Tuesday, March 16, 2021

A list of really cool new tools through the past 40 years.

Here is a non-exhaustive list of all the cool new tools I've had through the years that were good enough that I still remember them.

 PKzip - way faster and better compression that previous things like ARC. The first version control I did was project01.zip, project02.zip, etc.


SideKick - Being able to pop up and edit underneath a running MS-DOS program was a game changer for me


Turbo Pascal - Being able to compile programs in less than a second in MS-DOS was *magic*, compared to 15min - hour waiting for the compiler queue on the VAX at school, only to find out you had an error.


Backpack Portable Hard drive - A piece of hardware, but being able to boot a floppy and have 100 megabytes of storage instantly available was like magic.


EDwin - TurboPower Software - the first text editor (that I used) that could record and playback macros, I did all kinds of cool stuff with it.


GoBack - A system tool that kept all the changes to your hard drives.. the salesman demo involved deliberately infecting a system with a virus... then undoing it via GoBack.  Unfortunately the wrong people decided it was too slow and "optimized it for speed", which killed the ability to undo virus attacks.


MultiLink - Allowed running of multiple MS-DOS users with serial terminals, usually a Wyse 60.


The $25 network - Allowed the very slow emulation of networking, with just plain old serial ports and cables. Saved hundreds of dollars if you only need a file now and then, back when Arcnet cards were about $100.


Delphi - GUI development for Windows that just works, and like Turbo Pascal, compiles in a blink.  Drag your components into a form, hook up the events, make a report or two, and you're done.


Microsoft Office - This one is way under-rated


  Microsoft Excel - Reactive programming, comprehensible by humans and accountants.


  Microsoft Word - The outliner is quite useful for keeping track of tasks, and the details of projects


  Microsoft Access - being able to do a forms based database with nice reports, master/detail records all with zero SQL required is powerful stuff


  Microsoft Exchange/Outlook - Exchange is *the world's best database* disguised as a task manager/calendar/email server/client.  You can make offline changes, and they just work consistent with expectations.


WebDAV - Uploading by just copying to a folder in explorer was far more intuitive than FTP.


Mercurial - Being able to keep old versions without sucking up the hard drive was very nice.


GIT/GitHub - Being able to keep all versions, branches and push them almost instantly to the web.


Python - The ability to get a lot done in almost no code is very powerful. It's too bad that there's no good GUI for it that works as well as Delphi.


VMware - Ersatz Capability Based Security - The virtual machine gets a set of resources, and nothing more. It'll do until we get better Operating Systems.  Being able to save a machine as a file is a very powerful thing.


ThumbsPlus - A photo organizer from Cerious Software, keeps thumbnails in a database, does tagging, etc.


Picassa 3.0 - Killed by google, does local photo management, with local facial recognition, helped me tag the more than 10,000 photos of my daughter. 8)


Hugin - Panorama alignment software - very handy for my experiments in virtual focus/synthetic aperture photography, and for doing landscapes.


GIMP - Orders of magnitude better than Microsoft Paint


WSL - Windows Subsystem for Linux - Allows me to run Ubuntu and Windows programs at the same time. VScode supports running you compiled code in Linux, while it lives in Windows... wizardry!

Thursday, February 25, 2021

Praise for the humble wallet.

 I have a wallet, it was given to me, it is a good, but worn wallet.  I keep money, ID, and a few important pieces of data in it.  The technology of the wallet has yet to be replicated on my computer.

You see, I can take money from my wallet, and hand it to another person, and they could put it in their wallet... they could just run away with it... but the largest amount they could cause to be lost from my wallet was decided by me, in advance, at my discretion.

On this spiffy computer, however... there is no wallet, nothing comes close.  There is no way for me to take a file, and give access to that file to a program, without giving that program access to everything that the computer associates with me. There is no way for me, in advance, at my discretion, to trust only a limited and carefully chosen subset of what is in my computer, to a program.

You can't do it on Linux, you can't do it on a Mac, you can't do it in Windows.

*A technically savvy person could point out that he could tell the computer not to allow access to everything but that file... but that's hardly the same thing, is it? I don't require a skilled banker to limit which notes I pull from my wallet, why should I require a system manager to do the simple task of picking a file?

This is, in my mind, collective insanity.

I have hope, however... in a few years, a system which has been in the works for a long time, called Genode will be available which actually lets you decide what you want to do with your computer, without the programs you run being able to override that decision, or get confused, and lose your data.

Until then, here's to the humble wallet, a technology not matched by the latest products of silicon valley!

How to win the war for general purpose computing.

 We're losing the war for general purpose computing.


We need to secure our computers before the war is lost and we no longer have them to secure.


The root cause (in my estimation) is a failure to use multilevel secure systems, such as the never shipped GNU Hurd, or the hopefully soon to be approachable, and steadily progressing Genode project. (German engineering to the rescue)


Back in the 1980s, it was possible to secure a computer using nothing more than MS-DOS and a few write protect labels. The hardware supported read-only mode on the storage media, and the media was easy to copy.  Everyone had multiple copies of their OS, and their data.  Copies were a few minutes investment, even on a machine with only one floppy disk. (You swapped A: and B: in the same drive, the OS kept track of which was which)


With this setup, you never had to worry about bricking your hardware, or losing your data. You could run ANYTHING in perfect safety.



In our current environment, our systems are so complex, there are nooks and crannies for malware to be implanted at almost any level. Thus the operating system, unlike in the MS-DOS days, MUST NOT let any program have direct access to the hardware, ever.  The defaults fail on Mac, Linux, Windows, and MS-DOS was merely a program loader.


Multilevel Secure Systems do this, they are also known as Capability Based systems... unlike the capabilities used in "apps" like "can this app know your location", in capability systems, they are fine grained access to a file or other resource. The capabilities are granted by the user, through a system supplied dialog box, rather than the application supplied dialog in Windows, Linux, etc. This means that apps in a Capability Based system can't go rogue and plant bugs in the firmware, etc.  Capability Systems make it possible to have actually secure computing once again.


If we can get capability based computing into the mainstream, then it becomes possible to experiment on our computers without fear.  It becomes possible to surf the net without fear, and the people won't have to stay in walled gardens to feel safe.

We can turn this around, but capability based computing is a required step

And most people have never heard of it, nor used it on a computer.


We've all used capabilities in real life though... they're called wallets (or purses).  A coin or dollar note is a capability. I was taught to deal with them at a very young age, as I'm sure were most of you. 

Computers can make it as easy, drag and drop, or file dialogs (called PowerBoxes in secure systems) make it work the same way, from a user perspective.


Sunday, February 21, 2021

If Germans are good at engineering, how come they don't dominate computer operating systems?

I recently came across a Quora question:

If Germans are good at engineering, how come they don't dominate computer operating systems or mobile operating systems?

As a native citizen of the United States, I can categorically state that I know of no widely used operating system in the US that even stands a chance of being made secure. The widespread risk taking “cowboy” attitude in the US that leads to fast innovation also leads to things like the Challenger Disaster. There were layers of management at NASA who weren’t engineers, but thought they were because they could run an Excel spreadsheet, and they had been “lucky” so far, which prevented them from learning otherwise.

There will, in about 5–10 years or so, be a complete change in the basis of operating systems worldwide.  The cowboy attitude that Linus Torvalds managed to build into Linux, with his worldwide following, has gathered another layer of people who because they can run a C compiler and make, think they know what they are doing.

In the Shuttle Disaster, the would be engineers thought that they could measure the amount of erosion of O-rings, and the probability of failure was linearly proportional to the amount of O-ring eroded. Because there were multiple rings, and only the first had eroded a maximum of 33%, they thought the had a 1 in 1000,000 odds of failure.


 The original engineers knew better, and documented their findings… if ANY erosion occurred, they indicated it was a need for a COMPLETE REDESIGN of the system because it had already failed.


In the case of Linux, there is an assumption that an operating system can be build in one large piece, a monolithic kernel, and that the users can’t be trusted. Smart and careful system administrators, and reliable careful application programmers with layers of firewalls and sandboxes can keep things safe.  If the stack is breached, they add more layers of protection.


The original engineers had built a system called Multics, and in response to some failures of computers to live up to their promises during the Viet Nam conflict, had designed a system which carefully protected itself at all layers by default. This was the multi-level secure model of computing, also known as Capability Based Security.  A process in such a system can only access the resources it has been given a capability to access, and NOTHING ELSE. 


They considered it imperative to reduce to as small as reasonably possible the amount of code that runs with full privilege to do anything what so ever, that code then manages everything else, and grants NO privileges by default. (The entire Linux kernel, on the other hand… is the kernel, millions of lines of code, any of which could take it all down).

There are some small pockets of sanity in the US, but they are unknown to most of the IT community here, and unfortunately, don’t even seem to be the system vendors of choice for our security agencies.


In Dresden, there are a team of programmers at work, slowly and methodically to build the now academic concept of a capability based operating system into a production ready operating system that is actually secure by default. They are a few years away, in my opinion, but should be gathering traction quite quickly once the need for their system is realized.

Genode is the system, and Genode Labs is the company funding the work.


I don’t work for Genode Labs, I’m not paid, and receive no compensation from them what-so-ever.  I just want sanity to prevail in the end, and they seem to be the best chance of getting it to happen.


Sunday, February 14, 2021

Racket - A new language for me

 One of the big problems in programming is to get a good fit between the ideas in your brain, and the written code the computer knows how to deal with... if you can translate between the two effectively, you'll be a productive programmer.

Certain languages appeal to me, others "smell bad". C, C++, etc have always smelled bad to me. I love Pascal, and the simplicity of forth, basic, assembler, etc.  Python is ok.

Pascal for me, is very easy to write in.  It matches the way I think.

However, there are a set of problems that just don't match the tools that Pascal provides. This is why I learned Python a while ago.  I find myself learning Racket.  It has tools for letting you match more than one type of problem with appropriate language.

For example, you can write programs in it,  and it has a layer you can add on top for making documents. It allows you to build languages within its language.

It's my first day, but it looks very promising.

Thursday, January 21, 2021

AGI as used car salesman

 "In the end, it will turn out that the AGI (Artificial General Intelligence) Singularity was canceled because Silicon Valley decided to turn this new super intelligent God into a better used car salesman, instead of using it for the good of humanity." - Me It is becoming apparent that the tech giants want to keep the cool toys for themselves, instead of letting all of us have a go. GPT3 is so big that you have to have infrastructure to support it. The era of the home experimenter has effectively been closed. Silicon Valley will monetize the heck out of Artificial Intelligence when they finally realize it... and it will be turned into a better used car salesman.... something we loath, don't trust, but in the end are forced to deal with in order to do commerce.
You can purchase a subscription to Singularity-Prime for $199/year.

Sunday, January 10, 2021

Computation isn't as safe as a table lamp, yet.

 Computation doesn't have the equivalent infrastructure as table lamps yet.


Testing / Certification: 

A table lamp will be UL/CE approved. This means it will be tested in such a manner that normal use and abuse will not cause unexpected side effects.  Knocking a UL approved lamp off a table will not cause your house to get burned down.  A light bulb of rated capacity will  not cause a short circuit. Normal wear and tear will not cause it to become unsafe.


Outlets: A table lamp plugs into an outlet, of a standard size and characteristics. The outlets are a standard interface that is often nation or region wide. The voltage and current that can be delivered through an outlet are standardized, as is the nature of the loads which may be plugged into it.  The outlet itself, and the housing, and wiring are well regulated.


The outlet is connected to a circuit, and a circuit breaker (or fuse). These devices completely and permanently interrupt the delivery of voltage for a number of standard conditions, including over-current, and also ground faults.


The circuit breaker, or fuse socket, is part of a standard and well understood panel, which is designed to allow a variety of options in deployment, with electricians able to configure them in a wide variety of applications.  Yet, the user of a breaker of fuse panel is protected from the voltages and power inside, and given a standard and easy to understand model of how power is distributed, and controlled.  In fact, some advanced users can use the panel to disable part of their local power network to allow maintenance and modification in a safe manner.


Breakers and fuse panels allow for *lock out*, which will physically prevent the reapplication of power, while maintenance is ongoing.


Power feeds include metering, and themselves are driven from a circuit, and the system is designed in much the same way as the residential and business circuits, but on a larger scale.


Not only all of those are true, but there is more


Circuit breakers and fuses on devices, etc.. are all designed to be coordinated. The smallest fuse/breaker in the chain from source to load should always trip first. This prevents a scenario such as the one where a person plugging a defective toaster into an outlet brings down the entire power grid.


Circuits and power routing have well separated areas of concern. There is no way that a power system problem can directly cause problems with the sewers or other infrastructure, other than failing to deliver power.


Our software infrastructure lacks all of this sophistication and standardization. You can plug in a fan made 100 years ago into a modern outlet, and it will work.  You can't even run an MS-DOS program from the 1980s without resorting to an emulation layer.


You can know that same fan will not cause Russian bots to be able to control the power grid. Nothing plugged into an outlet can ever give you control over the grid.  The same is not true of software, no matter how carefully constructed. We're still at the stage where a bad program can take out its host operating system, and then the network its on.


To say we need more skilled programmers, better aware of the security implications of their work, is to insist that we could run a power grid without circuit breakers in every home. 


The operating system has the job of protecting the network and its users and applications from each other.  There is no equivalent to circuits and breakers.  You can't run a program, and know that it will only consume X amount of CPU, network I/O, or RAM, unlike the outlet limited to 15 amps.


You can't be sure that a program won't have side effects. Plugging in a bad toaster in the kitchen shouldn't effect a circuit in the garage. The damage should be limited by default. None of our Operating Systems do that.


Computation lacks maturity, especially our operating systems. We have no stable standards for anything important.


That, in my opinion.. is the real root issue of almost all problems with computers, software, and security.

Friday, January 08, 2021

Watching the Power Grid in the Eastern USA

 There is a very nice ongoing effort at the University of Tennessee Knoxville to monitor the US power grid.  http://fnetpublic.utk.edu/


The video is 10 years old, but depicts a box with GPS timekeeping, and sampling the normal outlet, with Ethernet to report to the server.  https://www.youtube.com/watch?v=9Vt2OlVoBJc


One of the best real time views, is this view of the phase across the US.  http://fnetpublic.utk.edu/anglecontour.html


Sunday, January 03, 2021

Dusting off the archives, Teco/2 lives again

Long ago, I was a professional programmer for a large chunk of time. I worked in Turbo Pascal, and later Delphi under Windows. I wrote code that looks surprisingly good after 30 years.

One of the things I wrote, was an implementation of TECO, and editor I learned to love at Rose-Hulman. I did it back then mostly for nostalgia, as I continue to do it now.

I've dusted it off, and got it running on my machine under Windows 10. I've also posted the source and a "release" to GitHub.

Let me know if you try it, and I'm up for adding to it.

Who else wants to jump ship from Facebook?

 I hate Facebook, though I use it regularly. I'd like to jump ship... I see this blog, your blog, and an RSS reader as a lifeboat we can share to abandon ship and lead others away.  Who else is with me on this?

I'll check my RSS feeds at least daily... add your feed to the bottom if you want to add me and do the same. I will promptly delete spam as soon as I find it, of course.

Now, as for what RSS reader to use, I don't know... I'm tempted to code something myself. For now I've decided to try out FeedDemon.

My RSS feed is here.