Reliance On GPS Is A Liability

I’ve written a couple of times previously about how we shouldn’t rely solely on GPS. It appears the US government might have just come to that conclusion as well.

GPS is awesome, but it cannot be the only mechanism used for navigation. CANNOT.

Posted in Architecture, Life | Leave a comment

Use MongoDB

So an Anonymous Coward’s pastebin rant against MongoDB has an awful lot of legs. I circulated a few thoughts yesterday morning to head off the inevitable concerns of “um, we’re doing a lot with Mongo, and now I’m nervous”:

[It] really smacks of oops-I-didn’t-plan-and-got-bit, which is entirely too easy to do on the razor’s edge. 10s of millions of users without a decent pre-launch beta, load-testing etc? Most of the arguments here are things well-known in the mongo community: GWL, sharding problems under load, eventual consistency, etc.

So to everyone out there who, after reading that pastebin:

  • might have thrown up a little
  • might be questioning why/if they’re using MongoDB
  • might be thinking perhaps last week you made the worst career decision of your life
  • might want to re-evaluate the technology decisions of co-workers who advocated it

GOOD! These feelings are totally valid and in general will do everything to help MongoDB and its community. Really, I mean that. Even if everything in that pastebin is a lie (most things are half-truths, at best) and the negative reactions because of it are “baseless”, they serve to raise questions, they serve to validate, they serve to do what we should do with every technology decision we make: be skeptical and prove.

A lot of the MongoDB adoption I’ve seen amounts to “well I think it’s cool because I can use JavaScript” from the UI crowd or “I suck at writing SQL queries” from the app crowd or “I hate tuning my systems” from the systems crowd… or, worse “I’ve heard it’s awesome”.

I know in the Age of iEverything, it’s a knee-jerk reaction to just buy/do things because some salesman in a turtle-neck tells you he just changed everything, but if you ever take anything home from my writing:

Don’t Ever Make An Infrastructure Technology Decision Because You Heard It Was Awesome

But, in case you were curious, MongoDB is awesome, and you should use it: just don’t take my word for it. Be skeptical and prove.


Posted in Architecture, Linuxy | Leave a comment

SSL CAs Are An Unnecessary Evil

I’ve talked about this to numerous groups, going back to 1999, but it seems I’ve never done so publicly.

Certificate Authorities are completely unnecessary.

“OH MY GOD HOW DO WE MAINTAIN THE WEB OF TRUST?!” you scream. Easy, the same way we do In Real Life, with a little twist.

Posit 1: Your browser starts with a completely empty CA database. Yup. No CAs, no Certs, no CRLs. It has a concept of “levels of trust”, just like PGP/GPG: you explicitly trust certain people/companies/etc. different than others.

Posit 2: CAs only sign for their domain, and all Certs in a domain must be signed by the domain CA.

Posit 3: Domain CAs can also sign other domain CAs that they sufficiently trust. This signature has no functional impact on the system.

Scenario 1: High-Trust, offline relationship. You are a Bank of M@ customer. You visit a Bank of M@ branch and open an account, signing up for online banking. You’re given a read-only USB stick that has the Bank of M@ Certificate Authority Public Key on it. You go home, plug it in, and your browser and other software now know that all ‘’ addresses (email addresses, web URLs, etc.) signed by that key are legit.

Scenario 2: Opportunistic Trust, online relationship. A friend sends you a link to a pair of gloves you’ve been looking for. The link is to a site you’ve never been to, (that I just made up). You add the item to your shopping cart, click the ‘checkout’ button, and the site redirects you to their SSL site to complete the transaction. Your browser has no data for How does it get it? Well, how did it get to to begin with? A DNS request. It makes a similar DNS request asking for the KEY, which is either a URL pointing to the CA Public Key, or the Public Key block itself. In either case, the browser can load the CA for, implicitly trust other Certs and keys signed by it, and you have a new pair of gloves on the way.

Scenario 2a: Treason Uncloaked! You receive an e-mail, purportedly from, but signed with a different CA, or links to a site purporting to be but is signed with a different CA. Your e-mail client, which has the CA Key for loaded warns you visibly of this discrepancy. The content of the e-mail, however, says “We needed to change our CA key, please use this one instead”.

  1. The CA Key enclosed was not signed with the previous CA Key for
  2. The previous CA Key for isn’t on the published CRL for
  3. The CA Key enclosed is not the CA Key obtainable via DNS.

The software, and thus the user, can be pretty certain this is bogus. This is not the you’re looking for.

Scenario 2b: Subversive Treason Uncloaked! Someone hijacks your DNS. Perhaps the government, perhaps malware, perhaps your jealous life partner. They know your penchant for and decide to forge their own CA key, and make it so that your browser will download that key, but login through a Man-In-The-Middle server they have set up. Nefarious!

  1. Your browser indeed downloads the forged key.
  2. The forged key is not signed by the CA Key you have.
  3. The CA Key you have is not on a CRL for
  4. Or the CA Key you have is on a forged CRL for, that is not signed with the CA Key you have.

The software, and thus the user, can be pretty certain this is bogus. This is not the you’re looking for.

Scenario 2c: Real certificate/key/CA change.’s CA is going to expire soon, so they generate a new one. They sign it with the old CA Key. They add the fingerprint of the old CA Key to their public CRL. They sign the CRL with both the old and new CA Keys.

  1. New/first-time customers are oblivious to the switch.
  2. Existing customers download the new CA Key and the CRL.
  3. They authenticate the CRL as it is signed by both the old (that they trust) and new (that they’re skeptical of) CA Keys.
  4. They authenticate the new CA Key as it is signed by the old CA Key.

The software, and thus the user, can be pretty certain this is legitimate. This is the you’re looking for.
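
The checks in Scenarios 2a through 2c, as an added example that is not code from the original post: a client that already holds a domain's CA key decides whether to accept an offered replacement. The toy RSA over Mersenne primes, the bundle layout and every function name are assumptions made for this illustration.

```python
import hashlib

E = 65537  # public exponent for the toy RSA below

def keygen(p, q):
    """Toy textbook RSA key (n, d) from two primes; a stand-in for real signatures."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    n, d = key
    return pow(_h(data, n), d, n)

def verify(n, data, sig):
    return pow(sig, E, n) == _h(data, n)

def fingerprint(n):
    return hashlib.sha256(str(n).encode()).hexdigest()

def crl_bytes(crl):
    return ",".join(sorted(crl)).encode()

def make_offer(old_signer, new, retired_n):
    """Bundle a domain would publish; old_signer is whoever claims to hold the old CA key."""
    crl = [fingerprint(retired_n)]
    return {"key": new[0], "crl": crl,
            "key_sig_old": sign(old_signer, str(new[0]).encode()),
            "crl_sig_old": sign(old_signer, crl_bytes(crl)),
            "crl_sig_new": sign(new, crl_bytes(crl))}

def evaluate(trusted_n, offer):
    """Client decision for an offered CA key, given the CA key it already holds (or None)."""
    new_n, crl = offer["key"], crl_bytes(offer["crl"])
    if trusted_n is None:
        return "accept-first-use"      # Scenario 2: nothing to compare against
    if new_n == trusted_n:
        return "accept-known"
    ok = (verify(trusted_n, str(new_n).encode(), offer["key_sig_old"])  # new key signed by old
          and fingerprint(trusted_n) in offer["crl"]                    # old key is retired
          and verify(trusted_n, crl, offer["crl_sig_old"])              # CRL signed by old...
          and verify(new_n, crl, offer["crl_sig_new"]))                 # ...and by new
    return "accept-rollover" if ok else "reject"

# Constructed keys (Mersenne primes, demonstration only).
OLD = keygen(2**61 - 1, 2**89 - 1)
NEW = keygen(2**107 - 1, 2**127 - 1)
MALLORY = keygen(2**19 - 1, 2**31 - 1)

LEGIT = make_offer(OLD, NEW, OLD[0])           # Scenario 2c
FORGED = make_offer(MALLORY, MALLORY, OLD[0])  # Scenarios 2a/2b
```

With no stored key, `evaluate` returns `accept-first-use`, so the first contact in Scenario 2 is only as trustworthy as the DNS answer that delivered the key.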

Conclusion: This is a very simple, inexhaustive exercise. More questions remain, but they’re all solvable. There is no reason why every domain can’t be a CA for itself. There is no reason why being a Certificate Authority is a billion-dollar business. There is no reason why we have to put up with an anachronistic monopoly on “trust”. There is no reason why this cannot be free and open, and a domain can generate infinite certificates/keys/etc. for their own domain.

In Verisign We Trust, My Ass.

Posted in Architecture, Opinions, Work | Leave a comment

Redundant Array of Independent Datacenters

I used a phrase last night/this morning that I use to refer to distributed datacenter architecture, and afterwards decided to google it. It seems that while Cisco mentioned it a lot in 2010, I beat them by a few years in describing and naming the concept of a Redundant Array of Independent Datacenters – and other than that, it has received almost no searchable results. Unfortunately, the vast majority of my communications about this were in-person, but a zgrep of my mail archives did return a few hits, the below being the oldest. I thought that was cool. A more informative post forthcoming as time allows.

Subject: Quick Reply
From: Matthew Keller <[REDACT]>
Date: 06 Dec 2002 12:21:30 -0500


I got your vmail and think we're on the same page. Basically thinking
about it like storage, but a Redundant Array of Independent 
Datacenters, if you will. Between the 3 or 4 of us, there is no 
reason we can't make the JNOC idea work, and really save all of 
us a lot of time and energy. Let me know when you get back from 
vacation and we'll chat more. 

Thanks again for your call,

Matthew Keller
Enterprise Systems Analyst


Posted in Architecture, General, Work | Leave a comment

Open Response to Open Letter to the Netatalk Community

I can’t help but notice that you seem to think yourself above some pretty important facts with the coup you appear to be attempting towards Netatalk.

First, and most importantly, while there are currently only a small handful of devs, you’re standing on the shoulders of giants. I haven’t done any source analysis as to how many klocs you have contributed vs not, but I’ll bet it’s a tiny percentage, especially if you factor in total klocs contributed over the 15(?) years of the project versus your relatively recent involvement.

Secondly, your act of “big companies should pay me or they can’t have Netatalk” shows a gross misunderstanding as to how Open Source works, and the rules the GPL binds you by. Please don’t feed the trolls with claims that there are lots of BSD headers running around source files, as some of your strawmen have been doing in various forums. That’s bunk and well-explained in historical discussions. Every line of Netatalk code is under the GPL unless you want to base “your” version of Netatalk off of versions prior to 1.5, when it was BSD-licensed.

Lastly, I’m disappointed in you. I won’t betray confidence implied in discussions we’ve had, but this isn’t something I would have expected from you. Your assertion that “it’s better to have an actively developed Netatalk, than a non-free, non-open Netatalk” is very incorrect. It is the freedom and openness that got it to the point where you could derive value from locking it up.

I’m sorry your business plan is obviously not working the way you’d like. This isn’t the solution. The solution is to change or replace your business plan, not commit at worst legal license violations, and at best very disrespectful and dishonorable acts with that which is not yours.

Matthew Keller

Posted in Coding, Linuxy, Opinions | 6 Comments

Apple Touchscreen Patent – Invalid

You may be surprised to learn that Apple was granted, essentially, a patent on touchscreen computing. (and yes, I know it’s N-finger, so technically it’s multi-touch.. regardless) There is TONS of prior art to invalidate this, and I have in my museum-of-geeky-products-i-bought-that-never-caught-on, several pre-2007 devices that can prove that.

Really. Shush.

Posted in Uncategorized | Leave a comment

Dear MongoDB

Dear MongoDB,

I would like to use the positional operators you have for updates, à la ‘user.$.name’, in the field selectors for queries, à la find({“”: “Matt”},{“user.$.address”}) such that I can see only the fields of that sub-document/sub-object in my return data instead of having to return “user.address” which may have thousands of results, and then filter it in code before returning it to the application.

Yes, I know I could have a different document model, but I don’t always get to pick that. This would be awesome.

Thank you for all the fun,

Posted in Architecture, Coding, Linuxy, Work | Leave a comment

Congratulations Xen

Xen is now in the mainline kernel, where KVM has been since February 2007. Xen is still a completely separate kernel, with completely separate interfaces. Xen may now be in Linux, but still is not Linux.

Posted in Architecture, Linuxy, Opinions | Leave a comment


Case: Large menu system where different users use different items more often than others. Some spend 80% of their time in <5% of the options, some spend 60% of their time in the least used 10% of the options.

Problem: Menu needs to adapt to how the user uses it, with zero-configuration for ease of use.

Solution: The menu needs to adapt its ordering based on the user, and possibly the type or role of user. Every time user U clicks a menu link, that needs to be counted such that after enough clicks, the location of that item changes.

For example, after 100 clicks of an item, the menu is reordered based on the number of clicks div 10 all items received.

Similarly, as user U has role R, when a new user U2 is created with role R, his default menu ordering should be the median (sum of each menu item div number of users) of the users with role R.

Result: Existing users have their most readily used items closest, their seldom-used items furthest, and new users receive a base-optimal menu set for their role. Solution scales to very large user and role sets, with minimal-to-no user confusion, and zero user-configuration needed.
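
One way to implement the scheme above, as an added example that is not code from the original post. The menu items, class and method names are constructed for illustration, and two details are assumptions: a reorder fires whenever an item's count reaches a multiple of 100, and items in the same div-10 bucket keep their default position.

```python
from collections import Counter, defaultdict

MENU = ["Accounts", "Billing", "Reports", "Settings", "Help"]  # constructed default order
REORDER_EVERY = 100   # "after 100 clicks of an item"
BUCKET = 10           # "number of clicks div 10"

class AdaptiveMenu:
    def __init__(self):
        self.clicks = defaultdict(Counter)   # user -> item -> click count
        self.order = {}                      # user -> current menu order
        self.roles = {}                      # user -> role

    def _rank(self, score):
        # Stable sort: items in the same bucket keep their default position,
        # so a handful of extra clicks never shuffles the menu.
        return sorted(MENU, key=lambda item: -(score(item) // BUCKET))

    def add_user(self, user, role):
        peers = [u for u, r in self.roles.items() if r == role]
        self.roles[user] = role

        def role_score(item):
            # The post's role default: per-item sum div number of users with the role.
            return sum(self.clicks[u][item] for u in peers) // max(len(peers), 1)

        self.order[user] = self._rank(role_score)

    def click(self, user, item):
        self.clicks[user][item] += 1
        if self.clicks[user][item] % REORDER_EVERY == 0:
            self.order[user] = self._rank(lambda i: self.clicks[user][i])
        return self.order[user]
```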

Posted in Architecture, Coding, Work | 1 Comment

GPS Jamming: For Fun Or Profit

From this /. article. I’ve written about the dangers of relying on GPS previously.

“A simple $30 GPS jammer made in China can ruin your day. It doesn’t just affect your car’s navigation — ATM machines, cell phone towers, plane, boat, train navigation systems all depend upon GPS signals that are easily blocked. These devices fail badly — with no redundancy. These jammers can be used to defeat vehicle tracking products — but end up causing a moving cloud of chaos. The next wave of anti-GPS devices include GPS spoofers to trick or confuse nearby devices.”

Posted in Life, Opinions, Rants/Tirades | Leave a comment