I found Liu’s writing of characters to be wooden and lacking in an inner life as well, so the novel fell flat for me.\nThe Dark Forest has a concept in it that I find much more relatable: technofetishism, the belief that the shiniest, newest technology is sufficient to overcome all obstacles. I am a technology cynic and I don’t trust new things. The novel laid into that theme as well over and over. What mattered most in the end is understanding others and out-thinking the enemy, a difficult task when engaging with one much superior to yourself. The ending itself made the hair stand up on the back of my head, and even thinking about it today still does that. I would compare it to the reveal at the end of The Usual Suspects, in that it is hinted at over and over, but still masterfully executed in its reveal.\nLiu’s characters still come across as wooden and their motivations are rarely strongly expounded on. In a novel whose premise is that the only place aliens cannot see is inside one’s mind, the lack of clarity into the minds of the characters feels like a big miss. 
Overall the strength of the subject matter is what lets the novel remain strong and an enjoyable read to the end.\n","permalink":"https://er4hn.info/blog/2022.08.28-the_dark_forest/","summary":"Review of “The Dark Forest” by Liu Cixin.","title":"(Suggested 📚) The Dark Forest"},{"content":"Deets  The Real Life MBA by Jack and Suzy Welch ISBN: 978-0062362803  Review One of the inspirations for this blog came from picking up and reading The Real Life MBA years ago. I was young, and I was having trouble managing the transition from being an engineer on a team to being a leader of teams. I felt inadequate without having been trained on the “business” and “soft” skills I had not considered important. The Real Life MBA gave me confidence that I could do well in my job without needing a formal degree to do so.\nThe book overall is fairly simplistic. The advice is not deep, and historians may notice that much of what is said does not match what Jack Welch did. Jack Welch will be a controversial figure for a long time to come, but his legacy as a person is not the subject of this review. Where this book excels is in providing a set of basic principles for being a useful leader. As long as you don’t expect deep stories based on experiences, your expectations should be properly calibrated.\nTakeaways These are my notes from reading the book. They are provided to help others decide if the full book is worth reading:\n Build your brand:  Be known as a good person to everyone. Don’t be unscrupulous, since that will cause others to react poorly to you.   Have a social media presence that displays who you are as well. Having a clear mission is important. This gives others something to align themselves around. The best thing a manager can do is remove obstacles. 
When dealing with someone you don’t understand, make it clear you don’t understand and dig into the details until you do. Find what you are most effective at and passionate about. This is your “Area of Destiny” and leaning into it is where you will be the most effective.  Principles by Ray Dalio mentions this as well. One ancillary point that Dalio makes is that you should surround yourself with people who are strong in places you are not. This leads to you having a more effective team.    ","permalink":"https://er4hn.info/blog/2022.08.28-real_life_mba/","summary":"Review of “The Real Life MBA” by Jack and Suzy Welch.","title":"(Suggested 📚) The Real Life MBA"},{"content":"This hot take comes from: Logging to the Danger Zone: Race Condition Attacks and Defenses on System Audit Frameworks, which I was introduced to by Faster Yet Safer: Logging System Via Fixed-Key Blockcipher.\nThe core concept from these papers is how to create tamper evident logging. Proper logging is essential to detecting what happened during a cyber incident. By reviewing the logs one can determine malicious intent as well as what occurred. The problem is that logs are saved, often in userspace, and are vulnerable to tampering. A related problem is an attacker who deliberately filters out messages that would have otherwise been recorded during their attack, thus filtering out the evidence of the attack occurring.\nThe point in time at which these attacks can occur is referred to in the paper as the “danger zone”, and the proposed solution is KennyLoggings, which is a play on Kenny Loggins and his song “Highway to the Danger Zone”. Terrible naming conventions that collide with celebrities on Google, oy vey.\nThe core algorithm of KennyLoggings is that each log message has an authentication tag attached to it. If the tag does not match the message, you know that the log was tampered with. 
This tag is generated by having the kernel store a current key K in the kernel. K is used as the secret key in an HMAC function to hash the log. Thus:\nHMAC(K, log_message) = authentication_tag\nThe key K is then moved to the next value via a second function, such as a hash function. Thus\nK = HASH(K)\nand the full algorithm looks like:\nK is initialized at a value known to authenticator and kernel\nfor each log_message:\n    authentication_tag = HMAC(K, log_message)\n    add authentication_tag to log_message\n    K = HASH(K)\nThis is assumed to take place in the kernel, with K kept secure from userspace. The authentication_tag calculation and association must also happen at the same time as the log message is generated by the kernel.\nThere are some details around securely erasing the prior K, pre-computing values, which hash and HMAC functions to use, performance, etc, that I am leaving out and which are in the full paper. What this stripped-down description serves to show is that with this solution in place every log message now has a tag. Verifying the logs involves starting at the initial K value and calculating what the expected authentication_tag should be for every log along the way. This mechanism has a side effect that logs cannot be filtered out once the kernel has output them; every log seen has to be saved to prove that nothing was filtered by an attacker.\nIf an attacker attempts to tamper with the logs, they will hit the following issues:\n Remove/Filter logs: This will cause the K value to diverge from what is expected, causing the authentication_tag check to fail. Change prior log messages: This will cause the authentication_tag check to fail due to altering the input to the HMAC function. Add log messages in the past: Even if the attacker gains the current K value they cannot turn back the hash function to generate prior K values, and therefore cannot add new logs in the past.  This does require that the initial K value be securely stored. 
Loss of control of this value means that any logs associated with the value cannot be validated.    Overall this is a novel scheme which shows evidence of log tampering without requiring specialized hardware. It is worth noting that this does nothing to prevent logs from being removed from a system. If an attacker is able to delete logs, normally stored in userspace, those will still be gone. But gaps in a system can now be detected.\nThe papers mention other alternative approaches involving novel data structures as other means of implementing tamper evident logging. One worth noting is “Efficient Data Structures for Tamper-Evident Logging”, since the Merkle tree construction described shows how some data can be removed over time in a manner which allows for only authorized removals while not breaking subsequent verifications of the data.\nOne unfortunate issue with the scheme is that K must be known to the validator. This can create scenarios where the value is lost or used to create false logs by an untrustworthy validator. There are some alternative schemes which rely on the use of asymmetric cryptography to generate the authentication_tag. These solve the issue with untrustworthy validators but are also much slower to generate each tag, thus impacting the overall logging throughput of the system.\n","permalink":"https://er4hn.info/blog/2022.08.18-kennyloggings/","summary":"Software implementation of tamper evident logging","title":"(🔥 Take) KennyLoggings - Tamper Evident Log"},{"content":" Torment Nexus, defined. Taken from https://twitter.com/alexblechman/status/1457842724128833538?lang=en\n Please write to me with times you have seen a Torment Nexus be created:\n(This is all a set of spoilers for books and movies. 
Some spoilers may be a somewhat sketchy take on the novel for the sake of fitting into my narrative)\n Metaverse: From Neal Stephenson’s “Snow Crash”, the Metaverse was a virtual reality world that let the poor, and outcasts, of society express themselves online in ways they could never afford to in the real world. This was exploited by an evil billionaire who used memes to attempt to control the world. Sometime during reading the book Mark Zuckerberg would decide “this is the future” and rename Facebook to Meta. Surveillance Tech: J.R.R. Tolkien’s Lord of the Rings featured a device known as the “Palantir”. This was a crystal ball that would show the user whatever they wanted to see in the world. It was possible for Sauron to get the Palantir stones to show true, but misleading, images to track users of them. Peter Thiel would think “this is perfect” as he named his surveillance analytics company after it and sold it to police and military for use in managing civilian populations. Artificial Intelligence: The Terminator series of movies featured an antagonistic artificial intelligence known as “SKYNET”. After gaining sentience SKYNET decides to destroy humanity and causes a series of devastating wars. “I like the war and destruction bit” said someone at the NSA as they chose that name for their automated terrorist identification program. Panopticon: Jeremy Bentham, the founder of utilitarianism, came up with the concept of a “Panopticon” in 1786. The concept was a prison where prisoners would not know if they were being observed, and would have to behave as though they were under constant observation. This was designed with the best of intentions, and nuanced guardrails were a part of the design to ensure humane treatment of the prisoners and accountability of the guards. 
Subsequent implementations of the panopticon would cause Jeremy Bentham to coin the phrase \u0026ldquo;sinister interest\u0026rdquo; when describing how \u0026ldquo;the vested interests of the powerful would conspire against a wider public interest\u0026rdquo;. Amazon would sell devices such as Ring and create grocery stores like Amazon Fresh. The former would become a clear example of sinister intent after Ring recordings were repeatedly turned over to police without a warrant. The latter enabled a hedonistic grocery store experience, where you could eat items before even hitting the checkout stand, confident in the knowledge that you were being watched and billed appropriately.  ","permalink":"https://er4hn.info/blog/2022.08.23-tormentnexus/","summary":"The torment nexus as a repo of tech ideas.","title":"Times the Torment Nexus has been created"},{"content":"The Lord of the Rings is one of the most influential and popular fantasy novels of all time. In nerd and geek culture LOTR is a cultural reference just about everyone will understand. References to Lord of the Rings abound in the tech industry as well. Peter Thiel named his surveillance company \u0026ldquo;Palantir\u0026rdquo; after the all seeing orb from the novels. The Salesforce tower in San Francisco celebrates Halloween by displaying the \u0026ldquo;Eye of Sauron\u0026rdquo; from its top. Google Maps, at one point, had a little easter egg where it would not display walking directions from \u0026ldquo;The Shire\u0026rdquo; to \u0026ldquo;Mordor\u0026rdquo;.\nThe irony of how much people in the tech industry identify with Lord of the Rings is that many of us are orcs. The degraded, dirty, monsters and foot soldiers of the series\u0026rsquo; antagonists. Perhaps not everyone in the industry, but I identify myself as an orc.\n Myself and some others trying something new\n LOTR is a novel which shows a world that has slowly lost its glory over time. The greatest of times were in the past ages. 
Elves once ruled as the dominant species, magic was more prominent, and great artifacts were created by the most talented of prior ages. As time went on the world gradually got worse. Melkor, the Lucifer of Middle-Earth, conspired to destroy artifacts such as the Two Trees. He also waged destructive wars and personally slew heroes.\nBy the time of the events in the novel, the world is in what is referred to as the \u0026ldquo;Third Age\u0026rdquo;. Magic is gradually fading away from the world. Man, a short-lived and corruptible species, is dominant. Even the threats that are faced are shadows of their former glory. Sauron was the lieutenant of Melkor. Sauron, the antagonist of the series, barely exists on the world as a broken body relaying orders from his fortress. Smaug, the dragon of The Hobbit, is the last of its kind and size. And even Smaug was a small drake compared to its parents of legend.\nThen come the Orcs. Corrupted elves and men twisted by Melkor. The Orcs had lost the beauty of the natural world and their bodies, but they were clever and crafty. They did not make beautiful things, but they made machines with wheels, engines, and tools. In Isengard the Orcs built factories and furnaces to craft and churn out parts for their war effort. The Orcs often functioned as foot soldiers, violent and incohesive, pressed into service, but they shared something in their nature with the people of today.\nThe Orcs were able to survive in harsh conditions that tested the abilities of the Free Elves, men, and dwarves of Middle-Earth. In the plains around Mordor the Orcs used volcanic ash to grow food. They built machines and factories to overcome their problems. The orcs did not wait around for ancient prophecies to defeat their foes nor search for their arms and armor in old caves that their ancestors lived in.\nTolkien wrote about the Orcs, Isengard, and his view of the world as a reaction to the circumstances of his own life. 
He lived in the countryside and greatly enjoyed the pastoral life. He served in the First World War and saw firsthand the horrors wrought by new machines of war. It is very likely that the pollution from English factories blackened the skies where he lived as time went on. Tolkien had a great deal of reverence for the past and history as well. It shows through in his detailed weaving of mythological creatures, Christianity, and all the other elements he put into Middle-Earth. In his own life he was someone who refused to speak anything but Latin in church, long after others had switched to English. It was natural that the Orcs would be monsters and enemies in his stories.\nYet, in the Orcs, there is also something to be admired. They were builders and creators in a world that demanded accepting the status quo. With their factories and tools the Orcs bent the land and matter to their will. Magic was not used by them to perform their works, but intelligence and cunning and understanding of the systems of the world. When the rest of the world looked backwards the Orcs looked forwards.\nThe tech industry is one which is also built on the overturning of the prior order. To be successful and celebrated in tech, you have to launch a new startup and disrupt the prior order. If you can craft something which is 10x better than what was before, people will use your product instead of the old thing. Tech constantly pushes forwards the limits of what is possible. Artificial intelligence based image generation, microchips, always-open online stores, games, cars with electric engines, even the original combustion engine car were disruptors of what was there before.\nThe stereotype of the 90s was that a software engineer is going to look like an Orc as well. Diminutive, shy, but crafty, was the popular description of a SWE. 
It\u0026rsquo;s no longer as true, but tech is not a field that naturally attracts the backslappers and lives of the party.\nThe negative externalities Tolkien hated are also unfortunately true within my industry. The rise of tech led to the creation of more and more pieces of disposable junk. Intel contributed to Superfund sites throughout the South Bay Area with their disposal of toxic chemicals down the sink, until the melting of sink pipes indicated they had a problem. Companies such as Meta, Uber, PayPal, Amazon, and Google distorted markets, behaved irresponsibly with data, and harmed the occasional person. Often this was not intentional, but a side effect of the dual mentalities of \u0026ldquo;growth at all costs\u0026rdquo; and \u0026ldquo;move fast, break things\u0026rdquo; that they espoused as they operated.\nI\u0026rsquo;m not the only person to have come to this conclusion. \u0026ldquo;The Last Ringbearer\u0026rdquo; covers very similar themes, though presented as a story. I also want to stress that I do not hate the world of Middle-Earth. The Hobbit was one of my favorite childhood tales. There is something wonderful about a wizard showing up at the house of a homebody and telling him \u0026ldquo;come on loser, we\u0026rsquo;re going to rob a dragon\u0026rdquo;.\n","permalink":"https://er4hn.info/blog/2022.08.09-orc_selfidentity/","summary":"I identify as an Orc","title":"I am an Orc"},{"content":"The inspiration for this hot take is here\nOnce again, Daniel J Bernstein, abbreviated DJB, is suing the US Government. The first time around was about declaring software protected speech under the First Amendment. This was an important case that led to reducing controls on encryption and relaxing the hold ITAR had on exporting strong cryptography.\nThis time around is different. DJB\u0026rsquo;s second lawsuit against the US government involves the government\u0026rsquo;s failing to properly respond to a Freedom of Information Act (FOIA) request. 
DJB wants to better understand the relationship between the NSA and NIST when it comes to post-quantum cryptography, due to the prior relationships in other forms of crypto.\nA large part of the article covers the history of involvement between the NSA and NIST. It mostly appears accurate, to my understanding, and is well worth reading. The one part that I would quibble about is his tying of the OPM hack (see \u0026ldquo;If the Chinese government stole millions of personnel records from the U.S. government,[\u0026hellip;]\u0026rdquo; section) to weak cryptography. As I understand it that hack was related to poor use of authentication and authorization controls, not deliberately weakened cryptography.\nOverall my big conclusion from his article is that the Google / Cloudflare project to combine classical and post-quantum crypto was a good call. The combining of different algorithms was done so that even if the post-quantum algorithm had issues, the classical algorithm would prevent the message being broken. Since the algorithms were not fully vetted during the experiment in 2019, that made a lot of sense. Given the suspicions that DJB is raising about the NSA deliberately weakening post-quantum crypto, this technique may continue to be used far into the future.\nI had long been annoyed by TLSv1.0 using both MD5 and SHA-1 in its pseudo-random function since it felt like a lot of fuss to combine both. With the history of DJB\u0026rsquo;s article laid out and the benefit of time it makes a lot more sense why these sorts of multi-algorithm combinations are used.\nRegardless of how many algorithms are combined to encrypt a single message in the future, I look forward to seeing how this lawsuit plays out.\n","permalink":"https://er4hn.info/blog/2022.08.05-djb_vs_usgov/","summary":"DJB sues the US Gov, Round 2","title":"(🔥 Take) DJB sues the US Government, again"},{"content":"When starting on something, it is important to have a vision of what you want to accomplish. 
The vision describes why you are doing this. Vision is not concerned with the implementation details. The next level down from vision is the mission. Mission is what you intend to achieve. In the mission you must describe what is in the scope of the mission and what is out of scope. Next, below mission, is strategy. Strategy is how to achieve the mission. Strategy involves looking around at the state of the world and deciding, based on data and analysis, what to concretely do.\nWith that framework laid out, why am I starting a blog? I am doing it because I believe that my thoughts have some value. The best value comes from having thoughts which cross the divide from being wisps of vapor to having palpable form. Those two sentences are my vision. If I really wanted to pare it down, I could just keep the first sentence.\nThe mission to achieve my vision is to force myself to give form to my thoughts. I want to elaborate on ideas that persistently bounce around my head and lay them out in a way which dives into the details of them and makes them feel real and meaningful. If I describe a new technology or a paradigm of engineering, it should be possible to build off of it. When describing a book, the value proposition of reading the book and what I got from it should be clear. I do not want to use this blog to shitpost, that is much more fun on social media where people can reply and have emoji reactions. I don\u0026rsquo;t want to use this blog to journal the minutiae, anxieties, and ennui of my life, I have a private journal for that. Finally, I don\u0026rsquo;t want to use this blog to share short snippets of thought. What I write here should have some substance.\nThe final item to follow through on this is: why the blog? Why not use Twitter, Facebook, TikTok videos set to music that imparts an atmosphere of profundity? The answer to that, the strategy in using a blog format, is that I want to own the content and have it exist in the form which I choose. 
Placing this content on social media platforms encourages me to use the platform in the way that the platform is structured and gatekeeps who can see it. Neither of those qualities is, at present, of any interest to me.\nTo conclude, I am excited to see if my statements have any purpose.\n","permalink":"https://er4hn.info/blog/2022.08.03-purpose/","summary":"Why am I doing this?","title":"Statement of Purpose"}]