A few weeks ago I decided to start collecting some statistics on kelma.mt. Google Analytics gave me some basic interaction statistics but I wanted to delve deeper into how people were playing the game.

On average, 1,000 people play the game every day. Most answers come in between 7am and 9am and the second most between 7pm and 9pm. I was surprised to see that even during the early hours of the day 2am - 4am, activity does not stop. I guess people enjoy playing the game if they cannot sleep or maybe players who are working night shifts?

The majority of the games are solved in either 4 or 3 guesses and 9% of the games ended without the correct guess.

Unsurprisingly, the most common starting word is KELMA (8%) with WERQA (3%) and MEJDA (3%) being the second most common.

I also decided to gather some statistics on what words people type that are not in the dictionary. The top offenders are HASEL, ĦAWEL, XELTI, GMIEL and ŻMERĊ.

The first few are obviously spelling mistakes, however I did find some words which were not in my dictionary; such as: PASTA, BINTI, ĠOBNA, MONTI, ĠAĦAN, ĊERTU and ĊOMBA. The dictionary source I am using is Ġabra from the University of Malta. After I gather some more and filter out the spelling mistakes I intend to submit these to the dictionary. I may even be wrong and some of these words might not even be valid in Maltese, we'll see.

From the demographics side of things, during the last 28 days, US, UK, Italy and Belgium ranked the highest visits after Malta.

OS and browser-wise, Android and Chrome win the race, with a staggering 80% of usage coming from mobile devices:

One last interesting fact that I noticed is that people prefer to play using the web browser rather than the app. Only 163 devices have the kelma.mt app installed on Google Play Store. In reality, the app in the Play Store is just a PWA wrapper around the app so I can see why there would be no need to download the app.

Anyways, I am really glad people are enjoying kelma.mt.

A lot has already been said about the 6-hour Facebook, WhatsApp, Instagram, et al... outage of 4th October 2021. Instead, I will take a different approach; visualizing it.

As keen-eyed network engineers had already deduced, Facebook's AS32934 withdrew all BGP routes at around 5PM UTC on 4/10/2021. I had already done a blog post in the past with a layman's summary of what BGP is. In short, BGP is, quite literally, the protocol that makes the internet work. BGP is used to announce routes of how one network can reach another network over the internet.

16:42 UTC: AS32934 Route Withdraw

Using RIPE's BGPlay, we can see AS32934 withdrawing its routes and essentially leaving the no path for IP packets to reach the Facebook network. All of this happens in about 10 minutes, after which the internet has fully converged on the new route announcements and no viable path to Facebook's network was available.

23:00 UTC: AS32934 Announcing Routes

After about 6 hours of downtime, Facebook's border routers started announcing AS32934 again and we can again visualize the internet converging. Internet routers started adding these routes to their routing tables so IP transit towards Facebook was possible again.

For more details about the October 4 outage, Facebook has published a blog post with some technical challenges they had during the outage and how they overcome them.

In any case, it's also a big relief that big companies can also have 6-hour outages :) At least, this time, it was not our fault!

Finding the right partner from 3,812,261,000 females (or 7,692,335,072 humans, if you're bisexual) is difficult. You never really know how one partner would compare to all the other people you might meet in the future. Settle down early, and you might forgo the chance of a more perfect match later on. Wait too long to commit, and all the good ones might be gone. You don't want to marry the first person you meet, but you also don't want to wait too long because you'll run the risk of missing your ideal partner and being forced to make do with whoever is available at the end. It's a tricky one.

This is what's called "the optimal stopping problem". It is also known as "the secretary problem", "the marriage problem", "the sultan's dowry problem", "the fussy suitor problem", "the googol game", and "the best choice problem". The problem has been studied extensively in the fields of applied probability, statistics, and decision theory.

The problem is as follows:

"Imagine an administrator who wants to hire the best secretary out of n rankable applicants for a position. The applicants are interviewed one by one in random order. A decision about each particular applicant is to be made immediately after the interview. Once rejected, an applicant cannot be recalled. During the interview, the administrator gains information sufficient to rank the applicant among all applicants interviewed so far, but is unaware of the quality of yet unseen applicants." - The Secretary Problem

At the core of the secretary problem lies the same problem as when dating, apartment hunting (or selling) or many other real life scenarios; what is the optimal stopping strategy to maximize the probability of selecting the best applicant? Well, in reality, the problem is not about choosing secretaries or finding the ideal partner, but about decision making under uncertainty.

The solution to this problem turns out to be quite elegant. Let's say you can rate each partner/secretary from 1-10 according to how good they are:

Had we known the full information beforehand, the problem would be trivial; choose either Alissa or Lucy. Unfortunately, we cannot look-ahead and there's no going back. When you're evaluating one partner, you are unable to look forward into the future and consider other opportunities. Similarly, if you date a great girl for a while, but leave her in a misguided attempt to find a better one and you fail, there's a good chance she'll be unavailable in the future.

So, how do you find the best one?

Well, you have to gamble. Like in casino games, there's a strong element of chance but the Secretary Problem helps us improve the probability of getting the best partner.

The magic figure turns out to be 37% (1/e=0.368). If you want to delve into the details of how this is achieved, I suggest you to read the paper by Thomas S. Ferguson named "Who Solved the Secretary Problem". The solution to the problem states that to increase the probability of finding the best partner, you should date and reject the first 37% of your total group of admirers. Then you follow this simple rule: You pick the next best person who is better than anyone you're ever dated before.

So if we take the example above, we have 10 lovers. If we chose 1 at random, we have approximately a 10% chance of finding "the right one". But if we use the method above, the probability of picking the best of the bunch increases significantly, to 37% - much better than random!

In our case, we end up with Lucy (9). Yes she's not an Alissa (10), but we didn't do badly.

Unfortunately, this method is not a 100% successful, as mathematician Hannah Fry discusses in this entertaining 2014 TED talk:

Variations of the Problem

In the Secretary Problem, the goal was to get the very best partner possible. Realistically, getting someone that is slightly below the best option will leave you only slightly less happy. You could still be quite happy with the second (or third-best) option, and you'd also have a lower chance of ending up alone. Matt Parker argues this in his book "Things to Make and Do in the Fourth Dimension: A Mathematician's Journey Through Narcissistic Numbers, Optimal Dating Algorithms, at Least Two Kinds of Infinity, and More".

In reality, many of the variations of the Secretary Problem are quite more accurate in solving specific problems.

Summary

In laboratory experiments, people often stop searching too soon when solving optimal stopping problems.

At the end of the day, the secretary problem is a mathematical abstraction and there is more to finding the "right" person than dating a certain number of people.

Although applying the Secretary Problem for finding true love should be taken with a pinch of salt, Optimal Stopping problems are real and can be found in areas of statistics, economics, and mathematical finance and you should take them seriously if you ever want to:

• Sell a House
• Hire someone in a difficult position
• Look for Parking
• Trade Options
• Gamble
• Just know when to stop in general

Real life is much more messy than we've assumed. Sadly, not everybody is there for you to accept or reject, when you meet them, they might actually reject you! In real life people do sometimes go back to someone they have previously rejected, which our model doesn't allow. It's hard to compare people on the basis of a date, let alone estimate the total number of people available for you to date. And we haven't addressed the biggest problem of them all: that someone who appears great on a date doesn't necessarily make a good partner. Like all mathematical models our approach simplifies reality, but it does, perhaps, give you a general guideline; if you are mathematically inclined.

A great article "Knowing When to Stop: How to gamble if you must—the mathematics of optimal stopping" in American Scientist by Theodore P. Hill goes into more details about this topic and is quite an interesting read.

Ever wanted simple syntax for slicing out a part of an array, string or span? Now you can!

Let's consider the following program:

using System.Collections.Generic;
using static System.Console;

class Program
{
    static void Main(string[] args)
    {
        foreach (var name in GetNames())
        {
            WriteLine(name);
        }
    }

    static IEnumerable<string> GetNames()
    {
        string[] names =
        {
            "Christopher", "Natasha", "Jean", "Matthew", "Luke"
        };
        foreach (var name in names)
        {
            yield return name;
        }
    }
}

As you might expect, this program just prints the 5 names in the console.

Ranges and Indices

With new Ranges syntax, we can modify the foreach to iterate over names 1 to 4. For example:

foreach (var name in names[1..4])

The endpoint is exclusive (element 4 is not included). 1..4 is actually a range expression, and it doesn't have to occur like here, as part of an indexing operation. It has a type of its own, called Range. If we wanted, we could pull it out into its own variable, and it would work the same:

Range range = 1..4; 
foreach (var name in names[range])

The endpoints of a range expression don't have to be ints. In fact they're of a type, Index, that non-negative ints convert to. But you can also create an Index with a new ^ operator, meaning "from end". So ^1 is one from the end:

foreach (var name in names[1..^1])

This lobs off an element at each end of the array, producing an array with the middle three elements, so the result would be:

Natasha
Jean
Matthew

Range expressions can be open at either or both ends. ..^1 means the same as 0..^1. 1.. means the same as 1..^0. And .. means the same as 0..^0: beginning to end. Try them all out and see! Try mixing and matching "from beginning" and "from end" Indexes at either end of a Range and see what happens.

People today suffer from information overload; there's too much news and it's next to impossible to filter valuable news through the noise.

This is why I have decided to create a weekly newsletter, curated by me with news and articles that (I think) are worthwhile. Usual topics are: Software Development, Infrastructure, Databases, Security, DevOps, QA, UI/UX, eSports, iGaming, Space and more...

The newsletter contains no ads and no tracking whatsoever and your email addresses will never be shared or sold to anyone. It's also easy to unsubscribe from if you feel it's spam.

The implementation is fairly simple and open-source. You can find it on GitHub cdemi/NewsletterCurator

Just to give you a general idea, one of the emails looks like this:

Subscribe

To subscribe to the newsletter, you can fill out this form:

Many modern aircraft are equipped with ADS-B; a surveillance technology in which an aircraft determines its position via GPS and periodically broadcasts it, enabling it to be tracked.

ADS-B

ADS-B is much more accurate than conventional radar surveillance systems. This gives air traffic controllers the potential to reduce the required separation distance between aircraft that are ADS-B equipped.

ADS-B is seen as being vital to maintaining future efficient airspace management in busy airspace. It also provides advantages in remote ‘non radar’ areas too – here suitably equipped aircraft, with a traffic receiver connected to a display can see other aircraft without conventional radar coverage. This enhances aircraft visibility and reduces the risk of air to air collision.

ADS-B transmits separate messages every 500ms carrying 10 bytes of data each. These contain GPS position (latitude, longitude), pressure, altitude, callsign, as well as track and ground speed over 1090 MHz with about 50 kHz of bandwidth. ADS-B uses pulse-position modulation to transmit data.

What does it look and sound like?

If you were to visualize the 1090 MHz frequency during ADS-B broadcast it would look something like this

And if modulated in AM, it would sound something like this:

Receiving ADS-B

Receiving ADS-B is relatively easy as long as you have the correct equipment:

• A working RTL-SDR dongle that can receive at 1090 MHz. The R820T or R820T2 tuner is recommended for best performance at 1090 MHz.
• A vertically polarized antenna tuned to 1090 MHz.
• Optionally, a 1090 MHz Signal Filter
• Software for listening and decoding ADS-B.
• Software to graphically display the received aircraft location data.

Depending on the Antenna setup, you'll be able to pick up signals from aircrafts pretty far from your position, especially if you are outdoor and in a position with a good sky view.

I decided to hook these up to a Raspberry Pi 3 B+ running a headless setup of Raspbian Stretch Lite.

Dump1090

After installing the RTL-SDR drivers (`apt-get install rtl-sdr`) I then installed Dump1090. Dump 1090 is a Mode S decoder specifically designed for these RTL-SDR devices.

Feed Data to FlightRadar24 and FlightAware

All that I needed to do now, was install the FlightRadar24 and FlightAware packages to feed them data from my dump1090 installation.

Currently, I'm using an indoor antenna and my receiver is receiving ADS-B broadcasts from aircraft about 150 km away. I will soon upgrade to an outdoor antenna when I have time to lay some proper coax cabling, hopefully this will increase the range and get better data.

FlightAware also provides a public dashboard where you can see contributions 😁

Interested?

If you're interested and want to get started here are some tips and links:

• PiAware - ADS-B and MLAT Receiver ✈ FlightAware
• Build your own ADS-B receiver – Pi24
• PiAware Aircraft Tracking Kit Inc. Raspberry Pi 3B+
• About RTL-SDR
• RTL-SDR Quick Start Guide
• /r/ADSB
• /r/RTLSDR
• /r/AmateurRadio
• Find your local amateur radio community:
  • Malta: Malta Amateur Radio League (MARL)
  • United Kingdom: Radio Society of Great Britain (RSGB)
  • United States: American Radio Relay League (ARRL)
  • Canada: Radio Amateurs of Canada (RAC)
  • Australia: The Wireless Institute of Australia (WIA)
  • New Zealand: New Zealand Association of Radio Transmitters (NZART)
  • Others can be found by Googling ones close to your location

For those of you who don't know, Cloudflare is like a CDN on steroids. To use Cloudflare, you need to change your domain's nameservers (authoritative DNS servers). Ghost(Pro), on the other hand, is the SaaS version of Ghost, an open-source blogging platform.

Since the first day I setup this blog, I put it behind Cloudflare. This means that all the traffic going to blog.cdemi.io, instead of going directly to Ghost(Pro) will pass through Cloudflare instead. In a way, Cloudflare will be like a man-in-the-middle, except in this case it will be a good man-in-the-middle.

Advantages

This gives me various advantages:

• Caching of static content closer to the end-user
• Rate Limiting
• Adjusting Security Level
• Custom SSL Certificates
• Access Rules
• Custom Apps like Google Analytics

All of these are really awesome features that are provided by Cloudflare and that I was making use of.

Ghost(Pro) moves to Cloudflare

Unfortunately for me, about 2 months ago, Ghost decided to move behind Cloudflare and this is when I received this email:

What?! So, my domain that is on my Cloudflare account, is now being given to Ghost(Pro)?! This sounded very bad, so naturally, I emailed Cloudflare to ask them not to do this, at least on my domain.

I explained to them that this change means that I will lose:

• My custom security level settings
• My custom SSL Certificate
• My custom access rules
• Google Analytics App

After 2 different support engineers blatantly denied the effect this would have, the third one finally confirmed that:

we [Cloudflare] don't provide any double clouding solutions for now

He also confirmed that since this is their issue, he will put my domain on hold and not enable this on my account, which I thought was a good resolution of this ticket.

Unfortunately for me, on October 2nd, my monitoring systems alerted me that I had lost all visibility of traffic flowing through my Cloudflare account for this blog. Sure enough, I login to Cloudflare and see that I no longer have management access to my own subdomain on my own Cloudflare account.

After contacting Cloudflare support, they confirmed to me that even though they had agreed to hold my domain from being transferred to Ghost(Pro) they still went ahead and delegated it to them.

This means, that with the new change I cannot even turn on "Orange Cloud" since I was no longer in control of my own domain.

After a lot of back and forth with the Team Leader of the Cloudflare support, I was still unable to convince him that this situation doesn't make any sense for me.

Gaining back control

After realizing that Cloudflare isn't going to delegate management of my own domain back to me, it occured to me that bypassing this logic wouldn't be that difficult.

All I needed to do was create a temporary subdomain that points to my ghost domain. I knew Cloudflare would hijack this domain and delegate it to Ghost, so as you can see, I cannot turn on "Orange Cloud". After that, I pointed my actual blog domain to the temporary domain and turned on "Orange Cloud".

Conclusion

Cloudflare will gladly delegate any of your domains that are pointing to any SaaS provider hosted on their platform. Indeed I am on the free plan of their account, but I really doubt their response would have been different had I been a paying customer. Unfortunately, there isn't really an alternative to Cloudflare and they know that. I am one of Cloudflare's biggest advocates, I really believe in what they are doing for the internet and tech community in general. Let's hope that they don't end up like other companies who had the motto "do no evil".

I doubt this trick will keep on working for a long time. If it's really true that they don't support "double clouding" this setup for sure does it. When they close that, I would have to spin up my own VMs to do my reverse-proxying in order to keep my domain from being delegated.

A few days ago, I got the idea to deploy a public-facing honeypot.

A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site, but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, who are then blocked. - Wikipedia: Honeypot (computing)

The aim was to give this honeypot a public IP (which I wouldn't advertize) and see how much time it takes before some bot would detect it and try to hijack it.

For this experiment, I deployed a Debian VM on the Hetzner Cloud for €2.94 a month which is even cheaper than DigitalOcean's $5 a month VM. As a honeypot I opted for an open source project micheloosterhof/cowrie which I had to fork to cdemi/cowrie. The reason for this is that although cowrie supports posting to Elasticsearch, it didn't have any support for Ingest Plugins, specifically, the Ingest Geoip Processor Plugin.

Cowrie was configured to listen to SSH on Port 22 and Telnet on Port 23, this means that I had to install authbind to give permissions to run on these ports.

sudo apt-get install authbind
sudo touch /etc/authbind/byport/22
sudo chown cowrie:cowrie /etc/authbind/byport/22
sudo chmod 770 /etc/authbind/byport/22
sudo touch /etc/authbind/byport/23
sudo chown cowrie:cowrie /etc/authbind/byport/23
sudo chmod 770 /etc/authbind/byport/23

Because I had enhanced cowrie to support Elasticsearch Ingest Plugins, I could now add a new Pipeline:

PUT _ingest/pipeline/geoip
{
  "description" : "Add geoip info",
  "processors" : [
    {
      "geoip" : {
        "field" : "src_ip"
      }
    }
  ]
}

This GeoIP processor adds information about the geographical location of IP addresses, based on data from the Maxmind databases. This processor adds this information by default under the geoip field. The geoip processor can resolve both IPv4 and IPv6 addresses.

By adding a mapping to this index, Elasticsearch can identify the geoip field as a geo_point type. This will allow Kibana to display this on a Heatmap.

PUT _mapping/cowrie
{
  "cowrie": {
    "mappings": {
      "cowrie": {
        "properties": {
          "geoip": {
              "location": {
                "type": "geo_point"
              }
          }
        }
      }
    }
  }
}

After the service was setup, it was time to turn it on. In less than 5 minutes after turning it on, a bot had already tried to login over Telnet to this machine!

Unsurprisingly, most of the intrusion attempts came from China, Russia, Brazil, Japan and Korea.

Most of the attacks came over SSH, which is predictable since Telnet is practically an obsolete protocol and if you use it over the public internet, you should be shot.

An interesting observation is that the connection attempts to the Honeypot increased gradually. One theory for this is that the botnet that discovered the Honeypot could have started advertising the Honeypot to other attackers. Alternatively, it stands to reason that the more time the honeypot stays active, the increased likelihood to be discovered.

The most common username was, surprise surprise, root and admin. This goes to show how important it is to disable/rename your root and Administrator users.

Most of the commands being run on the Honeypot look like they are targeting IoT Devices (like Cameras, Routers, etc...) which run BusyBox. Most probably these are Hajime or Mirai botnets as their Reconnaissance phases are somewhat similar.

Some of the commands are sent in a blind attempt to navigate whatever vendor-specific command-line interface (CLI) the Telnet server implements. enable is a common CLI command to allow access to privileged-mode commands. system attempts to navigate to a menu of system-management options. shell and sh attempt to run a Bourne shell.

The /bin/busybox cat /proc/mounts; /bin/busybox ECCHI commands are the botnet probing the system to look for writable mounts where to download the first stage binary. Note the repeat of the venerable /bin/busybox ECCHI command, which serves a purpose not dissimilar to its use before: Hajime and Mirai both use the ECCHI: applet not found signature to find the end of the command line's output.

The IP Addresses where to download the binary from might be of unsuspecting victims that have encountered the botnet and not necessarily that of the attacker.

Another command that got my attention is cat /bin/echo. This command is used by the botnet so that it can inspect its header to determine the target's processor architecture. Once the target processor is determined, the botnet can execute the relevant binary.

Conclusion

The internet is a dangerous place. Within minutes of leaving a Honeypot on the public internet several botnets have discovered it and tried to claim it for their own. It's important to follow security best practices when exposing stuff over the internet. Some of which:

• Move your SSH, RDP to non-standard ports
• No Telnet!
• Consider putting all non-public listening ports (sshd, RDP, SNMP, rsyslogd etc.) behind a VPN (or SSH Tunnel)
• Try to use Key Authentication over SSH
• Disable/Rename root or Admin users.
• Badly made IoT Devices are very dangerous. Consider segregating them and firewalling them.

In the recent past, there have been numerous debates on the privacy of personal data in devices like smartphones and laptops as well as on online sites like Facebook and Google. On one hand, the government institutions and business organizations want to gain full control of people’s data for business purposes and surveillance while on the other hand, the users of the gadgets want to be assured of their privacy and that their information will be not be used by unauthorized people for selfish gains. This trend has been observed all over the world especially in the UK and in the United States. The need to have control over people’s privacy has erupted a conflict between Apple Inc. and the federal government whereby Apple refused to unlock a phone of a terror suspect despite the court giving such orders. That incident elicited arguments on data encryption and its limits when it comes to cybersecurity. The validity or invalidity of this argument depends on different perspectives; legal, ethical, social, and professional.

From an ethical perspective, the argument could be viewed and determined using utilitarian ideas that the most appropriate way of deciding an ethical issue is determining the decision with the best consequences. Relating this to how the privacy issue has turned out, the argument will be determined by considering the side that has most dire consequences. The one where citizens including criminals can secure their transactions in devices, or the one where the government infringes people’s privacy and spies on its citizens.

Both the social and ethical justifications of surveillance are based on the pretext of “safety by instilling fear”. Security agencies claim that terrorists and criminals with ill intentions use encryption to hide their activities hence the need to monitor people’s devices. Encryption is critical because it guarantees people’s intellectual privacy. In other words, encryption protects us from surveillance when we are making sense of the surrounding through reading, thinking, and even communicating privately with the people we trust most. With the growth of technology, intrinsic activities like thinking and communication were facilitated by gadgets like smartphones and computers. Even during shopping and recreation, people use these devices which record historical usage information. However, when people are monitored, they tend to act differently. Stoycheff’s study shows that internet surveillance prevents people from reading or contributing to controversial issues. The threat posed by this tendency is well understood by illustrating how the most celebrated ideologies in the modern world such as holding the government accountable and equality for all were once controversial ideas decades ago. A free and democratic society should not be wary of “dangerous ideas” neither does it need intellectual surveillance.

It is true that encryption has the potential of making the work of security agencies difficult. However, the issue should not be treated as an isolated case because the difficulties introduced by encryption are similar to those introduced by civil liberties like freedom of speech, the need for a warrant before security officials invade our privacy and the democratic control of the security agencies. Society is more secure when it has hope than when it is gripped with fear and perceived as potentially naughty kids that need to be tamed. After all, backdoors used by the government can be used by criminals and hackers.

The legal and professional implications of the debate on encryption are well demonstrated in the speech by the then FBI Director James Comey in 2014. Comey stated that the leak by Snowden had caused a lot of fear and mistrust which made tech companies overreact to Snowden’s leak. He underplayed the need for encryption by referring to it as a marketing strategy. In an attempt to make surveillance appear legally acceptable, he objected to the use of the term “backdoor” and stated their urge to use the front door that has clarity, transparency, and guided clearly by the law. Comey reiterated their adherence to court orders and the legal process that allows them to obtain the information required to conduct investigations on criminals and terrorists. While that statement might appear reasonable and legitimate, there are professional, legal, and ethical objections to the installation of decryption technology in personal devices. These objections apply to the legalization of surveillance on UK citizens through the Investigatory Powers Act.

From a professional perspective, it is difficult to regulate who use the backdoor. Cryptographers argue that the modern field of computer technology is increasingly becoming democratized. In other words, today’s government secrets could be ideas for someone’s research project tomorrow and in the next day used as tools for a cyber-attack. For this reason, the installation of a backdoor does not guarantee that it will not be found by someone else and used for malicious purposes. That possibility is demonstrated by the Vodafone hack that took place in Greece in 2005 whereby a legal wiretapping connection used by security officials was compromised leading to spying on of hundreds of people. Similar incidences have been reported in other countries, even by Snowden leaks themselves.

Professional cryptographers further allude that the feasibility of decryption software or building of a backdoor is limited to the theoretical stage. In the past, the NSA has made huge strides in developing a secure backdoor that can only be used by the agency. Although the software used by the NSA is one of the global standards used to create encryption codes, the leak by Snowden revealed that as early as 2000, the NSA discovered a loophole in the code which they exploited to discover the outcome of the random number generator exclusively, hence enabling them to decrypt the common encryption keys. Concerns in the IT profession arose after the discovery that cryptographers had already noted a weakness in the code even before Snowden blew the whistle. Unfortunately, at that stage, they could not prove it. These suspicions were exacerbated after the Snowden leak indicating that even the most sophisticated intelligence agency in the world could not secure its data and secrets. This theory demonstrates the professional implications of legalizing surveillance and creating a backdoor.

From a realist point of view, the Investigatory Powers Bill in the UK does not have any legal or professional implications. Currently, we are living in an era commonly known as “the golden era of surveillance” whereby the security agencies read and intercept vast amounts of personal data. The increased rate at which people’s activities are facilitated and mediated by technology has, in turn, increased the amount of digital information left behind about ourselves. It is important to note that encryption only helps a user conceal the content of the messages but not their context, widely known as metadata. The metadata identifies what one reads, the people you communicate with and their location. Metadata has become a popular tool to the extent where Michael Hayden, former NSA director, once boasted that they kill criminals using metadata. In addition, big business organizations and security agencies have developed methods of hacking endpoints in communication systems such as the personal devices we use daily. As a result, a new business niche has emerged that involves identification and trading of software weaknesses for exploitation. In fact, the UK and US governments are alleged to hire the services of companies like Hacking Team, Gamma, International, and VUPEN that sell unidentified software vulnerabilities. Given that the use of internet and computer devices, this is only expected to increase in the future. This means that the magnitude of metadata available for use by governments will inevitably increase. That leads to the conclusion that with or without the backdoor, the government still has tons of freely available information for exploitation. While this tendency might be legally and professionally acceptable, it is not acceptable from a social and ethical perspective.

The social, ethical, and professional implications are demonstrated by the analysis of the trade-off between privacy and security especially from an economic standpoint. While it might be possible to install backdoors, the cost would be too huge in many aspects. From a professional point of view, it is possible that the security agencies can install backdoors that are legally allowed but it is likely that the business organizations would exploit this loophole in carefully choreographed treachery. That tendency could also be witnessed if the UK government would force telecom companies to provide them with centralized access, which would significantly stunt innovation. Further, the social and professional implications would be noted by the stifling of innovation especially in academic research where researchers and scholars would want to protect their backdoor from suspicious professors.

The implications of legalized surveillance on innovation in IT profession are well demonstrated by the economics of complying with the regulations. Until a decade ago, the telecom business was monopolized by big companies many of which were state-owned. The rate of change of the architecture of their systems was low hence easy and cheap to create and incorporate a surveillance system into them. However, that trend has changed whereby the tech industry now comprises of many start-ups that develop communication systems in various forms. With every feature that these start-ups add to their systems, the architecture of their system also changes. Therefore, it would mean that these start-ups have to incur high costs to ensure they comply with the government regulations of legalized interception and decryption of their traffic. To avoid these costs, the companies would prefer not to innovate and make changes to their systems.

If the government was to force the tech companies to allow wiretapping into their systems, it would mean a threat to their existence and growth. Typically, backdoors are characterized by the centralized flow of information. However, most revolutionary innovations in the contemporary world are characterized by the decentralized flow of information. In the recent past, we have seen an increase in the use of peer-to-peer technology where computers communicate with each other without the need for a centralized control. These technologies include file storage services, communication services, and payment processing services. Given that it is extremely difficult to wiretap such systems, the implementation of forceful surveillance and wiretapping would mean that the companies providing these services cease to exist.

While the designers of the Investigatory Power Act might have had good intentions, the legislation has significant potential adverse implications for the UK’s tech companies. Globally, it has been noted that administrations that require tech companies to install backdoors significantly affect their export opportunities. That tendency has been noted in Chinese tech companies like Huawei that have encountered challenges in penetrating overseas markets for fear that their devices have backdoors. In the same way, US cloud storage companies have been unable to win over foreign customers for fear that the NSA could use backdoors to monitor their data.

In conclusion, the debate whether to opt for privacy or security is erroneous. The choice should be between targeted surveillance and mass surveillance. While encryption of data by default would render legitimate efforts of interception and decryption harder, it would only be difficult for mass surveillance. Security officials would still be able to carry out targeted surveillance. Even with targeted surveillance, there would be many viable options to enforce it. Some of them include remote hacking of devices and mass retention of data for all institutions and companies. With the enactment of the Investigatory Powers Act, there are many professional, ethical, social, and legal implications. As of now, it is still unclear how the government will implement a robust mechanism to prevent the abuse of surveillance tools such malware and backdoors. The implementation of this Act has elicited a tussle between the security officials and the tech companies. Regardless of the outcome of this tussle, it is clear that a robust strategy is needed that would address the fears of all interested parties. Importantly, a sophisticated, robust, and secure solution is urgently needed to protect people’s right to privacy.

Again, before I go any further, I would like to point out that as I'm writing this, the feature-set for C# 8.0 still hasn't been decided. This means that information written here is subject to change.

One of the new features being proposed in C# 8.0 is to introduce Records. Records are a new, simplified declaration form for C# class and struct types that combine the benefits of a number of simpler features. Essentially, Records are a way to create very lightweight classes that are just a collection of fields (POCO).

The Records syntax should allow implementation of these classes and structs with absolute minimum code:

public record BlogPost(string Slug, string Title, string Body, DateTime DatePublished);

This would be expanded out to a much larger class that also implements IEquatable.

using System;

public class BlogPost : IEquatable<BlogPost>
{
    public string Slug { get; }
    public string Title { get; }
    public string Body { get; }
    public DateTime DatePublished { get; }

    public BlogPost(string Slug, string Title, string Body, DateTime DatePublished)
    {
        this.Slug = Slug;
        this.Title = Title;
        this.Body = Body;
        this.DatePublished = DatePublished;
    }

    public bool Equals(BlogPost other)
    {
        return Equals(Slug, other.Slug) && Equals(Title, other.Title) && Equals(Body, other.Body) && Equals(DatePublished, other.DatePublished);
    }

    public override bool Equals(object other)
    {
        return (other as BlogPost)?.Equals(this) == true;
    }

    public override int GetHashCode()
    {
        return (Slug.GetHashCode() * 17 + Title.GetHashCode() + Body.GetHashCode() + DatePublished.GetHashCode());
    }

    public void Deconstruct(out string Slug, out string Title, out string Body, out DateTime DatePublished)
    {
        Slug = this.Slug;
        Title = this.Title;
        Body = this.Body;
        DatePublished = this.DatePublished;
    }

    public BlogPost With(string Slug = this.Slug, string Title = this.Title, string Body = this.Body, DateTime DatePublished = this.DatePublished) => new BlogPost(Slug, Title, Body, DatePublished);
}

As you can see, the properties of the record are created as read-only properties with a constructor for initializing them. In addition, it also implements value equality and overrides GetHashCode correctly for use in hash-based collections, such as Dictionary and HashTable.

Apart from this, we can also see that it has implemented a Deconstruct method, for deconstructing the class into individual values with the tuple syntax:

var (Slug, Title, Body, DatePublished) = blogPost;

Lastly, we can see the implementation of the With method. This is a new introduction to the language as well. Method parameter's default argument will additionally allow referencing a class field or property using such syntax. This is particularly useful for implementing the With helper method dedicated to creating modified copies of existing immutable objects, e.g.:

var newerBlogPost = blogPost.With(DatePublished: DateTime.Now.AddDays(20));

Additionally the with expression syntax is being considered as well, as syntactic sugar, for calling this method:

var newerBlogPost = blogPost with { DatePublished = DateTime.Now.AddDays(20) };

If you want to investigate Records in more detail, I suggest you have a look at the dotnet feature proposal on GitHub, which goes into more detail about caller-receiver parameters, with-expressions, declaration syntax and much more.

Two of my best friends since forever are getting married next year and I couldn't be happier! As a best man, one of the duties is to assist the groom (and bride) on their wedding preparations. It occurred to me that using Agile methodologies might just be the best way to plan a Wedding.

When you think about it, Wedding planning is not that different from software development planning. We have a budget, a delivery date (the big day) and a colossal list of tasks with varying priorities.

For those of us that work in Software Development it might be a natural choice to solve planning problems this way. Working in an agile environment for the past several years has lead me to approach projects in another light and can help reduce the complexity in everyday lives. In this case, the groom, the bride and the rest of the wedding task force team have no idea what a Kanban Board is, so part of the challenge is to demonstrate what Agile is, how it works and why it is advantageous.

Agile Software Wedding Development

The term "agile" was coined in the 2001 Agile Manifesto. Agile software development is an approach to software development that advocates incremental delivery, team collaboration, continual planning, and continual learning.

Agile is not a "thing"... you don't "do Agile"; rather agile is a mindset that you use to approach software development. There isn't one approach that works for all situations, rather "Agile" has come to represent a variety of methods and practices that align with the value statements in the manifesto.

Agile advocates discipline in adaptive, continual planning, early delivery and continual improvement and most of all encourages rapid and flexible response to change. Finally agile practices should not just be followed blindly, but rather apply what makes sense to your environment.

In a wedding agile team, we have the bride and the groom (team members, product owners and active stake holders), the best man (the Scrum Master and team member) and the Groomsmen and Bride's Maids (team members).

The Scrum Master

The scrum master is accountable for removing impediments to the ability of the team to deliver the product goals and deliverables. The scrum master is not a traditional team lead or project manager but acts as a buffer between the team and any distracting influences. The scrum master also ensures that the Scrum framework is followed. The role has also been referred to as a team facilitator or servant-leader to reinforce these dual perspectives. Some of the core responsibilities of the scrum master are:

• Helping the product owners (remember in this case the Bride and the Groom are produce owners) maintain the backlog (To-Do List) in a way that ensures the needed work is well understood so the team can continually make forward progress
• Helping the team to determine the definition of done for the product, with input from key stakeholders
• Coaching the team, within the Scrum principles
• Promoting self-organization within the team
• Helping the scrum team to avoid or remove impediments to its progress, whether internal or external to the team

Kanban

Kanban is a lean agile methodology to manage and improve work across human systems. Funnily enough, the underlying Kanban method originated in lean manufacturing inspired by the Toyota Production System.

In Kanban, work items are visualized to give participants a view of progress and process, from start to finish usually via a Kanban board.

The Kanban Board

For a Kanban Board I decided to use Trello mainly because it is easy and free although not as advanced as I would have wished.

Although Kanban does not require that the team use a Kanban board, it is the preferred way to see the flow of work, get the participation of the team, and manage work.

A Kanban board shows how work moves from left to right, each column represents a stage within the value stream. In our case, this is the Kanban Board for the wedding.

Instantly, everyone (including the Bride and Groom) can visualize work in progress and understand complex information like processes, task relationships and risks related to a team's ability to complete work on time. It is easier for us to process information with a visual aid than without.

Why?

From various Movies and TV Shows, it is clear to me that Wedding Planning can never be stress-free. My aim is that by adopting Agile Methodologies to Wedding Planning, I can make this an a less-stressful process for the Bride and Groom. Having specific deadlines and time frames that are apparent to everyone on the team makes everything a lot easier. The team can be super organized and help stay on task.

For this to work with most efficiency, we need to touch base frequently and give each other updates on where we are on the tasks we are working on. Over the next few months, using agile is going to be essential to help create efficiencies as we start working on the website, save the date/invitations and finalizing the guest list.

I hope that everyone can realize that Agile is not something that you just do on Software (or at work). In essence, it is the concept of Divide and Conquer that we have been using for ages taken into the 21st century. Split tasks into smaller tasks, start somewhere and do continuous improvement. Dealing with change is inevitable and we have to learn to response to the unexpected.

Again, before I go any further, I would like to point out that as I'm writing this, the feature-set for C# 8.0 still hasn't been decided. This means that information written here is subject to change.

One of the new features being proposed in C# 8.0 is to add support for virtual extension methods (methods in interfaces with concrete implementations). Java already has something similar called Default Methods.

Why?

The main reason to introduce Default Interface Methods is to enable developers to add methods to an interface in future versions without breaking source or binary compatibility with existing implementations of that interface. Coincidentally, adding default interface implementations to a language also introduces a new language feature: traits. Traits have proven to be a powerful programming technique.

How?

The simplest way of how to use this feature is by adding a concrete method in an interface, which is a method with a body.

interface IMyInterface
{
    void MyMethod() { Debug.Log("IMyInterface.MyMethod()"); }
}

A class that implements this interface need not implement its concrete method.

class MyClass : IMyInterface {} // This is allowed by the compiler since MyClass implements MyMethod

IMyInterface i = new MyClass();
i.MyMethod(); // prints "IMyInterface.MyMethod()"

As a practical example, let's imagine that we are writing a Wallet Service and we have this interface declaration:

public interface IWallet{
    void PerformTransaction(decimal amount, string description);
}

With the introduction of this feature, we can easily enhance IWallet (even without making any breaking changes) as follows:

public interface IWallet{
    void PerformTransaction(decimal amount, string description);
    void Debit(decimal amount, string description){
        PerformTransaction(amount * -1, description);
    }
    void Credit(decimal amount, string description){
        PerformTransaction(amount, description);
    }
}

Won't Interfaces become Abstract Classes?

In a way yes, but also no. There's no multiple inheritance in languages like C# and Java (before Java SE 9), which means you can't inherit from more than one class. On the other hand, a class is (and will continue to be) able to implement several interfaces. Another thing which still keeps interfaces unique is Covariance and Contravariance.

Follow Development

If you are interested in participating in discussions about this issue or just want to follow progress, have a look at the proposal on dotnet/csharplang GitHub.

Before I go any further, I would like to point out that as I'm writing this, the feature-set for C# 8.0 still hasn't been decided. This means that information written here is subject to change.

One of the features being discussed for introduction in C# 8.0 is Nullable Reference Types. A proficient C# Developer might say "What?! Aren't all reference types nullable?" It's true, in C#, unlike other languages such as F#, null is the default value of every reference type. What else would the default value be? What other value would a variable have, until you can decide what else to assign to it? What other value could we pave a freshly allocated array of references over with, until you get around to filling it in?

Also, sometimes null is a sensible value in and of itself. Sometimes you want to represent the fact that, say, a field doesn't have a value. That it's OK to pass "nothing" for a parameter. The emphasis is on sometimes, though. And herein lies another part of the problem: Languages like C# don't let you express whether a null right here is a good idea or not.

Yet!

How?

From C# 8.0, all reference types will be considered to be non-nullable by default. When you want a nullable reference type you will have to express that explicitly. Yes, a consequence of this design choice is that this will add new warnings or errors to existing code!

Here is what a sample BlogPost class will look like in C# 8.0:

class BlogPost
{
    string title;   // Definitely not null
    string? shortDescription; // May be null
    string body;    // Definitely not null
    
    void test()
    {
        title = null; // WARNING! Cannot convert null to non-nullable reference
        shortDescription = null; // OK
        var length = shortDescription.Length; // Warning: Possible dereference of a null reference
        if(shortDescription != null) 
        { 
            var length = shortDescription.Length; // OK, you checked 
        }
    }
}

This means that this class is now able to express the intent that every blog post has a Title and Body but only some blog posts have a ShortDescription. In fact, this is why this language feature is called "nullable reference types". Those are the ones that are being added to the language. The nonnullable ones are already there, at least syntactically.

The fact that this is a breaking change, is by design. Microsoft want it to complain about your existing code because part of the purpose of this feature is to find bugs in existing code. Having said that, the C# Design Team have implemented these in such a way to make developer's life easier. Firstly, null behavior will be in the form of warnings, not errors and secondly, there's going to be a compiler switch to turn these new warnings on or off.

Why?

So, now that we know how this new feature works, one my ask "Why does the C# Design Team feel the need to introduce this?"

The reason is the terrifying NullReferenceException! We've all run into this exception plenty of times and they are mistakes that could have easily been caught at compile time if only we had the means to express it. Nullable reference types don't solve this problem, but they do allow us to express our intent much better. This is the only way to force developers be aware that a reference type may be nullable or cannot be nullable.

Try it out!

If you would like to try out this feature before it is even released, I suggest you read The C# Nullable Reference Types Preview on C# Language GitHub. In there you will find Installation (and Uninstallation Instructions) as well as the ability to give feedback to the C# Design Team.

Group Policy is a feature of an Active Directory environment where it provides a centralized management and configuration of operating systems, applications and users' settings. If you're a System/Network Administrator, you've surely used them to enforce a corporate security policy, and if you're a user, you've almost certainly been frustrated by the limitations imposed by these policies.

Unfortunately, there is one big problem with this, or rather with how organizations deploy their security infrastructure. If users in your Active Directory domain belong to the Local Administrators Group, they can get around these policies any time they want.

How?

In essence, policies are applied as follows:

This means that since the GPOs are applied last, they will be the ones overriding your Local Policy. The problem with this is that all policies, essentially, are changes to Registry Keys. This means that in order to bypass Active Directory Group Policy changes, all you need to do is to identify the policy's setting location and change it!

There are many group policy references available, but since machine group policy settings store in the HKEY_LOCAL_MACHINE branch of the Registry and per-user group policy settings store in HKEY_CURRENT_USER, if you don't know the location of the setting that's preventing you from doing something you want you can use RegMon (now replaced by Process Monitor) to find it.

Example

Restore Access to Removable Storage

For example, a very common policy applied is to Deny Access to Removable Storage as follows:

This means that as soon as this policy is applied, we should find equivalent Registry Keys showing this policy. In this case, we will find the Keys at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices

As expected, with this policy and registry keys, in place, the user can no longer access his Removable Storage devices.

So, in this case, all we need to do is just delete these Registry Keys and re-connect our removable storage. We can either do this manually or just run reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices" /f in an elevated command prompt. Voilà, you can now access your removable storage again.

Skip Windows Server Update Services

Most of the times, system administrators in an organization point to their WSUS in order to reduce download bandwidth. Unfortunately, most of the time, these servers are never updated or the updates are not approved. In order to switch back to Microsoft's official update servers to have the latest security patches, you can just run in an elevated Command Prompt:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /f /v UseWUServer /t REG_DWORD /d 0
net stop wuauserv
net start wuauserv

Conclusion

This blog post tries to highlight the fact that networks that run with users as local administrators have no way to enforce policies on their organization's computers. The reason that most networks leave their users with so much power is that many applications violate basic security programming guidelines and won't run otherwise.

Today was a very special day for me; it was the day I met Steve Wozniak!

The opportunity came when for GiG's 5 Year Anniversary Event, named GiGsters Connect, our organization invited over Steve Wozniak for a fireside chat.

Of course, as soon as I heard this, I quickly turned euphoric and immediately fetched some books and a shirt for the occasion.

Who is Steve Wozniak?

A Silicon Valley icon and philanthropist for the past four decades, Steve Wozniak has helped shape the computing industry with his design of Apple's first line of products the Apple I and II. He also influenced the popular Macintosh. There are a lot of scientists, product engineers, and hardware developers who have made a significant contribution to the growth of the technology industry. However, Stephen Gary Wozniak has left his competitors behind. One can say without exaggeration that thanks to his genius, the tech industry has reached new heights.

A young computer genius who was an unwelcome person in universities

Steve Wozniak was born almost 70 years ago in sunny California. Being the son of an engineer, he learnt the ropes of electronics at an early age and fell in love with it. It is interesting to note that the University of Colorado Boulder did not want to see first-year student Steve Wozniak within its walls after the young genius had hacked into the institution's computer system.

The future great scientist made a second attempt to earn an undergraduate degree and entered the University of California. Although Wozniak was never a star student, he was building working electronics from scratch during his university days. The world's first computer known as the "Cream Soda", was one of those Stephen's self-taught projects.

Despite the fact that Wozniak did not get an A+ for any of his academic papers, his university days yielded fruits; he started his brilliant career at that time. Wozniak's rising to the highest pinnacle of fame began in 1971, when the future worldwide famous hardware developer was introduced to a senior high school student Steve Jobs. They soon became friends and started working together for Hewlett Packard Enterprise Company. Since Steve Wozniak did not see any point in continuing his studying at the University of California, the young man often missed classes and was expelled as a result of his poor academic performance.

The Birth of the Apple I

Meanwhile, the IT industry witnessed the invention of a microprocessor. The world of electronics was moving on and the demand for PCs was rising. Interestingly, Apple I "owes its existence" to Steve Wozniak's financial pressure. The computer engineer could not afford himself to buy a PC and that encouraged him to invent one in 1976. That was the birth of the Apple I.

"My goal wasn't to make a ton of money. It was to build great computers" - Steve Wozniak

It's worth emphasizing that the computer genius designed all components of his invention single-handedly, including the hardware, circuit board designs, and OS. Wozniak's computer was of better quality compared to its competitor, the Altair, and performed more complex tasks. The Apple I left mark in the history of computing as the first home PC, which could display characters on screen.

Wozniak showed Steve Jobs his darling, who saw striking potential in his friend's invention. That was the beginning of the Apple's epoch. The two computer geniuses started Apple Computer Inc. in late 1970's.

Stephen Wozniak left Hewlett Packard and headed the research and development unit of his own Company. Steve Jobs hit the white. Soon the Apple I became the best-selling PC in the world. Apple Computer, Inc. was growing and its founders were selling not only Wozniak's "darling" but also PCBs, monitors, and computer games.

The Birth of the Apple II

The success of the Apple I encouraged Woz not to rest on his oars. Significantly, there was another thing that urged on one of the Apple's co-founders to polish up his device. The Altair 8800, which was the chief competitor of the Apple I, had provision for an expansion card and provided its users with the opportunity to program in BASIC languages.

Thanks to Woz's hard work and genius, the second generation of Apple computers successfully entered the market in 1977. The Apple II outclassed the Altair 8800. Moreover, the device took technology industry to a new level. It is of interest to note that the popularity of Jobs and Wozniak's inventions rocketed sky-high. In 1980, the company's total value was already $117 million.

A man of many talents

In 1987, Stephen Wozniak left Apple, however, the computer engineer is still an individual shareholder in Apple Inc. till date. When Apple and Woz had gone their separate ways, the inventor of the "Cream Soda Computer" started a new business venture. His company introduced the first-ever universal remote control into the market.

As mentioned above, Stephen Wozniak has never been ready to rest. Setting himself the goal of creating wireless GPS, the legendary engineer founded another company called WOZ in 2001. Five years later, he devoted his talent to acquiring technology companies with the purpose of developing them.

"Happiness = Smiles - Frowns" - Steve Wozniak

Speaking about the life and career of Steve Wozniak, it is impossible not to mention that the co-founder of Apple Computer, Inc. is a man of many talents. He is not only the inventor of the Apple I and Apple II computers but he is also a gifted education teacher. Combining his work on contribution to the growth of the U.S IT industry with a tutoring elementary school students, Steve Wozniak imparted his knowledge and skills to the younger generation. The computer wizard enjoyed helping his pupils to achieve their learning objectives.

Talking to Steve Wozniak

Today, Wozniak is an influence in his field. Both engineers and global business leaders consider his opinion. So you can imagine my joy, when GiG offered me the opportunity to attend a small private Meet & Greet with Steve Wozniak in the Executive Lounge at the Intercontinental Hotel where Woz signed GiG's Apple II.

After the Meet & Greet, we went down to Main Arena, where Robin led the interview. Of course, Woz preferred to come on his Segway :)

Steve reminisced in memories of what it was like to invent the Apple I, Apple II and start a company with Steve Jobs. I though it was quite hilarious how he wanted to make sure that the people understood the difference between the real Steve Wozniak versus the one that's usually portrayed in the movies.

Wozniak also remarked on the fact that he believes in Blockchain technology. It seems he doesn't HODL any coins (except 1 BTC) but he really approves of Ethereum in how it is a platform and not an actual currency. On the other hand, he is really not impressed by the huge number of ICOs around; who blames him?

In the meantime, questions were already coming in from Twitter on #WozMalta but I was very eager to ask my own!

Soon enough, I got my chance to ask Steve Wozniak how he feels about Governments intruding on open technologies such as the Internet (Net Neutrality) and Law Enforcement backdoors to devices (such as the year old Cupertino case). I really appreciated how clear he was in his response; he is simply in favor of Net Neutrality and fully committed to User Data Privacy. On the other hand he doesn't like to meddle in politics, so he prefers not to vote. A man after my own heart!

Of course, I had some other questions that I submitted on Twitter:

Finally, I managed to get him to sign my iWoz Book and get some (rather shaky) photos with him :)

Anyways, all in all I am really grateful to GiG for this wonderful opportunity of a lifetime. I got to meet one of my role models, talk to him and have him sign my books and my shirt. Today was a good day :)

Oh, and by the way, we are always recruiting!

"Be a builder, and have fun in the process" - Steve Wozniak