Ramblings and thoughts by a Mensch or two.

Monday, November 01, 2004

"Later Bush" and other necessary reading

I came across a site called See Ya Later Bush!, and added the following message (though I've edited it slightly now that I've had a chance to re-read it) to its blog. I encourage anyone else who feels like getting a good Bush rant off their chest to do the same--it felt good. :) If you're considering voting for Bush, then you should really read this site, or you may seriously regret it later (as the world enters WW3, with the US as the Bad Guys).

It seems like the Bush supporters Aren't Listening. Bush either lies constantly or is incompetent. Either way, we know he's not qualified for the post of President of the US. The WORLD knows he's not qualified. In foreign policy, he's pissed off the rest of the world, pouring fertilizer on the roots of terrorism, while making nonsensical arguments like, 'They hate our freedom.' Like hell! They hate our arrogance and our killing and exploitation of their peoples! It doesn't make ANY sense to say they hate our freedoms! Hello!

And as to whether or not Kerry will be able to handle Iraq any better, IT DOESN'T MATTER. If he and Bush plan to do the exact same thing with Iraq, Kerry will still have an advantage--the world mistrusts Bush at the moment, and would be more likely to cooperate with ANYONE else. Further, on the home front Bush is trying to establish an oligarchy--that's rulership by an exclusive class, often those with money, and I DON'T mean those with a little bit of money: If your yearly income after taxes isn't in the 10's or 100's of millions, then you WON'T be part of the elite class, as much as you would like to think you will! So what, you say? Well, so much for the American Dream: In Bush's America, everyone will stay where they're at. And guess what? Where they're at will keep sliding down, away from Those On Top. Social Security? He's trying to dissolve it. Environment? He's ready to chew it up and spit it out, as long as someone will pay him for it. Global warming? This one needs a rant all its own, but it will suffice to say that it is NOT controversial within the scientific community. It is only controversial within politics and the general populace, and that because companies like Exxon have been spreading lies about the science.

To summarize: Bush is NOT making us safer. Kerry has a chance of doing it, but will be hampered by the mess Bush got us into. Bush is trashing the environment and stacking the economy for his pals; Kerry will help protect the environment and restore a reasonable progressive tax system. How can any thinking person vote for Bush?

Sunday, October 17, 2004

Programmers as blacksmiths

Recently I stumbled across a three part article: The Blacksmith and the Bookkeeper, Part 1, Part 2, Part 3. The premise is that programming as a profession is doomed to go the way of the blacksmith, that it will create the tools that eventually bring about its end. In the article, Max Goff presents a hypothesis about why blacksmiths faded away while bookkeepers thrive today: In summary, blacksmithing was easily automated, streamlined, or assembly-lined, while bookkeeping required creative application of knowledge. Goff then posits that programming (except for embedded programming) falls into the same general category as smithing: Something that can be easily described and automated. But I think there are essential skills of programmers beyond being able to decipher assembly language or Java or Perl, and that those essential skills will be necessary for quite a long time.

I can easily see how he can come to his conclusion--the IT industry seems to be shrinking at an alarming rate, H1-B's and exported jobs are displacing native workers, and the premium that the average programmer once commanded has dwindled and become much more modest. In fact his conclusions are not unique: Another article in USA Today (Endangered species: US programmers) puts forth similar conclusions. It's not the first time I've encountered this concept. I've fielded questions on this topic from various friends and family members for years, in fact. And every new programming automation tool seems to herald the end of programming; there have been enough "silver bullet" software products and methodologies touted in the last twenty years to slay an army of werewolves, and yet none has lived up to the promises of its press releases.

As someone who has been a professional programmer and software engineer since 1987, I personally do not see the demand for my skills decreasing any time in the near future. Why am I not worried? In part because, as a video game programmer, my skills are in the minority--Goff makes reference to "Embedded Java" programmers in his article as being an exception to the rule, but I would put forth that many more programming specializations are going to need programmers for the foreseeable future.

With the dot com boom, the demand for programmers went way up along with their salaries, and many new programmers were being cranked out by universities. Many more companies than the supply of programmers could satisfy "needed" to have a Web presence as soon as possible, and so the demand created as if by magic a non-sustainable number of extra IT positions. With the bust, the demand necessarily goes down--partly because of market saturation, in that most companies now have a Web presence, and partly because putting an application up on the Web is a mature, understood process, and for a vast majority of typical Web sites, is not innovation--it's often just assembling the correct puzzle pieces at this point. I would guess that even in the heyday of smithing, during, e.g., wartime, many more blacksmiths were trained and highly paid to produce weapons and armor than could be supported when the demand for hammered iron was lower. So part of the problem is certainly related to this: There are simply too many programmers for the positions that are available.

So will there be enough jobs for everyone who wants to make a living as a programmer? No, probably not. Which sucks for the thousands who lined up to get CS degrees for guaranteed high pay and job security--another broken promise of the "New Economy." The secret to getting steady work in the field is to find a niche where the programming that needs to be done isn't easily generalized. I think this is a corollary to Goff's premise, in fact: If the job you're doing is something repetitive and predictable, if there's no (or very little) adaptation necessary for each new project, then it's going to be in the greatest danger of being automated or eliminated. There's more skill in adapting to a dynamic situation than in assembling components by rote. And having a skill that's in high demand is what raises your paycheck, not something magical about the titles "Programmer" and "Software Engineer". We're not just entitled to a high paycheck by virtue of being able to speak Java or (in my case) C++. The high paycheck comes from providing a lot of value to a business.

This argues for restricting H1-B access, since the supply is truly greater than the demand for some positions. It turns out, though, that in niche industries like video game programming, where you really do need highly specialized talent that really is hard to find, even today, the H1-B applicant will often be the only one qualified for the position. Not just the cheapest one, but the only one. So it's not a simple issue--preventing H1-B access can prevent some companies from finding employees with the right skills. Which hurts the economy, etc. For a similar reason, video game outsourcing isn't thriving: I know that it does exist, though for the most part it exists as complete game development houses or component providers.

I think that another real problem facing the army of programmers out there right now is that many are working on similar problems, and that those problems are predominantly solved. Most Web sites and custom applications use the same features, many use off-the-shelf back ends with similar collections of components organized in slightly different ways, and one or two programmers can now do in a short time what it once took a small army of programmers many months. Note though that it still does require those few programmers--for the simple reason that programmers are trained to break a problem down analytically and debug it when it doesn't work as expected. Even if the programmers aren't manipulating anything like code, they will still be needed--maybe they'll be much more efficient, but they'll be around. Of course when they're more efficient, there won't be as many jobs...see above.

When a problem domain is well understood, however, it can often be analyzed, packaged, and automated into a wizard that you don't need a programmer for--as Paul Graham describes in his essay Beating the Averages, you can automate the process of creating an entire E-Commerce site. Now his software is used in Yahoo Stores, and while most of the Yahoo stores tend to have a similar look, they look professional and, with a custom graphics layer, would rival many custom-generated sites. In one wizard on a Web site, in under an hour, a person who knows nothing about programming can assemble an entire custom store with inventory management, payments, shipment tracking, and whatever other features Graham's group was able to squeeze in--with no direct programmer interaction at all. You might think I'm undermining my own argument here. But note this is a single problem domain, and however well it solves the Generic E-Commerce Site problem, it won't help in the slightest with creating a piece of software that tracks shipping containers for an export company, or that analyzes communication traffic to optimize switching, or any number of unrelated problems that still will need programmers until those problems are well understood, at which point they could potentially be automated and the programmers move on to new problems. And the Yahoo Store generating software still needs a team of programmers--who maintain 20000+ web sites rather than just a handful.

I do believe that companies are right to not want to pay premium salaries for programmers who are not really creating anything new. So programmers should always endeavor to keep their minds sharp, and always be in the position of creating new things rather than just pushing components around. I'm not against components--use components or any other tool that gives you greater leverage by all means!--just be sure you're personally adding value and not just running wizards. If a programmer isn't flexible enough to be able to adapt to a new industry or specialization, then unfortunately that programmer has become a blacksmith of programming, a specialist fit for one job on a programming assembly line, and unfortunately that's the position that's easiest to outsource or otherwise replace. So what you need to do is either reinvent yourself as a programmer, or reinvent yourself as something else. But don't just feel sorry for yourself that the bandwagon that you jumped on is overcrowded and that people keep falling off as its carrying capacity shrinks.

There are an infinite number of potential problem domains out there--and we're nowhere near putting together a tool that can solve any large fraction of them. To be able to generate a completely new program (presuming that the program is non-trivial, and understanding that what is meant by "trivial" evolves over time), you need to understand the motivations and needs of the people who will be using that program, distill those concepts into a specification, sub-divide the specification into whatever logical units you have at your disposal, refine the implementation to improve its usefulness, and debug it when it doesn't work quite correctly. And these are the skills that epitomize a programmer or software engineer. I don't care if the "programming" is done by writing lines of code, dragging boxes around, talking into a microphone, or projecting thoughts into a brain-scanning UI. Programming will evolve. The only way to eliminate programmers from the equation entirely is to replace them with human-like AI entities with a breadth of understanding of human endeavors, which, if created, would certainly do more than just put programmers out of business. Programming won't be the major that people flock to for easy money, certainly, but its oft-reported imminent death has been greatly exaggerated.

Monday, September 27, 2004

I can talk about my job now!

A few weeks ago I joined a startup that had been funded, but its official goals hadn't been broadcast to the world yet. Well, the time for secrecy is over!

The San Jose Mercury News ran this today:

http://www.mercurynews.com/mld/mercurynews/business/9770737.htm

...and according to Google News it was syndicated in at least 13 other papers. (This one doesn't require a subscription.)

And Gamespot is running this story and interview with our CEO:

http://www.gamespot.com/news/2004/09/27/news_6108681.html

After reading the latter, I was reminded why I decided to join Playfirst to begin with--the excitement and enthusiasm generated by the top tier of this group will carry it quite a ways. $5 million in funding will keep the burden light. And it feels to me like a real market that's just opening up, so the destination is attractive, especially with stock options in the company.

Finally, the Playfirst web site is up, and it looks great!

In any event, that's where I'll be working for the foreseeable future. I'm a lead programmer ("Senior Software Engineer") on an internal title right now. It's been fun so far!


Thursday, September 23, 2004

Server Insecurity

This article attempts to chronicle my recent upgrade adventure installing Gentoo Linux/SELinux on my home server. I'm a technical kind of guy, so I'm likely to use highly technical references without realizing it, but I'm trying to keep my tale within reach of non-Linux-experts. My objective is to keep the article accessible to anyone interested, while illustrating why someone might be crazy enough to try to install a hardened Linux build despite the extra effort required.

Set the wayback machine to mid-1998. I was looking through my home Linux server, which was then running RedHat 5.0, if memory serves, when I discovered files on the hard disk that I didn't put there. Since no one else had access to the server (legitimately), I had been hacked. As a result, I immediately started reading everything I could get my hands on about computer security. The first thing I learned was that the applications I was using with RedHat--SendMail, WS-FTP, and Bind, three very common server applications that were installed by default on that old version of RedHat--had some of the worst security hole records out there. I turned off two of those applications, replacing them with more secure versions: Qmail, a powerful and free email server, and ncftpd, a proprietary but also free FTP server. I didn't find a good replacement for Bind (at the time), so I patched it and crossed my fingers.

About a year later, I found another file I hadn't put there. It looked like I'd been hacked again. I dropped RedHat and switched to a little-known hardened distribution called Trustix. I also found djbdns, a Bind replacement, and managed to get rid of that last major security risk.

Fast-forward to the present: Trustix didn't upgrade to the newest Linux kernels quickly enough, so I decided to try other distributions and settled on Mandrake, which had been good to me so far; whenever I heard about a new exploit or security hole, Mandrake would supply the patch and I'd quickly update my box. Unfortunately, some patches would break things, and it would take a few hours to get things up and running. And because there was that window between when the exploit is discovered and when I patched it, I always had to wonder if someone had broken in and left a trojan on my box. As a result, every new install meant starting over practically from scratch with a virgin system (so that nothing a hypothetical hacker had left behind would persist to the new system). And with a full time job, it's not fun to have to spend that much free time rebuilding my system every year or two.

For over a year I ran (on my private home server) a Mandrake 9.0 Linux box with as much security as I could turn on while still being able to use it. The box did a lot of good work for me -- it stored my MP3 files, operated as a mail server and webmail client, served my domain names, and blocked evil attacks from the outside world from my vulnerable Windows boxes.

However, Mandrake wasn't supporting 9.0 any more, so it was time to upgrade. This time, however, I wanted it to be different. I wanted this upgrade to be the last major upgrade I would need to perform, at least for many years, and I wanted the server files to be safe without me having to worry about whether someone snuck in with an exploit leaving trojans throughout my system.

I'd read a lot about Gentoo Linux, so I thought I'd give it a try. A few features recommended it to me, including the fact that there isn't really a discrete "version" number of Gentoo--when new package versions become available, you can just upgrade--and you can rebuild packages with custom options for the exact system you're building. I also discovered that Gentoo supported SELinux, a package developed by the NSA to minimize (specifically to localize) the potential damage that an intrusion can do. For instance, if your Web server can only read web files and someone breaks in through the Web server, the most that hacker can do is read web files. An over-simplification, but that's the basic idea. Gentoo also has other options for a hardened kernel build (features that prevent some attacks to begin with), which I also turned on.

The only stumbling block I hit getting started was that the normal Gentoo Live CD (the CD that you use to boot up the first time) didn't work with the SELinux build, and it didn't tell me why it wouldn't work--but a little Google searching came up with the alternate SELinux Live CD, and I was off and running. There was also a bit of confusion where my Google search had picked up an outdated HOWTO with broken links, but once I found the correct HOWTO things went a bit more smoothly.

So with an SELinux Live CD, I got a build together and installed my favorite packages--which worked fine until I turned on the SELinux protections. I had enabled the download of "development packages" so I could get SELinux components--not realizing at first that I would get the development packages for everything. These new development packages didn't have updated SELinux rules, so it took a lot of reconfiguration to get the ultra-paranoid SELinux kernel to work with all of these packages. Worse, I had the temerity to want to install packages that had no existing SELinux configurations available at all. It took a lot of work to get all of the settings tuned.

In a nutshell, when you want to make a new service work under SELinux, it's a kind of whack-a-mole game of granting access to each specific feature that the service needs. It's not quite that easy, though, because you also need to create new "security domains" for the new service, and map out how each domain can interact with each other domain...and if you do it wrong, you've just opened up a new potential security hole. I would say that this process is not for the faint-of-heart, and certainly not for the newbie.
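
The whack-a-mole loop described above is driven by the kernel's AVC denial messages. The following Python script is an added example, not code from the original post: it groups denial lines into candidate `allow` rules and marks the ones that reach a sensitive type so they get reviewed instead of granted by reflex. The service type `myservd_t`, the sample log and the `REVIEW_TYPES` list are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log, not taken from the post. "myservd" and its domain
# myservd_t are hypothetical; the first line is unrelated kernel noise.
SAMPLE_LOG = """\
kernel: eth0: link up
avc:  denied  { read } for  pid=4121 comm="myservd" name="index.html" dev=hda3 ino=5512 scontext=system_u:system_r:myservd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
avc:  denied  { getattr } for  pid=4121 comm="myservd" name="index.html" dev=hda3 ino=5512 scontext=system_u:system_r:myservd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
avc:  denied  { name_bind } for  pid=4121 comm="myservd" src=8080 scontext=system_u:system_r:myservd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
avc:  denied  { read } for  pid=4121 comm="myservd" name="shadow" dev=hda3 ino=771 scontext=system_u:system_r:myservd_t tcontext=system_u:object_r:shadow_t tclass=file
"""

# Permissions sit inside the braces; the contexts and the object class
# follow as key=value fields at the end of the message.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

# Assumption: target types a new service should rarely need. A denial against
# one of these usually points at a bug or misconfiguration, not a missing rule.
REVIEW_TYPES = {"shadow_t"}


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


def collect_denials(log_text):
    """Merge denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # not an AVC denial
        key = (type_of(match["scon"]), type_of(match["tcon"]), match["tclass"])
        rules[key].update(match["perms"].split())
    return rules


def candidate_rules(log_text):
    """Return (rule_text, needs_review) pairs in a stable order."""
    result = []
    for (src, tgt, cls), perms in sorted(collect_denials(log_text).items()):
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        result.append((rule, tgt in REVIEW_TYPES))
    return result


if __name__ == "__main__":
    for rule, needs_review in candidate_rules(SAMPLE_LOG):
        print(("REVIEW  " if needs_review else "ok      ") + rule)
```

A rule marked for review is a question to answer about the service (why is it opening that file at all?), not a line to paste into the policy.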

Once all of your services have SELinux packages, and you're using the right versions of each, it will be hard to beat the security of SELinux, though. If the Gentoo folks are interested, I'll put together a few packages with my changes in them to help out future SELinux installers.

In any case, my new server is finally up and running. I also have a lot of new features almost for free because of the great Gentoo package system: SpamAssassin helps to deflect spam from my system, ClamAV helps to block viruses before they enter my email box, and Poptop will soon allow me to VPN into my home box to get to my file shares.

I won't say that the new server is bulletproof, because that would be stupid--it would certainly attract more attention than I want trying to prove me wrong, and I would probably be wrong. But considering it's a completely uninteresting personal server without as much as a single credit card number, the level of security I have on it now is enough to quell my fears.

Besides which, just to be extra paranoid, I did a baseline checksum scan of all of the applications on the server, so if someone does someday get past all of these barriers I put up, at least I'll be able to know. Until then, I'm going to sleep a bit more easily.
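
A baseline checksum scan of the kind mentioned above can be done with a dedicated integrity checker or with a short script. The following Python script is an added example, not the tool or code used in the original post: it records a SHA-256 digest and permission bits for every file under a directory and later reports what was added, removed or changed. The directory layout and file contents in `demo()` are constructed for the illustration.

```python
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map each file under root to its digest and mode; symlinks map to their target.

    Symlinked directories are not followed, so a link cannot pull files from
    outside root into the scan.
    """
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            info = os.lstat(full)
            if stat.S_ISLNK(info.st_mode):
                snap[rel] = {"link": os.readlink(full)}
            elif stat.S_ISREG(info.st_mode):
                snap[rel] = {"sha256": sha256_file(full),
                             "mode": stat.S_IMODE(info.st_mode)}
    return snap


def compare(baseline, current):
    """Report paths added, removed, or changed (content or permissions)."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(path, data, mode):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Build a constructed tree, take a baseline, tamper with it, and compare."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "login"):
            _write(os.path.join(bindir, name), (name + " v1").encode(), 0o755)

        # Round-trip through JSON, as if the baseline had been saved and reloaded.
        baseline = json.loads(json.dumps(snapshot(root)))

        # Constructed changes: same-size content swap, a permission change,
        # a deleted file and a new hidden file.
        _write(os.path.join(bindir, "ls"), b"ls vX", 0o755)
        os.chmod(os.path.join(bindir, "ps"), 0o777)
        os.remove(os.path.join(bindir, "login"))
        _write(os.path.join(bindir, ".hidden"), b"unexpected", 0o755)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is only as trustworthy as the stored baseline, so keep the saved JSON on read-only or offline media rather than on the server it describes.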

Saturday, August 07, 2004

Where does all the time go?

It seems like only yesterday that I wrote my last blog entry...but no, it's been well over a month. Somehow having an infant and suffering from sleep deprivation and leaving my job and searching for a new job and rebuilding my home server from the ground up have all combined to make me feel like I'm busy all the time. Funny that.

Wednesday, June 16, 2004

So, WAS I ready for the baby?

There is a baby, and now sleep is a valuable commodity. One may note I haven't posted much on this blog recently--well, writing simply didn't rate against the possibility of sleep.

But, I have a small amount of extra energy this morning, so here are a few thoughts on early parenthood:

At first, it wasn't so bad. My mother-in-law came out from Texas to help, and this was crucial to our continued sanity. Raising an infant past the first two weeks really takes the full time efforts of no fewer than three people, unless you're really lucky or you don't mind letting the poor thing cry. There was at least one night that was very long and stressful--no sleep for either of us--after which we were able to pass our new blessing on to her grandmother for some much needed rest. The rest of the time our house was magically and wonderfully cleaned, breakfast was prepared for us, and laundry went through the machines at a seemingly constant rate. But all good things come to an end, and grandma had to go home; luckily we'd managed to build up a bit of a routine by then, and we're still managing. Though I'm working only half time, from my system at home, so I'm still putting a lot of daddy-time in.

But how has it changed me, or the way I look at things? Aside from attitudes and feelings attributable to sleep deprivation, there aren't any earth-shaking changes to my outlook. Sure, I used to be scared of diaper changing, and now it's really not a big deal. You get over it, eh? But that doesn't strike me as a sign of a major life change. There are the profoundly satisfying moments of connection with my new daughter as she stares into my eyes in a rare quiet-and-awake moment, and there is an awareness growing that the responsibilities for this new life will be with me for a Long, Long, Time. But fundamentally, I feel like the same me I was a couple months ago.

On the other hand, I suddenly have a lot more to talk about with other new parents. Some of my friends don't have children, and when I mention poop color or number of diapers or amount of sleep they look at me rather oddly and try to change the subject. It's easier to hang out with my friends who have children for other reasons as well--if a baby cries, we can look at each other with understanding.

I've known some single folks who look at child problems and responsibilities with a mixture of disgust and pity, so treasuring their freedom that they can't understand wanting to have a child around. But I feel that the rewards are worth the trouble, and that it isn't a sacrifice we're making but an undertaking of monumental proportions with a wonderful prize at the end. Even if that prize is only a smile, for the time being. And even if the smile came about only because of a satisfying poop. It's really only an echo of things to come, as I see it. And I don't just mean more poop, though I expect that will be along shortly as well.

Wednesday, June 02, 2004

We have a baby!

Petra Katharine Mensch was born at 7:04am at Alta Bates in Berkeley. She weighed in at 6lbs., 11oz., and is absolutely beautiful. I plan to talk more about the birth and the first years at my family blog.


Petra (aka the Menschkin) and mommy.

Sunday, May 23, 2004

"I don't care about all that environmental stuff..."


"I know that most men, including those at ease with problems of the greatest complexity, can seldom accept even the simplest and most obvious truth if it be such as would oblige them to admit the falsity of conclusions which they have proudly taught to others, and which they have woven, thread by thread, into the fabric of their lives."

- Tolstoy

I was talking with a few acquaintances about my new Prius the other day, explaining some of its features (good mileage, cool technology, etc.), when one of them said, "I don't really care about all that environmental stuff, I'm mostly concerned with saving money on gas." I had to wonder: did he really not care about the environment, or was it that he feared being considered an environmentalist by others? Has environmentalism gained an extremist liberal reputation that makes reasonable people act like closet environmentalists rather than being open about their beliefs?

It strikes me as odd not to care about "that environmental stuff." Is he breathing the same air I am? With smog a recurring problem in California and the Bay Area, air quality is hardly a theoretical problem. Is he living in the same coastal region that would be flooded if the polar ice caps melt because of global warming? That topic does seem fraught with controversy, despite the fact that it's scientifically accepted.

Why is it controversial, then? Because large companies with narrow short-term-profit agendas publicize deception and bad science, people get the impression that global warming is debatable. The PBS show Nova has an excellent web page that discusses global warming and presents both sides. Assuming the scientists who express a disbelief in global warming are sincere, it would appear that they are letting their research and even their thinking be driven by political—or simple monetary—motivations. Ironically, or perhaps appropriately, some articles that oppose the pro-environment viewpoint and call into question global warming, its causes or consequences, consider arguments on the other side to be politically motivated, but don't really give a plausible motive or agenda. What possible motivation would these researchers have for using scare tactics or proposing nightmare scenarios? These scientists are sick of being ignored and want people to pay attention to them? It's true that a kook here or there might come up with a ridiculous scenario, but I personally find the consensus of more than a thousand scientists—that global warming is a serious problem, partially caused by human activity—compelling.

It's not easy to predict how an extremely complex chaotic system will respond to large inputs of CO2, and some of the potential results are so catastrophic that even if there's only a 5% chance that something like this could happen, that's too much.

As people realize that they, in fact, inhabit the environment and depend on it for life, I sincerely hope that environmentalism will be considered centrist rather than left wing, accepted as common sense rather than relegated to the closet.

Sunday, May 16, 2004

"What do you do now that you're not working?"

Deborah and I were reading Babycenter, and this is a must read for parents and anxious parents-to-be who need a serious laugh. If you've made some really, really bad mistakes with your baby, this page will show you you're not alone.

As for us, since we don't have a baby to make mistakes with yet, it simply helped us blow off a bit of nervous anticipation about the things that sometimes DO go wrong....

Saturday, May 15, 2004

"Are you ready for the baby?"

People keep asking me this question. In some ways, the answer is yes--we've bought everything that they tell you to buy, we have space set up for changing the baby, we've looked at names. But can one ever be "ready"? I've heard over and over that everything will change, sometimes in subtle ways, sometimes in ways not so subtle, and that it's really impossible to understand what it's like to have a child until you have one.

So my question is this: How can I possibly be ready for something that's allegedly impossible to understand in advance? I've tried to prepare myself for a major change, for something that is a major life-changing event, a rite-of-passage of sorts. But beyond that, I'll just handle things as they come along; I've had good luck dealing with kids in the past, and I've decided to try to trust myself to be a good father rather than to try to worry the situation to death.

As far as being ready--regardless of whether I'm ready, the baby is going to be along any day now. The due date is May 29th; wish us luck!

Thoughts and ramblings...

I've been meaning for a while to set up a blog space online, so here goes. The opinions I post here are my own, and the content will probably be influenced by a few factors: I'm about to become a new Dad, I'm a really excellent programmer, I'm politically left leaning, and I feel that commercialism and corporate control in the US have both gone way too far. I'm a full-time computer programmer at Z-Axis (a video game company), a part-time photographer, a sometimes Linux admin (of my home system), and a full-time student of life.