
A feast of analogies

A few years ago a coworker noticed that all my analogies seemed to involve food. He asked if this was intentional.

I explained to him that my analogies contain many unique layers, but if you pay attention you'll see a lot of repetition... like a lasagna.

By the way...

I've scheduled this blog post to appear on the morning of Wednesday, Feb 10. At that time I'll be getting gum surgery. As part of recovery I won't be able to bite into any food for 4-6 months. I'll have to chew with my back teeth only.

Remember, folks, brushing and flossing is important. Don't ignore your teeth. You'll regret it later.

Posted by Tom Limoncelli in Misc

I'm excited to announce that I've been interviewed as part of the ACM Interviews series. Listen to the 1-hour interview or read the summary via this link

ACM Interviews are part of the ACM Learning Center (click on Podcasts).

Over the last 20+ years Stephen Ibaraki's interviews have included famous computer scientists and innovators like Vint Cerf, Eric Schmidt, Leslie Lamport, and more. (Complete list here.) Stephen is involved in many professional organizations, frequently addresses the United Nations, and has received numerous honors, including being the first and only recipient of the Computing Canada IT Leadership Lifetime Achievement Award.

I was quite honored to be asked. (Actually I was confused... when approached at an ACM event last year I assumed Stephen was asking me to nominate people worth interviewing, not asking me to be interviewed!)

I consider this a major career milestone. I am grateful to all those that have helped me get to where I am today.

Background on the ACM:

The Association for Computing Machinery (the US representative to the United Nations (UNESCO)-founded IFIP, the International Federation for Information Processing):

The ACM's reach is 3.4 million, with 1.5 million users of the digital library, and it is the largest and most prestigious international professional organization in computing science, education, research, innovation, and professional practice (200 events and conferences, 78 newsletters/publications, 37 special interest groups such as SIGGRAPH, and the top awards in computing science such as the ACM Turing Award; the Turing is considered the Nobel Prize of Computing, with a 1 million USD prize).

Posted by Tom Limoncelli in Publications

In this episode we talked with Alice Goldfuss about the changes you need to make when growing a DevOps or sysadmin team. Alice also talked about dealing with remote workers and her experience at film school, and she shared insights about giving your first presentation at a conference.

You don't want to miss this!

For the complete list of LISA Conversations, visit our homepage.

Posted by Tom Limoncelli in LISA Conversations

Today (Feb 2) at 3:30PM PST we'll be recording this month's episode of LISA Conversations.

Our guest will be Alice Goldfuss. We'll be discussing her LISA '15 talk about growing a devops team: Scalable Meatfrastructure: Building Stable DevOps Teams

You won't want to miss this!

(NOTE: This recording was rescheduled; our usual time/date is the last Tuesday of the month.)

Posted by Tom Limoncelli in LISA Conversations

In my previous blog post, "SHA-1 Deprecation: Pro, Con, or Extend?", I was a bit sarcastic about an anonymous company wanting to keep producing SHA-1 out of lazy greed rather than helping customers.

Here's an update by Symantec about their latest actions.

Basically, the proposal to extend SHA-1 certs was withdrawn because during the ballot debate, so many new attacks against SHA-1 were revealed that.... oh the embarrassment.

So now companies can request SHA-1 certs as long as they expire on or before Dec 31, 2016. Luckily one good thing happened: non-legacy browsers are removing their trust for the SHA-1 root certs, which will make them more secure and will serve as a canary in the coal mine.

In other words, if you are still using SHA-1 certs, you will start to get warnings from your non-mobile users (easy to fix) now, giving you an indication that you need to start fixing your mobile users (you have until December 2016).
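One way to get that signal yourself, before the browser warnings arrive, is to inventory your certificates and flag any SHA-1 cert whose notAfter runs past the Dec 31, 2016 cutoff. The block below is an added example, not code from the post: a minimal DER walker (no third-party libraries) that pulls the signatureAlgorithm OID and notAfter out of an X.509 certificate, plus a constructed sample certificate with placeholder key and signature fields. The OID set and cutoff date are my assumptions from the post's description.

```python
import datetime

# Signature-algorithm OIDs meaning "signed with SHA-1": sha1WithRSA, ecdsa-with-SHA1, dsa-with-sha1.
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1", "1.2.840.10040.4.3"}
CUTOFF = datetime.datetime(2016, 12, 31, 23, 59, 59)  # last moment a SHA-1 cert may be valid

def _tlv(data, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):  # split a constructed DER value into its (tag, value) elements
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(raw):  # DER OID contents -> dotted form, e.g. 1.2.840.113549.1.1.5
    parts, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))

def inspect_cert(der):
    """Return (signature OID, notAfter, flagged); flagged = SHA-1 signed AND valid past CUTOFF."""
    tbs, sig_alg, _sig = _children(_children(der)[0][1])  # Certificate ::= SEQ {tbs, alg, sig}
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:  # v2/v3 certs start with an explicit [0] version element
        fields = fields[1:]
    tag, raw_time = _children(fields[3][1])[1]  # serial, signature, issuer, validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    not_after = datetime.datetime.strptime(raw_time.decode("ascii"), fmt)
    oid = _decode_oid(_children(sig_alg[1])[0][1])
    return oid, not_after, oid in SHA1_SIG_OIDS and not_after > CUTOFF

# --- constructed sample input: structurally valid v1 cert, key/signature are placeholders ---
def _der(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths suffice for this small sample

def build_sample_cert(sig_oid_bytes, not_after):
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"160101000000Z") + _der(0x17, not_after))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + _der(0x30, b"") + validity
               + _der(0x30, b"") + _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00")))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"  # DER contents of 1.2.840.113549.1.1.5
```

Feed `inspect_cert` the DER of a real certificate (for example the output of `openssl x509 -outform DER`) to check a deployed cert against the same policy.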

However I don't think that's enough of a "signal". It is still possible for companies to be oblivious to the situation. I'm no crypto expert, but I think people should consider two things to "raise awareness":

  • SHA-1 certs should expire much sooner. Imagine if people had to renew them every month. That would keep the issue visible. If you get a cert that is good for 12 months, it is easy to forget about the issue because there are bigger fires to put out. Monthly (or 60-day) renewals would keep the issue in the forefront of people's minds.
  • SHA-1 certs should cost $10,000. This would introduce economic pressure to stop supporting legacy devices, which would put pressure on legacy devices to upgrade.

The real problem, however, is vendors making systems that are stuck with old software and can't be fixed. I wish there was something we could do to make it economically infeasible for vendors to make such devices. Right now it is cheaper to produce a product with no upgrade mechanism, which means that device is going to make life difficult for everyone else in a few years (or in a few minutes if that's when the next Heartbleed or ShellShock arrives). Wouldn't it be great if, instead, any time a vendor was about to create a non-upgradable system the C++ compiler would detect this and refuse to compile? Or maybe it should compile but output a warning that in n days it will erase the developer's hard disk instead.

I can dream, can't I?

Posted by Tom Limoncelli

NOTE: Due to circumstances beyond our control, this episode will be recorded Feb 2 at 3:30PM PST.

This weekend is a good time to watch the video we'll be discussing on USENIX LISA Conversations.

Our guest will be Alice Goldfuss. We'll be discussing her LISA '15 talk about growing a devops team: Scalable Meatfrastructure: Building Stable DevOps Teams

You won't want to miss this!

Posted by Tom Limoncelli in LISA Conversations

NOTE: Due to circumstances beyond our control, this episode will be recorded Feb 2 at 3:30PM PST.

On the next episode of LISA Conversations...

Our guest will be Alice Goldfuss. We'll be discussing her LISA '15 talk about growing a devops team: Scalable Meatfrastructure: Building Stable DevOps Teams

You won't want to miss this!

Posted by Tom Limoncelli in LISA Conversations

BNF meets Bowie

This is floating around teh interwebz and I normally don't post this kind of thing, but since this blog recently discussed the death of Peter Naur, and since David Bowie passed away recently, I thought this was appropriate.


This song, Modern Love, was a big hit around the time that I was first getting interested in Bowie. At that time he'd already had more fame and success in the music industry than most could even hope for. As a result, I learned his music in a strange order. First his hits of the day, then going back to his back catalog and learning about his early career and music.

David Bowie, RIP, 2016.

Posted by Tom Limoncelli

Google NYC has announced a series of monthly tech talks for the Site Reliability Engineering/DevOps community in New York City! The first meeting is January 20th at their Chelsea NYC office and will include a number of short talks by speakers from Google, Dropbox, and StackOverflow.com. I'll be the speaker from StackOverflow.

The event will be held on Wednesday, January 20 at Google's campus in Chelsea, at 75 Ninth Avenue. Doors open at 5:30pm, food will be served at 6pm, and talks start at 6:30pm and run until 8pm.

RSVPs are required because this is NYC.

More info and RSVP details are at this link.

Hope to see you there!

Posted by Tom Limoncelli in Speaking

I read Ryan's article about why SHA-1 should be deprecated faster and why we should veto the proposed extensions. It is an excellent explanation of what's going on. I highly recommend it (and look forward to the complete series when he publishes it):

https://medium.com/@sleevi_/legacy-verified-legacy-solutions-15eb688716e4#.pc35r37o1

I feel like the cert provider's reply should be this:

Dear Ryan:

Screw you. You obviously don't understand the business we are in. We are in the business of PRINTING RANDOM NUMBERS AND SELLING THEM FOR UNGODLY HUGE SUMS. Your naive proposal may help the world, but how does that help us profit?

Here's an example, Ryan:

4

See? That was a random number. We just sold it to some duncehead that doesn't know the difference between a SHA-1 hash and a FQDN. For how much? A thousand dollars. That's right. ONE THOUSAND DOLLARS. We do that every few seconds and it (snoooooorts a big line of coke) feels so good!

Why did it cost $1,000? Because we list the price as $48 but then upsold him on wildcards, EV (whatever the heck that is!?!) and a hella boat load of other things.

So let me tell you what we, the cert providers, think about your proposal to help the world or something:

Screw you. Screw you, the horse you rode in on, and your little dog Toto too!

Why? Because we're making money hand over fist and if you require us to change our code, we'll have to... well... pay a programmer to do that, test it, and verify it. That costs money. You know what "cost" is, Ryan? It's the opposite of me sitting in my executive office snorting coke.

So, yes, we've convinced Twitter and CloudFlare and others to do a lot of coding to work around our fucked up little system. Meanwhile, we will spend nothing. How perfect is that?

Yes, we could adopt SHA-256 for all certs and make the web safer but that would be something you'd do if we gave a shit. Yes, we'll adopt that awesome SHA-256 technology someday but ...and this is important Ryan... it won't be on 2016's budgets. Money spent today is a lot more expensive than money spent tomorrow. Why? Because there's a good chance I'll be out of here by then and it will be some other dipshit executive's problem.

Sure, in the meanwhile the NSA will crack the crypto and read everything people say on the internet. Do you think I care about that?

Sincerely, Every executive at every cert provider

P.S. Here... have a thousand dollar random number on us: 6.

Ok, I'm sure that's not exactly what the cert providers are thinking. I'm sure it is pretty close. I don't think they'd actually give away a free random number.

Posted by Tom Limoncelli in Funny