Other writing: February 2024

Posted on March 7, 2025 by Ben Cotton

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

Open source projects don’t exist separately from the outside world — You do your community a disservice when you treat open source as a noble pursuit that’s separate from the noise of daily life.
Prioritizing your tasks with the Eisenhower Matrix — The Eisenhower Matrix is a simple framework for prioritizing your tasks by determining a task’s importance and urgency.
Improvement requires context — If you swoop in uninformed, you might make some correct decisions, but you’ll probably make more wrong ones. (I’m looking at you, Elon.)
Every project is a software project — It’s a good reminder that our audience is broader than we might think and we should act accordingly.

Kusari

Alarms Raised by Critical Reverse Backdoor Vulnerability in Medical Devices (ghostwrite) —Medical monitors have critical security flaws, allowing unauthorized code execution and patient data leaks.
Unpacking the Kusari Score (ghostwrite) — Cut through the noise to prioritize which vulnerability gets fixed next.
Unpacking the Kusari “Effort to Fix” Capability (ghostwrite) — Get a clear understanding of the work involved in remediating a vulnerability so you can schedule it in your sprint without blocking feature work.
Analyzing third-party risk in open source software — Third-party risk management is an important part of protecting your organization. But how do you manage the risks of open source software when you have no vendor relationship?
Addressing third-party risk in open source software — Once you’ve discovered the third-party risks in the open source projects you consume, how do you address those risks without having a vendor relationship with the projects?

GUAC

I finally cancelled my Washington Post subscription

Posted on March 3, 2025 by Ben Cotton

Last week, I cancelled my subscription to the Washington Post after its owner made clear that he is going to influence the editorial direction. The news side, they say, remains un-influenced. Even if that’s true, my money is somewhat indistinguishable. I can’t say “I’m subscribing to support the journalists only.” If Jeff Bezos wants to talk free market, I will be a free market actor. I still pay for great journalism from Marketplace, NPR, WIRED, The New Yorker, Ars Technica, and my local “retired” reporter/columnist. Plus the okayish journalism from two local papers squeezed to near-death by Gannett. The billionaire can do without my $120/year.

At the risk of turning Blog Fiasco into “Ben’s Collection of Open Letters”, I wrote this to WaPo’s support when I cancelled:

Since the “other” option in the subscription cancellation workflow doesn’t provide a text field, I thought I should take a moment to let you know why. I am an ardent believer that journalism is worth paying for. I am not an ardent believer in oligarchy. If Mr. Bezos chooses to put his thumb on the scale of the Post’s opinion page, then he doesn’t need help from my money. Jeff Bezos could fund the Post’s operational losses for the next century and only lose less than 5% of his net worth. I considered cancelling my subscription after the Post did not make an endorsement in the presidential election, as many others did. Ultimately, I chose not to because I understand that the reporters and editors doing the daily work don’t control what the executives do. But I can no longer contribute to this in good conscience. Democracy may die in darkness, but oligarchy blows out the candles.

Shortly thereafter, I got a canned reply:

For 138 years, The Washington Post has committed its pages to covering and holding power to account. Our Newsroom remains dedicated to independent reporting and fact-based journalism. Our Opinion pages will now focus on the pillars of free markets and personal liberties, two underserved viewpoints in the current market of ideas and news opinion. We look forward to continuing to be a publication for all of America.

Bullshit. Blink if you need help, customer support rep.

A letter to Purdue’s president

Posted on February 28, 2025 by Ben Cotton

I sent the following email to Mung Chiang, the president of Purdue University, last Wednesday. As of publication, I have not received a reply from his office.

President Chiang,

I write to you as a two-time Purdue alumnus, former staff member, and Lafayette resident. Like many, I am concerned about the abrupt cuts in federal funding and the state and federal attacks on diversity, equity, and inclusion. This not only affects an institution that I hold dear, but it harms the long-term future of society at large.

To that end, I am disappointed that Purdue has not taken a more vocal position. I understand and respect the desire to stay out of politics. But I am not asking the University to weigh in on what the top marginal tax rate should be. Purdue only stands to lose if the federal government continues to renege on commitments to funding. How can the Purdue One Health Initiative hope to be successful in an environment where science is ignored in favor of political loyalties and the NIH is being slashed?

How can Purdue continue to attract the best for its faculty, staff, and students when any effort to reach out to and support under-indexed people is forbidden? Research shows that diverse teams produce better results, so DEI programs are materially beneficial as well as ethically right.

I appreciate that what I am asking will draw unwanted attack, but it’s in the best long-term interests of the university to take a stand. As we remind ourselves in the opening line of “Hail Purdue!”: to your call one more we rally.

Yours,

Benjamin Cotton
BS 2006
MS 2014

Should we care where EF5 tornadoes have gone?

Posted on February 24, 2025 by Ben Cotton

Anthony W. Lyza, Harold E. Brooks, and Makenzie J. Krocak have an early-access paper in the Bulletin of the American Meteorological Society wondering where the EF5s have gone. This paper is an interesting look at the extended “drought” in the strongest category of tornadoes. The title of my post is not questioning the value of their work, but the paper does make me wonder about the value of tornado ratings for the general public.

Ratings for research and forecasting

There’s certainly value for scientific research and forecasting. Because ratings are assigned based on damage, which is what people ultimately care about, there are benefits in being able to use large data sets to find patterns. “Which environments tend to produce more destructive tornadoes?” is an important question to know the answer to. The more warning we can give (at least to some extent) of the possibility of strong tornadoes, the more time people have to take appropriate precautions.

Of course, the EF rating system has flaws. Damage assessment, while greatly improved over the years, still involves subjective decisions. In addition, binning a spectrum always results in some funkiness (that’s the scientific term). The difference between 165 and 166 mph wouldn’t meaningfully change the damage caused by a tornado, but — assuming we could accurately measure tornadoes in order to rate them — would be the difference between and EF3 and EF4 rating. And there’s the question of whether or not six ratings (and the location of the boundaries) is the “best” approach. To wit: there are a variety of different categorizations of the ratings. Are any of them better suited?

Ratings for the public

But even with the value for science, do tornado ratings provide value to the public? As I wrote eight (!!) years ago, “even though the U.S. has avoided major hurricanes, it has not avoided major damage.” Even though, unlike hurricanes, tornado ratings are based on damage, the impact to people’s lives doesn’t necessarily correlate to the rating. If your house is destroyed, does it really matter if the tornado was rated EF4 or EF5? Your house is still destroyed. Even an EF2 or EF3 can render well-built homes unlivable.

Shrug emoji

Like Lyza et al, I have questions, not answers. The public knows about EF ratings, thanks t movies like “Twister” and “Twisters”. That bell can’t be un-rung. There’s a certain degree of American competitiveness involved, too. But maybe it’s time to stop making a big deal of it?

Rights for others are about us, not them

Posted on February 21, 2025 by Ben Cotton

This is a post about my personal philosophy because I feel like it’s important for us to think about the reasons behind how we view the world.

I sometimes see people express indignation when criminals get civil rights protections or when non-citizens get the rights enumerated in the Constitution. I can understand the reasoning, but it doesn’t fit with my principles for governance. I believe that the rights we give to the others within our society are about us, not them.

Many of the rights are fundamental human rights that should apply to everyone, of course. Let’s consider those a given for now.

The rights that criminals, or suspected criminals, receive are not for them. They’re a protection for us against ourselves. It should be hard for the government to convict someone of a crime, because that protects all of us from malicious prosecution and persecution by hostile governments. And our prisoners should be treated humanely, even the ones who have committed the most heinous of crimes. It’s not because they deserve it. It’s because we want to be a just and merciful society.

Extending rights to non-citizens is a direct reflection of how the Constitution was written. The Constitution does not grant rights so much as list a subset of rights that the government can’t (or can conditionally) curtail. The idea of American governance is that the government derives its authority from the people, and thus only can do what it is permitted to do. The Constitution largely refers to “people”, not “citizens” for a reason.

What it comes down to is that I want my government to reflect the world I want to live in, regardless of how others behave or what they “deserve.”

I still haven’t forgiven Peter Jackson

Posted on February 17, 2025 by Ben Cotton

It’s been a long week but I wanted to keep on my twice-per-week publication schedule, so I’m publishing a meaningless rant.

Over the holidays, my wife decided she wanted to watch the Lord of the Rings movies again. I hadn’t seen them since they were in theaters. It turns out I still hold a grudge against Peter Jackson. The movies are great as movies, and it’s hard to adapt a dense, six-book series into three movies. Even when the movies are 3+ hours each. But Jackson did my favorite character dirty.

The defining feature of Faramir is that he is not Boromir. Where Boromir is brash and aggressive, Faramir is deliberate and levelheaded. Boromir wanted to take the ring to Gondor to aid in the defense of the city, but Faramir had no such desire. But not if you watch the movies. Faramir is basically a second Boromir. I can’t forgive that; he’s my favorite character in the series.

On a related note, my favorite scene is “the scouring of the Shire.” As much as I wish we could have seen that, I understand cutting it from the movies. I can forgive Peter Jackson for that choice. I’m apparently never going to forgive him for what he did to Faramir.

What is art?

Posted on February 14, 2025 by Ben Cotton

So much of the discussion about generative AI has had to do with art, whether visual or text. Art is a key part of our humanity; giving it over to a machine seems to deprive the art of its human element. But what is art?

Jim Grey wrote that “art is having something to say and successfully saying it.” He wrote that (paraphrased) art comes from intent, not luck. Making a great photograph by accident being creative, not artistic. But I don’t think they’re separate.

I’ve had conversations with people where I’ve essentially told them “I’m just making something for work” undervalues their creativity. Art for hire is still art.

Last summer, Ted Chiang had an article titled “Why A.I. Isn’t Going to Make Art” in The New Yorker. He wrote “Generative A.I. appeals to people who think they can express themselves in a medium without actually working in that medium.” I’ve resisted using ChatGPT and friends for many reasons, but one of those is because I am a writer. It’s part of who I am. It’s part of my family tradition.

I write prolifically not just to share my ideas, but my expression of those ideas. If I had ChattyG write my ideas, the result would be meaningless to me. Much of what I write is crap (this post included, perhaps), some is damn good. The choices and effort I put into writing make the work mine and help me hone my craft. Constraints force choices, which make the words mine. Nobody makes exactly the same choices I do.

So yeah, I think Jim is right: art is having something to say and saying it. I don’t know that it matters if I say it successfully or not, though. Not all art is good, but that doesn’t make it less art.

Keeping in touch with everyone you ever met

Posted on February 10, 2025 by Ben Cotton

In my post last week on my shift in social media habits, I wrote in a comment “the idea that we can keep some semblance of connection to everyone we’ve ever met is a pretty recent phenomenon. I wonder if it will last.” My friend Chris O’Donnell (who may or may not be the actor), wrote in reply

I’ve been questioning if keeping in touch with everyone you’ve ever met is actually a good thing. Also, I downloaded my friend list on Facebook (actually screen scrapped it as requesting it from FB only got me 10 names). Then I put it in a spreadsheet and went through all 258 names and rated then as yes or no on “would it really bother me if I never spoke to them again?”

Only 78 people passed the test. I’m considering if I could just check in with them via text or email occasionally.

I’ve been thinking about that. I am, as America sang, “one poor correspondent…but that doesn’t mean you ain’t been on my mind.” I’m the sort where once you become one of My People, you’re My People forever. I might go years without an interaction, but when I do, it’s like no time has passed. Just Friday I texted a friend that I hadn’t talked to in months because a USC basketball player’s surname was the same as her given name.

For the entirety of human history, people came and went from our lives, and only a few that went maintained some kind of connection. In the last two decades, that has changed. Not only has social media allowed us to stay in touch, but we even take our phone numbers with us. Your phone number used to indicate where you live, now it indicates where you lived when you got your first cell phone.

There’s an unprecedented permanence in casual relationships. I think I fall on the side of liking it. It allows me to remain at least passively connected to people I cared about without having to make the choice that “yeah, their presence in my life is actually done now.” Perhaps that’s a personality flaw of mine. Time will tell whether or not this is good for society, but in the short term, I think we need all of the connections we can get.

A shift in my social media habits

Posted on February 7, 2025 by Ben Cotton

Amazingly, it’s been slightly less than a month since Mark Zuckerberg decided that hate speech is good and facts are bad. As you may recall, that decision led me to create a Bluesky account. It also led me to dramatically reduce my Facebook and Instagram use, although the latter was pretty sporadic to begin with. In that time I’ve noticed a definite shift in how I use social media.

For one, I’m just on it a lot less. It doesn’t take long for me to get caught up on Bluesky and Mastodon. I follow almost no one on Pixelfed so far, so that’s quick, too. This leaves me with a lot of time to do other things. For example, I successfully completed the “read every day in January” challenge on The Story Graph for the first time this year. There were a few days where I’d just do a couple of pages or a few minutes of an audio book in order to check the box, but most days I read for an hour or so. I’m also writing more, as evidenced by the number of posts on this blog lately.

Twitter always felt like the most natural platform for me, since it favors short shitposts. My brain makes so many of those. For some reason (perhaps because my network was mostly people I knew through my professional work), I never felt as comfortable doing that on Mastodon. But on Bluesky, it’s like the good old days.

Surprisingly to me, I’ve cross-posted a lot more than I thought I would, thanks to Openvibe. I’m normally opposed to cross-posting, but since Mastodon and Bluesky are largely the same format, I guess my aversion is lessened. Some stuff still goes to one or the other, but I really expected myself to always direct posts to a single choice. I’m still learning about myself at the age of 41.

I haven’t completely abandoned Facebook (and you are not invited to argue why I should), but I only check it briefly every few days. Years ago, I had gotten my usage to near zero, but then Twitter went to hell and Facebook had the largest share of my People™. Surprisingly, simply removing the app shortcut from my home screen has kept me from opening it out of boredom. Now when I go to Facebook, it’s because I’m actively choosing to check in.

Partially as a side effect of the smaller networks on the platforms I use and partly because of intentional choices, I find myself doomscrolling less. I’m following a lot fewer journalists and Online Political Opinion Havers than I did in the old days. I have enough ways of finding out what new terrors appear every day that I not need to immerse myself in it. That seems to have helped my mental state quite a bit (duh, right?).

By the way, did you know I have a weekly-ish newsletter? Subscribe if you’d like. If you have one, let me know and I’ll subscribe to yours.

Other writing: January 2025

Posted on February 3, 2025 by Ben Cotton

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

Reviewing open source trends in 2024 — How well did I capture trends in open source for 2024? I think I nailed it.
The “O” in “FOSS” doesn’t stand for “obligation” — We need to motivate the behavior we want to see instead of being upset when it doesn’t happen.
Prioritizing work in the project with the MoSCoW method — The MoSCoW method is a simple, easy-to-use method for prioritizing work by putting into one of four categories.
CalVer is many schemes — You need to clearly indicate how you identify your releases. Simply saying “CalVer” does not set clear expectations for your users.

GUAC

GUAC Update: December 2024
January 2025 Community Meeting
GUAC v0.13.0 released
GUAC’s 2024 in review — 2024 was a big year for GUAC: from joining the OpenSSF to three keynote mentions at KubeCon NA, with a ton of releases and community growth in between.

Kusari

Stick a Pin in It: Managing Dependencies for Supply Chain Security — Managing software dependencies is an important part of software supply chain security. Here are three approaches you can take to pin your dependencies to known-good versions.