Monday, June 27, 2016

Honor, Dignity, and Victim Culture

I won't bore you with details, but I will point to an interesting article on a rise in microagressions and the concept of a "Victim Culture". To recap quickly there are three primary types of cultures discussed #1 Honor Culture - were you generally have a personal code of honor and use force to correct even the slightest of offenses #2 Dignity Culture - were you ignore insignificant (that is, legally allowed) slights and rely on dialogue and third parties to dispute offenses according to a unified, documented written code, and #3 Victim Culture - were you use the perception of victimization to resolve disputes.

In Honor cultures the strong are rewarded for being strong or oppressive and there is nothing to check their power. This leads to adaptations in behavior that favor the idea that "the strongest make the rules". Moreover, the rules tend to be arbitrary and (inherently) serve those who are already in positions of power (or in the case of revolution wherever has superior weaponry). This, to me, is clearly not an appropriate way to exist as a society. In such a society, warlords and gangs will run rampant as each leader seeks to continue to amass enough personal power to maintain their position.

On the other hand, Victim Cultures do the exact opposite, but end up devolving into the same scenario on it's ear. The adaptations become "I'm the most victimized" and in this culture a downward spiral of "who's the bigger victim" exists as each player in their attempt to amass power points out infractions against their person. To me, Victim Culture versus Honor Culture both have the problem that the source of "truth" is subjective and can be easily manipulated to favor those that are on both extremes. In this culture, individuals only become powerful by expressing their "victimhood" to third parties. This leads to gossip and demagoguery being the way to nullify perceived violations of your person.

At the top of the triangle of these cultures is "Dignity Culture". What is important about this model is that actors are automatically imbued with power (and, for example...human dignity) and their actions can only take away from it..."proper" actions are assumed and "improper" actions are punished according to a SHARED set of values. This is the foundation of (not just) the american system of government and at the cornerstone of my personal belief system. The important difference between the three is that this is the only one of them that assumes equality and codifies what is wrong action and what are appropriate consequences. This means that collectively and socially we agree to "universal" terms and rules and apply them unemotionally in all situations versus allowing either victims or oppressors to make their own rules that are highly situational and based often on emotional responses versus a "rule of law".

This having been said, I've been thinking about this a bit and, in particular, I think about a video I watched a while back with our current President speaking to the owner of a gun shop about gun control. In this clip, it appears evident that spreading Fear Uncertainty and Doubt (FUD) about the current president's position on gun control has clouded an otherwise rational person with what appear to be an inaccurate assessment of affairs. His decent into victimhood is clear by his assessment that the current administration is hell bent on punishing the "good law abiding people" while not trying to keep guns out of the hands of the "good guys". This video (to me) is a clear example of how pundits can spin situations and tell a compelling (if untrue) tale of doom that incites otherwise rational people to attribute motives that don't exist to otherwise innocent and well intentioned attempts at improving the overall state of the human condition.

My point is: Before condemning someone who doesn't share your viewpoint, step back and apply Hanlon's Razor... That is, "Never attribute to malice that which is adequately explained by carelessness". It is much easier to feel that another party is wrong and attribute actions to motives that don't exist (but fit your worldview or predispositions) than it is to step back and really look at their actions and attribute "malicious intent" instead to "lack of skill".

Monday, April 25, 2016

Headless rasberry pi 3 install for OSX for non-noobs

Having purchased a raspberry pi 3 a few weeks ago, I was quite confused by almost every reference for install mentioning "plug in HDMI monitor and USB keyboard" as a step. While I've found references on how to do a headless install, it seems that many of the instructions come from a background of "you've already installed and run the graphical installer". As a person coming from an arduino/linux server background, I really don't need X11 for my use case and just want a powerful micro controller that I can setup via ssh (well, USB would be better, I still don't understand why you can't do this using the USB connection as a tty...but that's a different discussion). What follows are the steps I used...NOTE if you use the wrong disk number you will destroy potentially important information on your machine, use at your own risk and only do this if you understand what this means otherwise you will likely have an unusable machine or at a minimum lose information.

First, download the raspbian lite image.

Next, plug your sd card into your mac



and you should see an entry that corresponds to your SD card. My output had an entry similar to this (other output omitted)

/dev/disk2s1 129022 55730 73292 44% 0 0 100% /Volumes/mysdcard

Unmount the sd card:

sudo diskutil unmount /dev/disk2s1

Copy the image to the RAW device (this means /dev/rdisk2 instead of /dev/disk2s1...the disk number will quite likely be different on your machine)...

sudo dd if=2016-03-18-raspbian-jessie-lite.img of=/dev/rdisk2 bs=1m

Note, I'm not sure about the whole "block size" thing, but this is what I used.

This will run for a few minutes with no feedback, you can hit ctrl-T in your terminal to get a status output. Once this command has completed, you can eject the disk.

sudo diskutil eject /dev/rdisk2

now plug the sd card into your pi, power it up (via usb), and look for the device (plugged into ethernet) on your network. Assuming you've found the device's IP address (mine was at you can then ssh into the machine with:

ssh pi@

Using 'raspberry' as the password

At this point you should have a functional pi image and can continue with your configuration...My first set was to resize the root partition using raspi-config (as I have a 32gb card).

Hopefully these instructions will help 'slightly more advanced' users wade through the "Noob" clutter available on the internet.

Friday, April 15, 2016

Do you test your IT operations and business processes?

The software industry expends a lot of energy making sure software is tested. From unit testing, to system and performance testing, to manual "poke it with a stick testing", almost no software team "doesn't do it" or fails to see the need. Ironically though, many places don't routinely test their IT operations and business processes. This is ironic because if those things are broken or brittle, it generally has a MUCH larger negative impact on a company than buggy software.

To clarify, I've worked with many companies that have a "backups" and "disaster recovery plans", but they never TEST to see if either of this can actually lead to a recovery in the timeframe expected. A well known (for me at least) scenario in the IT field (related to operations) is this:

  1. "Yes we do backups"
  2. Server fails, all data is gone
  3. Build new server (this works)
  4. Restore data that was previously backed up
  5. Realize backups actually were written in a way that isn't recoverable, the backups we thought were being performed have actually never worked, someone "forgot" to enable backups for that particular server...(the list goes on and on...)
  6. Weep
  7. Go out of business

Stretching outside the technical realm, there's another area that confounds me on its lack of testing maturity, which is: "Testing your process". Most places I've encountered are, at best, able to define and presumably follow a process of some sort, but generally unable to understand or define what happens when the process fails. As an example, many places have "human steps" in their process, but never test "what happens if the human forgets, has incorrect assumptions about what that step means, or is just plain lazy and lies about performing a step?". In general, there is too much reliance on an individual sense responsibility being the safeguard that the process will perform adequately.

As a very common example...if we have a software delivery process and a step is "update the API documentation", how many organizations will actually QA the process to understand how to detect and/or ensure that this step is done? More importantly, how many teams will have someone test "making a change without updating the documentation properly" to ensure that this is detected? My general answer is "a vanishingly small number".

Most people (in my experience) when quizzed about issues such as this will throw out statements like "well, we pay our people well and they are 'good' people, so we don't have to worry about it". To me, this is a silly and fragile position to take, many professions have very highly paid people who are extremely reliable (for people) that still have checks, double checks, and controls to ensure that the "things we said we were going to do" actually "got done". While I think the security industry is the dimension of tech that has made the most progress in "defining" these sort of controls, I still see that (even in that industry) most companies don't take the additional step to validate or test that the process itself is adequate and failure is detected at an appropriate manner, level, and time.