only together can we defeat the computers.

til: Addressing S3 URIs with Pandas using s3fs

Another short “today I learned” post from the analytics mines. If you have previous experience writing any form of data munging or analytics tasks then you have almost certainly encountered Python, Pandas, and AWS S3 in some combination.

These jobs usually follow the structure:

  1. download the files from S3.
  2. deserialize them into Python objects & create Pandas dataframes.
  3. perform calculations over these dataframes.

Normally #1 and #2 would be wasted repetitive work that is left to the reader, but there is a better way.

til: About the /.well-known/change-password URI

I attended BSidesSF this year for the first time in a while and saw Aalaa Kamal Satti and Yuru Shao of Pinterest speak about their efforts on password security for both Pinterest’s consumer and business users. During their talk they spoke about implementing support for the /.well-known/change-password URI that allows websites to integrate with the password managers that ship within most modern browsers.

These password managers have had features like checking for compromised credentials via HaveIBeenPwned for a while but prior to the .well-known/change-password URI they all suffered one crucial limitation. The complete absence of any standards in website building meant that even if they could notify a user about a weak password, they couldn’t direct them to the settings page that they needed to change it. The inability to create a one-click navigation for password updates meant that only the most motivated users would successfully find their way through to completing the flow. This definitely rings true of my own experience of the internet. Could you reliably find the change password page on any website you’ve used within the last 18 months with only three clicks starting from the homepage? I couldn’t.

til: A simple ETL task in Airflow using PostgresHook

This week at work I had the need to build a small ETL (Export, Transform, Load) process to move some data from PostgreSQL database A (a primary relational database used by our application to serve customer traffic) to PostgreSQL database B (a back-of-house instance used to perform metering and other usage analytics).

We already use Apache Airflow to orchestrate the metering tasks, data sync and Stripe API interactions, so building this process in Airflow was my first choice.

Secure Developer Podcast EP 111 - Alignment, Agility, and Security

I recently had the chance to join Guy Podjarny of Snyk to record an episode of The Secure Developer podcast. We spoke about my time at Intercom and my winding journey into security engineering starting from the product side. You can find a link to the recording and a full transcript of the episode.

Guy and I spoke about what I see as the big overlaps between product and security engineering, and the role that empathy plays when you’re developing security tools for an internal engineering audience. I also had a chance to share details of some anti-XSS and authorization engineering projects that I worked on while at Intercom to give examples of how this all works in practice. I had a fun time talking with Guy, and I really hope you’ll enjoy listening to our conversation.

Share early, share often

Last year I started making a more deliberate effort to make digital memories of everyday life in the form of audio recordings, photos, and video. While I’ve long been a fan of taking a camera with me on trips, the months-long absences of any photos in my Lightroom library made me realize how much everyday life I was neglecting to record.

As a byproduct of this new habit I’ve ended up with a bunch of material documenting in greater detail the electronics and music side projects that have occupied more and more of my time since 2019. Initially I had hoped that some of this material would make its way to the world in the form of short blog entries, but I let self-confidence and procrastination get the better of me. In the end I only released a single YouTube video in 2019, a noodle recorded on my DIY-assembled Eurorack synthesizer.

In November last year I had the fortune of attending my first Hackaday Supercon in Pasadena, LA. For those unfamiliar with it, Supercon is best described as a hardware hacking conference, dedicated to people’s extensive making talents. In attending the conference I decided to bring my Briefbass eurorack setup (a portable 6U ~100HP setup built from a Samsonite briefcase), primarily to share with some close friends who were also attending. Given the magnitude of the other projects that people bring to Supercon I hadn’t expected that it would get any notice, but I ended up having a number of really great conversations with people and also gave a few hands-on introductions to others. The experience made me realize the importance of sharing projects openly in a community and engaging others.

Taking that lesson and applying it a little closer to home, I decided this last weekend to invest some time in improving my writing setup, specifically with the aim of making publishing extremely easy. While I’m a big fan of Hugo, my direct to S3 upload approach meant that I could only post updates from the one machine with valid personal AWS credentials.

Now with the help of some fancy Github Actions I need only update the Git repository with new source content, and it will take care of the rest. The entire workflow definition is just over 40 lines and straightforward to follow. This brings the act of writing and publishing into reach of something that can be achieved with an iPad and a half hour of focus time. I’ve not decided to take a specific writing goal or number, but I do hope that the sum of these small changes leads to more and more frequent creative output in my future.

Making a More Accessible Web

Web content accessibility has been on my mind recently as I watched one of the other engineering teams at Intercom in San Francisco undertake to make the Intercom Messenger accessible and compliant with the Web Content Accessibility Guidelines (WCAG) 2.0 Level AA. Despite the continued growth and evolution of the internet it has yet to really live up to its true potential as universally accessible communication, and the accessibility landscape of online content is no exception. In the process of recreating my blog I decided that I wanted to learn about the various standard components that make up web accessibility and see what I could do about implementing them here. Here’s a bunch of changes that I made to the blog as a result of my search.

Making again

This is an extension of my last post: A brief musical journey, as well as a number of stories which I’ve been posting on Instagram in recent days.

As part of my adventures in the world of producing electronic music I came across the fascinating world of modular synthesis. Modular synthesizers are composable musical instruments which are built up of many discrete modules, almost like the Lego bricks of synthesizers. Unlike traditional keyboard synthesizers, which have defined signal paths, modular synthesizers allow you to patch together whatever sequence of modules you want to create the sounds you desire. For a computer nerd like me it’s the perfect mix of music creation and programming. If you’re not familiar with it then I highly recommend taking a quick look at this introduction YouTube video to familiarize yourself with the idea, as it’s much easier to understand through observation.

A brief musical journey

I’m back! It’s been a while but I’ve decided to dust off my old blog and to start trying to write some more regular updates as to what I’ve been doing these last 18 months. For those of you who I’ve not seen in a while it’s been a busy time.

One of the primary things I’ve been spending time at recently has been all things music, in particular both learning to create and attending more live electronic music. Electronic music has been an interest of mine for many years ever since being introduced to the likes of Mugasha and Soundcloud by friends back when I first arrived in California. Since then it’s become by far the largest genre that I consume, serving as a backdrop to most of my daily activities. Whether I’m working on software issues during the day or doing the dishes at home in the evening you’re likely to find me enjoying some music at the same time.

Hugo

This weekend I took the opportunity of some downtime and the fact that I’ve deployed a new primary VPS (with the wonderful iocoop) to migrate my blog source to use hugo, leaving behind the Octopress setup I’ve had for a while.

Why? Well I’ve been on a small Go kick recently at $DAYJOB and elsewhere and having played with some of the other utilities developed by spf13 such as cobra and admiring their ergonomics and simplicity I was keen to give hugo a try.

On top of that the Octopress setup I had never seemed to be very stable. Octopress itself has been in the middle of a major rewrite for quite some time, and combined with the hassle of bootstrapping the requisite Ruby runtime each time I started using a machine, the resulting hassle meant that my blog hasn’t seen much use.

Hugo on the other hand is a) a single static binary which I can build easily on any of my development machines, b) way more minimal in its configuration, and c) much more functionally complete.

Thankfully hugo comes with an import jekyll command which allowed me to import the few blog posts that I’d already written. The only content left behind was the “about” page which is easily reproduced.

Add in a Makefile to make generation and deployment an easy process, and the resulting blog code is much cleaner.

I doubt this will be a major solo catalyst in promoting more writing on my part, but I do hope that it’ll significantly reduce the activation energy that exists for me to publish anything.