Why subscribe to a newsletter you don’t read?

Why would you subscribe to a newsletter that you don’t read? I mean, maybe you intend to. Maybe it’s sitting there in your inbox unread just waiting for you to get around to it Real Soon Now. Or maybe you filter it off to some folder where email goes to die. I get that. I do that all the time.

No, what I’m thinking about is the case where an obvious spam account signs up for a newsletter. As of this writing, my newsletter has 283 subscribers — a number that has grown 27% in the past month. But only 40 people at most have ever opened it. The number of opens has stayed relatively constant even as the subscriber count has gone up.

So why do I think the accounts are spam? For one, there’s the fact that most of them haven’t opened any newsletters. Sure, maybe there’s a reason for that. But also they look…spammy. The addresses are often yahoo or other domains that have fallen out of favor. The names represented by the addresses don’t look like the names of people I know. I can’t imagine why people I do know read my newsletter, never mind why strangers would. Taken all together, I feel safe calling many of these accounts spam.

But to what end? I understand spam accounts on Twitter liking random posts in the hopes that someone will look at the profile and click a link to whatever thing someone’s trying to peddle. Or maybe follow the account and get clicks that way. That makes sense to me. But what can a spammer do with a newsletter subscription? Is it a really crappy denial of service attack? Do they hope that after a few years my subscriber list will exceed Mailchimp’s free tier? Maybe it’s done to hide nefarious activity in a flood of confirmation emails. That seems like the most likely answer, but it doesn’t seem very efficient. Then again, I’m not a spammer, so what do I know?

What if we never used the phrase “common sense” again?

On Tuesday night, I heard my local NPR station interviewing a newly-elected representative. At one point, he made some reference to “common sense” policies. I don’t even remember what they were talking about, but it doesn’t matter. When someone says “common sense”, what I hear is “I don’t have any substantive arguments in favor of my position.”

This is not unique to one political party, or even to politics as a whole. In any field, “common sense” is a shorthand for “this is the only reasonable position and you’re unreasonable if you disagree with it because I said so.” In most situations where “common sense” is deployed, reasonable people can disagree on what the sensible approach is.

In addition to silencing dissent, the phrase “common sense” also oversimplifies most issues. What seems like an obvious solution on the surface may not fit the underlying complexity. Life is rarely as simple as it seems.

If it’s really common sense, it should be easy for you to explain why. So let’s all agree to never use “common sense” again.

If everyone followed good password advice, we’d be less secure

Passwords are hard. To be useful, they must be hard to guess. But the rules we put in place to make them hard to guess also make them hard to remember. So people do the minimum they can get away with.

Earlier this week, security company Webroot took a look at the unintended consequences of password constraints. The rules organizations set in order to ensure passwords are sufficiently complex reduce the total number of possible passwords. This can make automated password guessing more

Good passwords are easy for the user to remember and hard for computers and other humans to guess. Let’s say I wanted to use a password like 2Clippy2Furious!! Various password checking sites rate it highly. It’s 18 characters long and contains upper- and lower-case letters, digits, and special characters. But because it contains consecutive repeating letters, some companies won’t allow it.

Writing for Webroot, Randy Abrams says “it’s length, not complexity that matters.” And he’s right. That’s the point behind the “correct horse battery staple” password in XKCD #936. So let’s all do that, right?

Well…it’s not so simple. If I were trying to brute force passwords, and I knew everyone was using four (or five or six) words, suddenly instead of “CorrectHorseBatteryStaple” being 26 characters, it’s four. Granted, the character set goes from 95 to (using /usr/share/dict/words on my laptop) 479,828. “CorrectHorseBatteryStaple” is many powers of 10 more secure if the attacker doesn’t know you’re using words.

And let’s be real: they don’t. This hypothetical weakness has a long time before it becomes a real concern. Don’t believe me? Just look at the password dumps when a site gets hacked. There are a lot of really bad passwords out there. If we took all the constraints off (except for minimum length), people would just use really dumb, easily-guessed passwords again. But it amuses me that if everyone followed good password advice, we’d actually make it worse for ourselves. Passwords are hard.

Sidebar: Yes, I know

The savvier among you probably read this and thought “it’s better to use a random string that you never have to memorize because your password manager handles it for you. Just set a very long and memorable password on that and you’re good to go.” Yes, you’re right. But people, even those who use password managers, will often go to memorable passwords for low-risk sites or passwords they have to use often (e.g. to log in to their computer so they can access the password manager).

The future is browseable

Browsing and searching are not the same thing. Anyone who has sat on the couch trying to figure out what to watch on Netflix knows this. With so many choices available, there’s bound to be something

Seth Godin wrote a blog post about this recently. How do we find what we didn’t know we wanted to find? We’re pretty bad at this in the digital world, but truth be told, we’re not that great at it in the offline world, either. At least, I don’t think we are.

I love going to my local library. Books smell amazing and even though I have this annoying tendency to buy a book that I know I’ll only read once, the public library’s collection dwarfs my own. But when I don’t really know what I want to read, I just sort of wander the shelves and judge books by their covers. Or their spines, in most cases.

Amazon is one of the few sites that seems to tackle this really well. Their recommendations aren’t always on the ball, but I’d rate them well overall. Having enough data to tell me what people who bought one item also bought is a huge part of making good recommendations.

I would have loved a similar recommendation engine when I was putting together my plan of study for graduate school. I essentially had the entire University course catalog at my disposal. If I could make the case to my committee that it was a good course for me to take, it was all mine. But with so many courses to choose from, how would I know what to pick? I was forced to browse manually, but a recommendation engine would have really helped.

That’s one reason I like traditional radio stations and services like Pandora: I don’t have to search. I can start with a general genre of music I want to listen to and then I get to browse. I credit Pandora with the tremendous broadening of my musical tastes that happened in the late ’aughts.

I look forward to a time when browsing is easier. Just think of the undiscovered gems we’ll find.

I (will, pending approval) have a new employer (again)

Note: this is an entirely personal post and does not represent Red Hat or the Fedora Project in any way.

This is not a repeat from August 2017: my employer is about to be acquired. The news that IBM is spending $34 billion to acquire Red Hat came as a surprise to just about everyone. As you might expect, the reaction among my colleagues is widely varied. I’m still trying to come to terms with my own emotions about this.

Red Hat is not just an employer to me. I’ve been applying for various jobs at Red Hat over the last eight years or so. When I got hired earlier this year, I felt like I had finally obtained a significant professional goal. I’ve long admired the company and the people I know that worked there. I saw Red Hat as a place that I could be happy for a very long time.

But I don’t have a crystal ball. So sometime in the second half of next year, I’ll be an IBM employee. Leadership at IBM and Red Hat have said the right things, and the stated plan is that Red Hat will continue to operate as an independent subsidiary. I have no reason to doubt that, but the specifics of the reality are still unknown. It’s a little bit scary.

It makes sense that we don’t have any specifics yet. The plans can’t really be formed until the folks who would work on them can be told. So almost everyone is just coming up to speed, and the next few months will start bringing some clarity. And even more has to wait until the deal actually closes.

My first reaction was “oh no, my health insurance is going to change again.” After having roughly five insurance plans in the last five years, the idea of updating my information with all of my providers yet again is — while not particularly difficult — kind of annoying. My second reaction was “couldn’t they have waited a few years so I could accumulate more stock?”

So what does this all mean? I really don’t know. Ben Thompson is not optimistic. John “maddog” Hall is taking a positive approach. But most importantly, my friend and patronus Robyn Bergeron is reassuring:

So for now, I’ll go about my day-to-day work. Fedora 29 released on Tuesday. We’re hard at work on Fedora 30. In a few months, I’ll know more about what the future holds. In the meantime, I’m proud to be a Red Hatter and a member of the Fedora and Opensource.com communities. Here we go!

Other writing: October 2018

Where was I writing when I wasn’t writing here?

Stuff I wrote

Red Hat/Fedora

Stuff I curated

  • Forge Your Future With Open Source — VM Brasseur’s excellent book on becoming an open source contributor is done. I reviewed this book and I can tell you it is absolutely worth a read, even if you’re an experienced contributor. Buy it on Amazon (affiliate link) or directly from the publisher.
A new triple constraint

The idea of a triple constraint is well-known, even if people don’t think of it by that name. “Fast, easy, and cheap: choose two.” In project management, the relationship between scope, cost, and schedule is sometimes called the “iron triangle”. But recently Seth Godin published a blog post that got me thinking about a new triple constraint.

“Profitable, difficult, or important?” Godin asks.

Profitable, difficult, or important—each is an option. A choice we get to make every day. ‘None of the above’ is also available, but I’m confident we can seek to do better than that.

Godin never says this, but success generally means sacrificing one of those three for the other two. Of course, you can be successful with one or none, but not more than three.

Where’s your evidence, Ben? I have none; this is a hunch. In an ideal world, your work would be all three. But the reality is that doing all three of them is exceedingly difficult. Sometimes the best way to win is knowing what you can lose.

The role of privatized weather warnings

Last week, the Washington Post’s Capital Weather Gang blog ran an article titled “U-Md. used a private company for a tornado warning. That can be problematic.” They’re right, but the point gets lost in the article. By presenting a laundry list of the times AccuWeather got a forecast wrong and ignoring missed warnings from the National Weather Service, the post ends up reading like a hit piece.

I am unabashedly a National Weather Service fanboy, but I see an important role for the private sector in the weather ecosystem. Despite my general dislike for AccuWeather, I have no problem with universities working with them. They can provide a degree of hands-on service that the NWS is not equipped to provide. This includes warning-like products to augment the NWS products.

My only objection is to the use of “watch” and “warning”. It’s hard enough to get the public to understand these terms. Adding similarly-named products from other sources will not help. A Weather-Ready Nation requires a cooperative effort between public and private sector meteorologists. Private companies are free to give their customers severe weather warnings; I just wish they’d use a different name.

You are responsible for (thinking about) how people use your software

Earlier this week, Marketplace ran a story about Michael Osinski. You probably haven’t heard of Osinski, but he played a role in the financial crisis of 2008. Osinski wrote software that made it easier for banks to package loans into a tradeable security. These “mortgage-backed securities” played a major role in the collapse of the financial sector ten years ago.

It’s not fair to say that Osinski is responsible for the Great Recession. But it is fair to say he did not give sufficient consideration to how his software might be (mis)used. He told Marketplace’s Eliza Mills:

Most people realized that we wrote a good piece of software that we sold in the marketplace. How people use that software is … you know, you really can’t control that.

Osinski is right that he couldn’t control how people used the software he wrote. Whenever we release software to the world, it will get used how the user wants to use it — even if the license prohibits certain fields of endeavor. This could be innocuous misuse, the way graduate students design conference posters in PowerPoint or businesspeople use Excel for all conceivable tasks. But it could also be malicious misuse, the way Russian troll farms use social media to spread false news or sow discord.

So when we design software, we must consider how actual users — both benevolent and malign — will use it. To the degree we can, we should mitigate against abuse or at least provide users a way to defend themselves from it. We are long past the point where we can pretend technology is amoral.

In a vacuum, technological tools are amoral. But we don’t use technology in a vacuum. The moment we put it to use, it becomes a multiplier for both good and evil. If we want to make the world a better place, we cannot pretend it will happen on its own.