Vote early (not often)

Early voting sign in Andover, Massachusetts (AP)

I just did early voting for the first time this morning. It was easier than I expected.

My town offers one early voting location, in Cary Memorial Hall. I found a parking space in front (reserved for early voters) and entered the lobby, where there were about twelve other voters reading signs and standing in line to check in. About eight more were already inside voting.

I was given a ballot and an envelope that the poll worker marked with my precinct number. I voted, then signed the envelope and wrote my address on the outside, sealing my ballot inside. I turned in my ballot to a sealed box; because the ballot was sealed, there was no scantron and no counter, so I can’t tell you which voter number I was.

From a security perspective, the voting process seems no more or less secure than regular voting. It’s possible that someone could give a poll worker someone else’s name and street address, thus blocking their attempt to vote (just as they could on Election Day). It’s also possible that someone could register under their own name and then write someone else’s information on the early voting envelope and thus invalidate both ballots. But I think both outcomes are unlikely to be practiced at scale.

Massachusetts passed legislation in 2014 requiring that early voting be offered, and this is the first presidential election in which the law goes into effect. I’m hopeful that it will spark higher turnout. I’m wearing my “I Voted” sticker with the same goal.

The day after the election?

The New Yorker: Donald Trump and the Day After the Election. This is the thing I find most horrifying about the coming election: the prospect that in his ensuing tantrum, Trump will cement what a big part of the electorate already fears, that democracy is broken. When in fact, the most probable outcome is that democracy will be proven to work.

Leonard Cohen, as usual, is way ahead of us:

Everybody knows that the dice are loaded
Everybody rolls with their fingers crossed
Everybody knows that the war is over
Everybody knows the good guys lost
Everybody knows the fight was fixed
The poor stay poor, the rich get rich
That’s how it goes
Everybody knows

But also:

It’s coming to America first
The cradle of the best and of the worst
It’s here they got the range
And the machinery for change
And it’s here they got the spiritual thirst
It’s here the family’s broken
And it’s here the lonely say
That the heart has got to open
In a fundamental way
Democracy is coming to the USA

Friday Random 5: Dry the Rain

An odd grab bag of stuff for an odd grab-bag of a day. But as the morning fog and rain burns off before the afternoon clouds roll in (feels a little like Seattle!), it’s a good day to strap the headphones on for a little Random 5.

Radiohead, “4 Minute Warning”: A song from the “Disk 2” companion to In Rainbows, it’s like a lot of the songs on that masterwork: pretty and conventional on the surface, shot full of existential dread underneath.

Nick Drake, “Know”: Speaking of existential dread, this bare guitar-and-voice track from Pink Moon carries the same emotional payload as Drake’s devastating “Black Eyed Dog,” without the comforting John Fahey-inspired solo guitar work. The repeated guitar figure comes across as accusatory and mocking as the narrator sings “You know that I love you/You know I don’t care/You know that I see you/You know I’m not there.” Is the narrator accusing? Stalking? Dead? A great track for Halloween.

PJ Harvey, “Hanging on the Wire”: Another pretty song of despair, this one from the battlefield. The technique is offputting for me, which may be why I never cottoned much to this album.

Nada Surf, “Here Goes Something”: Lovely, optimistic track from an album I’ve slept on a bit. Lucky isn’t as unabashedly brilliant as Let Go or The Weight is a Gift but there’s some really good stuff on it.

The Chieftains & Kevin Conneff: “The Green Fields of America”: No, I know. But come back. This isn’t the typical Chieftains track, heavy with tin flute and bonhomie (though I like a lot of those tracks too). This is a solo song by Kevin Conneff about the Irish immigrant experience, and it’s totally devastating. Must listen.

The Airport years

I installed a new Airport Extreme (6th generation) on our home network yesterday. We haven’t run Cat5 through our whole house the way we did in Arlington, so our primary FiOS WiFi router has to live in the basement right next to the FiOS network box, and its signal is unacceptable in about a third of the first floor and almost all of the second.

We had been limping along with an Airport Express in the upstairs bedroom as a second network, but it didn’t really have enough signal strength to solve the problem. I experimented with substituting in our old Airport Extreme (dating from around 2007), but it had weird range problems, with range and signal strength dropping unexpectedly. So we decided to bite the bullet and get a new router.

Man, am I glad we did. The range and speed from the new router are incredible; I even get WiFi out at the kids’ bus stop now. And things that used to give the old network fits, like running the microwave, are no longer an issue.

I was talking about it with Lisa last night and we realized that we bought our first AirPort router before most of the planet had WiFi. We had the original “flying saucer” model back in the fall of 2000—so long ago, the base station had a dial-up modem in it. We’ve come a long way.

What is free?

My company, Veracode, published our most recent State of Software Security Report yesterday (disclaimer: I’m one of the authors). The report mines data from hundreds of thousands of application scans to paint a picture of the risk profile of software.

This year we included data on risk from open source components. The idea is that it’s common, especially in Java development but also in JavaScript, Python, PHP and other languages, to use libraries and frameworks that were developed by the open source community for certain foundational parts of the application’s functionality. Why write a new object persistence layer (to pick one example) when you could simply use a free off-the-shelf one and focus on writing the actual behavior of the application?

Turns out there’s one major issue with this approach: all software, even open source software, is buggy, and some of those bugs are vulnerabilities: they can be exploited to compromise the confidentiality or integrity of the data the application accesses, or impair the availability of the application itself. And widely shared components create a big target of opportunity for attackers, who can focus on finding vulnerabilities in the shared components for a payoff of attacking hundreds or thousands of applications.

The open source community generally stays on top of fixing these vulnerabilities as they’re discovered. Look at any popular Java framework like Struts or Spring—you’ll see dozens or hundreds of point releases fixing all sorts of defects, including security vulnerabilities. So what’s the problem?

The problem is that developers don’t upgrade to newer versions of the components they use. From the developer’s perspective, there’s almost zero benefit, and a high downside, to a component upgrade: it takes time out from developing features that the business has asked for, and there’s a non-zero risk that upgrading the component will break functionality in the application. From their perspective, the possibility of a hack via the component is remote, so the upgrades don’t get done.

This attitude makes sense in the short term, but in the long term is fatal for security. Because vulnerabilities do get found in older components. The best description I’ve heard of this phenomenon comes from Josh Corman (who says he heard it from someone at Microsoft): “Software doesn’t age like wine, it ages like milk.” As developers widely adopt components, the attack surface for newly discovered vulnerabilities in those components becomes broad indeed.

It’s not open source’s fault, but I do think it reflects a misunderstanding of the cost/benefit analysis for using open source. Yes, open source is free of commercial licensing fees, but it is not free of downstream maintenance costs. It’s as if someone gave you a car. Just because it’s free doesn’t mean you don’t have to periodically change the oil.

Likewise, developers who adopt open source components should set expectations with the business that they’ll need to reserve some of their development time for basic maintenance, like component upgrades. Doing so proactively helps improve predictability—and avoid the likelihood of having to do an emergency update that disrupts the roadmap.

Hacking away

It was an incredibly busy last couple of days, to the point where I couldn’t even think at some points. The older I get the more I learn things about my cognitive style. Things like: there’s a point beyond which I can’t multitask any more, where adding additional things to the “to do” list simply adds anxiety. Where the startup time for thinking about any additional item is more than the time allotted to work on any small item.

I don’t know when my multitasking muscles got so flabby.

It’s Veracode’s Hackathon, meaning Thursday and Friday (and Monday) we all are encouraged to work on something outside our normal work responsibilities, whether for fun or for something that moves the company forward or both. There have been patents and product features that have come out of these hackathons, as well as … more explosive experiments.

But this afternoon is the best part of it, when I get to bring my kids to the office to work on their own hacks. When my daughter was six she made LED throwies; there have also been programming classes and giant fort construction events. I hear tell there might be an egg drop this afternoon. Can’t wait.

“Uncontrollable innovation”

New York Times: Why Samsung Abandoned Its Galaxy Note 7 Flagship Phone. Like John Gruber, I am curious about the closing quote, from Park Chul-Wan, the former director of the Center for Advanced Batteries at the Korea Electronics Technology Institute:

“The Note 7 had more features and was more complex than any other phone manufactured. In a race to surpass iPhone, Samsung seems to have packed it with so much innovation it became uncontrollable.”

Uncontrollable innovation? That’s an interesting claim.

I think the thing that’s forgotten here, as in so much of the smartphone feature war, is that features aren’t useful if they can’t be used, or safely manufactured, or if they don’t meet a customer need.

It doesn’t sound to me like the problem was out-of-control innovation. It sounds to me like the problem was an engineering culture that created a product that was untestable, and a management culture that made it impossible to react rapidly to new developments in the marketplace.

Hacking the legal system for reputation repair?

Eugene Volokh and Paul Alan Levy, Washington Post: Dozens of suspicious court cases, with missing defendants, aim at getting web pages taken down or deindexed. Brilliantly slimy hack of the legal system and search engine infrastructure. Google won’t take down search results without a court order? Sue an imaginary defendant with a similar name, get him to settle, and use the settlement to get the pages taken down.

Rehashing the Brahms

Photo courtesy Boston Symphony

This performance of the Brahms Requiem was unique in a lot of ways for the TFC: luminous piano and pianissimo singing, intricate moving lines, and of course our hashed formation. I thoroughly enjoyed singing Saturday but had some difficulties on Thursday and Friday; I think the novelty of singing hashed made it challenging for me to relax sufficiently to provide the right level of vocal support for piano singing, and as a result I had tightness of the voice that affected my high range. But all’s well that ends well, right?

Review time! Generally the reviewers were receptive to our hashed approach, with one significant exception.

David Weininger for the Boston Globe, “BSO stages fruitful dialogue between past and present”:

The Tanglewood Festival Chorus, prepared by guest conductor Lidiya Yankovskaya, generated plenty of power but didn’t exhibit the kind of precision and command evident in previous performances. There were messy entrances, unsteady pitch, and blurry diction. The dynamics were mostly limited to loud and soft, without much middle ground, and balances between chorus and orchestra were sometimes askew.

Georgia Luikens for the Boston Musical Intelligencer, “Widmann and Brahms Obsess Over Death”:

The Tanglewood Festival Chorus, expertly prepared by Lidiya Yankovskaya, brought out this humanism. From the opening “Selig sind…”, the propulsive certainty of faith and hope kept growing. This nuanced take included polished solos from baritone Thomas Hampson and soprano Camilla Tilling. The special qualities are rather difficult to quantify; it goes beyond great musicians making great music. Rather, there was a meditative quality to the more circumspect passages. While the first half of the fourth movement was glorious, the true range of the TFC emerged in the sixth movement, “Oh death where is thy sting?” where the full power and force of this mighty chorus came into full cry. Any choir can sing loudly, but even in the most fortissimo passages, this choir enunciated with precision and control, yet they never lost sight of the narrative.

Aaron Keebaugh for Boston Classical Review: “Nelsons, BSO explore contrasting takes on the eternal from Widmann and Brahms”:

The heroes of this performance were the singers of the Tanglewood Festival Chorus. Prepared by Lidiya Yankovskaya, the ensemble found the soft elegance and stirring emotionalism of Brahms’ score. There were a few tentative moments in the final chorus “Selig sind die Toten,” where the soft passages suffered from some unfocused attacks. But elsewhere the ensemble sounded at its full, resonant best, singing with warm buttery tone in the most famous movement, “Wie lieblich sind die Wohnungen,” where the serpentine lines crested and broke over one another like waves.

Jonathan Blumhofer for Arts Fuse Boston: “Concert Review: Boston Symphony Plays Widmann and Brahms at Symphony Hall”:

The biggest reason for this owes to the excellence of the TFC’s singing throughout the evening: it was warm, focused, and perfectly blended. Excellently prepared this week by Lidiya Yankovskaya and singing with the music in front of them (a departure from the John Oliver days of total memorization), the Chorus sounded notably confident and, even if enunciations of certain words (like “getröstet” in the first movement) were, to begin, questionable, the group gained in Germanic fluency as the piece progressed.

Cocktail Friday: The Farmer’s Daughter


This week’s Cocktail Friday post is a day late, but better late than never. I want to talk about three things today: this cocktail, applejack, and recipe sources.

The Farmer’s Daughter also goes by the name of the Honeymoon, and a fine cocktail for an autumn evening it is, with the apple playing nicely against the Curaçao (not blue Curaçao) and the sweetness alloyed by the lemon. It’s what the doctor ordered and a lovely way to use applejack.

Speaking of which: what is applejack anyway? Time was, you wouldn’t have had to ask that question. Because it was easy to make from cider, it was a hugely popular colonial beverage and was made throughout the colonies, though Laird & Company, the oldest licensed distillery in the United States, was the main source for years. Their applejack was so well known, George Washington is said to have asked Robert Laird for the recipe. (Ironically, while it was originally distilled in New Jersey, they now source the apples and make the product right in the Shenandoah Valley of Virginia.)

This brings us to the last point: sources. Most days you’ll see me post recipes from a variety of sources, but I often find my way to a cocktail recipe through one of a few iPhone apps. This one was indexed in Martin’s New and Improved Index of Cocktails and Mixed Drinks, a fantastic app that not only has thousands of recipes but also tells you which of them you can make with the stuff in your bar. The recipe also pointed to one of my favorite non-digital sources of cocktail lore, Ted Haigh’s Vintage Spirits and Forgotten Cocktails, pictured above. I won’t say it’s the most essential cocktail book you’ll ever own, but for sheer pleasure of reading and thoroughness of research it’s well worth it.

As always, if you want to try the recipe, here’s the Highball recipe card. Enjoy!


Our brickbuilt future

Fan-built massive Lego spaceship from BrickCon 2016; photo courtesy Tom Alphin/Flickr

Having fun paging through Tom Alphin’s photos from Seattle’s BrickCon 2016. I think if you had shown me this much Classic Space LEGO in one place as a kid, my head would have exploded.

Is that a Lego wave motion gun on that thing in the background? I’d love more pictures of it.