Here I am, sitting at my favourite pub in Melbourne drinking an expensive pint of craft beer and not really caring that much about the cost that much because so far this month because I've spent a grand total of $0 on rent.  I'm half a pint into authoring this blog post, and, for the first time in an extremely long time, I'll likely have quite a few (TM) because it's nice to treat yourself from time to time and this blog post is long overdue.

Money is strange with this lifestyle - how you look at and allocate money is just so completely different. An expensive taxi trip home won't be required because I can walk home from the brewery because home is where you park it. Tonight my house is parked just outside of the local Jarcar as tomorrow I need to pick up a multi-meter to figure out why the fan in the composting toilet isn't working.

toilets

Everybody poops, even women. Fancy that. Anyway in the spirit of best toilet humor Mr 6 can muster: what did the poop say to the pee?

Geoffrey Huntleyghuntley

Adjusting to this lifestyle hasn't been easy - truth be told it has taken a full year of learning through failure what is about to be shared with you. I'm three years in on the journey of #vanlife - a full year was spent on construction and it has taken another year on top of this living the nomadic lifestyle before I've become comfortable.

It's not an easy life, but it's a smart one. As we head into the inevitable recession that is ahead of us a great deal of Australians are now struggling to find affordable housing.

Last year a $400-a-month single room that had been retrofitted with a shower went viral and highlights the absurdity of the situation aka why the younger generation is screaming bloody murder. Australia isn't quite at the "crackshack or mansion" phase that Vancouver went through but we are close...

$400 a week to shower in the living room as Adelaide’s rental crisis deepens

What an agent has described as a “great-sized modern bathroom,” one Twitter user has suggested is a “perspex sh****g cube in the middle of your kitchen.”

ABC News

Since then the housing crisis in Australia has only gotten worse...

Anyway, people still routinely ask me how long I see myself working from a van even though I've covered this question in the blog post below which breaks down the math and logic of why deploying $912,382 in capital into a single asset class as your sole investment is a terrible idea.

how long

People routinely ask me how long do you see yourself living in a van for so let’s unpack that question shall we?

Geoffrey Huntleyghuntley

Since authoring above there have been some pretty major updates that I haven't shared here yet - I've secured a parcel of land on which I'll be building a forever home for my children and myself.  Whilst the DA isn't in yet as I'm still chewing on details of the design here is a sneak preview of what I've been considering if I build a house...

If life progresses as planned, then I'm going to be building on below. Would you believe the total cost for 2HA of land with these breathtaking water views and sunsets/sunrises was $170,000 AUD? Again, there are so many better choices than buying a place in Sydney if you think outside of the box.

If like many Australians, you have been feeling helpless on the topic of housing I hope above gives you some inspiration. Let's face it, thanks to the pandemic our country remains divided between those who can work remotely (the laptop class) and those who cannot.

If you currently have the ability to work remotely then you should hunt and grab these opportunities whilst they still exist because they won't last long as the younger internet native generations - who will work remotely by default - will enter the workforce and likely do what I've done.

a new chapter: full-time working from a van in a forest

For many people, the year 2020 will go down as a moment in time of hardship in their lives but for me, the year 2019 was dramatically harder as it was the realization that a long-term relationship wasn’t going to work out...

Geoffrey Huntleyghuntley

Until the house is complete I've been working remotely from my house on wheels and being actively involved as a father in my children's lives - as much as humanly possible - hopping in and out of Sydney to care for them and taking them on more grand adventures around Australia during school holidays. It would be so easy to go full nomad and do big trips around Australia (or the world) without them for extended periods of time but that would not right (tm) as kids need fathers in their lives.  Every dollar I don't spend on rent is one that can be reinvested back into my kids lives - both short-term (providing for them / enabling weekend quality time / nice holidays) and long-term (building them a house).

So here's a breakdown of everything I've learned about this lifestyle...

the basics

Fit in. I can't believe I need to say this but it's important to fit in. Always be mindful that people will treat you differently if they perceive you as a visitor/traveler that is freecamping. If you are in the country then some steelys and old jeans will go along way. If you are in the city then wear nice shoes, and clean clothes and look the part. If you are in the outer suburbs of a city then a dirty af flouro (ps. never wear a shiny vest) is a fantastic way to disappear.

equipment

The best way to prepare for this lifestyle is to start on the journey towards being a prepper. If you aren't familiar with the topic then below is a good introduction to the topic.

Figuring out what to pack is something that is incredibly personal and is best learned through experience. After many iterations of overpacking and underpacking I've settled on these items as my "must have":

• My compositing toilet.
• A full set of DeWALT power-tools - including a reciprocating saw (with plenty of metal and wood blades) and bolt cutters for emergency situations.
• A Hultafors Hultån Hatchet.
• 4WD recovery skids, snatch straps and an assortment of towing accessories, spare water and diesel.  
• A Honda 2200 watt 240v EU2200i generator and spare petrol jerrycan.
• A OZtent RS-1 Series II Swag + Oztent RS-1S King Single Stretcher.
• A OZtent Screen House Hex.
• Two Helinox Chair One XL's, a Helinox Savanna chair and a Helinox Table One.
• A Coleman Powerhouse 2 Burner Dual Fuel Stove, bottle of shellite and a cast iron pan.
• An Instant Pot Duo 3L pressure cooker (only 700watts during the first couple of minutes!)
• Leather gloves to reduce burn injuries when working with fireplaces and BBQs.
• Firestarters, waterproof matches and ciggie lighters which are all kept separate from each other.

cooking

There are BBQs literally everywhere in Australia. If you are cooking meat, pull it out of the freezer in the morning, whack it on the dashboard and you'll have an early dinner in no time at all.

Democracy sausage - Wikipedia

Wikimedia Foundation, Inc.Contributors to Wikimedia projects

If you are after inspiration then "Xtreme Gourmet: High Energy Light Weight Recipes for Outdoor Enthusiasts by Sonya Muhlsimmer" is very good (tm). It is the only cookbook that you will need and the recipes are tasty af.

Xtreme gourmet

High energy, lightweight recipes for the outdoor enthusiast

Xtreme Gourmet

safety

Safety truly is never guaranteed in life but situational risks related to vanlife can be mitigated:

• If something doesn't feel right then move on. The advantage of a portable lifestyle is that it is portable. If you get a funny feeling, then act upon it by moving on.
• Always park your vehicle towards the exit so you can just drive away.

In my travels I've never come across anything that made me feel unsafe however I'm not a woman...

Use Emergency SOS on your Apple Watch

With Emergency SOS, you can quickly and easily call for help and alert your emergency contacts from your Apple Watch.

Apple Support

Consider sharing your location with friends and family, investing in an Apple Watch with LTE, installing a SPOT Trace satellite GPS tracker on your van and stuffing Apple Airtags inside of all your high-value items.

Whatever multi-purpose tools you choose to keep around for self-defence, you should be planning to use the tool in your van, so plan accordingly. If someone is attempting to murder you, legality is the last thing that should be on your worry list. As the saying goes, it's better to be judged by 12 than carried by 6.

sleep

Quality of sleep matters. If you aren't getting good sleep then you won't be able to do good work. If you are unable to sleep due to concerns or thoughts about safety then that's a sign to move on. Saving money on rent is a nice life hack but if doing so hinders your ability to do good work then make changes such as working from a van park for a couple of weeks to rest up.

work

If you are working remotely like I am, then where you will work should be a primary concern.

This lifestyle is nice but it isn't a holiday.

I used to get huge anxiety about the topic of internet connectivity but that has been largely resolved with the addition of mounting a Starlink dish onto the top of my van.

There are six internet links on my office on wheels. Seven when Starlink arrives.

Is this the best internet in Australia?

Geoffrey Huntleyghuntley

Knowing that I'll have internet connectivity literally anywhere in Australia has been a huge game-changer. I often find myself at a campground sharing out my internet connectivity with remote workers in exchange for a few cans of beer. Lack of internet connectivity (Starlink fixes this) has been the #1 thing holding back this lifestyle.

cold weather

If you are heading to the snow or anywhere below 6c consider that your lithium batteries won't be able to charge until they heat up. Ration your power consumption when in cold weather climates.

water

Carry spare water with you. It is within the realm of possibility that your primary water tank will break (like mine did recently) or become contaminated.

hygiene

If in a forest - showering isn't really required too often but if you find yourself located near a city then there are standards to maintain. Base yourself where there's easy access to a shower. See below for ideas...

ablution

If you have been thinking about taking on #vanlife then the topic of keeping clean seems daunting at first but in reality, it’s quite simple...

Geoffrey Huntleyghuntley

wikicamps app

In Australia there's a mobile application called Wikicamps which is "the ultimate camping companion" but the problem is that everyone knows about the application. Spots that are listed are overrun with people and filled with trash.

There are extreme chances of getting fines if you urban camp at any spot listed in the Wikicamps app. Especially if it is a beachside location.

When I first started out Wikicamps was the bible, over time I've learned how to spot good spots by driving with Google Maps Satellite imagery and have discovered secret spots around Australia of which knowledge of their whereabouts I'll take to my grave. 🙃

state forests

The rules and regulations vary from state to state but camping in State Forests is generally limited to a maximum of four weeks.

If camping in a forest, carry a UHF radio (so you can communicate with logging trucks/there maybe no be mobile reception) and keep a careful eye on the weather report/fire risk briefings. Forests are microclimates in themselves and conditions can change from safe to unsafe in hours.

Other aspects to consider include:

• Where is the nearest hospital? Do you have first aid and at min a snake bite kit?
• Are you carrying powered and unpowered tools and have the capability to clear a tree that is blocking the road?
• Don't park under trees. It doesn't take much wind to crush your van and spoil your day.
• Where possible, use a lightweight stove for cooking. If you must build a fire, please follow the fire regulations, be conservative in your use of fuel, and ensure your fire is completely out before you leave.

Camping | ForestrySA

View our forest campgrounds ForestrySA manages three designated campgrounds in the Mount Lofty Ranges – Kuitpo Forest’s Chookarloo and Mount Crawford’s Chalk’s and Rocky Paddock Campgrounds. Forest visitors wishing to use a campsite for day visits will also be required to book and pay for their site…

ForestrySA

country towns

Country towns are where it is at. You'll always find friendly faces and the facilities that councils in the city never deploy - such as dump points to empty your toilet or places to refill your water. Keep an eye out for showgrounds for a cheap way to camp for circa $10/night with power.

The Caravan Motorhome Club of Australia is the peak body that runs the initiatives to encourage country towns to deploy infrastructure. I recommend becoming a member.

beach towns

The east coast of Australia has plenty of beach towns with spectacular views but the endless summer days of waking up to sunrises at the beach are over as the locations have been unfortunately abused. The majority of beachside locations now have 1P and 2P parking signs with rangers that patrol them at night and in the morning who are structurally incentivized to slap you with a "no camping" fine.

If you want to live the Instagram beach lifestyle then do it doing the day. Head to the beach to go for a swim and use the beach shower facilities as needed then head to some other urban or industrial area away from the beach foresaw.

cities

Cities are hard work, are stressful and it can be quite hard to get a good night of sleep. You'll need to build up a network of friends in each city to make this work as simple everyday tasks such as finding a place to wash your clothes can be quite daunting in Sydney (everywhere that has been gentrified no longer has a laundromat)

Keep an eye out for gyms (showers), swimming centres (showers), McDonalds (24/7 store / emergency place to work from / toilets). Parks usually have BBQs and are great places to work from during the day but terrible places to free camp as are likely to have parking limitations and are monitored by local councils.

on "no camping" fines

One is able to sleep in vehicles in Australia (ie nothing that prohibits this activity at a federal level) and states such as New South Wales actively encourage pulling over as part of road safety. It's worth doing research into the topic on a per-state basis as the topic can be rather grey.

If you are "pulling on over for a rest" in a different spot every night  are you really camping or are you having a rest stop mid-way through a large drive to a destination? 🙃

Stop Revive Survive - Fatigue - Staying safe - NSW Centre for Road Safety

NSW Centre for Road Safety

Some councils and city's actively prohibit free-camping and these policies are enforced by council rangers who have a burden of proof to establish that you were camping. The way they do this is by evidence gathering -  recording registration numbers during the afternoon then coming back first thing early in the morning  and specifically wearing body cameras, asking questions, and hoping you self-incriminate

352 fines: pensioner’s fury as Noosa clamps down on ‘illegal camping’

A pensioner couple is furious for being treated “like criminals” in Noosa Council’s crackdown on illegal camping that has seen hundreds of fines issued. Eddie Argall and wife Gail were hit with a $275 fine by council officers “banging on our door” at 4am when their motorhome was parked on a resident…

Sunshine Coast NewsKat Donaghey

Let's pick apart the case of Eddie and Gail from the above story who say they were hit with a $275 fine by council officers ‘banging on their door’ at 4 am when their motorhome was parked on a residential street.

“We thought we were being broken into to be faced by two very aggressive council officials who were not prepared to listen or understand our situation,” he said. “We were issued with an on-the-spot fine of $275.”

The Sunshine Coast approached Noosa Shire Council for comment as part of publishing the story and the community services director told the Sunshine Coast News that:

“Eddie also confirmed he did not have a booking for the motorhome for two nights while visiting the area, including the night the illegal camping infringement relates to”

In addition to this...

Ms Contini said a review of body camera footage of the interaction showed council officers had been ‘courteous and professional at all times’.

Eddie and Gail, if you ignored the rangers then they would not have had enough proof to issue the fine. Sure, an RV on a suburban street is a red flag to a bull but who is to say if you are staying inside the RV or sleeping in the house you are parked next door - "we are in town visiting friends" but all that goes out the door when you self-incriminate whilst likely wearing PJs.

Eddie told the Sunshine Coast News that the ‘aggressive’ officers refused to hear their excuse and his attempts to have the fine waived — even providing a medical letter — were rejected.

have a plan b

Again, quality of sleep is what matters, if you are having difficulties getting to sleep or are getting concerned about your surroundings then it's important to move on.

The lifestyle is portable, one should always have a plan-b, and plan-c and be prepared. Here are some alternatives...

• Stay at a caravan park.
• Stay at a friend's place.
• Stay at a service station (fill up with fuel and ask if can grab a couple of hours rest // find a truck stop)
• Stay at a showground (if country town based)

Back in 2004, I created a content delivery network and one of the world's first video blogs which peaked as the 1901st most visited website in the world and was interviewed by the Washington Post, and the BBC and was published in various newspapers at a ripe age of 20.  

The 2004 Indian Ocean earthquake and tsunami archive.

The 2004 Indian Ocean earthquake and tsunami archive.

Geoffrey Huntley

Waveofdestruction.org was created on December 28, 2004, to serve as a central location for all videos/photos related to the tsunami. Word spread quickly and much of the content was featured in newspapers and on network TV, current affairs and news programs worldwide.

The website was featured in a TED talk as an example of "when social media became the news". The 2004 Indian ocean earthquake and tsunami was a moment that demonstrated how the internet can surpass, or at least complement, traditional news media – even in terms of delivering multimedia content.

From their own correspondent

Aid agency workers are increasingly acting as reporters and filmmakers for the UK media - often without credit. Should we be concerned? Glenda Cooper reports.

The GuardianGlenda Cooper

Today we accept social media as the defacto default as a primary source of information but before the tsunami, the media outlets were number 1. The year 2004 was a time before YouTube, Twitter, Instagram and social media in general but the exact same techniques and lessons from 18 years ago I still use today to grow something from nothing.

growth doesn't happen without deliberate design

Waveofdestruction.org had a simple start. When I launched the domain wasn't even registered. Videos and photos of the tsunami were appearing online and I was fortunate enough to have colo-space, a couple of spare bare metal machines (Pentium 3s with IDE hard drives!) and plenty of bandwidth.

As YouTube, Twitter, and Instagram didn't exist people were hosting this content on their own ISP web hosting. Back then internet service providers gave their subscribers circa 100 MB to 200 MB of storage. Unfortunately, the amount of bandwidth allocated to each account was very tiny so as soon as a new piece of content came available it soon disappeared from the internet.

So, I started mirroring the videos and photos on my bare-metal servers and set up a content delivery network consisting of rsync mirrors to other people's computers and serving content via BitTorrent as well as direct downloads.

One of the key things behind the growth of the website and the creation of awareness of the website was raw http logs.

raw http logs are an untapped goldmine

When someone visits a website a request is sent to the webserver as follows

127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"

Where /apache_pb.gif is the resource that was requested and http://www.example.com/start.html is where the traffic was coming from.

Most people reach for traditional tools such as Google Analytics and the like when doing marketing activities today but this is the wrong approach.

If you are building developer tools understand that your target demographic typically uses Adblock browser extensions or blocks JavaScript which means that unless you study the raw http logs then you won't be getting a proper understanding of where your traffic is coming from.

understand where your traffic is coming from

As traffic started flowing in. I spent many sleepless nights using bash, grep and tail to monitor where traffic was coming from. When a new referer came through I went to the community and origin of the traffic and engaged them there where they are.

Eventually hopping between these communities to post updates when new media was discovered became too time intensive so a decision was made. I broke existing links and redirected all traffic back to the Waveofdestruction.org homepage which essentially inverted the flow of traffic and established the website as the central authority for all matters related to the tsunami.

what to look for

Over 18 years have passed since the creation of that website but to this day I still reach for raw http logs first because the insights they reveal are powerful and they represent the whole truth.

Today, I'm going to reveal one of the tricks and things I look for in raw http logs as part of my day-to-day when working with clients.

If you are building a product that targets the enterprise understand that the enterprise typically either self-hosts its infrastructure or purchases products from SaaS vendors.

If the enterprise company self-hosts its infrastructure then you need to keep an eye out for the following http referer strings:

• jira.[*.]companyname.com
• gitlab.[*.]companyname.com
• github.[*.]companyname.com
• confluence.[*.]companyname.com
• wiki.[*.]companyname.com
• *.corp.companyname.com
• *.int.companyname.com
• *.aws.companyname.com
• sharepoint.[*.]companyname.com
• intranet.[*.]companyname.com

If the enterprise company purchases products from SaaS vendors then understand that it's common for these SaaS vendors to create tenants for each one of their customers under a unique cname that is typically the name of the customer. Keep an eye out for the following http referer strings.

• companyname.zoom.com
• companyname.webex.com
• companyname.atlassian.net
• companyname.feishu.cn

identify enterprise buying intent

By keeping a careful eye on http referer traffic it is possible to create a feedback loop from marketing that helps sales teams with their planning, measure lead interest and help with timing (or approach of) sales-related activities to close deals. Here's how.

• If you see http referers from zoom/webex/feishu then people are aware of your product and are discussing your tool internally within their enterprise.
• If you see http referers from confluence or sharepoint then you potentially have an internal advocate within the company who has started a discussion about your tool. If that advocate links to particular pages then this information should be fed back to product managers to help prioritise the product roadmap (ie. which features should be developed or which web browsers should be supported) and to the sales team to help with measurement if a lead is hot or cold.
• If you see http referers from Jira, GitLab or GitHub then congratulations. The enterprise company has moved past discussion and into action. They are either starting a proof of concept (and someone has been tasked with the installation/configuration of your product) or are moving towards a production installation. Feed this information back to your sales team.

automate it in the simplest fashion possible

Over at https://github.com/ghuntley/mops you'll find an implementation of the above which uses the Gitscraper pattern to download and process raw http logs, extract the identifiers of interest and store the daily diffs as Git commits via GitHub Actions.

GitHub - ghuntley/mops: marketing operations

marketing operations. Contribute to ghuntley/mops development by creating an account on GitHub.

GitHubghuntley

i still use these same techniques today

The year 2004 was a time before YouTube, Twitter, Instagram and social media in general but the exact same techniques and lessons from 18 years ago I still use today to grow something from nothing:

• launch with the smallest possible thing.
• sleep before a product launch and don't sleep for 72+ hrs when there's a fish on the line.
• go to where people are talking about you and engage in their community where they are.
• look for growth opportunities through studying http referer logs and execute.
• share insights found through studying http referer logs with other people to help them do their job.

Thanks for reading, I hope these grep filters help you win/close more sales and with demonstrating value that is measurable and that isn't a vanity metric.

I'm currently looking for my next role in developer marketing/developer relations/developer experience engineering. If you’ve got a position in mind or an interesting project you want to get off the ground send an email to ghuntley@ghuntley.com for a confidential discussion. Thank you.

Here I am, without my van, on the opposite side of the world, sitting at IHOP in Austin, Texas, and the story of how I ended up here is a strange one. It has now been just over a month since I left Gitpod, a company I thought I would be with for a very long time...

and I wouldn't be here where I am in Austin, Texas, without Gitpod. Back in June, the CEO of Gitpod tasked me with investigating another company called Coder which recently launched a new remote development product offering...

Coder - Remote development on your infrastructure

Coder - Remote development on your infrastructure

HashiCorpKevin Fishner

and I liked what I saw so much that I knew I needed to part ways with Gitpod because Coder's go-to-market approach made much more sense to me as in this economic climate, enterprise companies want a singular tool that works for all software development scenarios - including windows desktop development, macOS mobile development, and data science (ie access to beefy GPUs).  

integrate don't dictate

The key to winning the valuable enterprise market is to integrate with how enterprises currently work, minimise the amount of people/process change required and thus de-risk the political costs for a products internal advocate.

Gitpod is designed to run in Kubernetes, which constrains their product offering to software developers who use containers, and I don't think this is the right approach. Coder's original product offering was similar to Gitpod - shipping a Kubernetes-based solution on-prem - but Coder's new offering is a game changer.

Instead of dictating a way of work (reproducible ephemeral development environments) that involves people change and constraining software development scenarios to only what is possible via docker containers, Coder integrates with enterprises existing investments in Terraform.

By leveraging Terraform, Coder lets developers run any IDE on any compute platform, including on-prem, VMWare ESXi, AWS, Azure, GCP, DigitalOcean, Kubernetes, Docker, and more, with workspaces running on Linux, Windows, or Mac.

Coder consists of two parts: a command line application and a provisioner portal that is self-contained within the CLI. You can take Coder for a spin via

# install the coder CLI
$ curl -fsSL https://coder.com/install.sh | sh

# launch the provisoner portal
$ coder server
Coder v0.9.2+cb62e16 - Remote development on your infrastucture
Using built-in PostgreSQL (/Users/ghuntley/Library/Application Support/coderv2/postgres)

View the Web UI: http://127.0.0.1:3000
2022-10-07 15:53:47.567 [INFO]  <./provisioner/terraform/serve.go:102>  

==> Logs will stream in below (press ctrl+c to gracefully exit):

or as a docker container

$ export CODER_DATA=$HOME/.config/coderv2-docker
$ export DOCKER_GROUP=$(getent group docker | cut -d: -f3)
$ mkdir -p $CODER_DATA

$ docker run --rm -it \
  -v $CODER_DATA:/home/coder/.config \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --group-add $DOCKER_GROUP \
  ghcr.io/coder/coder:latest

Docker - Coder OSS main docs

Install Coder with Docker / docker-compose

CoderCoder

Once the self-service portal is running, software developers can create workspaces from templates authored by the template administrator. In the enterprise scenario, these templates would most likely be co-authored by the SRE team responsible for maintaining production infrastructure under configuration management via Terraform.

By reutilising existing, proven industry standards such as Terraform, enterprises can provision an exact copy of production infrastructure for each developer.

Workspaces on Coder go beyond compute. There are over 2000+ Terraform providers in the world right now which can be wired in as a development environment dependency. With Coder, template administrators can specify which tfvars developers can configure  (ie. deployment region) whilst enforcing tfvars that cannot be changed (ie. firewall ACLs)

which looks like this behind the scenes...

variable "zone" {
  description = "What region should your workspace live in?"
  default     = "us-west-2"
  validation {
    condition = contains([
      "ap-northeast-1",
      "ap-northeast-2",
      "ap-northeast-3",
      "ap-south-1",
      "ap-southeast-1",
      "ap-southeast-2",
      "ca-central-1",
      "eu-central-1",
      "eu-north-1",
      "eu-west-1",
      "eu-west-2",
      "eu-west-3",
      "sa-east-1",
      "us-east-1",
      "us-east-2",
      "us-west-1",
      "us-west-2"
    ], var.region)
    error_message = "Invalid region!"
  }
}

and over at https://github.com/denbeigh2000/coder-templates/tree/master/aws-spot-nixos you'll find an example of a full-blown workspace template.

a change in perspective

I still think reproducible developer environments are indeed a sleeper technology that’s going to ramp up for a decade in usage until, one day, everyone will be “behind the times” if they’re not already using them. Still, my viewpoint on the definition of what a development environment is has changed.

a development environment is the entire ecosystem of development dependencies required to develop an application

That means all dependencies, including the configuration of cloud compute (see below for a deployment graph of what a customer of Coder does as a bare-min on a per developer basis), identity providers and database-as-a-service offerings...

and that change of perspective is the other reason why I moved on. I'll be at Kubecon North America in a couple of weeks and am available if folks wanna pick my brains further or catch up for beers. Thanks for reading :)

ps. If you work at a company whose product offerings can be defined via a Terraform provider, I would love to work with you on collaborations and partnerships. Email me at geoff@coder.com or DM me on Twitter 💜

A couple of moments ago, I finished reading the article by Rob O'Leary about the pervasive data collection done by Visual Studio Code. Now that I'm no longer an employee at Gitpod, I'm finally able to author a blog post freely about something that has been troubling me for quite some time...

Whilst Visual Studio Code is "open-source" (as per the OSD) the value-add which transforms the editor into anything of value ("what people actually refer to when they talk about using VSCode") is far from open and full of intentionally designed minefields that often makes using Visual Studio Code in any other way than what Microsoft desires legally risky...

In this blog post, we explore the ecosystem of open-source forks, revisit the story so far with how Microsoft has been transforming from products to services, go deep into why the Visual Studio Code ecosystem is designed to fracture, and the legal implications of this design then discuss future problems faced by the software development ecosystem if our industry continues as-is on the current path...

By the end of this blog post, I hope more folks understand that by using anything other than the official distribution of Visual Studio Code provided by Microsoft (or GitHub via Codespaces) that it is easy to expose yourself or your company to legal risks similar to incorrectly using Docker Desktop or the Oracle JDK...

Docker Now Requiring Paid Subscription for Large Businesses

Docker has introduced a new Subscription Service Agreement which requires organizations with more than 250 employees or more than $10 million in revenue to buy a paid subscription, starting at $5 per user per month. Additionally, Docker has launched a new Business subscription plan for larger organi…

InfoQSergio De Simone

Oracle Java License Change: Everything You Need to Know

In this blog, we’ll explain the Oracle Java license change and demonstrate how DRS can help you bypass unnecessary costs.

BlogJeremy Moskowitz

visual studio code is now seven years old

Visual Studio Code was released 7 years ago and is fast becoming the de facto standard editor that people use when doing software development. Sure there's also the JetBrains product suite, Emacs, Neovim, XCode and Visual Studio [for Windows and Mac], but VSCode is likely installed on your computer right now.

The source code has been released by Microsoft under the open-source MIT license, but the product available for download (Visual Studio Code) is licensed under this proprietary license. This small distinction matters a lot and is the primary mechanism that Microsoft uses to fork open-source communities.

This comment from a Visual Studio Code maintainer explains the process of how Microsoft generates its builds:

When we [Microsoft] build Visual Studio Code, we clone the vscode repository, lay down a customized product.json that has Microsoft specific functionality (telemetry, gallery, logo, etc.), and then produce a build that we release under our license.

In the broader community, there are two leading distributions based on the MIT source code: vscodium & openvscodeserver.

vscodium is an oss desktop distribution

Members of the free software community became concerned by the usage of the proprietary license and launched the VSCodium project as a community-driven, freely-licensed desktop distribution of Visual Studio Code in binary form. The project automatically follows the upstream open-source (MIT) project and generates binary builds without the telemetry found in the official releases.

The VSCodium follows the same process outlined by the Visual Studio Code maintainer:

When you [VSCodium] clone and build from the vscode repo, none of these endpoints are configured in the default product.json. Therefore, you generate a “clean” build, without the Microsoft customizations, which is by default licensed under the MIT license

Rob is correct with the following statement from his blog post on telemetry:

However, VSCodium can’t shut out all the data collection as it is the same codebase. And since extensions act independently with regard to data collection, you still need to be mindful of what extensions you install.

VSCodium does an extremely good job at disabling data collection, but due to not being licensed by Microsoft under the proprietary license VSCodium is not able to connect to the Microsoft Visual Studio Code Marketplace and suffers from the ecosystem fracture by design problem...

openvscodeserver is an oss server distribution

OpenVSCodeServer is similar to VSCodium in that is also not allowed to connect to Microsoft Visual Studio Code Marketplace and suffers from the same ecosystem fracture by design problem. The project is a company-driven, freely-licensed server distribution of Visual Studio Code in binary form that is the backbone of Gitpod. The project is primarily maintained by four Gitpod employees (Anton / Filip / Jean Pierre / Huiwen) and automatically follows the upstream open-source (MIT) project. The distribution has some minor overlay customisations in the gp-code/main branch and also does not have the telemetry found in the official releases.

From Theia to OpenVSCode Server - A history of Cloud IDEs

Background story about the last four years improving the editing experience of Cloud IDEs.

A history of Cloud IDEs

IDEs that are not subscriptions are a dying breed

Circa 9 years ago, Microsoft started an internal transformation in how they delivered software to customers. Instead of directly (ie. in-house) employing quality assurance teams who were dedicated to testing software builds, Microsoft switched to a model based on sprint-based development work and rolling releases with feedback from telemetry data that is gathered from Insider Builds of Microsoft's software.

Former Microsoft Employee explains why bugs in Windows updates increased - gHacks Tech News

Has the number of bugs in Windows updates increased in the past couple of years? If so, what is the reason for the increase in bugs?

gHacks Technology NewsMartin Brinkmann

At the same time, wider organisational changes took place in the form of functional restructures, which transitioned Microsoft into becoming a services company. Their Azure cloud-computing offering during this period has grown into a legitimate challenger to Amazon's cloud-computing offering called AWS.

“One Microsoft” vision in 2020 hindsight

Lessons drawn from articles about Microsoft’s 2005 and 2013 restructuring and how the company has revitalized itself to stay competitive…

MediumVic Danh

The biggest side effect of this change for consumers was that instead of delivering installable products that could be run on-premises, Microsoft, in true Microsoft form of moving ever so slowly and doing it over a generation of people so as not to spook them, has been transitioning their customer base into consumers of services offered by Microsoft.

This same transition has been happening across the board in the developer tooling space as a whole. IDEs that are not subscriptions are a dying breed unless you make a ton of money from something else (ie. Apple and the AppStore, which funds the development of Xcode)

So why am I bringing this all up? It's because Visual Studio Code is a ramp to move the developer tooling ecosystem towards an end-to-end consumable services model of software development tools, and GitHub Codespaces is a white label of an existing service called Visual Studio Online aka Microsoft Dev Box aka Microsoft Azure DevTest Labs.

DevTest Labs | Microsoft Azure

Get fast, easy and lean dev/test environments with Azure DevTest Labs. Set up development and test environments, minimise waste with quotas and more.

Microsoft Azure

GitHub is a white label for existing Microsoft tech

Microsoft acquired GitHub circa 2018 and in 2019 Microsoft released the Visual Studio Online product that included a component for hosting your own "codespace" locally. Since then, everything has moved to GitHub, including the team that made Codespaces, and that component is used on the servers GitHub deploys to. Thus GitHub Codespaces is a devdiv project that now belongs to GitHub.

You can now try Microsoft’s web-based version of Visual Studio – TechCrunch

Earlier this year, at its Build developers conference, Microsoft announced that it was working on a web-based version of its Visual Studio IDE. At the time, Visual Studio Online went into a private preview, open to a select number of developers. Now, at its Ignite conference, the company has opened…

TechCrunchFrederic Lardinois

GitHub’s Engineering Team has moved to Codespaces | The GitHub Blog

Over the past months, we’ve left our macOS model behind and moved to Codespaces for the majority of GitHub.com development.

The GitHub BlogTanmayee Kamath

There have been numerous restructures within GitHub, but the most notable is the one that occurred on the day that Nat Friedman retired as the CEO of GitHub. On that day, when everyone was focusing on Nat's retirement, Scott Gu sent this email internally within Microsoft announcing the restructuring of how GitHub reports to Microsoft...

Julia Liuson promoted to President of the Microsoft Developer Division, which now includes GitHub

The mission of the Microsoft Developer Division is to earn the trust and love of developers across all languages and platforms and make them successful as they build the applications of the future. DevDiv today includes our developer tools and services including Visual Studio, Visual Studio Code, NET and C#, TypeScript, and the OpenJDK. Our Azure Developer SDKs, as well as our Azure Application Development PaS and Serverless offerings (including our Azure App Services, Functions, Logic Apps, API Management, Dapr, Redis Cache, Spring Cloud services, etc.) are also part of this organization.

I'm very pleased to announce the promotion of Julia Liuson to President, Microsoft Developer Division. As part of today's changes, Thomas Dohmke, CEO of GitHub, will report to Julia going forward, as will Julia's existing DevDiv reports.

Julia has been instrumental in Microsoft's adoption of open source, and in the transformation of Microsoft's developer strategy. As the leader of DevDiv, she helped guide the open sourcing of -NET (which now runs on every major OS platform), as well as the creation and open sourcing of Visual Studio Code (now the most popular development tool in the world). She initiated our deep engagement with the Python community, including hiring Python creator Guido van Rossum to Microsoft, and her team now delivers the most widely used Python developer tooling in the world (with VS and VS Code) as well as delivers runtime performance for the broader Python community. She started the OpenJDK effort at Microsoft, which is now used broadly to run Java workloads on Azure. And over the last 9 months she has led our Azure Application Developer PaS and Serverless offerings and has helped drive to make these services great for developers using all languages, tools, and platforms.

Under Julia's leadership, the Developer Division team has undergone a significant cultural transformation and is guided by consistent cultural values: diversity & inclusion, customer obsession, data-driven, and quality-driven. The pervasiveness of these culture attributes is evident through the success of products like Visual Studio and Visual Studio Code, which have experienced more than 16x usage growth since 2014 (and are now used by the majority of developers in the world).

I deeply admire how committed Julia is to team culture, mentorship, and how she helps generate opportunities for others to succeed. She is an avid supporter of MakeCode (which is also built by her team) as an investment to help kids learn programming and pursue computer science in earty education. Julia was one of the first women at Microsoft to be promoted to Corporate Vice President of Engineering leading development teams at Microsoft, and she is a mentor and sponsor to women and men across Microsoft today. She received the Asian American Executive of the Year award in 2013 and was inducted into the Women in Technology International Hall of Fame in 2019.

Please join me in thanking Julia for the outstanding leadership she provides, and in congratulating her on the well-deserved promotion and expanded remit.

Instead of GitHub reporting directly to Scott Guthrie, GitHub now reports to the person who looks after numerous products within the developer division. Julia Liuson was an interesting choice because she was the person that weeks before the promotion who implemented last-minute changes that fractured the .NET community...

Can we trust Microsoft with Open Source? - Dusted Codes

Oh boy, what a week of .NET drama again. Not bored yet? Read on, but for this one you’ll need some ...

Dusted Codes

Microsoft reverses controversial .NET change after open source community outcry

The decision follows weeks of unrest in the .NET community.

The VergeTom Warren

Sources at Microsoft, speaking on condition of anonymity, told The Verge that the last-minute change was made by Julia Liuson, the head of Microsoft’s developer division, and was a business-focused move.

an ecosystem that is designed to fracture

I used to think GitHub Codespaces would help popularise Gitpod but now realize it is the other way around. Gitpod is currently permitted to exist in the Visual Studio Code ecosystem to popularise GitHub Codespaces, and Microsoft can step in at any moment to create legal crises that strategically divide the market from a business perspective because like Apple and their AppStore: it is their ecosystem that they control and they are in absolute control.

Meanwhile, from a product perspective, people will try out Gitpod and, unfortunately, experience product papercuts in the expected value of Visual Studio Code and how users expect the product to function because the developer experience of Gitpod can never match the seamless developer experience of Visual Studio Code or GitHub Codespaces because the Visual Studio Code open-source source code is a venus fly trap that is designed to fracture and lure people in...

but it would be wrong to single out just Gitpod here. Any company (Gitpod, GitLab, Datacoves, OpenBB, Foam, et al) that adopts the Visual Studio Code open-source source code and attempts to compete with Microsoft or GitHub will face the problems outlined above and will be unable to legally offer services for the following programming languages using the functionality that Visual Studio Code users expect and have become accustomed to unless they develop their own tooling (which as of this blog post none have done so):

• Microsoft .NET C# (fsharp is completely open and does not have these issues)
• Python (general purpose and data science markets)
• Project Jupyter (as in nearly the entirety of the data science market)
• C or C++ (general purpose, enterprise and industrial hardware markets)
• and I suspect 🔜 Java (general purpose, enterprise and data science) will be next once the Microsoft tooling catches up with the tooling offered by RedHat.

According to the latest TIOBE index of programming languages popularity above are five of the most popular programming languages/ecosystems, and Microsoft has near control of the seventh most popular language - JavaScript (via TypeScript).

Microsoft can easily fork open-source communities by changing towards proprietary defaults ("strategically divide the market") as Microsoft has already done twice so far. The way Microsoft forks open-source communities is by releasing Visual Studio Code extension updates that make their proprietary offering the default once they have managed to capture enough adoption...

Open Source VS Code Python Language Server Dies, Replaced by Proprietary Pylance -- Visual Studio Magazine

Microsoft officially pounded the last nail into the open source Microsoft Python Language Server coffin, replacing it with the company’s proprietary Pylance extension for coding with Python in Visual Studio Code.

Visual Studio MagazineDavid Ramel

While the company isn't forcing users to switch to its new proprietary language server -- pointing to an open source alternative -- it's the new default.

The move affects millions of developers, as the Python extension is by far the most popular tool in the VS Code Marketplace, having been downloaded nearly 50 million times, about twice as much as the next most popular extension: Jupyter.

The "switching of defaults" that occurred in the Python community is taking place right now in the .NET community...

Announcement: A roadmap update on the VS Code C# extension · Issue #5276 · OmniSharp/omnisharp-vscode

Over the past several months, the .NET team has evaluated ways to evolve the .NET tooling ecosystem and incorporate more capabilities into VS Code. Currently, the C# experience in VS Code is powere...

GitHubOmniSharp

Even if Gitpod, GitLab, Datacoves, OpenBB, Foam, et al were to develop "Open.NET"

Open .NET

What would .NET look like without Visual Studio? Open .NET has 13 repositories available. Follow their code on GitHub.

GitHub

or similar tooling alternatives to the proprietary extension offerings created by Microsoft to enforce their commercial strategy, users will experience friction in the form of having to wire in different product-specific configurations on a per-platform basis and then dealing with the headaches of user support/training related to topics of how the "official" ms-dotnettools.csharp functions vs the open alternative (if it is ever built) and topics of feature/configuration disparity.

1. desktop configuration

// devcontainer.json
"customizations": {
    "vscode": {
        "settings": {},
        "extensions": [ "ms-dotnettools.csharp" ],
        "devPort": {}
        }
    },

2. Gitpod web configuration

// gitpod.yml
vscode:
  extensions:
    - // some open tooling that doesn't exist yet

Whereas if a user stays within the official ecosystem created by Microsoft via the desktop edition of Visual Studio Code produced by Microsoft, then the same configuration that works on the desktop edition just works when someone or their team goes to try out or adopt GitHub Codespaces.

vs a single source of truth configuration that just works

// devcontainer.json
"customizations": {
    "vscode": {
        "settings": {},
        "extensions": [ "ms-dotnettools.csharp" ],
        "devPort": {}
        }
    },

If Gitpod, GitLab, Datacoves, OpenBB, Foam, et al were to attempt to bypass these restrictions by offering ms-dotnettools.csharp post move to LSP Host via their service, then they would receive a very nasty legal email from Microsoft's lawyers.

The same is also true for customers of these competitive cloud development environments if they were to manually install these extensions into these platforms, the customers would be in breach as the license of these extensions is very clear that they are only licensed for installation in official builds distributed by Microsoft:

You may install and use any number of copies of the software only with Microsoft Visual Studio, Visual Studio for Mac, Visual Studio Code, Azure DevOps, Team Foundation Server, and successor Microsoft products and services to develop and test your applications - https://marketplace.visualstudio.com/items/ms-vscode.cpptools/license

okay, so how do we fix this?

The future of software development tooling that is being built is closed as fuck, and people seem to be okay with it because select components meet the OSI definition whilst missing the bigger picture that the compositional graph of components does not.

Open-source was created as a financial weapon to destroy proprietary on-prem software and to ensure file formats (eg. msword doc vs msword docx) remained open for mixing between different pieces of on-prem software. Open-source as a financial weapon is also why making money from open-source is so god damn hard.

Funding Open Source: How Webpack Reached $400k+/year

Webpack’s Sean Larkin on growing the project’s budget with crowdfunding, sponsorships, grants, partnerships… and pure love.

Open CollectiveAlanna Irving

Maybe we need a new movement (or revisit past ideas from the 70s) that focuses on ensuring the openness regarding freedoms of computing (😉) that combat proprietary SaaS offerings? idk.

When I see people arguing over open-source vs non-opensource in 2022, I feel like people are completely missing the bigger and more pressing issues at hand, like how the Visual Studio Code ecosystem has been designed...

The fracturing ecosystem problem is one of the reasons I created Gitpod's Open-Source Sustainability Fund. Paying for resources that are being consumed broadens the list of people who can do open-source. Additionally, money enables open-source maintainers to buy services and outsource activities that do not bring them joy.

In the very short period of time (1.5yrs) I was at Gitpod, over $32,000 USD was distributed to maintainers of language server tooling in the open-source community.

Gitpod Open-Source Sustainability Fund

The truth is free software isn’t free. Hours have rates. Rates require payment. What if the high achievers that our digital society is built upon were empowered to become independent artists?

I hope other companies follow Gitpod's lead and support the high achievers that our digital society is built upon by enabling them to become independent artists that build truly open ecosystems

Gitpod raises $22,600 at DevX Conf to give to Open-source maintainers

The talks from DevX Conf are now available for viewing and USD $22,600 is being distributed to Open-source projects that conference attendees voted for.

DevX Conf wrap & distributing USD 10k of open-source funding

As part of Gitpod’s Open-Source Sustainability Fund initiative attendees of DevX Conf were able to decide where USD 10,000 of funds (the profits from DevX Conf plus an additional donation by Gitpod) were to be distributed. Here’s the breakdown how the fund was split and our retrospective on running…

Gitpod has already partially resolved the marketplace problem for the Visual Studio Code open-source ecosystem by creating the OpenVSX project and gifting it to the eclipse foundation

Open VSX

VS Code is used by more than 50% of all developers worldwide. Its extension protocol enabled the broader developer community to create over

but the biggest challenge for Gitpod, GitLab, Datacoves, OpenBB, Foam, et al lies ahead - developing open language tooling for each community where Microsoft has forked the communities over to proprietary language servers...

Thanks for reading; please discuss on the tweet below 👇 🧡

Don’t build your castle in other people’s kingdoms – How To Market A Game

How To Market A Game Feel Confident marketing your gamezukalous

edit: 31st of August 2022 - Green0Photon from /r/programming has a good summary:

In short, this is what Microsoft did:

• Created VSCode and made it the best and open-source IDE that everyone would jump to first.
• Make a proprietary free distribution of it, along with proprietary free extensions for the various languages.
• Make those extensions the best version possible and slow down focus on open source ones, often deprecating them.
• Now you have to use the closed form of VSCode to have the best experience by quite a bit.
• Everyone else using VSCode as a platform can't keep up because Microsoft fractured their community -- and your VSCode product is now just an ad for a similar Microsoft product that doesn't have all the papercuts.

edit: 16th December 2022

GitLab has launched their own offering based off VSCode (MIT) which suffers from the same problems as everyone else who uses VSCode (MIT) in that VSCode (MIT) is designed in a way that makes your product a walking, talking, advertisement for GitHub Codespaces....

A first look at the new GitLab Web IDE and remote development experience

The next-generation GitLab Web IDE, available to everyone, will enable faster and more efficient contributions right from your browser.

GitLab

edit: 13th October 2023

Google's soon-to-be-launched "Project IDX" offering is based on VSCode (MIT) which suffers from the problems above. If you want to develop .NET, and Python and have the expectations that the Visual Studio Code LSPs will work there - forget it. Not possible, not legal.

Hello there! First, you have made the correct decision to visit Sydney, it's a pretty chill place for tourists. To help you fall even more in love with the city, I have provided you with a list of awesome things to do.

coffee

Australia has some of the best coffee in the world, that is if you know where to find it. If you're on the run and can't venture to a specific cafe, then choose any place that serves pablo and rustys or campos coffee.

Avoid any establishment that serves "grinders coffee" as that coffee is terrible and the food could be questionable. Grinders is manufactured enmass by cocacola.

Most folks drink warm milk aka the flat white; when buying for another Aussie, it's typically the safe default.

I'm pretty particular when it comes to coffee, as when brewed with high-quality beans and by an on-point barista, coffee is a tasting experience similar to scotch or wine. Make sure you drop on by espressory and ask for Peter to brew you something special by hand - either a V60 (ie no milk) or an espresso using beans from their friends and family collection that are sourced from micro-roasters around Australia.

If you are willing to trek then I recommend also grabbing a cup at SingleO.

beer

If you are in the CBD and want to optimise on beer quality, in order of my preference, look no further than:

• https://thenoblehops.com/
• https://www.hartspub.com.au
• https://beerdeluxe.com.au/

If you are looking for a place on the weekend and are up for a quick detour out of the city, then Batch Brewing offers an excellent hipster brewery experience. Thes suburb of Marrickville is where you will find all the craft brewers.

How Marrickville became the craft beer capital of Australia

The inner west suburb has become Australia’s craft beer capital as the industrial sprawl of low rent warehouses provides innovative brewers with boundless opportunities.

Good FoodBiance Hrovat

bars

• There's a rooftop bar on top of the Glenmore with spectacular views of the harbor, their beer selection is generic but it's a great place to meet people.
• For a more traditional pub and grub experience with great beer head on over to Harts.
• For scotch nothing beats The Baxsters Inn.
• For eSports teleport to Spawn Point.
• If it's late and everything is closed in the city or you are after a pizza dive bar, pinball and live music experience head on over to Frankies.

food

Definitely grab a steak sandwich at The Grounds of Alexandria, korean bbq chicken at Naruone and a beef laska from malaychinese. For an all-in-one champange, chicken, rap and sneakers experience head on over to Buttered. If a ten-course tasting menu is your thing then you'll feel right at home at Quay or Rockpool. Had too much beer and feel under the weather? Head on over to Harry's Cafe de Wheels and order a curry tiger pie with peas and mash.

things to do

Take the ferry over to the zoo, the views are spectactular.

Rahul Nath has some excellent suggestions for trips around Sydney and the areas surrounding at:

• https://rahulpnath.com/blog/one-day-trips-around-sydney/
• https://rahulpnath.com/blog/trips-for-the-long-weekend-around-sydney/
  
  

As hacker summer camp swings into full gear, I reflect upon the time where I was arrested under suspicion of transforming a Hong Kong university mail server into a 0-day warez site and almost spent time in hacker winter camp. I was, fortunately, 13 at the time and last week I turned 40 which means I've been on the internet now for 29 years...

You know that opening scene of Hackers where journalists are chasing a young kid around trying to get a media scoop? Yeah, that happened to me...

This scene in hackers hits close to home; as a young child reporters camped outside of my family home in Hong Kong and ended up filing a story which listed my fathers name, who his clients were and not long afterwards we left the country.

That moment in time had a profound impact on my life but it wasn't until seven years later when the operation buccaneer investigation became public and arrests were made that I realised just how fucking dumb I had been.

An undercover operation began in October 2000. On December 11, 2001, law enforcement agents in six countries targeted 62 people suspected of violating software copyright, with leads in twenty other countries.

Operation Buccaneer - Wikipedia

Wikimedia Foundation, Inc.Contributors to Wikimedia projects

Warez Leader Sentenced to 46 Months (May 17, 2002)

You see. Michael Kelly aka "eRUPT" from DrinkOrDie, AMNESiA, CORP, RiSC who ran the botnets for those warez groups taught me software programming.

Michael, I wouldn't have become a software developer without your help but I'm glad our relationship never extended past yourself answering questions related the programming language Tcl and teaching me how the software 👇 that likely provided encrypted communications for the groups worked.

RUPTBOT.TCL

GitHub Gist: instantly share code, notes, and snippets.

Gist262588213843476

Eggdrop - Wikipedia

Wikimedia Foundation, Inc.Contributors to Wikimedia projects

Where ever you are now, thanks I guess? Hope all is well. I'm not even sure you knew I was 13 or if you even remember me. I'm 40 now and it has been over 24 years now since I was involved in any form of internet shennigangs and to be clear I had no affiliations with the previous mentioned groups but, at 13, I did however turn that mail server (which had oh so much disk space) into a 0-day site.

Back in 1995 the internet was different. It really was the wild west and tbh you would be hard pressed to find anyone who is currently in a senior technical leadership capacity who doesn't have a story similar to above.

# "hacking like it's 1995"
echo "+ +" >~/.rhosts

Back then infosex knowledge was, typically, sourced through IRC and the following three publications:

.:: Phrack Magazine ::.

Phrack staff website.

2600: The Hacker Quarterly - Wikipedia

Wikimedia Foundation, Inc.Contributors to Wikimedia projects

and motivations were about exploration, sharing of knowledge and fucking with people for fun. My favourite exploit of all time to this day still remains the 2B2B2B41544829 attack where people, such as myself, would configure eggdrops to automatically issue the following command which would cause peoples modems to disconnect from the internet upon joining a commmunity chat server.

# if you didn't know their IP address
/ctcp #windows PING +++ATH0

# if you knew their IP address
ping -c 5 -p 2B2B2B41544829 <target IP address>

2B2B2B41544829 was a crude way of filtering the community and ensuring only technical people who knew how to configure an eggdrop instance / IRC bouncer or that had an ISDN or OC3 connection could participate. In the places I hung out as a young kid we used it to combat the Eternal September phenomenon:

Eternal September - Wikipedia

Wikimedia Foundation, Inc.Contributors to Wikimedia projects

If there were technical folks we wanted to evict from the community then reflection based attacks such as Smurf and Fraggle were used instead until they deeply understood that they were no longer welcome.

smurf.c

GitHub Gist: instantly share code, notes, and snippets.

Gist262588213843476

Etcetera/fraggle.c at master · fffaraz/Etcetera

My collection of useful code snippets/recipes/scripts/macros for my everyday tasks - Etcetera/fraggle.c at master · fffaraz/Etcetera

GitHubfffaraz

but the internet and the infomation security sector has changed (and matured) so much since then but two things remains true.

hacking should not be a crime...

researchers don't owe you shit

Again and again, I see these words of "being responsible" when disclosing security research being cargo culted in our industry but I think the term is bullshit because it absolves the company with the problem of responsibility.

Something I've been pondering about for a long time was what if instead of "responsible disclosure" as the industry standard it was "responsible resolution"?

That one small flip - switches the responsibility from the researcher to the company to resolve. If the company does not resolve the problem within a community accepted timeframe then said company is deemed as being irresponsible. Over time companies that are deemed irresponsible would face higher and higher cyber insurance premiums and thus would be incentivised to actually fix their shit.

Time, again and again I see companies trying to funnel security researchers into a process with non-disclosure agreements that involves jumping through numerous hoops all whilst forgetting that researchers don't owe you shit.

If you want to keep the abba singing haxors at bay, the #1 thing any responsible company can do is to serve them with gold fucking platter service.

and have the following patterns configured. If you don't have them then sorry your company is not responsible and you don't have a leg to stand on until they are..

website.com/.well-known/security.txt

security.txt

A proposed standard that allows websites to define security policies.

security.txt

DNS Security TXT

dnssecuritytxt

A standard allowing organizations to nominate security contact points and policies via DNS TXT records.

DNS Security TXT

website.com/security

Your company website should have all topics related to security in a single place and the page should be designed for the personas of CISO (customer) and "I've found a security issue and need to contact someone" (white-hat hacker).

I suggest using /security as the URL because it's guessable.

website.com/security/report

A place where people can submit reports. Can be a redirect to your email address found in the security.txt or to a bug bounty platform if you decide to head down that route (but remember; security researchers don't owe you shit and seniors will often just leak the tea to the press upon sight of a bounty platform).

website.com/security/policy

If you don't have a policy then start the journey at

Policymaker: Open-source vulnerability disclosure program policy, security.txt, and DNS Security TXT generator - Part of the @disclose_io Project.

Disclose.io policymaker

Part of the @disclose_io Project.

Please customise the above as needed. At Gitpod, I added a paragraph nudging security researchers that they should do their research on the self-hosted edition of Gitpod (because it is the same codebase as Gitpod) and provided clarity as to which systems are in scope.

I suggest using /security/policy as the URL because it's guessable and builds on the /security convention.

website.com/security/thanks

Whitehat security researchers start at the bottom, typically running nessus scanners against infrastructure against "an agreed scope of machines" (lol). The way to escape out of the hell that is authoring pentest reports is through collecting citations that researcher can put on their resume that acknowledges that they did indeed find a security issue and that the person is in good standing with the company.

By offering a wall-of-fame, you make it easier for researchers to stay in good standing, become a desirable company that security researchers want to work at, and offer a service that can help juniors grow through the ranks in the infosec industry.

I suggest using /security/thanks as the URL because it's guessable and builds on the /security convention.

security@example.com

This one is simple but I see it get fucked up again and again. The security@ email address should be staffed and triaged by engineers. The email address should NOT go to physical building security - use something like facilities@example.com for that. 99.99% of media incidents and PR crisises due to researchers being unable to contact the company could have been adverted with this advice alone.

safe harbor provisions

The laws are murky when it comes to responsible disclosure security research but by shipping a safe harbor provision in your security policy (/security/policy) you will assist security researchers caught in the gulf between legality and disclosure.

If you are unfamiliar with the concept then drop by below.

The disclose.io Project

Open-source tools for a healthy Internet Immune System.

disclose.io

publish your company in the dio database

Did you know there is a database that security applicances, whitehats and professionals turn to when they discover something that just isn't right? It's open-source and your company should be in it!

be accessible and be a desirable place to work for

Send your employees to hacker summer camp and encourage them to attend those random ass vigils for cockroaches. By being actively known in the community (and it is incredibly small) and accessible many public relations issues can be mitigated. It also doubles as a way to build out a talent pipeline you can hire from for your current (or future) security program...

🙇‍♂️ thanks for reading...

I was asked recently on the topic of leadership. In short, I’m an avid fan of servant leadership - being selflessly 100% focused on helping folks within my team / being a janitor.

What is Servant Leadership? - Greenleaf Center for Servant Leadership

Greenleaf Center for Servant Leadership

Back circa 2018, I joined an AI startup in Sydney that brought me in to serve an existing team. The people within the team were freaking brilliant but misunderstood (literal mathematicians and a comp sci professor who published a paper contesting the Church-Turing thesis).

The Church-Turing Thesis confuses numerical computations with symbolic computations. In particular, any model of computability in which equality is not definable, such as the lambda-models underpinning higher-order programming languages, is not equivalent to the Turing model. However, a modern combinatory calculus, the SF-calculus, can define equality of its closed normal forms, and so yields a model of computability that is equivalent to the Turing model. This has profound implications for programming language design. - Barry Jay, Jose Vergara

What followed was some of the most emotionally stressful yet rewarding work I’ve ever done. We managed to partially flip the organizational culture around through clarity and being consistent in communication which resulted in other engineering teams coming to us for advice, education, and mentoring.

The key to making the transformation happen was selflessly serving the team and removing historical leadership debt. Upon reviewing the quarterly reviews for the last couple of years it became clear that they weren’t even provided with the right tools by their employer to do their job. They are mathematicians - they needed whiteboards to do their job.

The people within the team had been clearly communicating but the existing leadership structures had not been listening. So I ordered two of the biggest 7m long whiteboards possible and asked the facilities team to get them mounted on the back office wall. Heck, I don’t even know if what the employer did was completely legal because the building is heritage listed 🤫

Unfortunately, as with startups, market conditions changed and the company almost went under due to serious financial mismanagement. Unfortunately, the actions taken by leadership involved letting go of many many many teams - including mine - whilst I was on a flight to Seattle. Imagine my surprise and reaction (👇) only to find that out I was also being let go as well.

Trapped in Seattle and unemployed, I could only think of one thing - getting these people placed and employed again at companies as soon as possible.  And that’s what I did.

To this day, I miss these people every single day. I miss that team. My time with them changed me, and exposed me to high engineering standards, academia and fringe compsci.

I’m not saying I’m a good manager or leader - mistakes were made - but with that team, I deeply gave a shit and I think that’s ultimately what matters.  If people can feel that you care through your actions then the rest flows from there.

If you are a senior engineer who is considering switching please know that leadership is a completely different skill from engineering however learning the skillset will make you a better person and engineer. All senior engineers should do a tour of duty - even if it’s a once-in-a-lifetime pendulum experience where you end up going back to being “just an engineer".

Here are some resources I highly recommend:

The Engineer/Manager Pendulum

Lately I’ve been doing some career counseling for people off Twitter (long story). The central drama for many people goes something like this: “I’m a senior engineer, but I’m thin…

charity.wtfmipsytipsy

All Podcasts | Manager Tools

Manager Tools

Mentoring

Back in 2013, I stumbled upon this blog post[https://brendanforster.com/2013/11/mentoring/] by Brendan Forster[http://twitter.com/shiftkey] which fundamentally changed my career trajectory.Knowing that there was a human I could turn to ask questions related toopen-source made all the difference.…

Geoffrey Huntleyghuntley

The Situation-Behavior-Impact Feedback Tool: Providing Clear, Specific Feedback

Use the Situation-Behavior-Impact (SBI) feedback model to give feedback that is focused, specific and objective.

Mind Toolsthe Mind Tools Content Team By the Mind Tools Content Team

Use the SCARF Model to Understand Our Individual Triggers

Using SCARF to Collaborate with and Influence Others[7] We’ve known for a long time that our assumptions, emotions, world views, and paradigms influence our behavior. The latest research in neuroscience tells us that our neurobiology is what drives our behavior and defines how we, as leaders, make m…

Systems Building Resource Guide | Office of Child Care

As I look towards the future and what comes 🔜 I hope above provides clarity about my views on the topic of leadership. If [actually, because I'm human, when] I fuck up know that I deeply give a shit and make-up chicken salt is available in boundless quantities upon request.

As the saying goes, all good things come in threes:

• Last Friday, I submitted my resignation to Gitpod and signed with my 🔜
• On Saturday, I finally, after time apart due to COVID19, met in person with someone who will always be a special someone in my life
• Yesterday, I submitted an application for a house in Sydney and commited to my children that I would seek 50/50 shared care

and I hope the saying is true. Gitpod supported me during a really tough period in my life and together we took awareness of Gitpod from 0 to 1.

Oh wow! You will be missed, but I'm truly happy for you identifying and taking an exciting new opportunity. Thank you so much, you have played an important role with some of your moves (e.g. the cake and all the activities around the codespaces launch were genius and super important for Gitpod)

Gitpod shipped GitHub a launch cake for Codespaces

This is a story about a cake. Following a long-standing tradition in technology, we decided to send an edible Gitpod workspace to GitHub’s San Francisco office.

There's still alot of work to be done at 'pod but, for now, it's time to go because I can't say no. My kids come first, always, and now I can provide for them even better. Maybe our paths will cross again in the future but the chapter is coming to an end on the 19th of August.

A transition plan has been provided to my 1-up and I'm hoping it get's greenlit. There's one killer thing that Gitpod needs, that the community desires and I think it's possible to get it shipped in the next two weeks.

Let's go.

McDonalds in Australia do a decent cup of coffee. It’s not great but it’s consistently decent so I often start my day with a cup. Due to my travels around Australia in a decked out van I have seen how many McDonalds operate and just how many of these terminals are left fucking unlocked.

Underpaid staff who used to do ordering have been replaced with these self-service kiosks and a process that is based off to tickets. This process completely falls apart when the ticket printer runs out of paper and as McDonalds does A LOT of orders the printers run out of paper often. From what I've observed staff across Australia are leaving the Kiosks unlocked to make it easier to replace the paper.

Inside a kiosk is a standard x86 computer NUC with exposed USB ports. Now I’ve learned since my youth but part being a hackerman is having keen observations for really dumb stuff that can be leveraged and you never lose that skill even after you cease practicing. It’s like travelling to a new town with a skater boi - always looking for new lines to skate.

Three days ago at the Blaxland store my spider senses started tingling when I noticed something quite alarming. It turns out that these kiosks run windows as administrator, touch screen input is enabled and in the recovery operating mode the general public can run any application 😬

So why am I concerned? Why should you care? There are payment terminals attached to these kiosks. If someone installs malware on here - just insert a usb stick or use the recovery mode - then tada we have the next generation of atm skimming.

Revealed - the machines behind the EFTPOS scam

The skimming scam that has stripped almost $5 million from WA bank accounts was due to old EFTPOS machines easily hacked, a senior industry insider says.

WAtodayChalpat Sonti

Today at another McDonald's I observed the entire bootstrap process and can confirm that the kiosk indeed is responsible for installing “custom firmware” on the card reader and as user interaction is enabled, it is, in theory, possible to force the terminals into recovery mode when they boot by tapping on the screen...

McDonalds your processes are faulty in the following ways:

• The kiosks are built with the design of “they are physically secure so it’s okay to run as administrator”. This is NOT okay.
• The kiosk user interface has error modals which block visibility of what someone’s order number is which creates customer confusion and process dysfunction with people picking up orders that aren’t theirs cause they don’t know what their order number is. Which results in underpaid staff leaving the machines unlocked so that doing a task that they do often can be done easier.
  

Anyway, so here I am sitting here with my cup of so-so coffee and pondering that it is inevitable that these terminals will be used for financial crime in the future whilst opsec (store employees and kiosk machines running as administrator) remains so relaxed.

Knowing all of above I no longer use these Kiosks and recommend you don't either.

What someone does with this knowledge is left as an exercise to the reader but it would be delightful to see b-sides talk where someone who has legally obtained one of these terminals up on stage just as Barnaby Jack did with ATM's in 2013 at DEFCON.

ps. If you made it this far then maybe you would also enjoy the following...

what if instead of “responsible disclosure” as the infosec standard it was “responsible resolution”?

As hacker summer camp swings into full gear, I reflect upon the time where I was arrested under suspicion of transforming a Hong Kong university mail server into a 0-day warez site and almost spent time in hacker winter camp. I was, fortunately, 13 at the time and last week

Geoffrey HuntleyGeoffrey Huntley

I'm saddened by the need to author this blog post about a product that I once loved. For the last eight months I've been traveling around Australia in a custom built van with a Denon 4 controller connected to two SOUNDBOKs v3 speakers

and life has been pretty freaking good lately. Instead of maintaining open-source software I've been playing tunes to groups of people as the sun goes down and

hacking the firmware of the Denon Prime 4 to make it possible to SSH into the device and run custom binaries. The van build is now complete and it is amazing, so amazing that SOUNDBOKS themselves followed me on social media and sent across the following DM...

However this is where the love ends as last week SOUNDBOKS pushed out a "mandatory firmware update" to all users of their speakers without an accompaning changelog of explanation why it was mandatory.

After the firmware was installed onto both speakers I noticed something odd. The output dB has decreased and when turned to "11" (yes, that's an actual featute) the speaker output power which used to be outright amazing is now just meh and is what "5" was before the firmware update...

Now, as a reminder - I own two speakers - both speakers have had their performance nerfed by this firmware update. Concerned I posted my findings to Reddit and the SOUNDBOKS Facebook group and it turns out I'm not the only one...

I just updated it to 2.1.1 and i’ve noticed both the loudness being reduced and my precious Bass as well. I am truly disappointed and am thinking about sending it back and demanding a refund. I definitely didn’t pay 900 Euros for this beautiful speaker for it to be nerfed aber 5 months … screw that. - Keanu

I will agree that the output is less after the update. I’ve only had my soundboks3 for a week and prior to the update it was significantly louder - Joseph Thomasson

I just tested my SB3 which I had not updated yet, and it’s clearly louder than my friend’s who updated to latest version - Luka Gotsiridze

I’ve had the impression that max volume is reduced, but sound quality at higher volumes is improved. Wish I could test two speakers running different firmware side by side. - Middle_Name-Danger

I've the same impression. Saldly a friend did the update also already. MHHV-niddl

Alarmingly one of the employees replied back with "we are aware that the update is damping their sound more than it it should".

Okay - holy fucking shit - I have some questions...

1. why would a firmware update to a speaker dampen sound in the first place?
2. why reduce the performance of the speaker by almost half?
3. what is in the firmware update and where is the changelog?
4. how did this get past QA? is everything okay internally within the company?

On the last point - it turns out things are not well (tm) at SOUNDBOKS and they announced a battery recall program last week:

• https://www.consumeraffairs.com/news/soundboks-recalls-bluetooth-speakers-with-lithium-ion-batteries-040722.html
• https://www.soundboksrecall.expertinquiry.com

However I suspect, that the true answer "behind the sound dampening" lies in the fautly design of the charger/battery system on the Generation 3 SOUNDBOKS.

It is a fact that AC charger does not supply enough amps to run the speaker purely off mains power when running at "5" (pre-firmware update) which manifests with the speakers going "pop" and powering off thus it is not possible to run the speaker purely off mains power.

To use the speaker past "5" (pre-firmware update) one needs run purely off battery power. Okay, so now you might be wondering - what happens if the charger and battery is connected at the same time? The SOUNDBOKS v3 destroys the battery and reddit is filled with stories that prove it.

When I first purchased these speakers - circa 8 months ago - at a total cost of $3198 AUD - there was no information provided that the speakers cannot run off mains power and cannot be run "past 5" (pre-firmware) update.

Over the last month SOUNDBOKS has been quitely rolling out updates to their website and marketing materials with ever increasing verbosity and as of a couple days ago there is now a brand new dedicated "battery help" page on their website.

I suspect, that in the latest firmware update, SOUNDBOKS fixed their issue of batteries being cooked by running systems above 5 (pre-firmware update) by recalibrating the volume by making what was 11 now 5 aka deceptive and dodgy af business practices.

Concerned - I took the speakers into my local forest, cranked both to 11, slapped on some dark berghain techno, measured the output with a decimal meter and here's what I found.

The speakers which used to do 126db at 11 (pre-firmware) and last a couple hours can now only output 90db (post-firmware) and the battery life now lasts significantly longer - which to be clear - is a bad thing.

So, I thought my van was "complete" but it turns out I'm going to be returning them to JBHIFI if a suitable resolution and explanation from SOUNDBOKS is not provided.

Does anyone have any recommendations for what to get instead of SOUNDBOKS for my van? Let me know on Twitter.

For some, this is the consulting version of Siberia; lost in a hopeless no-man’s land. Without a plan, you'll have very little to do and what you are assigned is often either busy-work or unfulfilling at best. Like a utility player on a sports team, you are sitting in reserve waiting until your skills are needed for another project. It doesn't have to be this way tho. Here are some of the things that you could be doing:

1) Self-promotion: make sure folks know what your interests are, and the sales team know what style of engagements are appealing to you. When was the last time you took an account manager out for coffee or ran a knowledge sharing brown bag? Did you learn something cool yesterday? Run a brown bag or author a thought piece.

2) Helping out: Use the standup to signal that you want to pair with folks. Your peers, state and national leadership teams have a bunch of things they always need help with. Consulting typically involves aspects of leadership, and that can be tiring. Recharge by helping others achieve their goals. It's quite rewarding.

3) Shipping: Create something small, ditch all of the traditional best practice guidelines such as test-driven development or CI and hack away in notepad on a web-server. Get your idea live by the end of the day - i.e. https://noyaml.com/ Taking something from concept to production in a short period is a rush, and I find that the energy compounds. Done right you'll have something to do a brown bag on or show at the next standup.

4) Course-based learning: It's not for me, but if it works for you then awesome. Just make sure you ship something or use the Feynman technique so that time doesn't go to waste.

5) Social: take the opportunity to get out into the field and see folks who you usually don't usually get to spend time with. That includes peers within your company and the broader community - ie customers.

6) Go wide (or deep) on foundational topics like systems administration which like software development the Single-responsibility-principle is everywhere; you're always fighting state. If you are sick of technology churn then why not master a foundational computer science topic or study a foundational academic paper? - https://github.com/papers-we-love/papers-we-love

7) Recharge, consulting can be stressful. Use this time to reflect, replenish and action whatever tasks are outstanding so that you can focus 100% on your next client when they come along.

Earlier last year I added a /new page to my website at https://ghuntley.com/new/ as a productivity shortcut and partly out of necessity of doing software development from an iPad.

Reflections on software development from anywhere on an iPad

The Macbook Pro M1 is the software development laptop of choice yet I love my iPad considerably more. I’m all in with my thin client for hipsters. Here’s what I’ve learned over the months and how my baremetal homelab in the sky is setup.

Geoffrey Huntleyghuntley

It's not actually a "page" as per say, it's a redirect to the following URL https://gitpod.io#github.com/ghuntley/new which provides a temporary ephemeral computer via Gitpod that is customised to my liking. It's a simple link, easy to type, easy to remember and it get's typed often.

Think of it as "dotfiles" but "for computers". Zach Holman authored Dotfiles are meant to be forked back in 2010 and that blog post had a profound impact on my career as it was my first pull-request and gateway into the wonderful world of GitHub.

Dotfiles Are Meant to Be Forked

Written pieces, talks, and other bits by Zach Holman.

Zach Holman!Zach Holman

By taking lessons learned from the infrastructure-as-code movement and upgrading the dotfiles pattern into full blown Docker images then utilising products such as Gitpod to consume, build and execute the Dockerfile then I no longer need to worry about the security of my endpoint when playing with open-source software created by complete internet randoms.

$ sudo rm -rf / === npm install

In what seems like a long time ago, in part because it is, I learned thecatastrophic capabilities of this command the hard way and I’m sure folks myvintage have similar stories as it’s essentially a right of passage in thesysadmin world. Back in 1996, I was 14

Geoffrey Huntleyghuntley

Each new environment is sandboxed and completely disposable - freeing me of concerns of accidentally bricking my local computer, open-source supply chain attacks or a desktop folder full of junk source control checkouts. These days instead of opening a new Windows Terminal, iTerm2 or Blink session I head to my /new.

GitHub - ghuntley/new: Ephemeral terminals in the sky

Ephemeral terminals in the sky. Contribute to ghuntley/new development by creating an account on GitHub.

GitHubghuntley

Above you'll find the source code to my personalised ephemeral computer which uses nix (because really good reasons) but if nix isn't your thing then I encourage you to roll your own. There are three components to a /new:

1) .gitpod.yml

## The 'image' section defines which Docker image Gitpod should use. 
##
## By default, Gitpod uses a standard Docker Image called
## 'workspace-full' which can be found at
## 'https://github.com/gitpod-io/workspace-images'

image:
  file: Dockerfile

## The 'tasks' section defines how Gitpod prepares and builds
## this project or how Gitpod can start development servers.
##
## With Gitpod, there are three types of tasks:
##
## - before: Use this for tasks that need to run before init
##           and before command. 
## - init:   Use this to configure prebuilds of heavy-lifting
##           tasks such as downloading dependencies or compiling
##           source code.
## - command: Use this to start an application when the workspace
##            starts.

tasks:
  - name: nix
    command: |
      direnv allow
  - name: tailscaled
    command: |
      sudo tailscaled
  - name: tailscale
    command: |
      sudo -E tailscale up --hostname "gitpod-${GITPOD_WORKSPACE_ID}" \
                           --authkey "${TAILSCALE_AUTHKEY}"

2) Dockerfile

FROM ubuntu

# https://twitter.com/mitchellh/status/1491102567296040961
RUN sh <(curl -L https://nixos.org/nix/install) --daemon

3) Webserver redirect

If the computer definition is hosted at https://github.com/ghuntley/new then https://gitpod.io/#https://github.com/ghuntley/new is the link that would be the redirect destination.

Software in 2022 is overwhelmingly built with little to no consequence and is made up of other components which are overwhelmingly developed by unpaid volunteers on an AS-IS basis that are being financially neglected.

Systemically, I'm concerned that there is a lack of professional liability, rigorous industry best practices, and validation in the software industry which contributes to why we see Boeings flying themselves into the ground, financial firms losing everyone's data day in and out, and stories floating around our industry publications about people being concerned about the possibility of a remotely exploitable lunar lander on Mars.

There's a heap of [comical?] tropes in the software industry that are illogical/counterproductive to the advancement of our profession and contribute to why other professions think software developers are a bunch of immature spoiled children that require constant supervision.

If I type "Anyone can be a builder" into Google here's the first result...

In Australia, if you want to work as a builder or tradesperson you must have a licence or be registered (depending on your state or territory). Before you apply for your licence or registration you will need to gain a combination of experience, technical qualifications, skills and knowledge.

If I type "Anyone can be a vet" into Google here's the first result...

Things I Wish I Knew Before I Became a Veterinarian. Training to become a veterinarian takes almost as much time as becoming a human doctor, and it's just as involved.

If I type "Anyone can be a software developer" into Google here's the first result...

Anyone Can Be A Software Developer — It’s Not Magic. You don’t need to be a hacker or ninja to solve coding problems in the real world

No other profession that I'm aware of trivializes their profession to the degree that software does. Software practitioners should be licensed and be bound by a professional ethical code where violation of said code would result in the revocation of the license to practice software engineering.

Engineers, Ethics, and the VW Scandal

Case points to the need to move away from a compliance mindset and towards better ethics integration in engineering education

IEEE SpectrumPrachi Patel

Iron Ring - Wikipedia

Wikimedia Foundation, Inc.Contributors to Wikimedia projects

Over the last decade, there has been an insatiable appetite for people with any software development skills and unfortunately, the supply of apprentices has outstripped that of master craftsmen which has put the software industry on a path of normalizing the practice of inexperienced people being led by other inexperienced people.

To make matters worse companies often do not provide time for teaching or personal development which fuels a culture of resume-driven development and importing fast fashion into employers without sound engineering due diligence.

Inexplicably institutions that used to pass down the knowledge of actual master software craftsmen no longer do so because they care more about broader appeal/adoption to serve marketing goals instead of attracting big brains to the ecosystem and upskilling the existing community.

There's way too much focus on producing level 100 to level 200 content out there in the world right now ("this conference talk could have been a blog post") and nowhere near enough master software craftsman content. David, Joe, and Immo are right on the money 🎯 with their comments that one of the best ways a company can stand out from the crowd in 2022 is by publishing / lifting up deeply technical content.

Channel 9 Index

GitHub - papers-we-love/papers-we-love: Papers from the computer science community to read and discuss.

Papers from the computer science community to read and discuss. - GitHub - papers-we-love/papers-we-love: Papers from the computer science community to read and discuss.

GitHubpapers-we-love

Unfortunately, resolving access to high-quality knowledge and experienced mentors won't help because software practitioners keep doing (or enabling) stupid shit that damages our reputation...

A trope I saw, again and again, in my consulting days is our industry's fascination with producing squirrel burgers.

What's a 🐿🍔 you might ask? Here let me explain with a story...

It's 10:38 pm on a Saturday night in downtown Seattle, Washington and you are very hungry. After wandering up and down the streets you stumble upon a Shake Shack that's open and accepting orders! (woo woo)

After some pondering, you add a double beef SmokeShack burger, with fries and a vanilla shake to your order cart and gleefully mash the green "Let's do it!" button.

The cook comes over and asks for $18.87 USD. After opening your wallet you discover that you don't have enough money to pay for the order.  The cook can see the look of disappointment building up in your eyes and knows what's coming next...

You: Hey, Cook. I've only got $2 and I'm really hungry. Is there any sort of special you can do for me?

The cook looks at you up and down and heads towards the storeroom. Moments later the cook reappears and says...

Cook (aka Software Developer): I don't have anything in the storeroom available but if you want, I can ignore industry best practices and cook you up a squirrel burger.

Hell yeah! Eager for getting any form of food in your tummy you hand over all your money to the cook and grab a seat whilst you wait for it to be cooked.

The cook (aka software developer) heads out back and ventures way past the storeroom, down the street with a spatula (his tools of the trade) in hand, scrapes up some roadkill, throws it onto the hot plate, and cooks it for the client...

Anyway, thanks for reading. I'm blogging more and tweeting less, so if you want to learn about sweet places to visit in Australia, working remotely from a van, or more about doing software development from an iPad enter your email address to be notified when future blog posts ship.

Back in 2013, I stumbled upon this blog post by Brendan Forster which fundamentally changed my career trajectory. Knowing that there was a human I could turn to ask questions related to open-source made all the difference.

Ever since then I've been setting aside time for coffee catchups with anyone and everyone. By design, I'm super accessible. If you ever need to catch up about anything then below is how you can contact me.

Email: https://ghuntley.com/contact
Calendar: https://ghuntley.com/meet

Yes, it's that simple. I do however ask that you read below before booking a slot of time.

find yourself a better mentor

Wait, what? Yes, there's lots that I can teach but the best mentors are people who do not call themselves a mentor. Have a read of this essay. Derek is right on the money when he says:

“the standard pace is for chumps” — that the system is designed so anyone can keep up. If you’re more driven than most people, you can do way more than anyone expects.

This principle applies to all of life, not just school.

There’s no speed limit | Derek Sivers

Whether you’re a student, a teacher, or a parent, I think you’ll appreciate this story of how one teacher can completely and permanently change someone’s life in only a few lessons.

Derek Sivers

6 things I wish I knew the day I started Berklee | Derek Sivers

This is a talk I gave to incoming first-year students at Berklee College of Music today: September 5, 2008.

Derek Sivers

Here's an open secret...

Open-source is one of the best ways to learn but the advice people give in this space is terrible.

In nearly every other profession other than software development there are immense barriers to getting started. If you want to build a physical bridge then you'll need expertise, equipment, and money.

In the world of software, all you need is time and the knowledge that there are people who build digital bridges (open-source maintainers) who are itching for people to help them out.

The formula is to success shockingly simple yet few do it because it requires a longer-term horizon...

• Turn up and introduce yourself
• Share the intentions that you wish to help out.
• Start helping out and ask for help.
• Keep turning up, document everything, and be the project's janitor (that's actually what an open-source maintainer is).
• Catch up for beers with your new friends.

stay away from contributing to the big projects

Brand name projects such as Kubernetes, et al sound shiny and but it will be hard to build personal relationships. Identify what the founders of these projects are doing right now - 9 times out of 10 they have already moved on to "something more interesting". Go join them on that voyage instead.

you will fuck up

own it, learn, grow and adapt. I still vividly remember the moment in time where Ani 🚨🚔 arrested me in Slack 🚨🚔 for pushing to master. The lesson here was twofold:

• One should not push to master (use pull requests)
• One should not be able to push to master (ani had the repo misconfigured without branch protection)

opensource is fundamentally broken by design

Please understand this and learn from people like Russ and myself who have been there and back.

The myriad of tools that are relied upon by developers every day are built and maintained almost exclusively by unpaid volunteers, and the maintainers of open-source projects, our digital infrastructure, are in desperate need of support. Because code is less charismatic than a hit YouTube video or Kickstarter campaign, there is little public awareness of and appreciation for this work. As a result, there is not nearly enough institutional support for the output that sparked an information revolution and is the backbone of our digital reality.

Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure

Society runs on software but software building tools are buckling under the demand. In this report, Nadia Eghbal addresses the challenges.

Ford Foundation

Just like physical infrastructure, digital infrastructure needs regular upkeep and maintenance. Companies need to do more to support open-source authors' work, otherwise, our digital world risks security breaches, interruptions in service, and slowed innovation.

If you become an open-source maintainer, please understand that there are systemic issues and one of the best ways to create change at the moment is to introduce friction that hinders mindless consumption.

For your own well-being, as soon as open-source stops being fun, stop it. As an open-source maintainer, you don't owe anyone anything - re-read the open-source license  your software is released under because it makes this very clear:

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

learn how the internet works from a cat

These three videos will explain the infrastructure fundamentals that every software developer should know. If Nil mentions something you don't understand, pause the video and go research it.

USENIX

The Advanced Computing Systems Association

USENIX

choose boring technology

Let’s say every company gets about three innovation tokens. You can spend these however you want, but the supply is fixed for a long while. You might get a few more after you achieve a certain level of stability and maturity, but the general tendency is to overestimate the contents of your wallet. If you choose to write your website in NodeJS, you just spent one of your innovation tokens. If you choose to use MongoDB, you just spent one of your innovation tokens. If you choose to use service discovery tech that’s existed for a year or less, you just spent one of your innovation tokens. If you choose to write your own database, oh god, you’re in trouble.

Choose Boring Technology

Dan McKinley :: Math, Programming, and Minority Reports

own your identity

You should own your realname dot com. Now there's one thing that is very important: Your domain registrar should be separate from your web-hosting / email company so that your web-hosting / email company can never hold your identity hostage. Never purchase addon services from your domain registrar - only purchase these three items:

• Domain registration
• Whois Privacy
• DNS Hosting (if required)

That's it!

ditch douliekmudkips04@gmail.com

Now that you own your identity as a domain name, it's time to ditch your high school gmail account.  Host your mail under your identity using a convention such as:

• ghuntley@ghuntley.com
• firstname@ghuntley.com
• hello@ghuntley.com

Having a highschool style email address on a resume is a rookie mistake that raises questions about technical competency. Seeing someone having email addresses at their domain conveys that they understand what an MX record is.

Hosting your mail under your identity also enables you to move between email providers. This is incredibly important, cool email addresses do not change.

get a custom phone number for life

In Australia, the three telcos — Telstra, Optus, and Vodafone have a private number department. Call each one up and ask if they have a phone number combination that you desire for purchase.  If Vodafone has the number but you use Telstra then signup for Vodafone then port the number over to Telstra.

content is all that matters

You need a blog that is hosted on your own personal domain. Do not post content to medium, devto, freecodecamp or anything like that because eventually those platforms will either be sold or shutdown. When content is authored outside of your domain then you are losing out on compound interest.

Our Incredible Journey

Putting the ack! in acquihire

Tumblr

always shoot b

As you go through life, always be snapping photos and videos with the express intention to use them later in future blog posts. Stand out from the crowd by using your own imagery. It is important. The photo in the header of this blog post was captured in 2017 after a mentoring session about marketing fundamentals. Thank you Lana Montgomery.

public speaking

Here is the first talk I ever delivered

Compare this to my first television appearance. There's still a long way to go in the arena of improvements (uhm, ahs, etc) but public speaking is an incredibly important life skill. Start at user groups. They are always looking for speakers. User groups are also a fantastic way to find a job (if you do more than just turn up) btw.

Much of what I learned came from the following two websites:

Tips for Public Speaking – speaking.io

Public Speaking things

Thoughts on public speaking by Zach Holman

Doing a TED Talk: The Full Story — Wait But Why

In August of 2015, I was invited to give a TED Talk. Here’s the full (very stressful) story.

Wait But WhyView all posts by Tim Urban →

ps. Thank you John Bristowe for giving up your speaker slot at NDC many years ago.

create silly projects

Create stupid things for fun, ignore best practices and just launch them. One of my best hits was authored after one too many CustomResourceDefinitions (beers). When you rock up to interviews, you want to have something to show. A story to tell and insights to share. If someone can play with it before the interview then all the better.

Technology rarely matters. TheNFTBay was created in vim and the content was manually yanked and pasted between files. No templates. Lots of duplication.  Hosted on GitHub and wrapped in CloudFlare. If you follow best practices on silly projects then you will never launch em.

iterate

Launch that thing, it'll never be ready so just launch it once you can clearly explain in words the value proposition. Get an iteration loop going immediately based on feedback from the launch. People respect the hustle if you listen to feedback, adapt, and incorporate it. Engage with anyone who engages with you and prep yourself for the prospects of not sleeping for 48 hours.

Steve Blank Books for Startups

See the “Startup Tools” Tab for Tools and Blogs. For Books on Silicon Valley History see here Free Harvard Business Review article here Entrepreneurial Management Stack Over the last fe…

Steve BlankGray Somerville

invest in your tools

If you are working remotely then grab the best microphone you can because vocal presence dramatically affects how people perceive you. When you can afford it, pick up a full-frame SLR camera with some nice glass. When everyone is using the same aperture (webcams, smart phones) all you need is to stand out from the pack is to use a different aperture.

on community

Follow https://twitter.com/rosiesherry, grok https://en.wikipedia.org/wiki/Eternal_September and devour https://www.jonobacon.com/books/artofcommunity/. In the technology industry, there are thought filter bubbles and echo chambers. You'll be a more effective community leader if you deliberately go out of your way to locate and understand dissenting opinions.  Community is made up of people and it's your job to understand people. All people, not just people who share the same values as yourself.

help others look good

If someone helps you, then help them look good. Thanks, K33g!

In what seems like a long time ago, in part because it is, I learned the catastrophic capabilities of this command the hard way, and I'm sure folks my vintage have similar stories as it's essentially a right of passage in the sysadmin world. Back in 1996, I was 14 and whilst the internet has fundamentally changed over the years, one thing has not - the internet is still a dangerous place filled with bad actors.

I had spent hours learning how to install Slackware onto my fathers Cyrix 6x86 computer and days learning how to configure the PPP daemon to connect the computer up to IBM dot NET via an US Robotics 56K V.92 modem when life served me a lesson.

At the bottom of the installation guide I was following there were recommendations to join an internet relay chat room for newbies on EFNet (ahoy!) so I did exactly that.

As a member of the generation that is the Eternal September (ie. complete unawareness of pre 1993 internet etiquette) I launched right into asking my first question without saying hello. The interaction went down something like this:

me: hey, how can I do $x?
random: $ sudo rm -rf /

Being 14 and completely oblivious, I ran the command as root. Poof, days of work down the drain and one important lesson was learned:

Don't trust instructions from random people on the internet

Unfortunately, not much has changed in the last 25 years. The command is dangerous and you should absolutely not run it on your local computer yet,  that's what nearly every software developer is risking multiple times a day when they consume a random repository from GitHub on their local computer.

25 years have gone by since I discovered that consuming instructions from the internet (be that from a person, or from open-source software) might result in a computer needing to be reinstalled yet fundamentally not much has changed in our industry to address this problem even though the consumption of software created by complete internet randoms has skyrocketed.  

Anyway to make the problem real, two weeks ago, for approximately 4 hours a widely utilized NPM package, ua-parser-js, was embedded with a malicious script intended to install a coinminer, harvest user/credential information and to compromise developer workstations.

my office is a tent that my employer purchased for me

If you look up on Instagram, you’ll see jaw-dropping pictures under the hashtag #vanlife. It’s true. The big blue world is freaking beautiful, but beauty comes at a cost.

Geoffrey Huntleyghuntley

Gitpod (where I work) was one of the many companies that consumed  us-parser-js as a transitive dependency.  As soon as news broke, we audited the Gitpod infrastructure (git rev-list --all | xargs git grep "ua-parser-js@" | cut -d@ -f2 | uniq) to determine if an infected version was in use (it wasn't) and as-is best practice we rotated the application development credentials of our engineers on the off chance someone did any work with yarn.lock during this period.

Because Gitpod builds Gitpod with Gitpod, no packages or dependencies are downloaded onto our engineers devices' which contains this class of security incident and inhibits malicious actors pivoting towards completely compromising workstations of our employees.

Cool huh?

This is just one of the reasons why I think by 2023 working with ephemeral cloud-based dev environments will be the standard. Just like CI/CD is today.

Honestly, I would not be suprised by 2030 if insurance companies made the usage of ephemeral sandboxes (in whatever form: be that cloud, OCI, or firecracker) a condition of issuing cyber insurance. In this distributed world where remote development is now a norm moving towards ephemeral sandboxes is an important lever to counter the increasing threat of source integrity and supply chain attacks.

On that topic, I personally believe consumers of open-source software need to make adjustments to their workflow in order to achieve supply chain security. There's unfortunately a push happening broadly across our industry right now that roughly translates "maintainers need do all this additional labor to make open-source easier to consume by billion dollar companies" (eg. maturity ladders) and I think that's wrong.

The thing about open-source software that’s too often forgotten, it’s AS-IS, no exceptions. There is absolutely no SLA. That detail is right there in the license! In business terms, open-source maintainers are unpaid and unsecured vendors.

The pushes for supply chain security are admirable but, personally, I think the industry needs to also invest in making developer tooling that prioritizes reproducible builds and making source/binary substitution more accessible so that consumers don't need to consume mystery binary packages with questionable contents in the first place.