Heartbleed and You: Nontechnical Summary

If you work at a technology company and have seen a lot of ragged faces today on whoever is responsible for your company's security, there's a good chance that CVE-2014-0160 is to blame. Better known as The Heartbleed Bug, this security vulnerability is a bug in a software library called OpenSSL that is the centerpiece for a lot of the secure communication that happens on the internet.

I thought it'd be helpful to put out a quick and dirty bullet-point summary for non-technical users, so you can understand what's going on, how it affects you, and what you can do to protect yourself. So, here we go:

  • Heartbleed is a bug in software used to secure a lot of communications on the internet, including those you make to websites like Google, Facebook, your bank, your VPN connection to work, etc.
  • As a result of this bug, someone could read information off the computer providing that service (e.g. your bank's web server). They could also obtain a particular piece of information that gives them the ability to read all communication with that server in the future, too. This piece of information is called the private key.
  • As a result of this discovery, two things are happening across the internet. First, servers are being upgraded with new versions of the relevant software to eradicate the bug. Second, system admins are generating new private keys and certificates to go with them. Once these are in place, a private key that some malicious person may have obtained will no longer do them any good: new communications will use a new key.
  • Various websites will be advising you on how you should protect yourself. Some will advise you to change your password. Two-factor authentication - where, to log in, you're required to have both your password and a code generated on your phone - will protect you even more. Evaluate what changes you need to make on a case-by-case basis.
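The two remediation steps in the list above (patch the software, then rotate keys and certificates) are what a practitioner would check on their own servers. The following checker is an added example and not part of the original post: it classifies an OpenSSL version string (the vulnerable range is 1.0.1 through 1.0.1f plus 1.0.2-beta1; 1.0.1g fixed the bug, and the 1.0.0 and 0.9.8 branches never had it) and uses the certificate's validity start as a proxy for "has this certificate been reissued since disclosure". The hostnames, version strings and dates below are constructed sample inputs.

```python
import re
from datetime import date

# Public disclosure date of CVE-2014-0160 ("Heartbleed"); certificates whose
# validity starts after this date are treated as reissued post-disclosure.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)

# Matches strings such as "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g" or "1.0.2-beta1".
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, beta) from an OpenSSL version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, beta


def is_heartbleed_vulnerable(version_text):
    """True for OpenSSL 1.0.1 through 1.0.1f and for 1.0.2-beta1.

    1.0.1g shipped the fix; the 1.0.0 and 0.9.8 branches never contained the bug.
    """
    parsed = parse_openssl_version(version_text)
    if parsed is None:
        raise ValueError("not an OpenSSL version string: %r" % version_text)
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"      # plain 1.0.1 and a..f are vulnerable, g onward are fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == "beta1"   # only the first 1.0.2 beta carried the bug
    return False


def cert_reissued_since_disclosure(not_before):
    """True if the certificate's validity period starts after public disclosure."""
    return not_before > HEARTBLEED_DISCLOSED


def remediation_status(version_text, cert_not_before):
    """Summarise the two steps from the post: patch first, then rotate keys/certs.

    Returns "unpatched", "patched-old-cert" or "remediated".
    """
    if is_heartbleed_vulnerable(version_text):
        return "unpatched"
    if not cert_reissued_since_disclosure(cert_not_before):
        return "patched-old-cert"
    return "remediated"


# Constructed sample inventory (hostname -> (version banner, certificate notBefore)).
# These are not real hosts; the banner is what `openssl version` or a server
# header would report.
SAMPLE_HOSTS = {
    "bank.example": ("OpenSSL 1.0.1e 11 Feb 2013", date(2013, 6, 1)),
    "shop.example": ("OpenSSL 1.0.1g 7 Apr 2014", date(2013, 6, 1)),
    "mail.example": ("OpenSSL 1.0.1g 7 Apr 2014", date(2014, 4, 9)),
}


def audit(hosts=SAMPLE_HOSTS):
    """Return {hostname: status} for every host in the inventory."""
    return {host: remediation_status(ver, nb) for host, (ver, nb) in hosts.items()}


if __name__ == "__main__":
    for host, status in audit().items():
        print(host, status)
```

Two caveats the post's bullets imply but don't spell out: a certificate date is only a proxy, because a certificate can be reissued over the same (possibly compromised) key, so the key itself must be new; and a host that never ran a vulnerable version has nothing to rotate, which a date check alone cannot tell you.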

So, there you go. That's your quick summary of what's been going on in Internet land for the past 24 hours. As a side note, Anchor Tab's servers were all upgraded last night shortly after I found out about the bug. I'm currently generating a new SSL certificate for the site, and hope to have it in place in the next few hours.

Now go give your nearest system administrator a hug.

March 2014 GAODP Update: Announcing Scorecard

Greetings friends. This is the March 2014 update for the Georgia Open Data Project.

For those of you who are unaware, last summer I started the ball rolling on this project, called GAODP for short, which is engineered to open up data about the state and local governments in the State of Georgia. Underfunded technology departments and a need to focus on more pressing matters of government often mean that data about the state and its municipalities is very difficult to get your hands on in a form fit for data analysis. So we took matters into our own hands. Earlier this year we launched an API for the Georgia General Assembly. News flash: we're not stopping there.

This month's update includes a few interesting tidbits. In summary:

  • Announcement of our first user-facing website: Scorecard.
  • Announcement of our new logo!
  • General news about GAODP.
  • A short anecdote about why what we're doing matters.

Feel free to skip ahead if any section starts to bore you. You won't hurt my feelings. Let's get started.

Announcing Scorecard

First up! It is with pride that today I announce the first application built with our General Assembly API. The GGA Scorecard.

A screenshot of the GGA Scorecard application.

The GGA Scorecard is a simple, in-browser application that allows you to view the voting history of each member of the General Assembly organized by how they voted. Want to know what a particular member has been for or against during their tenure in the General Assembly? Here's your resource for finding that information. Additionally, for each vote we provide a link to the details of the vote on the General Assembly's website so you can get more information.

Oh, by the way, it also works pretty well on phones, too.

You'll notice that, despite its name, Scorecard doesn't actually score or rank members of the General Assembly. The true score of any member of a legislative body is always determined by looking at how they voted on what. How you interpret that information determines their score. So, in a way I've opted to solve the general problem here, and provided you with a scorecard of sorts that works for everyone: the trick is you get to determine whether a particular vote adds or subtracts from their score.

This is a very basic, but powerful, example of what is possible as a result of the effort put into the GGA-API. Information that was not easily retrievable from the General Assembly directly is now easy to find through us. This application took me four hours on a Saturday afternoon to build. Using the data sources provided by the General Assembly directly it could have easily taken weeks.

I hope for two things with the release of Scorecard: First, that people would find it useful. Second, that it would inspire people to build other great things with the data sources we're cultivating at GAODP.

We Have a Logo!

After months of being without a brand of any kind, the gracious Andi Mints was kind enough to lend some visual finesse to our humble effort. Ladies and gents, I present the official mark of the Georgia Open Data Project.

If anyone is looking for someone to do some branding work for them, I highly recommend Andi. I'm thrilled with the work she's done for us, and she's a joy to work with.

General News

Next I wanted to take a minute to give a few brief updates on what's new at the Georgia Open Data project. I'll keep these short and sweet.

  • Known Issues in the GGA-API: There will always be defects, issues, and shortcomings in any data source. Here are a few key pain points we're seeing as of March 2014. Please chip in if you think you could tackle either of them!
    • House Votes aren't auto-importing. This is likely related to the fix for Senate votes that I mentioned below. I've already spent some time working on this without any workable solution. It's next on my bug hit list.
    • We need some sort of automated heuristics to detect import faults. Right now, the only way we find out that imports are broken is someone tells us. We need to implement some sort of automation that sends off emails when things on the GGA-API server look suspicious (e.g. no data for a particular category for a few days).
  • We now have a Twitter account! You can follow us on Twitter. We're @gadop. The account will be tweeting as changes are made to our code and as we have announcements relevant to the project.
  • GGA-API supports JSONP. This is a bit technical, but if you're looking to integrate GGA-API with an app on your server, you can now do so using the JSONP method. Just add a callback query parameter to any request. This change was introduced in d38a95d83f.
  • Member votes are now partially denormalized. You get some basic details about each of the votes the member participated in. We did this primarily for Scorecard's benefit, but we thought others would find it useful as well. You can get the old behavior back by adding normalize=1 onto the end of your query. This change was introduced in e040062839.
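Since the JSONP support above turns an API response into a script that the caller's browser executes, the one thing a server must never do is echo the callback parameter back unvalidated. The handler below is an added example (not GGA-API's own code, whose language and implementation the post does not show) that renders either plain JSON or a JSONP wrapper, allow-listing the callback name so the body can only ever be `<identifier>(<json>);`. The parameter name `callback` comes from the post; the payload and query strings are constructed samples.

```python
import json
import re
from urllib.parse import parse_qs

# Allow-list for JSONP callback names: a dotted JavaScript identifier path such
# as "showVotes" or "app.callbacks.onVotes". Parentheses, quotes, semicolons and
# angle brackets are all rejected, so the response can never carry other code.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")


class BadCallback(ValueError):
    """Raised when the callback query parameter is not a plain identifier path."""


def validate_callback(name, max_len=64):
    if not name or len(name) > max_len or not _CALLBACK_RE.match(name):
        raise BadCallback("invalid JSONP callback name")
    return name


def render_response(payload, callback=None):
    """Return (content_type, body) for a payload, wrapped in a callback if one is given."""
    # json.dumps with the default ensure_ascii=True escapes U+2028/U+2029, which
    # would otherwise terminate a JavaScript string literal inside the wrapper.
    body = json.dumps(payload)
    if callback is None:
        return "application/json", body
    name = validate_callback(callback)
    # The leading "/**/" comment is a common hardening step for JSONP endpoints:
    # it stops the response from being interpreted as a different file type by
    # plugins that sniff the first bytes of a response.
    return "application/javascript; charset=utf-8", "/**/%s(%s);" % (name, body)


def handle_request(query_string, payload):
    """Simulated HTTP handler: returns (status, (content_type, body))."""
    params = parse_qs(query_string)
    callback = params.get("callback", [None])[0]
    try:
        return 200, render_response(payload, callback)
    except BadCallback:
        return 400, ("text/plain", "bad callback")


if __name__ == "__main__":
    # Constructed member-vote payload; a real response would be larger.
    sample = {"member": "example-member", "votes": 2}
    print(handle_request("callback=showVotes", sample))
    print(handle_request("callback=alert(1);//", sample))
```

Returning `X-Content-Type-Options: nosniff` alongside the JavaScript content type is the usual companion to this validation; the simulated handler leaves headers other than the content type out for brevity.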

Why We're Doing GAODP

It occurred to me not long ago that there are a handful of people who are following along with GAODP who don't quite understand it. So, I wanted to take a minute to share with you an explanation of why I started GAODP and why you haven't, and likely won't, see many flashy whiz-bang new things geared towards end-users from me personally.

This month it came to my attention that State Senate votes were not being imported from the Georgia General Assembly's servers. This is a huge chunk of data to just go missing. After doing some digging I found that the endpoint (the source of data) on the General Assembly's servers required me to ask for a specific branch's votes. If I didn't mention a specific branch, it would just give me votes from the House of Representatives without indicating that something was wrong.

So no big deal, I think. I'll just add something that asks for each branch and then I'm done. So I did. Then it still didn't work. Regardless of what branch I asked for, I always got House votes. After about five hours I found out what was wrong. In the request that I sent to the General Assembly's computers, I was specifying the ID of the legislative session followed by the branch that I wanted data for. Their systems require me to specify the branch before the legislative session ID, or they just send me House votes.

This is the sort of nonsense that will send developers into a rage quicker than a red sheet will a bull. In the list of things that shouldn't matter in 2014 THE ORDER IN WHICH I SEND THINGS IN A REQUEST RANKS PRETTY HIGH. To make matters worse, it now looks like House votes are no longer being imported correctly. So, in pushing a quick fix for the Senate bug, I broke House imports.
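The failure described here (the upstream endpoint silently answering with House votes whenever the parameters are in the wrong order) is exactly the kind of import fault the "General News" section above says GGA-API has no automated way to detect. The following is an added example, not GGA-API's own importer: it builds the query with the branch first using an explicit, ordered list of pairs, checks that the records that come back actually belong to the branch requested, and applies the "no data for a category for a few days" heuristic the post asks for. The parameter names `branch` and `session`, the record fields and the per-day counts are all hypothetical constructed samples; the post does not name the real ones.

```python
from datetime import date, timedelta
from urllib.parse import urlencode


def build_votes_query(branch, session_id):
    """Build the upstream query with the branch before the session ID.

    A list of pairs rather than a dict keeps the order explicit, since the
    endpoint described in the post depends on it. Parameter names are assumed.
    """
    return urlencode([("branch", branch), ("session", session_id)])


def check_branch(requested_branch, records):
    """Detect the silent-fallback fault: records from a branch other than the one asked for."""
    wrong = [r for r in records if r.get("branch") != requested_branch]
    return {"ok": not wrong, "requested": requested_branch, "unexpected": len(wrong)}


def stale_categories(counts_by_day, today, quiet_days=3):
    """Return categories that imported zero records on each of the last `quiet_days` days."""
    window = [today - timedelta(days=i) for i in range(quiet_days)]
    stale = [cat for cat, per_day in counts_by_day.items()
             if all(per_day.get(d, 0) == 0 for d in window)]
    return sorted(stale)


# Constructed upstream response: a Senate request that came back with House votes.
SAMPLE_RESPONSE = [
    {"id": 1, "branch": "House", "bill": "HB 907"},
    {"id": 2, "branch": "House", "bill": "HB 1"},
]

# Constructed per-day import counts per category.
SAMPLE_COUNTS = {
    "house_votes": {date(2014, 3, 10): 40, date(2014, 3, 11): 0,
                    date(2014, 3, 12): 0, date(2014, 3, 13): 0},
    "senate_votes": {date(2014, 3, 11): 12, date(2014, 3, 12): 15, date(2014, 3, 13): 9},
    "bills": {date(2014, 3, 13): 3},
}


def run_checks(today=date(2014, 3, 13)):
    """Return the alert lines an import monitor would email out for the samples."""
    alerts = []
    result = check_branch("Senate", SAMPLE_RESPONSE)
    if not result["ok"]:
        alerts.append("branch mismatch: asked for %s, got %d other-branch records"
                      % (result["requested"], result["unexpected"]))
    for cat in stale_categories(SAMPLE_COUNTS, today):
        alerts.append("no imports for %s in the last 3 days" % cat)
    return alerts


if __name__ == "__main__":
    print(build_votes_query("Senate", 23))
    for line in run_checks():
        print("ALERT:", line)
```

The branch check is the important one: a count-based heuristic alone would have reported the House import as healthy for as long as the Senate job kept filing House votes under the wrong category.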

This is exactly the sort of nastiness that we hope to alleviate for people who are interested in writing applications that use data from the Georgia General Assembly. I hope that by giving people an easier option and lowering the barrier to entry that more people will choose to spend a few hours building something interesting with it. I hope that using data about the activities of the Georgia General Assembly will be easy for people who build software. Because my time is limited, I will continue to focus my efforts on making that dream - that level of data accessibility - a reality.

As of today if you understand some JavaScript and have a few hours you can build something that produces useful, actionable information for voters. Such a low barrier to entry for building applications that use this data is a big deal, and I can't wait to see what you do with it.

Service Protection Plan

Last week I found out there was a $4 charge on my bill under the TV category titled the "Service Protection Plan." According to the Comcast site, it seemed to be related to maintenance of wiring. That seemed wrong, because it seemed to me that sending someone out to investigate wiring issues is something covered by my monthly service fee. Turns out I was wrong. I can either pay $4/mo or pay $60 per visit.

What a farce.

At some point there's going to be a startup that starts eating the lunch of companies like Comcast. I don't know what their tech will be or how they'll get around the current local monopolies that are in place for cable and phone companies. But I do know what it will be that differentiates them from the old guard.

They'll understand customer service.

End of song.

Georgia House Bill 907

At the end of January, Creative Loafing published an article about taxi companies who were unhappy that Uber and Lyft are able to skirt around requirements that taxi companies have been required to adhere to for years ("Atlanta's taxi industry declares war on Uber, Lyft"). At the start of February, House Bill 907 was introduced in the State House of Representatives. Ultimately, this bill would require Uber, Lyft, and other similar services to be party to the same medallion system that, in my opinion, is broken.

The current medallion system is a relic of an age before GPS tracking, comprehensive background checks, and the ability to request a specific driver using a handheld device connected to the internet. It introduces artificial scarcity because the city of Atlanta only issues a fixed number of medallions, and all of those have been issued. (There are some the city is holding onto, but it doesn't intend to let them go.) Page two of the CL article goes into it in more depth, but the implementation of this bill would result in shutting down Uber and Lyft in Atlanta.

This afternoon, I wrote an email to my State Representative to express my disagreement with the bill. That email is reproduced below with the representative's name and my address removed. If you, like me, disagree with the implementation of this bill, I encourage you to do the same.

Below is my email.

Dear Representative ________,

My name is Matt Farmer. I’m a constituent in the district you represent in the Georgia House of Representatives. I’m writing you today to discuss House Bill 907, introduced earlier this month.

This bill, as I’m sure you’re aware, would require services such as Uber and Lyft to be held to the same expectations as Taxi companies. I am sympathetic to the plight of the taxi companies. The way medallions are managed in the City of Atlanta makes their job more difficult than it has to be, and it’s frustrating to find that a competitor has come in and found a way around those restrictions. However, HB 907, which seeks to solve this by expanding the broken system, isn’t the answer.

Ultimately, my issues with the bill are as follows:

  • The Taxi companies, despite what they say, do not seem to provide the same quality of service as Uber and Lyft. I believe I can receive a higher quality of service, a cleaner car, and a more friendly experience from the drivers those companies employ than I can from any of the taxi services in Atlanta.
  • HB 907 expands a broken system based on the artificial scarcity of medallions, placing a “first-come first-served” dynamic on the free market. This principle will stifle innovation and ultimately hurt the market as a whole.
  • Taxi companies argue that new car services are less safe than their taxi alternatives. As someone working in the technology industry, I have no reason to believe this is the case. If anything, I find them to be more safe. Drivers for these services are constantly monitored via GPS with a high degree of accuracy while they’re on the clock. They are background-checked, and insured.
  • Only one sponsor on the bill lives inside the perimeter of Atlanta (Representative Oliver of the 82nd). The rest of the sponsors, including Representative Powell, are from areas not serviced by these companies. Not having constituents who live in the urban Atlanta area means they are not accountable to the people who this bill will affect the most.

An honest conversation needs to happen about whether or not the restrictions that were placed on car services in the past are still needed for the safety of the public. In a day and age where I request a car, can see that car on a GPS as it arrives, and see the picture and name of my driver, am I more likely to be the victim of a crime? Or, by no longer hailing the first car that happens to drive by, have we eliminated the danger that medallions and other regulations were intended to protect us from to begin with?

I would argue that we have, but regardless it’s a discussion worth having on a broader level. And, after that conversation, we then have the opportunity to have the discussion over the best way to protect the public while allowing the most amount of free market competition. But I don’t think any system based on an artificial scarcity is the one that’s the best for our market, and the expansion of such a system can only be harmful.

Sincerely yours,

I will post here if I get a response that's interesting from them. Please encourage your representatives to strike down this law as well. Let's do a solid for Uber and Lyft. They've done a solid for us by showing us that grabbing a ride in a city where we do too much driving on our own doesn't have to suck.


It Doesn't Matter If There's a Bubble

There's a new four letter word in the technology world these days, especially around startups: bubble. David Pollak is a colleague of mine who I deeply respect. We work together on a few different projects, including Lift. Last summer, he had the following conversation on Twitter:

This past week I got to spend a few days at An Event Apart Atlanta. I hope to write up some useful thoughts from my time there soon, but during the conference I started following Jared Spool on Twitter. (Long overdue, I know.) Jared is a pioneer in the area of usability and design. For my non-technical readers, that means he's one of the people influential in encouraging designers and engineers to build products in such a way that you don't hate them (more than you already do).

Jared had this commentary in response to the WhatsApp acquisition by Facebook:

This actually sparked a few heated conversations, including contributions from Luke W, another one of the speakers at AEA Atlanta. You can read the threads branching off from Jared's tweets here and here. I'm not sure whose numbers are correct (I'd like to assume Reuters, but meh, mainstream media), but either way the number is pretty large. Facebook is the same company who, not too long ago, purchased Instagram for $1 billion. There are plenty of people who advocate for these acquisitions. There are plenty of people who balk at them. The thing that rubs me is that this isn't just a story of one company that has gone on a spending spree.

I generally give companies the benefit of the doubt in these cases. It's a poker game of sorts, and I choose to assume they've got reason to believe a full house is coming on the river and that, if it doesn't, they already have the two pair. What concerns me is that Facebook's story as of late isn't unique. Today, Simple was acquired by BBVA. This is one of the acquisitions that does make sense, and while the price tag also seems high, it's not entirely unreasonable. But then I look at Atlanta favorite Pardot, which has changed hands not once but twice: once when Pardot was sold to ExactTarget and once when ExactTarget was sold to Salesforce. Oh hey, by the way, Salesforce took out a loan to make that happen.

It's no secret to anyone following this blog that I have some pretty strong feelings about startup culture and entrepreneurship. I need to reread some of the things I write periodically to remind myself that these things matter to me, because it's easy to get absorbed in my day-to-day. I'm still playing in the kiddie pool of entrepreneurship, but I don't kid about wanting to be involved in home grown businesses in Atlanta that are in it for the long haul. One major reason for that is this: companies who are successful over longer periods are an indicator of stability. Contrary to that, lots of companies changing hands and companies changing hands multiple times in a year are signs of instability.

Now, instability isn't always bad. I'm no economist, but I can see that in controlled doses it's actually quite beneficial both on an individual level and a collective level. It's a byproduct of a free market. What concerns me, not being an economist, is when I see price tags in multiples of billions for companies like WhatsApp and Instagram. I get that "the answer" is they're buying access to the users for ad purposes, but I've run enough products to know that you also get a lot of leeches who will never click an ad. (I'm one of them.) I know that, and I just think "there's no way their users are worth that number." It would seem I'm not the only one.

Once again, I'm not an economist. Neither is David or Jared, to my knowledge. It's entirely possible "bubble" isn't the correct technical term for what we're seeing in these acquisitions. But for me, personally, that matters very little. What matters is the level of instability that I perceive and where that level sits in relation to the level that I think is safe. I'm equally vulnerable to pay cuts and down sizes if there's an acquisition in Silicon Valley that goes bad. So when I see these deals being cut left and right, I start to get a little apprehensive because in my head it becomes less a matter of if a deal goes bad, but when. Then, suddenly, I'm far more likely to check on my hand of trip jacks than I am to raise.

No matter how you slice it, going to work for any new company requires tolerating a certain degree of risk. When it's a company younger than 2 years, you can multiply that by about 2 for a normal person and about 10 for a person like me. In my head, it was quite a lot of risk to go work for OpenStudy, the first startup I worked at. I don't regret a minute of it to this day. I have taken that leap of faith since and will do it again for the right opportunity. Unless, of course, there are exacerbating circumstances that amplify my perception of risk. Say, oh, I don't know... let's just pull an example out of thin air here... acquisitions with a price tag I can't quite wrap my head around, perhaps? Yeah, that might do it.

Here's the deal, whether or not we're in a bubble is an economic point worth debating in the court of economics. But much like a court of law, there's a difference between what the people who are experts on the subject think and the court of public opinion. When I see people, deeply intelligent leaders in this industry that I hold in high regard, expressing doubt, even if halfway in jest, over the stability of the industry we're working in - I start to arch my eyebrow up a few more inches. It doesn't help that I've already had the thought myself a few times before I read these tweets. The longer that doubt percolates and spreads, the more people who may decide to avoid the risk. If that number grows high enough, things get interesting. Unfortunately it won't be in a "Man, I want to watch that movie again" kind of interesting.

Today there is already a disparity between the demand for engineers and the supply of them. This is true especially in startups, which tend to be more picky. If that supply fluctuates enough due to engineers (like myself) feeling there's more risk than they'd like to accept, the falling supply could force companies to pay money they don't have to get any engineers, making them, in turn, appear less likely to pay back loans or investors when you look at their balance sheet. Which could, in turn, lead to the very effect we'd fear from a bubble: an industry-sweeping devaluation. (This is, of course, assuming Congress doesn't screw the entire US economy, which may not be a safe bet either.)

So, by now you may have an idea of where I'm going. I think the headline of this post sums it up best in one sentence: It doesn't matter if there's a bubble. It does matter that the people who are working in the industry are perceiving instability, it's making them nervous, and the counterarguments they're being presented aren't calming that nervousness.

The truth is the situation I've described above was a bit dramatic and would be a perfect storm, but it wouldn't be the first one we've faced as an industry or as a country. If we want to avert it, the companies making these moves need to figure out how to stop giving industry professionals the impression of an irresponsible young teen with their first credit card. I, and others, have yet to be convinced this isn't the case.

You may be right. There may be no bubble, for some technical definition of the word. But feeding me a surface-level marketing argument or just saying "No, there is no bubble" doesn't convince me there isn't something wrong. I still think there's something that smells, and that smell is going to make me a bit uneasy until its origin is discovered or it goes away. Right now that level of unease is only so high that I'm just writing about it, but if companies don't soon figure out a way to satiate our desire for a good explanation as to how these numbers make sense, they might find it impossible to do later on. Engineers who would be perfectly willing to be brave under other circumstances might decide to play it safe. Then we might all be holding a four high anyway, a hand born entirely out of a nervous perception rather than an actual problem.