A few highlights from books I have recently read

Post date: Jan 19, 2014 9:24:29 AM


  • Do everything you can not to attach your self esteem to your startup (you’ll fail, but try anyway).
  • Work in such a way that when the dust settles you can be proud of the choices you’ve made, regardless of the outcome.

Software quality

  • Here is one example of an ironic piece of waste: Sam Leffler's graphics/libtiff is one of the 122 packages on the road to www/firefox, yet the resulting Firefox browser does not render TIFF images. For reasons I have not tried to uncover, 10 of the 122 packages need Perl and seven need Python; one of them, devel/glib20, needs both languages for reasons I cannot even imagine.
  • Unixen—something that would take just a single flag to the ld(1) command—the Peter Principle was applied and made it libtool's job instead. The Peter Principle is indeed strong in this case—the source code for devel/libtool weighs in at 414,740 lines. Half that line count is test cases, which in principle is commendable, but in practice it is just the Peter Principle at work: the tests elaborately explore the functionality of the complex solution for a problem that should not exist in the first place. Even more maddening is that 31,085 of those lines are in a single unreadably ugly shell script called configure. The idea is that the configure script performs approximately 200 automated tests, so that the user is not burdened with configuring libtool manually.

Tor Deanonymization

  • This paper explores Tor’s vulnerability to traffic correlation attack
  • Onion routing is vulnerable to an adversary who can monitor a user’s traffic as it enters and leaves the anonymity network
  • Work by Murdoch and Danezis show that traffic correlation attack scan be done quite efficiently against Tor [29].

HTML5 vs Native

  • If you have a unique service, e.g. a specialized enterprise app, HTML5 could be ideal, a convenient way to build quickly and portably. But if you want your user experience to really excel, native is still king – for now.

MongoDB (Kristina Chodorow)

  • “MongoDB: The Definitive Guide by Kristina Chodorow and Michael Dirolf (O’Reilly). Copyright 2010 Kristina Chodorow and Michael Dirolf, 978-1-449-38156-1.” - Whole book read, not many high lights becaue it's hard to find those things that especially should stand out from from this kind of large documentation. Generally indexing, cursors, queries, arrays, collections, backups, dumping and restoring, sharding, error handling, autosharding, shardkeys, schema, object mapping, etc.
  • named blog.posts and a separate collection named blog.authors. This is for organizational purposes only—there is no relationship between the blog collection (it doesn’t even have to exist) and its “children.”

Hallam-Baker Prismproof

  • "Internet Engineering Task Force (IETF) Phillip Hallam-Baker Internet-Draft Comodo Group Inc. Intended Status: Standards Track September 11, 2013 Expires: March 15, 2014 PRISM-Proof Security"
  • Second there is currently no infrastructure for determining that an SMTP service offers STARTTLS support or to validate the credentials presented by the remote server.
  • At present Internet communications are typically sent in the clear unless there is a particular confidentiality concern in which case techniques that resist active attack are employed. A better approach would be to always use encryption that resists passive attack, recognizing that some applications also require resistance to active attacks.

The Phantom Protocol

  • "The Phantom Protocol Version: 0.82 2011-05-24 1(68) White Paper:"
  • After all, this might not happen at all (especially judging from the (un)success rate of various attackers trying to disrupt miscellaneous controversial distributed networks on the Internet to this date).
  • Theoretically Secure Anonymization
  • Known Weaknesses In this section, some of the known weaknesses and avenues of attacking the protocol will be presented and summarized.

Remote (Jason Fried)

  • If you ask people where they go when they really need to get work done, very few will respond “the office.” If they do say the office, they’ll include a qualifier such as “super early in the morning before anyone gets in” or “I stay late at night after everyone’s left” or “I sneak in on the weekend.”
  • Don’t believe us? Ask around. Or ask yourself: Where do you go when you really have to get work done? Your answer won’t be “the office in the afternoon.”
  • Is that overpriced apartment, the motorized sardine box, and your cubicle really worth it still? Increasingly, we believe that for many people the answer will be no.
  • Every day this kind of remote work works, and no one considers it risky, reckless, or irresponsible. So why do so many of these same companies that trust “outsiders” to do their critical work have such a hard time trusting “insiders” to work from home?
  • A stuffed backlog is a stale backlog.
  • That’s just it—if you can’t let your employees work from home out of fear they’ll slack off without your supervision, you’re a babysitter, not a manager.
  • In talking to a project manager without tech chops, programmers can make a thirty-minute job sound like a week-long polar expedition,
  • If you treat remote workers like second-class citizens, you’re all going to have a bad time.
  • There’s also the annoyance of having every debate end with “John and I talked about this in the office yesterday and decided that your idea isn’t going to work.” F**k that.
  • When New York City’s subway system was plagued by crime and vandalism in the 1990s, New York’s Police Commissioner William Bratton forced his commanders to use the subway. When they saw with their own eyes how bad things were, change soon followed.
  • If the company is full of people whom nobody trusts to make decisions without layers of managerial review, then the company is full of the wrong people.
  • The fact is, it’s easy to turn work into your predominant hobby.
  • The only reliable way to muster motivation is by encouraging people to work on the stuff they like and care about,

Software Defined Perimeter

  • "CLOUD SECURITY ALLIANCE Software Defined Perimeter, December 2013"
  • SDP mitigates the most common network-based attacks, including: server scanning, denial of service, SQL injection, OS & application vulnerability exploits, password cracking, man-in-the-middle, cross-site scripting (XSS), cross-site request forgery (CSRF), pass-the-hash, pass-the-ticket, and many others (see NIST, SANS, and more).

That's all highlights from my Kindle so far. But I'm sure there will be more. I'm now using 1-2 hours daily to read more stuff.