Thoughts on security, beer, theater and biking!

A Spam Tweet That'll Crash Twitter App

2012-02-01T19:21:00.000-08:00

I saw something I have never seen before today. No, it's not unusual to get "@ replies" from Spambots after I've been retweeted or mentioned something like Yoga, Women or iPhone on Twitter - I've seen that a thousand times. (as an aside, how does Twitter not auto-recognize an account that has no followers and only sends @replies not as spam?)

But, today after I tweeted about my support for Planned Parenthood in the midst of the Susan G. Komen foundation dropping funding for mammograms and breast exams at Planned Parenthood - I was retweeted.

I then got a bunch of spam followers and a few spammy @replies. As per usual, I clicked on the tweets, selected the various user names and reported them as spam.

But that didn't work for one tweet. It looked like this on my Twitter App on my iPhone:

Every time I clicked on it, the app crashed. When I looked at it on my desktop computer, it looked like this:

Not the first time I've seen this type of tomfoolery on the Internet, but the first time I've seen a tweet that will crash the twitter app.

Joinging the Lyric Carolers this year!

2011-11-21T16:50:00.000-08:00

As I'm not quite up to dancing, yet, I was excited to find another venue for getting to perform - The Lyric Carolers!

The Lyric Theatre typically performs Gilbert and Sullivan light operas, or other similar period type pieces, but what to do after their fall show closes and their spring show opens? Why, sing holiday carols!

I successfully auditioned and joined the group this year. What an honor to be with such amazing singers! I even have a wonderful Victorian costume and bonnet to wear for the season. The bonnet's got a bird on it. Yes, a bird! :-)

We're still available for booking large groups of singers and small. Whether you're looking for a simple quartet to lighten up your holiday party, or the full choir for your corporate event - we can do it all!

To book, simply fill out the booking form, or send mail to ask any questions.

All proceeds go to supporting the theater's regular efforts.

GHC: Anita Borg Social Impact Award Winner

2011-11-11T18:30:00.000-08:00

This year's ABI Social Impact Award winner is Anne Ikiara, from NairoBits.

What If More African Women Had More Access and Use of ICT Skill?

Anne Ikiara started the talk by telling us about her background as an African woman, not unlike others. She was the youngest of ten children - 6 brothers and 3 sisters. Once men are circumcised, they no longer do chores. And these aren't like American chores you give children. Ikiara had to cook. To cook, she first had to go to the forest and get firewood. Then she had to go to the well and pump water. Nothing is simple.

Forty percent of the women do not have access to any education - they aren't even functionally literate. If you cannot read or write, how can you possibly interact with technology? There is so much violence against women that just surviving is their number one task. The only time you can get online is to go to a cyber cafe, usually a long walk, which a woman can only do after she's finished her house work, and sometimes at great peril.

Making matters worse, as soon as a young girl starts to develop breasts, she can be married - as young as eight years old - to a man as old as eighty. How can she get an education then?

Still today, in Africa, women are discouraged by their teachers from pursuing math and science.

Women do 80% of the agricultural work, but only own 5% of the land. Nearly 50% of women in the sub Sahraran Africa are married by the time they turn 18!
Ikiara was lucky and didn't marry until she was 22 and her husband didn't rush her to have children. Her mother, and others, thought there must be something wrong with her, that she needed a doctor, as she hadn't had any children by the age of 26. So much pressure to just be a mother.

A recent contested political election resulted in riots - most of the dead were women.

Women in Africa need more access to education, more role models, more equality!

What has Nairobits done? They target youth from non-formal settlements - very impoverished people. No running water, living 10 people in a 10x10 shack, etc.

Originally this started in Nairobi and was meant to be a one time event - but the interest was so ovewhelming, they needed to do more.

In order to encourage women, they accept much older girls and have flexible times to come for the training. They know these 16 year olds, many of them are mothers, cannot commit to 8AM-5PM for training. Nairobits asks the girls when they cam come for training, and work with that.

This type of training is now being replicated in Uganda, Tanzania, Zanzibar and Ethiopia. Nairobits has trained more than 6,000 youths, mostly women, in Kenya alone.

Training starts slow - they may have to introduce the youths to things like indoor plumbing. What a different world. Can you imagine?

Continuing this is difficult, as donor funding is down, and there is an overwhelming need for services. So many students have to be turned away.

Nairobits has centers where the students can come and use their skills after their graduation and get access at times convenient for them.

I had to ask Ikiara how she got out of this poverty: her brother. One of her brothers recognized that she was smarter than he was, and was able to get her into boarding school where she had six years to learn in peace, with no house work. She has taken this gift, and is passing it on to others. The women she trains in technology, they, too, tell others.

The women who are trained can then get real jobs and increase the financial well being of their entire family, so parents, in the end, are usually very happy to have an educated daughter.

The most limiting thing for Nairobits is money. They need sponsors, they need funds. To put one student through six months of training - it merely costs 10,000 Kenyan Shillings - $107 USD.

This post syndicated from Thoughts on security, beer, theater and biking!

GHC: Anita Borg Denice Denton Emerging Leader Award Winner

2011-11-11T17:00:00.000-08:00

This year's ABI Denice Denton Emerging Leader award winner is Tiffani Williams from Texas A&M University.

Discovering Relationships in the Tree of Life

Dr Williams has been studying phylogentic trees to discover relationships. She opens with the example of the Dentist in Florida in 1990 that gave HIV to one of his patients. Even though HIV can mutate from person to person, phylogentic trees can show that the source of the virus and could prove that the dentist did indeed give the virus to his patient. It was also used in a court case to identify a man that intentionally gave HIV to 6 women - he is deservedly spending the next 70 years in prison.

There is some more work in this area is used for studying big cats - to see which cats are most related. For example, the lion, leopard, jaguar, tiger and snow leopard are part of the same group, but clouded leopard is not. By studying this, they can try to help save the species.

Dr. Williams did a great job showing that some of the most interesting is cross disciplinary - you need computer science, genetics and statistics to help save species!

But, these trees can be very large, expensive to store and impossible to easily transfer. Compressed files help, but you might lose useful data.

Storage is cheap, in theory, but upgrading and adding storage to your laptop is not easy and sometimes simply not possible.

Phylogentic trees are represented in Newick formatting, a notation based on balanced parentheses. something like this: (((A,B),D),C,(E,F))); It was actually pretty clear when Dr. Williams used the laser pointer :-)

The problem: one simple phylogentic tree can have 32 Newick patterns! This makes it hard to both compress and identify relationships. Dr. Williams came up with a way to store a unique tree as a unique binary code - then a simple hash algorithm can identify related trees.

The hash table can be further compressed with shorthand, like a special symbol that means "all trees have this relationship", and another for relationships when there are fewer items that share a relationship that do. And this can all be compressed using Tree Zip and stored in plain text!

As much fun as compression is, Dr. Williams advises against using it on humans - we don't like to be compressed into a group, especially when it comes to negative stereotypes.

I learned so much today - I'd love to take an entire class from her!

This post syndicated from Thoughts on security, beer, theater and biking!

GHC: Plenary Session: Partnering with Executive Leaders for Shared Vision and Career Growth

2011-11-11T15:30:00.000-08:00

The plenary sessions always seem a bit mislabeled to me - this one is about partnering in executive leadership, and, yes, there are executive type people on the panel - but their advice is actually useful in any level of your career.

Moderator: Linda Apsley (Microsoft)

Panelists:

Microsoft Partnership: Bill Laing and Betsy Speare

CA Technologies Partnership: Gabby Silbermann and Carrie Gates

Harvey Mudd College Partnership: Marie Klawe and Christine Alvarado

Bill Laing and Betsy Speare started out the discussion by introducing each other. At first I thought this was odd, as most people can introduce themselves the best, right? But, it was so interesting to hear the words they chose to describe each other - much more glowing than most people would use for themselves.

Both Laing and Speare again reiterate that if you're seeking advancement, you need a sponsor. And sponsors and mentors are not the same thing. When looking for a sponsor, you need to choose someone you admire and has something that you want (skills, connections, etc). But, you can't just say, "Hey, be my sponsor!" Laing suggests also looking for people you can have an authentic connection with, as that will be the most successful advocate for you.

Marie Klawe, President and Professor at Harvey Mudd, and Christine Alvarado, Assistant Professor at Harvey Mudd, met when Klawe joined Harvey Mudd as president. Alvarado was surprised to discover that Klawe had already heard about her, a measly second year associate professor. Klawe had heard of Alvarado, because of her energy and the women's programs she was starting.

When Alvarado joined Harvey Mudd in 2005, their CS department was only 12% women - not unlike the rest of the US. Between her efforts, and Klawe putting them in overdrive when she joined, they are now up to 40% women!

Some of the things that they do - they bring first year undergraduates to this conference, even non-CS majors. This encourages more women to join the department and helps to retain them, as they are able to build a network.

Silberman and Gates go all the back to when Gates was still in school, and they kept in touch. When he wanted to hire her, they actually met up at TGI Fridays in an airport. He hired Gates and has been her sponsor ever since.

Gates wanted to make it clear that Silberman wasn't just watching her and taking her to the next promotion level - she asked him. Now she's a Distinguished Engineer at CA technologies, but quipped that she's still not sure what she wants to do when she grows up. ;-)

An observation from the panel was that men and women don't necessarily think differently, but they do tend to act differently. Men have been conditioned since they were 5 to show off and try to top everyone around you. Some professors can find that type of thing annoying, when a student is constantly trying to one up them - but they are certainly noticed.

Speare recommends She Wins, You Win : The Most Important Rule Every Businesswoman Needs to Know and Overcoming the Five Dysfunctions of a Team: A Field Guide for Leaders, Managers, and Facilitators (J-B Lencioni Series), to learn more about fixing your teams and fixing them with women. :-)

A question from the audience asked about how you prevent things from looking like favoritism. Liang said this is why he recommends finding a sponsor that is not in your direct reporting line of management - they could even be at a different company! Another panelist noted that this is a reason to have more than one sponsor.

Klawe notes that she'll mentor just about anyone she has time for, but will only sponsor people that she truly believes in, so that when she tells everyone about the sponsored accomplishments, nobody will be able to deny the value of it.

This post syndicated from Thoughts on security, beer, theater and biking!

GHC: Anita Borg Change Agent Winners

2011-11-11T12:30:00.000-08:00

This year's ABI Change Agent award winners are Marita Cheng (Robogals) and Judith Owigar (Akirachix). It's unusual to see two winners, but these young women are so fascinating, I can see how got two!

The Small Victories
Presenter: Marita Cheng (Robogals)

Marita Cheng graduated in the top 0.2% in her country from high school, and was sought after by many schools. Her parents wanted her to medicine, so she'd have a nice, steady job. Cheng wasn't interested, though, so she found she couldn't answer any of the questions during her biology review - but the reviewer did suggest she follow her passion, engineering, instead of what her parents wanted her to do.

So, her career as an engineering student began. Cheng only knew two other girls from her small home town entering engineering, and thought this must just be because she was from a small town. That view was shattered when she actually arrived at school and couldn't find any women.

Cheng surveyed friends and others to try to figure out why this was. Through all her research, she discovered that middle school aged girls are not getting enough exposure to engineering - and Robogals began!

Cheng and her volunteers started teaching 10-14 year old girls how to build robots using the Lego Mindstorms during Australian school holiday in July.
Robogals now has 17 chapters in 6 countries, has taught over 3000 girls about engineering and use 1000 student volunteers.

Why 10-14 years old? It's the best time to capture their interest so that they still have enough time to get the right pre-requisites to explore engineering in university.

The charity is fully student run! Right now just in Australia and New Zealand, UK and Europe - will be expanding to the US in 2012.

And, yeah, Cheng is still a student, too! Wow!

Where Did All the Girls Go?
Presenter: Judith Owigar (Akirachix)

Judith Owigar from Nairobi, and while studying in Kenya, discovered a great dearth of other African women studying engineering and she wanted to fix this.

Africa really lacks infrastructure - no land lines, DSL, etc. Mobile phone technology has really changed the picture - giving more people a chance to connect in Africa.

In Kenya alone, they have 25 million mobile subscribers (64% of the population), and 12.5 million Internet users - mostly accessed via mobile phones. So, anything AkiraChix wants to do needs to be accessible via mobile phones.

The organization seeks women already in tech to train them to do outreach, give them networking opportunities and set them up with with high school girls that they can mentor.

Owigar believes that having more technical women in Africa can help end poverty. Education is the key to a successful life ahead. I've heard so many other people talk about this - more educated women have more control over how many children they have and their ability to feed and educate their children. That's how you end the cycle!

AkiraChix has been training high school girls in Java - and some of their former students are already developing software for Android!

Owigar is seeing more results, girls are forming tech businesses, going into new higher paying jobs, more confident, expanding their network and staying in tech.

Both really inspired me! Small changes are making a big difference already!

This post syndicated from Thoughts on security, beer, theater and biking!

Exciting Crypto Advances with the T4 processor and Oracle Solaris 11

2011-11-11T11:11:00.000-08:00

I'm sure you all heard about the T4 launch in September, announcing the latest and greatest in the SPARC hardware line. These systems add a number of new features, but I'm going to focus on the ones that are related to cryptography.

The Cryptographic Framework feature of Oracle Solaris was first included with Oracle Solaris 10.
Our focus was always to provide highly optimized algorithms to the rest of Oracle Solaris, so that the entire operating system could take advantage of the best cryptogrpahic performance available.

At that time of the initial release of Oracle Solaris 10, there were no standard CPUs with cryptographic cores, but as the SPARC T series chips were developed, we always made sure to have a driver plugged into the Cryptographic Framework that would give the Cryptographic Framework consumers access to these devices.

But things have changed with T4. These chip sets have made crypto a part of the core instruction set, accessible via nonprivileged instructions. That means, there are no drivers required to enable hardware assistance for cryptographic operations. Applications just access these instructions just like any other basic CPU instruction. That's right, crypto is now just a basic service provided by the CPU.

What does this mean? Well, before, in order for an application to access hardware crypto on a T3 system, the stack would look something like this: application -> libpkcs11 -> pkcs11_kernel -> IOCTL interface -> n2cp (7D) -> hypervisor -> crypto unit.

Now the stack will look more like this: application -> libpkcs11 -> pkcs11_softtoken -> CPU.

The one notable exception for this is the hardware random number generator (HW RNG), which still is only directly accessible via hyper-privileged registers through the n2rng driver. You can access this via /dev/random and /dev/urandom, as well as through the Cryptographic Framework's libpkcs11. See random(7D), n2rng(7D), and libpkcs11(3LIB) for more details.

With all of these changes, we're able to even more highly optimize the performance of cryptography on Oracle Solaris 11.

Algorithms Included

A primary goal of the Cryptographic Framework is to provide Oracle Solaris with highly optimized algorithms, and we made no exception for this release.

In Oracle Solaris 10 Update 10 (08/11), AES, DES, DES3, MD5, SHA1, SHA2 (SHA256, SHA384, SHA512), RSA, and DSA are all accelerated by T4 crypto instructions for all supported modes of operation. To access these via libpkcs11 (3LIB), you'd use the standard PKCS#11 mechanisms listed below [1].

If you additionally download patch 147159 for Oracle Solaris 10 Update 10, you'll get further optimizations for AES-ECB, AES-CBC, AES-CTR, AES-CFB128, and MD5, SHA1, and SHA2.

In Oracle Solaris 11, we have all of those optimizations, plus optimizations for DES and 3DES, as well as optimizations and support for AES-CCM and AES-GCM.

To access these optimizations on Solaris 11, you need change nothing. We've made all of the code changes necessary in the Cryptographic Framework for you. Your applications that use the Cryptographic Framework (see Consumers section below for many examples), will take advantage of our optimizations and the T4 hardware right out of the box.

OpenSSL engine

In Oracle Solaris 11 on a T4 system, you'll notice a new OpenSSL engine called t4. The t4 engine allows OpenSSL to access the optimized T4 crypto instructions directly, without needing to go through PKCS#11. The t4 engine is on by default, if the processor below supports those instructions. Nothing for you to do.

If you're still running Oracle Solaris 10 Update 10, you'll still need to set up your application to go through the pkcs11 engine, and make sure you apply patch 147707.

For example, if you're using Apache Web Server on Oracle Solaris 10 Update 10, or on Oracle Solaris 11 (in order to get the RSA accelerations) you'll need to set this line in your ssl.conf:

SSLCryptoDevice pkcs11

Consumers and Performance

The consumers of the Cryptographic Framework includes: ZFS, IPsec, IKE, kerberos (user and kernel), libsasl, KSSL (in Kernel SSL), OpenSSL, SSH, Java JCE, libsnmp, lofi(7D), and the Oracle DB (11.2.0.3). As well as anything that accesses libpkcs11(3LIB).

Just a note about the Java, T4 is treated the same way as on T2, T3 and Intel - you need to go through the Java JCE provider.

And the Oracle Database? Uses our optimized T4 functions right out of the box (v 11.2.0.3).

Do you want to see just how much our performance optimizations get you on T4? Click on any of the hyperlinked consumers above to see their specific performance gains on T4, or navigate on over to BestPerf to see the latest and greatest numbers.

With the exception of the extra steps required on Oracle Solaris 10 Update 10 for OpenSSL to obtain access to the optimized functions that use the T4 instructions, there is nothing for the administrator to do to get access to this acceleration. It simply works right out of the box.

How do I know if I'm using this?

Accessing these instructions does not require a driver, so there are no kstats to indicate how often any of these instructions are being used. At this time, it is not possible to obtain data from the Operating System regarding execution counts for nonprivileged cryptographic instructions.

[1] PKCS#11 mechanisms used for accessing T4 crypto instructions via libpkcs11 (3LIB) in Oracle Solaris 10 Update 10 and Oracle Solaris 11:

CKM_DES_CBC, CKM_DES_CBC_PAD, CKM_DES_ECB, CKM_DES_KEY_GEN, CKM_DES_MAC_GENERAL, CKM_DES_MAC, CKM_DES3_CBC, CKM_DES3_CBC_PAD, CKM_DES3_ECB, CKM_DES2_KEY_GEN, CKM_DES3_KEY_GEN, CKM_AES_CBC, CKM_AES_CBC_PAD, CKM_AES_ECB, CKM_AES_KEY_GEN, CKM_BLOWFISH_CBC, CKM_BLOWFISH_KEY_GEN, CKM_SHA_1, CKM_SHA_1_HMAC, CKM_SHA_1_HMAC_GENERAL, CKM_SHA256, CKM_SHA256_HMAC, CKM_SHA256_HMAC_GENERAL, CKM_SHA384, CKM_SHA384_HMAC, CKM_SHA384_HMAC_GENERAL, CKM_SHA512, CKM_SHA512_HMAC, CKM_SHA512_HMAC_GENERAL, CKM_SSL3_SHA1_MAC, CKM_MD5, CKM_MD5_HMAC, CKM_MD5_HMAC_GENERAL, CKM_SSL3_MD5_MAC, CKM_RC4, CKM_RC4_KEY_GEN, CKM_DSA, CKM_DSA_SHA1, CKM_DSA_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_X_509, CKM_MD5_RSA_PKCS, CKM_SHA1_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS, CKM_SHA512_RSA_PKCS, CKM_DH_PKCS_KEY_PAIR_GEN, CKM_DH_PKCS_DERIVE, CKM_MD5_KEY_DERIVATION, CKM_SHA1_KEY_DERIVATION, CKM_SHA256_KEY_DERIVATION, CKM_SHA384_KEY_DERIVATION, CKM_SHA512_KEY_DERIVATION, CKM_PBE_SHA1_RC4_128, CKM_PKCS5_PBKD2, CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_PRE_MASTER_KEY_GEN, CKM_SSL3_MASTER_KEY_DERIVE, CKM_TLS_MASTER_KEY_DERIVE, CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_MASTER_KEY_DERIVE_DH, CKM_SSL3_KEY_AND_MAC_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, CKM_TLS_PRF.

This post syndicated from Thoughts on security, beer, theater and biking!

GHC: Anita Borg Technical Leadership Award Winner

2011-11-11T10:56:00.000-08:00

This year's ABI Technical Leadership award winner is Mary Lou Soffa, from the University of Virginia. Her talk was titled "My Dance with Research: An Ode to my Graduate Students"

Dr. Mary Lou Soffa has graduated a bunch of PhD and MS students, half of which are women and/or minorities - impressive! Thirty-two PhD students alone (half women).

Dr. Soffa has been so inspired by her own graduate students, they keep her on her toes (she's got to make sure she's reading all of the latest publications in her area), lead her research in unexpected directions and challenge her on a regular basis.

One of her favorite things about being a professor has been mentoring. When she saw what a big difference she could make with just one student with just a little extra time, she knew this was something she had to pursue.

She's noticed a consistent pattern between her male and female students - for example, when a male student's paper is rejected, he believes the program committee is full of idiots. When a female student has her paper rejected, she believes it's because the paper was just junk. Hrm, gets back to yesterday's keynote about men overestimating their own accomplishments.

Dr. Soffa draws parallels to some of her favorite dances for how different students work - like the Swing - all over the place (she must remind them to focus, focus, focus!!), or Hokey Pokey - coordinated and works well with others.

Dr. Soffa had quite a windy path to becoming a computer scientist! She started out in maths, tried sociology, philosophy, environmental acoustics - all in PhD programs, before discovering computer science (via a course required by her environmental acoustics studies).

Not only does Dr. Soffa metaphorically dance with her students, they do so with each other as well. She took us through a cool graphical adventure about how each of her students work influenced each-other, even years later, as well as the general computing world. For example, one of her fist student's work went into the C++ language.

Dr. Soffa's students work on code analysis is now being used to find vulnerabilities in code in a safe lab environment.

One suggestion Dr. Soffa had for one of her students, who was always rushing to implement things and not thinking through the designs, was to sit in a room for four hours and just think. No laptop, no cellphone, not even any paper. Just think. She said there are so many interesting ideas you can come up with in the silence of your mind. Might have to try this, but when could I have four hours to do this? Maybe just starting small.

It sounds like she's just had a blast in academia, anyone thinking about pursuing a PhD should look to have her (or someone like her) as an adviser. Student success, learning new skills (for students and herself), and moving research forward are so important to her. What an inspiring woman!

This post syndicated from Thoughts on security, beer, theater and biking!

GHC: Friday Keynote

2011-11-11T10:00:00.000-08:00

This morning's keynote: The Honorable Shirley Ann Jackson, Rensselaer Polytechnic Institute. The first African American to get a PhD from MIT and the first African American woman to head up a national university, among many other firsts.

Dr. Jackson joked that it's often easier to get two computer scientists to communicate, even from across the world, then it is to get a CS person to communicate with sales person in the same room. :-)

She notes, more seriously, how important science is to communicating on a global perspective. It's a way to grow, think, interact and imagine. The digital world has shrunk the world, allowing people from radically different cultures and disciplines to work together.

Overcoming communication barriers is so important for helping to bring solutions to the international marketplace. Realize that some women may see three different colours: azure, teal, aquamarine... a man may just see green. Choose your words carefully and respect those you're talking to. Listen and be prepared to short out conflicts.

Another barrier to communication is cognitive biases. To best be able to collaborate, we need to go in with trust and assume that the others at the table are also honest and looking for sincere collaboration.

As technologists, we need to learn how to take data and show it in a way that can touch the general public - humanize it.

Expand this idea to social cognitive networks. There is so much here that can still be explored, how can we apply this? Will it allow us to make wiser choices? Communicate with others better? Or perhaps just be really cool :)

When we start to add sentience to the network, we're again back to trust. Having trust is easy, validating that your trust is well placed is hard.

This post syndicated from Thoughts on security, beer, theater and biking!

GHC: Senior Women's Summit

2011-11-10T18:30:00.000-08:00

The day long session started out with some great tips from Jo Miller, both talking about our brand again and got us brainstorming about what things we think are holding us back. Jo had a recently published article on the Anita Borg site that talked about the difference between a sponsor and a mentor. A sponsor or advocate is someone that stands up

After lunch, we sorted ourselves by industry and academia, as well as by goals (Industry Individual Contributer vs Executive tracks), and I had a tough call to make. Do I want to pursue the DE track? Or management? Then Jo Miller reminded me that this is just a networking and learning exercise - why not get exposure to people I don't have access to now? So, I sat down with an executive from American Express. :-)

Then we got a wonderful panel of very senior women that told us about their paths.

Moderator: Sabina Nawaz, Executive coach and organizational development consultant; CEO, Nawaz LLC

Panelists:

Nora Denzel, Senior Vice President, Big Data, Social Design and Marketing, Intuit
Jamie Erbes, HP Fellow and Director, Services Research Lab, Hewlett-Packard Labs
Ann Gates, Associate Vice President of Research and Sponsored Projects, University of Texas at El Paso
Leah Jamieson, The John A. Edwardson Dean of Engineering and Ransburg Distinguished Professor of Electrical and Computer Engineering, Purdue University

Leah Jamieson has been the Dean of Engineering as well as a professor at Purdue University for 5 years, and has found it to be a rewarding and demanding task - she's had to learn how balance looking forward and looking up, while still taking care of everything beneath her - as Dean, there are a ton of responsibilities.

Ann Quiroz Gates talked about making sure you stay active in your communities, for her that means IEEE. You need to be able to articulate what you need, and be ready to make a case for what you bring to the table. Don't just be the squeaky wheel - show what someone is going to get in return.

Nora Denzel said she actually had a really fast rise into the executive ladder - just 15 years! HP actually sent her back to school to get her MBA. Her advice? "I strive to make sure I'm not the smartest person in the room - be comfortable with being uncomfortable." How else can you grow? She believes that sometimes the biggest thing that holds us back is our own minds - grow your network, worry about doing a good job and not necessarily make everyone like you.

Jamie Erbes said she thought she herself is her biggest roadblock sometimes. For example, at HP you have to apply for fellowship - and she kept not doing it. One year, as the deadline approached, executives and other fellows kept coming to her and asking her why she hadn't submitted her application, yet. She didn't think she was worthy, but after enough people asked her

Jamieson marks the import of picking a clear communication style and make sure it works for the job you're aiming towards.

Several of the panelists mention how times were rougher when it came to networking in the 80s, like Erbes being left in the car when the rest of her co-workers went to strip club. Fortunately, that type of thing would not be considered acceptable behaviour.

Denzel and Jamieson both stress how important it is to show agility. While working for the same boss for 10 years may show your loyalty, it doesn't necessarily show your ability to learn new things quickly. This is a weird one for me - I've worked in such a large company for so long, but my job is always changing. My LinkedIn profile is full of all sorts of different jobs, even though it was always the same person writing my paycheck. Does that show agility? Does the fact that I like a steady paycheck and stability of having health insurance mean that I'm not willing to learn new things? Probably not, but it's something to be sure that I can present well that it's not just one job.

Advice from the panelists on your brand (after being asked by the audience what their brand was) was to do a "360 review" and see what people think your brand is - it could help you better align what you're doing, or motivate changes if it's not something you like.

After the panel, we all got to sit down at a table with a senior executive from major companies and ask anything we wanted. I even got to practice my elevator pitch with an exec from Adobe, and she gave me some great tips to improve. Then we did some more speed networking, then through our biggest "want" on the wall and people signed up to help us. I definitely have things to follow up on here!

More on that later!

This post syndicated from Thoughts on security, beer, theater and biking!

GHC: Thursday Keynote Sheryl Sandberg

2011-11-10T10:37:00.000-08:00

Our keynote speaker is Sheryl Sandberg, from Facebook.

Sheryl Sandberg has the tough balancing act between providing connections and protecting privacy. Best career advice she ever got came from Eric Schmidt, after she was leaving government and entering industry, and he offered her a position as general manager of Google. To Sandberg, that GM position was nothing, and she didn't want it. Schmidt tolder her "Stop being an idiot, all that matters is growth. If you go to a comapany that is growing, it doesn't matter what you're doing."

In the US, we have a huge unemployment rate, with fears that this is not a temporary problem, but Sandberg doesn't see this in tech. She said every technology firm she knows is hiring and growing. Technology jobs are the exception.

Sandberg admits that she's not a computer scientist, not even very technical, but she is a woman, so finally decided she felt qualified to do the keynote at Grace Hopper. She said she would be better at her job if she were more technical, and doesn't think that someone could do her job in the future unless they were technical.

STEM jobs pay more across the board, but women still only make 86 cents per dollar for the same job, compared to men with the same qualifications.

In order to have leaders in the future, we need more women to join STEM careers. But, in order to do that, we need to attract them to the programs and make sure they stay in. This has been accomplished at Harvey Mudd - gone from 12% women in CS to %40.

But, we're losing ground in leadership roles. Women are not getting promoted, women are losing seats in congress.

Seventy percent of the people in poverty are women. Women are still the property of their husbands. This type of thing just cannot go on.

Sandberg has 5 pieces of advice for staying ina career in CS and in a career in
general.

1. Believe in yourself

The best talk she'd ever attended was "Feeling like a Fraud" (Imposter Syndrome, now). When she mentioned it to male colleagues, they didn't get why it would be interesting. Men, time and time again, overestimate their achievements - women undervalue. Men attribute success to themselves. Women, to working hard, help from others, and being lucky.

Raise your hand, even when you're not sure you can do it - because there's a man next to you that is raising his, and he's not necessarily anymore qualified then you are.

You need to sit at the table, or opportunities pass you by.

When Sandberg gave this talk at Facebook, she said she had time for two more questions as they were short on time. Later, a woman came by her office and said she learned something. Sandberg felt pretty awesome, so asked what it was. The employee said, "I learned to keep my hand up". Huh? Well, Sandberg said she'd only take 2 more questions - so after the second question was asked, all the women put their hands down. Because there wouldn't be anymore questions. But, that's not what actually happened - Sandberg continued to take more questions - from the men. Several more.

Sandberg noted that if she didn't notice this, as a woman while giving this talk, how could we possibly expect our peers, managers, leaders to notice us if we aren't raising our hands?

2. Dream big

We have an achievement gap - until we close this gap, we won't have more women in these top fields. As men get more successful, men and women like them more. As women get more successful, men and women like them less! Huh? So, we, as humans, want to be liked. so may not be as ambitious - may not seek those top positions. What if we had 50% of power positions filled by women? We couldn't possibly dislike 50% of our leaders. Sandberg believes that the solution to this problem is simply more women in computer science, more women at the top.

3. Make your partner a real partner

If you want to succeed - you have to have a real partner. You can't rise to the top and still be in charge of the majority of the house work and parenting. Sure, date the wrong guy in college, have fun - but marry someone that's going to be a partner. Just like with work achievements, most men overestimate how much time they spend on parenting as well!

4. Don't leave before you leave

Women leave jobs piece by piece. For example, if she is attending medical school, but knows she will be in charge of raising the children - she might pick a less interesting field. If she turns down an interesting job, because she's thinking of having children - she'll feel undervalued and regret missing that opportunity later.

"Lean forward. Always lean forward."

Tech jobs are the most flexible, so they tend to attract women who need the flexibility.

5. Start talking about this

I know what it's like being the only woman in the room. You don't want to rem
ind people about this. "I spent the majority of my career fitting in". Men are
jumping at the opportunities, women wait to feel comfortable with the idea of the new career.

Sandberg was advised against doing TED talks about being a woman in tech, told it would ruin her career if she dared to say that men and women were different. In fact, it didn't - it did lead to more women applying for jobs at Facebook.

Sandberg used to work 7AM-7PM, but that's just not possible with children. Sandberg is always home for dinner at 6PM - yes, she's checking email later at night than she used to, but she is doing it.

We need to talk about it - if we don't, things won't change.

"I'm older than most of you in the audience, by decades. I want to tell you something - my generation is not going to change this. You are the promise for equality, and equality is what matters."

What if men were half of the stay-at-home parents? What if we had more women CEOs?

"What would you do if you weren't afraid?"

What an amazing talk - so inspiring!

This post syndicated from Thoughts on security, beer, theater and biking!

GHC: Workshop: Building Your Brand as a Technical Expert or Leader

2011-11-09T17:30:00.000-08:00

I love Jo Miller. She has an excellent grasp of personal brand. And not that cheesy brand thing you hear every one else talking about, but what do you want to be known for - what do people come to you for. Being well branded helps you to make connections and help others make connections.

Jo gave us a goal to come up with what we want our career niche to be, create a personal brand statement and figure out how make our brand visible. And this has to be something we can really use.

How does one figure out ones ideal career niche? Well, first, I should stop writing like I'm the Queen (as she's already got her niche figured out for her :-). Really, what are you passionate about, what are your skills and talents, and what does your company need/value? If you can find a place where those things intersect, you may have just found your niche!

When you know your sweet spot, it's easier to choose assignments, mentors and sponsors.

For me, I've been in my field for more than a decade. Back in the late 1990s, early 2000s, I was the firewall expert. I knew all there was to know about the complicated protocols, ins and outs of PASV FTP (passive file transfer protocol, used by browsers), and I rearchitected the SunScreen firewall NAT (Network Address Translation) component. I was nicknamed the Goddess of NAT.

But, as the years have gone on, I've become much more general - focusing on more connecting technologies, like the Oracle Solaris Cryptographic Framework. I'm not a cryptographer, but I know the basics and I know the standards. I'm a great public speaker, all the acting I've done really helps with that. I'm great at making connections and helping people to solve their problems, even if I can't solve it myself. I write good code and debug problems. I design software. I am an expert in defect tracking. Certainly those are useful skills? How do I make that a brand?

It may not be as bad as I think, as when I asked a fellow conference attendee what my brand was, she said: "security, beer and bicycling". Well, that does sum up my passions!

Jo Miller also talks about what happens if you've somehow ended up a negative brand? One example was a woman who was branded as "high maintenance". The woman was a QA manager and thought she taking care of problems. She needed to change from being the complainer, to the partner in helping people to solve their issues. Something definitely to think about. (side thought of my own: do men have to worry about this?)

Another place you can get caught is as an entry-level or mid-level type person, which makes it hard to get promoted.

While you're still in school, it's easier to create a brand - work hard and get good grades, and you're branded as a good student. But how does that work in the real world? How do you take results and get to reward and recognition? You've got to add visibility!

How can you do this? Jo Miller's first step, strangely, is work less! Huh? Well, if you're always working and never telling people about what you're doing, nobody will notice. This doesn't mean spend 95% of your time evangelizing yourself - you have to have something to evangelize after all. Just spend 5% of your time doing this.

She asks us to write a "30 second commercial" for ourselves. Mine would be, "I'm Valerie Bubb Fenwick, Principle Software Engineer in Oracle Solaris. I'm known for security, beer and ...." oh, wait. Gotta tweak that. "I"m known for security and as the bug queen. Come to me when you need help learning about security, defect tracking, or finding the right person to help you in the Oracle Solaris organization." "and, we can talk over a beer" :-)

So, that just gets us through the first two steps. Once we pull this all together, we need to have a career-planning conversation with our leaders. Yes, that includes your manager, but others in your organization. Show them your value in the thing you're interested in. And, once you do that - you need to ask for help. Just something as simple as, "Is there anyone else you think I should talk to about this?"

The fourth step sounds so simple: work hard, but on the right projects. How do you know what the right projects are? Something that aligns with your brand or where you'd like your brand to go. And deliver. If you don't deliver valuable results, no matter what else you do, you aren't going to get anywhere.

When picking the project, look for specific roles (as opposed to general), push the cutting edge in your field of expertise, executive special projects, projects that directly support your organizations strategic plan, exposes you to a new department and demonstrates higher level of technical, business or leadership skills.

Now, on to speed network!

This post syndicated from Thoughts on security, beer, theater and biking!

GHC: PhD Forum 1: Hardware and Security

2011-11-09T10:45:00.000-08:00

Intelligent Cache Management for Reducing Memory System Waste

Presenter: Samira M. Khan (University of Texas at San Antonio)

Caches are just not efficient, if there's a cache miss hundreds of extra cycles of delay are added. Processor performance is doubling every 18months, but memory performance is only doubling every 10 years! It just can't really keep up.

Most of microprocessor die are is cache, but they aren't efficient. Using the cache efficiently is important to improve performance and reduce power. The problem is dead blocks - not even getting used. Up to 86% of blocks in the cache are dead at any one time.

This is caused by the most recently used cache management policy, so many blocks just simply go unused. Khan's research was based around predicting which blocks were going to be dead and take advantage of them and changing the replacement policy, reducing power requirements of the system.

Usable Security and Privacy Policy Management

Presenter: Maritza L. Johnson (Columbia University)

Johnson's research is around access control and policy management. She started out with some real world examples, like how all of us are wearing Grace Hopper Conference badges, which grants us access this session.

Johnson's next slide was the Confidentiality, Integrity and Availability triangle, while she discussed the balance while talking about read write access to files, an every day problem in shared environments. To properly approach this, there needs to be a constant cycle of evaluation, analysis, and design. You can't just come up with a design and be unwilling to modify it, as needs and usage may change.

As users of Facebook, we're all access control managers, as well. Johnson and her colleagues did their research around facebook, as it's so open and available for studying.

A question the research sought to solve was Are users' Facebook privacy settings correct. This is hard to totally know what someone else's intent was, as each person has a different level of information they feel comfortable sharing.

The app they developed an application to look for potential violations between what the user intended and what they got. For example, if someone shared publicly "I'm at work. I'm just laying on these chairs until my boss..." ... should that really be public?

The research involved participants using an app that they told what type of information they wanted to share, and then it studied what happened over a period of time, and showed what it believed were violations of the policy to the users. Many of these were confirmed to be violations, yet, users still didn't want to change their privacy settings.

The ideal setting for most user is actually to just share with friends only.

Detecting Stealthy Malware Using Behavioral Features in Network Traffic

Presenter: Ting-Fang Yen (Carnegie Mellon University)

Yen started out with a great background in what a Botnet is: infected hosts with a subtle command & control system that are doing malicious activities. One single botnet has 3.6 million hosts - combined, they have more computing power than the top 500 supercomputers combined.

A botnet may have a centralized control, where all infected hosts get their commands from a central control computer, but many have peer-to-peer control.

Previous work in this area looked for a signature of a botnet to identify new infections. Similar work is done by mapping behaviour of a botnet.

Botnets are becoming more sophisticated, but our current techniques are just not keeping up.

Yen's research was around finding previously unknown bots. One way of doing this is using the research that shows that most hosts use a consistent amount of network traffic on a daily basis - if that traffic suddenly rises, or happens during odd hours, the host may be infected. Bots also use consistent payloads - so look for a lot of similar communication.

Peer-to-peer botnets tend to blend in, traffic wise, with other, normal peer-to-peer traffic. Research noticed, though, that timing of botnets packets are too regular - not being driven by a human.

This post syndicated from Thoughts on security, beer, theater and biking!

GHC: Excited about presenting!

2011-11-07T12:56:00.000-08:00

I'm getting really excited about the Grace Hopper Celebration of Women in Computing - I fly to Portland tomorrow. I've got my schedule put together [1], and the slides for our presentation posted on the GHC Wiki.

I'm thrilled to be presenting with Radia Perlman (Intel), Terri Oda (University New Mexico), and Lindsey Wegrzyn (Adobe) - such an esteemed group of women. We're presenting on modern day security attacks and how to protect your privacy online. This isn't going to be a highly theoretical talk, but helping technically savvy people understand the sometimes tricky environment we all work in every day.

We're presenting on Thursday, November 10th 11:30AM-12:30PM Convention Center – B113-115. Come and check us out!

What talks are you most interested in seeing?

[1] Unlike most conferences where you have a choice between an invited speaker track and refereed papers - the Grace Hopper Celebration of Women In Computing has EIGHT simultaneous tracks. If you haven't spent time at least narrowing down which track you want to attend for each session, you won't really have time to figure it out on the fly and will likely end up in a track that isn't as interesting to you as some of the others. Btw, you can switch to different tracks throughout the day.

Wow, Ten Platelet Donations This Year!

2011-11-03T16:25:00.000-07:00

And it's only just November! I got an email this morning from the StanfordBlood Center telling me that last night's platelets donation was my tenth of the year. I still have 4 or 5 more appointments scheduled, so as long as I can stay away from sick people, hopefully I can get to 15 by the end of the year!

Why do I give platelets? First of all, I can give more often - once every 72 hours (though a maximum of 24 times a year). Platelets are also the most precious component of the blood - when they take platelets from you at the center, they use an apheresis machine that puts the red blood cells back in your body. The platelets are needed for premature babies and cancer patients, among other critical need patients. I've had enough friends and relatives that were very sick and needed platelets, so I want to make sure the blood bank always has plenty on hand.

Unfortunately, platelets don't have as long of a shelf life as regular blood - so, it's a good think I can give more often!

I'm going again in a couple of weeks (November 14th at 5:30PM in Mountain View) - who wants to come with me? If you've never donated platelets before, you'll have to donate whole blood and get tested to see if you have enough spare platelets in your blood stream that you donate.

This post syndicated from Thoughts on security, beer, theater and biking!

Using Twitter and LinkedIn at Conferences

2011-11-02T16:39:00.000-07:00

For those of you that don't also follow the Grace Hopper Bloggers blog, I wrote two posts there recently on getting the most out of LinkedIn and Twitter for conferences.

As I've been managing the Anita Borg Institute for Women in Technology group and the Grace Hopper subgroup for more than a year, each with thousands of members, I've come to learn a thing or two about what makes a good profile and what makes you look like a spam troll. If you're interested, wander on over to GHCBloggers and check them out.

And what makes me an expert on Twitter? Um... 7500+ tweets?

Did I miss anything?

Oracle Solaris 10 Encryption Kit has moved

2011-10-31T13:03:00.000-07:00

The Oracle Solaris 10 Encryption Kit has moved from the Sun Download Center to the Oracle Technical Network. This package is only for older Solaris 10 systems, prior to release Solaris 10 09/07 (aka Update 4). All newer versions of Oracle Solaris have the larger key sizes installed on the system by default.

This post syndicated from Thoughts on security, beer, theater and biking!

Levi's Gran Fondo Wrap Up

2011-10-30T15:35:00.000-07:00

Mark and our friends were fortunate enough to have spots in the Levi Leipheimer Gran Fondo earlier this month.

For you non-cyclists out there, that means they got a spot in the 100 mile, very hilly, bicycle route. Due to my injury last year, I didn't sign up. So, I could sit at the festival all day while I waited for Mark and the gang... or be useful. This year, I chose to be useful.

I volunteered at the Ocean Song water station, where we provided water, electrolytes, and toilets to very tired riders who were 80 miles into their ride and had just completed a nasty climb. (except those on the Medi-fondo route, who were 43 miles in... but had also just completed that same nasty climb!)

This woman just amazed me - she had pedaled up that hill on a cruiser, complete in her custom made cycling outfit - with the Fondo embroidered on it!

Best of all, I got to meet Levi himself (again). He is just the nicest guy you'll ever meet, always willing to pose for a picture.

Mark and Rod made it to the rest stop eventually:

And, finally, we ran into Levi again at the festival. Super nice guy that he is, he posed for another picture, this time with Mark.

Are you Going to Grace Hopper?

2011-10-28T14:13:00.001-07:00

The Grace Hopper Celebration of Women in Computing is less than two weeks away!
Do you have a blog? Are you planning on taking notes of the sessions you attend on your laptop? Please consider sharing your blog entries and notes on the Grace Hopper wiki. For more details, please see Charna's latest post, and sign up for the sessions you're planning to attend.

The Grace Hopper Celebration of Women in Computing is less than two weeks away! Are you ready? I'm not, but I'm getting there.

Oracle Open World is Next Week!

2011-09-26T16:24:00.000-07:00

I can't believe another year has passed - Oracle Open World is just next week. What makes this extra exciting? Attendees will get their first official peek at the final Oracle Solaris 11 release. Both Larry Ellison (Sunday) and John Fowler (Tuesday) will be talking about it, as well as 15 sessions and meet the experts Monday through Friday.

Are you planning to attend?

Grace Hopper Conference is just around the corner!

2011-09-23T14:41:00.000-07:00

I can't believe the Grace Hopper Celebration of Women in Computing is coming up in November! So soon! Oracle is a silver sponsor of the conference this year, and there are several women from Oracle that are presenting!

Again this year, I'm on the Communities Committee, but this year I'm co-chair! We make sure that major sessions are both blogged and have notes taken, encourage people to tweet, blog, and share on facebook.

I'll also be presenting "Security Attacks, Countermeasures and Protecting Yourself Online!" with Teri Oda, Radia Perlman, Satwant Kaur, and Lindsey Wegrzyn. We've only got a half and hour, so it'll be hard to pack it all in, but I know we'll manage. Better start working on our slides... :-)

Are you coming to the conference? Willing to blog or take notes?

This post syndicated from Thoughts on security, beer, theater and biking!

Palo Alto Players: Nunsense with a Twist!

2011-09-20T20:45:00.001-07:00

This weekend, we went to go see Palo Alto Players' production of Nunsense with a Twist. There are quite a few versions of Nunsense out there, but this was the first one I've seen. The twist, in this case, was that Mother Superior (Sister Mary Regina) was played by Chris Blake... and Chris is not short for Christina. :-)

The basic premise is the nuns are short on cash for a very important project and they are doing a fund raiser, which explains why they are all on stage and singing. Hilarity, of course, ensues, as the show goes on and things just keep going wrong.

What I loved most about this production is that there was no mention or issue made of the fact that Mother Superior was being played by a man... Mr. Blake wore the same shoes as the rest of the ladies and the same habit. They didn't tart him up nor did Mr. Blake act like a man in drag. He was, quite simply, just Mother Superior.

Okay, not "just" - Mr. Blake brought wonderful physical comedy to the show, peppered in his priceless expressions throughout, and even sang wonderfully.

All five cast members were a joy to watch and brought something unique to the production, particularly Charlotte Jacobs as Sister Robert Anne, who really shined in "Growing up Catholic" and "I Just Want to Be a Star".

The show also featured great performances from Juanita Harris (Sister Mary Hubert), Jennifer Martinelli (Sister Mary Amnesia) and Jennifer Gregoire (Sister Mary Leo, the ballerina nun).

Of course, these actors did not direct themselves, nor choreograph their own dances! The wonderful staging and delightful dance numbers deserve kudos as well! Mark Drumm directed and Alexandria Kaprielian choreographed.

I loved that the band was behind the performers, as this theater, like so many poorly designed theaters in the bay area, has no pit for the orchestra. Even behind them, none of the cast struggled with tempo or cut-offs. Definitely a well-oiled machine, kudos to band director Matthew Mattei.

Excellent lighting, of course, as Ed Hunter was behind lighting design, as he is for many shows that I've seen, performed in, or merely heard great things about. (When Mr. Hunter is not lighting a show, he may be playing cello in the orchestra. Definitely a love of theater!)

My only complaint would be about the slow start to the show, which had some awkward audience interaction at the top. I believe they were delaying due to late comers for the show, as parking was particularly difficult that night. Once the show actually started, with Sister Robert Anne welcoming us all to the theater, it was a delight.

One other small nit: On the back page of the program, along with the donation envelopes, there was a bizarre lack of apostrophes. For example, they have a "Producers Circle" level of donors. Instead of either "Producer's Circle" or "Producers' Circle" (depending on how many producers own the circle). Hopefully they'll get that cleaned up for the next production. Maybe I've just been reading Cake Wrecks for too long ;-)

This post is syndicated from Thoughts on security, beer, theater and biking!

Mary Ann Davidson on Security Auditors

2011-09-08T13:27:00.000-07:00

Mary Ann Davidson, Chief Security Officer at Oracle, has just published an outstanding article, Those Who Can't Do, Audit, on companies that are now offering static code analysis as a service and why Oracle won't be turning over any of our code to them. Here at Oracle, security is a core part of every product.

While I do work in the Oracle Solaris Security team, we work on software that are typically seen as performing a security based services. For example, I work on the Oracle Solaris Cryptographic Framework - we provide hardware optimized cryptographic algorithms to applications and the rest of the operating system. A pretty standard security function. But, secure coding standards, in-house static analysis, and security considerations need to be a part of the development of the entire operating system.

I think Ms. Davidson said it best: "Oracle cannot – does not – outsource security."

This post is syndicated from Thoughts on security, beer, theater and biking!

Bugs in my oatmeal

2011-09-07T11:19:00.000-07:00

I made a bowl of oatmeal this morning, threw some fresh black berries on it, and was about to pour milk on top, which I noticed some movement out of the corner of my eye in the clear plastic container we keep the oatmeal in... at first, I thought it was an ant, and wasn't too creeped out. Then I noticed more. I remember getting these things in our flour when I was a kid, though our flour wasn't in an airtight container. All the same, I couldn't eat the oatmeal I had just made (though I did salvage the black berries).

I'm going to pretend that the bugs (and larvae) weren't in there yesterday when I did eat that oatmeal.

Guess we get to clean out our pantry tonight! Ah, so nice to be back from vacation.... ICK!

This post is syndicated from Thoughts on security, beer, theater and biking!

USENIX: Applied Cryptography, Refereed Papers

2011-08-12T17:30:00.000-07:00

Differential Privacy Under Fire
Andreas Haeberlen, Benjamin C. Pierce, and Arjun Narayan, University of Pennsylvania.

There is a lot of data out there that is very important that we try to protect. For example, Netflix knows what movies you watch. Users rate movies in Netflix so that Netflix can make recommendations, but they don't necessarily want to share that information with the rest of the world. Simply replacing people's real names with pseudonyms is not enough, because if people know enough about you, then they will still be able to identify you from the available data and learn even more about you.

Even with protections, people can take advantage of timing attacks where they know the data must be in there, just based on how long the system took to reply to the query.

So, how can we avoid leaking information via query completion time? Their suggestion is to make timing predictable - so regardless of how long the query takes, always return at a constant time. That may mean padding on a delay, or aborting part of the query and returning an error.

By aborting the query, that could actually change the result, but the researchers say that's okay, because the default values will be set to what was expected if the lookout had completed (in this case 1, for true).

Their proposed solution, Fuzz, will pad this time in there, which sounds like it will solve the timing attack, but may make your transactions unacceptably slow, in my opinion.

The audio and video of this presentation are now online.

Outsourcing the Decryption of ABE Ciphertexts
Matthew Green and Susan Hohenberger, Johns Hopkins University; Brent Waters, University of Texas at Austin. Presented by Matt Green.

The researchers have been working on protecting medical records. By using cryptographic control on the records, you can encrypt the record for all valid participants, but that is not very flexible - what if you add, or remove, relevant people?

Attribute-based encryption (ABE) is a little more general. For example, you can encrypt data that can be read by "Cardiologist at Johns Hopkins", so if your cardiologist changes, your new doctor can still access your medical record.

The main problem is that the more complex the policy, the larger the ciphertext grows as well as the decryption time. For example, doing a decrypt on a smartphone could take up to 30 seconds - too long for practical use, particularly if you were a doctor that had to do these decrypts all day long.

The naive approach is to leverage the cloud to assist with the decryption, but you really need to trust your cloud....just too many vectors for attack.

Their approach is to have *two* keys - a transform key (TK) and a secure key (SK). The transform key, which can be in the cloud, can't fully decrypt the ciphertext by itself. The cloud would then partially decrypt the data, and the SK on the phone would complete it.

The researchers found that by doing this transform, which allows external assist, the decrypt time on their iPhone went from 28 seconds to under 2 seconds.

This same research can be applied to smartcards, which are very slow little chips.

The audio and video of this presentation are now online.

Faster Secure Two-Party Computation Using Garbled Circuits
Yan Huang and David Evans, University of Virginia; Jonathan Katz, University of Maryland; Lior Malka, Intel. Presented by Yan Huang.

The researches are trying to implement a system for secure 2-party computation using garbled circuits that is much more scalable and significantly faster than prior work.

This is based on prior work by Andrew Yao from the 1980s. While the garbled circuits theory has been around for a long time, prior implementations have been too slow to be used in practice. The researchers used a Yao chaining garbled circuit, and added a method of parallel processing to speed up the processing time.

Their framework doesn't require people to have expert knowledge about cryptography, but users will need to know basic ideas of boolean circuits. You can learn more and try out their Android app at their website, mightbeevil.com.

The audio and video of this presentation are now online.

This article is syndicated from Thoughts on security, beer, theater and biking!

USENIX: Pico: No More Passwords!

2011-08-12T15:34:00.000-07:00

Frank Stajano, from the University of Cambridge, talked about the growing password problem Many years ago, when we all only had one or two passwords to remember, memorizing one or two simple 8 character passwords was very simple to do.

Nowadays, we like have 20-30 (or more?) accounts, all with different password policies, and we just can't memorize them all - and the things we're coming up with that we believe have high entropy, are actually very easily cracked - as illustrated by this recent xkcd.

The little shortcuts we take, like reusing our "good" passwords, means that once it is compromised on one site (through no fault of the user), the attacker has access to many more sites. This was demonstrated recently with the Sony password leaks.

Because we forget passwords, all websites have a method for recovering your password - which can be attacked.

Stajano says that passwords are both unusable and insecure, so why on earth are we still using them?

Perhaps we can start over? Let's get rid of passwords! That's where Pico comes in. The goals of Pico are:

no more passwords, passphrases or PINs
scalable to thousands of vendors
no less secure than passwords (trivial)
usability benefits
security benefits

He wants to make sure we stay away from trying to make the user remember things, so that eliminates things like remembering pictures, shapes, etc.

Other requirements for Pico are it must be scalable, secure, loss-resistant, theft-resistant, works-for-all, works from anywhere, no search, no typing, continuous.

Pico would have a camera, display, pairing button and main button, as well as radio to communicate. The device could look like a smart phone, a keyfob, watch, etc, but it is a dedicated device. It shouldn't be on multipurpose device, like an actual smart phone, as it would then be opened up to too many forms of attack.

The camera would use a visual code in order to know what it is trying to authenticate. The radio device would be used to communicate to the computer over an encrypted channel. The main button is used to authenticate, and the pairing button would be used for initialization of an authentication pairing. Obviously, this type of system would not just be an extension of existing systems, but would require hardware extensions.

Pico would initialize by scanning the application's visual code, get the full key via radio and check it against the visual code and stores it. Pico would respond, then, with an ephemeral public key, then challenges the application to prove ownership of the application's secret key. Once all of those challenges are passed, then Pico will come up with it's on keypair for that application and share a long term public key with the application. The application will store that and then would know your Pico the next time you try to connect to that application.

While you're connected to the application, your Pico would be continually talking to the application, via the radio interface.

Of course, simply having the Pico cannot be enough - otherwise someone could take your Pico and impersonate you. This is where the concept of "picosiblings" comes into play. Picosiblings would be things like a watch, belt, ring, cellphone, etc (things you often have with you), and the device would only work with those things nearby. [VAF: Personally, I'd hate to think I wouldn't be able to get money out of the ATM simply because I'd forgotten to wear my Java ring that day].

If you lose your Pico, you'd need to use some of your picosiblings to regenerate it - so don't lose all of your picosiblings as well! It seems that you want to have enough picosiblings, but not too many. I'm not sure how you determine that correct level :)

Pico access can't be tortured out of you, as it can't be unlocked by anything that you know (there's no PIN or password).

"Optimization is the process of taking something that works and replacing it with something that almost works, but costs less." - Roger Needham

With that in mind, Stajano notes that if he actually wants people to adopt this, he would likely need to think of a smart phone client.

There were a lot of interesting ideas in this talk, but the thought of carrying around yet another device is not appealing, and the burden of replacement and function (with all the picosiblings) makes this seem untenable to me - but, if it gets people thinking, then it's definitely a step in the right direction!

The audio and video of this presentation are now online.

This article is syndicated from Thoughts on security, beer, theater and biking!

USENIX: Dealing with Malware and Bots, Refereed Papers

2011-08-12T12:35:00.000-07:00

Detecting Malware Domains at the Upper DNS Hierarchy
Manos Antonakakis, Damballa Inc. and Georgia Institute of Technology; Roberto Perdisci, University of Georgia; Wenke Lee, Georgia Institute of Technology; Nikolaos Vasiloglou II, Damballa Inc.; David Dagon, Georgia Institute of Technology. Presented by Manos ANtonakakis.

The motivation is that IP-based blocking techniques cannot keep up with the number of IP addresses that the C&C domains use, as well as there is a time gap between the day the malware is released and the day the security community analyzes it. There is a new tool, Kopis, that can analyze large volumes of DNS messages at AuthNN or TLD [top level domain] servers that will detect malware-related domain names.

Kopis asks the question: who is looking up what and where is it pointing?

The research focused on "interesting domain names" - those that have the most lookup requester diversity and resolvers that are from networks that historically from networks that have been compromised in the past.

Their researchers also looked at the rise of IMDDOS.The first big infection happened in China, and it took between 15-20 days before the US and Europe were infected.

Kopis can be used to detect phishing campaigns by identifying malware-related domains, before a related hash for the attack is identified. You can protect your network before it's infected.

The audio and video of this presentation are now online.

BOTMAGNIFIER: Locating Spambots on the Internet
Gianluca Stringhini, University of California, Santa Barbara; Thorsten Holz, Ruhr-University Bochum; Brett Stone-Gross, Christopher Kruegel, and Giovanni Vigna, University of California, Santa Barbara. Presented by Gianluca Stringhini.

Spam is getting sneakier and sneakier, coming up with subjects and senders that seem relevant to you, which gets it through filters and gets you to open the mail. It's hard to track spambots, as IP addresses of infected machines change frequently and new members can be recruited quickly.

They've been able to find other members of a botnet by assuming that all members will behave in a similar fashion (ie frequency and targets). Additionally, they used a spam trap to populate seed pools (a set of IP addresses that participated in a specific spam campaign) and logs at a Spamhause mirror to find known spammers.

In order to get this right and avoid false positives, they need to have at least 1,000 IP addresses in their seed pool. They came up with a great equation for calculating the threshold for what is really spam, and attempted to label which spam was coming from which botnets.

When they ran their software between September 28, 2010 and February 5, 2011, they tracked 2,031,110 bot IP addresses! The hope is that this software can help to improve existing blacklists.

The audio and video of this presentation are now online.

JACKSTRAWS: Picking Command and Control Connections from Bot Traffic
Gregoire Jacob, University of California, Santa Barbara; Ralf Hund, Ruhr-University Bochum; Christopher Kruegel, University of California, Santa Barbara; Thorsten Holz, Ruhr-University Bochum. Presented by Gregoire Jacob.

Current detection techniques fall into a two categories: host-based techniques, network-based techniques. In order to automatically detect these, you need to be able to examine clean command and control (C&C) logs, but this can be hard as these are often encrypted.

Jackstraws uses a combination of network traces and host-based activity and applies machine learning to identify and generalize C&C related host activity. They achieve the latter by mining significant activities and identify similar activity types.

All of this data is input into jackstraws so it can generate a template for matching other botnets. With lots of interesting graphs, they can now identify C&C traffic from noise.

The audio and video of this presentation are now online.

This article syndicated from Thoughts on security, beer, theater and biking!

USENIX: The (Decentralized) SSL Observatory

2011-08-12T10:31:00.000-07:00

Peter Eckersley, Senior Staff Technologist for the Electronic Frontier Foundation, and Jesse Burns, Founding Partner, iSEC Partners, started with the well known crypto stipulation, which is your encryption is only as good as your trust anchor. Knowing that, they wanted to see how secure the X.509 certificates in the wild are, so they started scanning port 443 on IPv4 servers the world over, so they could collect certificates.

They have created an Observatory Browser Extension that collects certificate chain, destination domain, approximate time stamp, optional ASN and server IP that users can install into Firefox that can be used to help the researchers gather more information, and also help you to identify if you've got a bogus certificate in your browser.

Certificate Authorities have a hard job (verifying server identities) with strange incentives (they get paid for each certificate they issue). In 2009 there were three major vulnerabilities due to CA mistakes and in 2010, EFF discovered some evidence that governments were compelling CAs to put in back doors for them. On top of all that, there are a lot of certificate authorities out there. All of these things were daunting to the researchers as they started their project.

The technology this is all based on, X.509, was designed in the 1980s, before TLS/SSL or even HTTP! In their research, they discovered 10,320 kinds of X.509 certificates in the wild, of those, only about 1300 were *valid* (according to SSL).

They found 16.2 million IPs were listening on port 443, and 11 million responded to their SSL handshake.

Typical browsers trust about 1500 CAs. Can that really be a good thing?

These CAs are located in about 52 different countries. They found many certificates that are valid but don't actually identify anyone in particular: localhost, exchange, Mail and private IP addresses [RFC 1918]. What's the point of having a CA verify your identity, if you aren't really providing an actual identity?

They tried to use their browsers to check certificate validity, but had a hard time using it, because Firefox and IE cache intermediate CAs. This means that some certificates are considered valid only sometime (depending on where you've been before with you browser). Clearly, that shouldn't be - a certificate should either be valid, or not.

Even when problems are found and the CA authorities are aware, revocation of problematic certificates is difficult or impossible to do, as many browsers and other software doesn't look at revocation data. They found nearly 2 million revocations, 4 in the future and 2 from the 1970s (before this technology existed).

They found a few subordinate CAs that claim to be from the country "ww" (which doesn't exist), with organization "global" and a bunch of other bogus information - that were irrevocable, and the CPS pointed to dead websites.

So, what can we do? Consensus measurement, more vigilant auditing, DNSSEC + DANE, or certificate pinning via HTTPS headers.

Consensus measurement is where you look for sites to all agree that a certificate is valid, but false warnings can happen when sites swap certificates for testing purposes or for other unknown reasons. Users are already "trained" to ignore warnings if they get too many false positives, so this approach would be problematic.

Certificate pinning relies on whoever used to be domain.com should stay domain.com, which works great if it is implemented correctly. The right way to do this, is to create a private CA just for this domain, and use it in parallel to PKIX. Using this correctly can protect you against compromise and malice, though users would still be vulnerable at first connection.

This article is syndicated from Thoughts on security, beer, theater and biking!

USENIX: Deport on Arrival: Adventures in Technology, Politics, and Power

2011-08-11T17:40:00.000-07:00

J. Alex Halderman, Assistant Professor, Computer Science and Engineering at the University of Michigan, started the talk out with a look back at his family history. Apparently his great-grandfather was an illegitimate of a noble and artist, and his grandmother was a spy. As a grad student, back in 2003, he was working on DRM technologies (at the time made to protect CDs - remember those?).

These early copy protections could be easily over-ridden with felt tip markers or by pressing the shift key while inserting a disk. Halderman wrote about this online, and was quickly threatened with lawsuits by the DCMA and the company that had created the DRM technology (their slogan was "Light years beyond encryption").

The next round of DRM technology would install software onto your computer to prevent you from copying CDs - in the form of a rootkit that munged with your registry. Not only was that software doing things that that weren't disclosed, but they also introduced privilege escalation bugs, and if you did uninstall the software, it would leave a remotely executable vulnerability on your desktop.

"Most people, I think, don't even know what a rootkit is, so why should they care about it?" - Thomas Hess, Sony.

Halderman, by publishing these issues, caused Sony to have to recall millions of CDs over the holiday season and brought government oversite into the industry. To the best of his knowledge, attempts at putting DRM software onto CDs has been dropped by the industry. [VAF: though I have seen these recently on CDs I've purchased, at least labeled that it had copy protection.]

Since then, Halderman has been focusing on voting machines, all the way back to the old machines with the big pull levers. In that time, most of the requirements around "robustness" had to do with machines working in hot or cold weather and not losing data if they were dropped.

After the 2000 election debacle, may electronic voting machines were rushed to market without adequate testing and without a third party security review. The code was put up online accidentally by Diebold, and people found many mistakes quite quickly. Diebold claimed the software was out of date and threatened to sue many of the people who had found issues.

In 2008, Halderman and two other researchers finally got their hands on an actual Diebold Accuvote machine, which he acquired from a man in Times Square wearing a trench coat in an alley.... really.

Realizing how litigious Diebold was, the researchers performed their experiments on the machine in a room (missing from the building blue prints) in the basement of their building.

They were able to discover a method to set the percentage of votes they wanted one candidate to get at the end of the voting period, all the while, the paper tape was printing the correct numbers for those voting.

Another method of attack could be done with just 30 seconds of access to the machine with a memory card that would overwrite the voting machine's memory.

Finally, they were able to come up with a voting machine virus that would self-propagate to every voting machine.

Despite these findings, these machines are still used state wide in at least Maryland.

Diebold argued that the box had security in the form of a lock, but the researchers found you could pick the lock with a lock pick set in 10-15 seconds, a little longer with a paper clip. But, why bother? All boxes had the same key, and that same key was also used on minibars and jukeboxes - readily available for purchase on the Internet.

Debra Bowen, Secretary of State in California, took this research to heart and began a full audit of all of California's voting machines and demand e-voting machine manufacturers to provide source code for analysis. The California review found that it wasn't just Diebold that had issues, but all manufacturers of electronic voting machines.

Halderman and other researchers were able to obtain voting machines for next to nothing at various government surplus sales. In one case, they thought, why bother doing this again? We know the box will be insecure. So, instead, the got the voting machine to boot Linux, start X and run a PacMan emulator.... :-)

As states can't seem to find enough bugs in physical electronic voting machines, places like Washington, D.C. wanted to try Internet voting last year. Luckily for Halderman and his grad students, D.C. put the system online a few weeks in advance of voting to allow people to attempt to attack the system.

The students discovered the router passwords were "cisco123" and that there was a publicly accessible webcam in the server rooms. By watching the server rooms for a few days, they knew the schedule of the admin (shown in the talk picking his nose) and when security went home. So, they could launch their attack after 5PM.

They were able to put in false ballots *and* get the system to send them copies of other people's votes. The ballots were encrypted on the server, but the temporary copy of the ballots were not...

Halderman and his researchers did not let D.C. folks know that they were in active attack mode, but wanted to see how long it would take them to notice. They modified the "Thank You for Voting" page to play Michigan's fight song after every vote. It took two days for them to discover this, only because another tester complained to the authorities that he didn't like the new music they'd put on the page - it was annoying.

That still may not have been enough to stop them from deploying. It was also discovered that one of their internal testers wanted to make sure the system wouldn't crash if someone uploaded a very large PDF file, so he uploaded the biggest file he could find... which happened to be the real voter credentials for the election. So, the e-voting was called off... for last year. Wonder what 2011 will hold?

Halderman broke from election talk to tell us about his recent adventures in airports, including filming TSA agents (who don't like to be filmed patting people down, because they feel their privacy is being violated) and wandering around parts of airports that were meant to be secured, but weren't (doors unlocked and security guards were asleep).

Halderman and another researcher went to India to study their electronic voting machines, which previously had not been evaluated by independent researchers. They were able to get their hands on some actual voting systems, and did find that the software was hardcoded into the hardware during manufacturing. So, they attacked the LED display that shows you how many votes each candidate got by making a lookalike board that had chips hidden under the LEDs and a blue tooth transmitter, so you could remotely stack the votes.

The person in India, Hari, who had helped them get access to the voting machine was taken into custody by police a short time later. Fortunately, all ended well for Hari, but it must have been a terrible time while he was in custody. This, of course, led to Halderman being denied future access to India, which he discovered the next time he traveled there.

This was a very entertaining talk, done mostly with pictures, yet it was still very easy to follow. A delight! Once this talk is posted online, definitely check it out!

The audio and video of this presentation are now online.

This article is syndicated from Thoughts on security, beer, theater and biking!

USENIX: Privacy in the Age of Augmented Reality

2011-08-11T12:30:00.000-07:00

Presented by Alessandro Acquisti, Associate Professor of Information Technology and Public Policy at Heinz College, Carnegie Mellon University.

Acquisti asks what are the trade-offs associated with protecting and sharing personal information? How, rationally, do we calculate the risk and benefits?

You can look at it from a economics point of view. Acquisti starts with an example from a paper called Guns, Privacy and Crime, analyzing where the state of Tennessee released the names and zip codes of all people that had handgun carry permits. The NRA was outraged, as well as privacy experts, saying this information would make these people at more risk for crime - newspapers believed it would be the opposite. Acquisti and his colleagues studied this and found a direct relation between crime in those areas - that is, crime went *up* in areas with low gun ownership. Obviously, the criminals knew the risk was lower to themselves in those neighborhoods. I'm sure that's not what the state of Tennessee was going for.

The conundrum here, of course, is that different people value their privacy at different levels. He asks us to consider: "Willingness to accept (WTA) money to give away information" vs. "Willingness to pay (WTP) money to protect information." In theory, they should be the same, but in practice, they believed people have a higher WTP.

Acquisti and his colleagues did an experiment at a local shopping mall where they rewarded survey participants gift cards as a reward. One group received a $10 gift card that would not be traced, and the other group was given $12 card that would have the transactions tracked and linked to your name, and they were given the option to swap.

So, while they're both actually being given the same choice, it was psychologically framed differently when presented. People who were originally given the $12 card very rarely wanted to give up the $12 to get their privacy back, while those that started with the $10 card wanted to keep it. If you have less privacy, you value privacy less. McNeally's famous quote, "You have zero privacy anyway. Get over it," came up.

Another area they were curious about was is the Internet really the end of forgetting? That is, memories fade, but Facebook doesn't. I've said this over & over again to teenagers, "The Internet is forever." What the researchers wanted to see was that if people would discount the information if it was old. Their hypothesis was that bad information would be discounted more slowly than good information. For example, if you last received an award 10 years ago, people may say, "Yeah, but what have they done lately," compared to being caught drunk driving, for which you may not ever be forgiven.

Their researchers did three experiments: the dictator game (with real money), the company experiment (judging a real company, but no real money involved), and the wallet experiment (where subjects read about someone doing something either good or bad with a wallet and then judge him).

In the wallet experiment, even though all of this information is fresh on the mind of the subjects, they found that if they said Mr. A did something positive with a found wallet 5 years ago (returning cash found), does not impact people's feelings about Mr. A, whereas if he had done it recently, they would have a more positive view of him. But, if he did something negative (like keeping the cash), it didn't matter if it happened last year or 5 years ago - people did not like this Mr. A.

The lesson learned here is that be careful about letting negative information about yourself from getting on the Internet, as people will not forgive your past indiscretions. The speaker gave specific examples of the Facebook meme where young women post pictures of themselves when they are out of control drunk and passed out or worse. Even as they grow up and mature, they will not be forgiven for those past indiscretions.

And, with computer facial tagging getting better and better, even untagging yourself won't prevent you from being recognized.

The researchers studied public Facebook profile pictures along with their IDs and compared them to publicly known pictures of those people to see if people are using their real picture - they were able to discover that about 85% of them were accurate images. This could be further leveraged to see if people are using their own real picture on dating sites :)

What this means, is that even if you change your name, you still won't be able to escape your face (well, not without significant cost and potentially negative consequences).

The better and faster that facial recognition software gets, the less privacy we will have in public. Someone you just met could look you up by your face and learn all sorts of information about you. Scary!

The audio and video of this presentation are now online.

This article is syndicated from Thoughts on security, beer, theater and biking!

USENIX: Securing Search, Refereed Papers

2011-08-11T12:23:00.000-07:00

Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade

Nektarios Leontiadis, Carnegie Mellon University; Tyler Moore, Harvard University; Nicolas Christin, Carnegie Mellon University. Presented by Nektarios Leontiadis.

The researchers chose to focus on illegal sales of prescription drugs, as it's the most dangerous form of online crime - if someone takes the wrong dosage of a drug, or gets a counterfeit drug, they can die.

This type of spam takes advantage of trust that people have in someone's blog or other social network by exploiting search results. The search results in a browser shows what looks like valid links, but will redirect you to an online pharmacy - they call these infected links.

The researchers collected a lot of search results where they queried for various drug related topics (from "cialis with now prescription" to "ambien overdose"), and they got many infected servers (like umass.edu) and legitimate servers (online pharmacies).

These infected sites and illegitimate comments to blogs are crowding out legitimate online health resources. .Edu domains and high ranking sites are particularly at risk, and the infection seems to last longer on .Edu sites.

The problem is that they are actually getting a very high conversion rate (ie number of click-throughs where people actually make purchases).

The researchers see three possible solutions: getting the prominent infected sites fixed, which would not be too hard, as there are only a handful there, fixing the search engines to recognize these attacks, and trying to stop illegitimate redirection.

The audio and video of this presentation are now online.

deSEO: Combating Search-Result Poisoning

John P. John, University of Washington; Fang Yu and Yinglian Xie, MSR Silicon Valley; Arvind Krishnamurthy, University of Washington; Martín Abadi, MSR Silicon Valley. Presented by John P. John.

John showed us the malware pipeline: find vulnerable servers-> compromise webservers and host malicious content - > spread malicious links via email, IM, search results -> bad stuff happens.

Their research focused on on the spread on the malicious links. Nearly 40% of popular searches contain at least one malicious link in top results. Instead of getting the content you want, you get "scareware" that tells you that your PC is infected and you need to install software to fix it. As if that's not bad enough, give it a few weeks or months, and it will ask you to pay $50 in order to keep protecting your PC, even though it is actually malware.

Sites running osCmmerce are particularly at risk, due to it being a popular piece of shopping cart software with many well known unpatched vulnerabilities.

The script is obfuscated, but what it basically does is generates a page for a keyword, gets text from Google and images from Bing, and now it's got something that will look legitimate and get you to click through. They get their keywords based on top trending keywords from Bing and Google.

The malicious sites can sufficiently cloak their behaviour using redirects and javascript, so they can hide themselves from automatic detection by search engines.

Their tool looks for sites that suddenly have a new type of content or large quantities of new content, clustering similar domains, and comparing the new pages on one site to another's.

The audio and video of this presentation are now online.

This article syndicated from Thoughts on security, beer, theater and biking!

USENIX: I'm From the Government and I'm Here to Help: Perspectives From a Privacy Tech Wonk

2011-08-11T10:30:00.000-07:00

Tara Whalen, IT Research Analyst from the Office from the Privacy Commissioner of Canada, was a last minute fill in.

Ronald Reagan: "The nine most terrifying words in the English language are 'I'm from the government and I'm here to help.'", and while Whalen is from the government, she hopes that we aren't terrified of her. :-)

As the US Government doesn't have an Office of Privacy, Whalen gave us an overview of her Canadian agency. The office was established in 1983 with the passing of the Canadian privacy act. Their mandate is to oversee compliance with the 1983 Privacy Act and the 2000 PIPEDA Act, which means they protect both corporate world and individual citizens. They help review new policies and guide parliament.

In addition to those more standard government functions, they also have a technology analysis branch, where they do investigations, audits, privacy impact assessments, and research. This division supports a lot of research, even including a game for Canadian children to teach them about privacy.

Whalen went into detail into a couple of case studies. The first one was their investigation of Facebook, where a group of law students had reviewed Facebook's policies as compared to Canada's PIPEDA and Privacy acts. Their result was a 24 point complaint to Whalen's office, which triggered an in depth investigation.

The investigation was very detailed and involved using things like packet sniffers to see what actually is happening with data on the wire. After a year, the Canadian government had an official complaint to give to Facebook requesting eight items to be corrected, six of which where relatively easy changes to the language on the site. For example, disambiguation between account deactivation and account deletion.

Some of the roadblocks that her team hit were Facebook redoing all of their privacy settings and adding many new features in December 2009 as well as all of the third party apps that hook into the system. New complaints have come in, so the investigation is still undergoing and Whalen could not comment further.

The next case study she presented was on the Google WiFi complaints, which was initiated by privacy investigator in Germany. Basically, while Google was driving around collecting pictures for their Street View service, they were also collecting information on WiFi networks. Google's initial response was that there was no data payload being collected, which made the privacy experts very happy ... until they found out that wasn't a true statement. Google had actually accidentally collected over 600 GB of payload data from around the world from unprotected WiFi networks.

Google of course apologized and quickly discontinued the practice.

Google did hand over the data collected in Canada (18G) to the government, who then was faced with a bit of a conundrum. Google had not looked at nor utilized the data, so the privacy group didn't want to go and deep dive into the potentially very personal information and expose things that at this point had still been private. They did a cursory examination where they did look at some of the personal information to verify that it was indeed collected, and presented aggregate information in their report. They did find whole emails, even though Google had stressed they had only picked up fragments of information - obviously, the data they collected depended on what a user was doing at the exact moment the Street View car drove past their house.

Google did take the complaints very seriously, added changes to training for engineering and then also appointed an internal privacy officer.

Another area the privacy office looks at is location privacy. The case shown here was about a German citizen who sued Deutsche Telecom in order to get his own data about his locations and then shared it with the world. Quite a shock about how much information his cell phone carrier had for him!

Then there was the recent case where Apple was collecting location information from iPhones and 3G iPads, even if the location services were disabled on the device. This information wasn't just stored on the device, but also transferred to any computer you would sync with and transmitted to Apple. This was well discussed in the media, particularly due to how visually interesting the maps were.

It wasn't just Apple. Android and Microsoft did this as well, though to varying degrees.

In Canada, there is a lot of legislation being proposed to help protect privacy and better define when data can be held and accessed by law enforcement.

It is good to know that, at least in Canada, there is someone in the government that cares deeply about protecting citizen privacy.

The audio and video of this presentation are now online.

This article is syndicated from Thoughts on security, beer, theater and biking!

USENIX: Forensic Analysis, Refereed Papers

2011-08-10T15:43:00.000-07:00

Forensic Triage for Mobile Phones with DECODE

Written by Robert J Walls, Erik Learned-Miller and Brian Neil Levine, University of Massachusetts Amherst, presented by Robert Walls.

Forensic triage attempts to acquire evidence quickly, accurately from a crime scene. DECODE works on mobile phones and can extract information from the raw data on the phone, without specific knowledge of the phone's file system or operating system.

Phones are the focus of this research as they are everywhere and essentially record our lives, and likely contain evidence. Even without direct evidence, they can be used to find motivation and establish a time line.

Directly browsing the phone only gets law enforcement the information that hasn't been deleted, and could possibly modify the data while the phone is being inspected. Many commercial tools currently available are very expensive and focused on the most common phones.

DECODE will look at the raw storage (bytes of data with unknown format), which helps retrieve "deleted" data, meta-data and time-stamps. It does this using block hash filtering and inference.

Inference relies on most phones having data listed together, like name, time, and phone number.

This work can be applied to phones that have not been previously seen - making it much more extensible in this ever changing market.

The audio and video of this presentation are now online.

mCarve: Carving Attribute Dump Sets

Written by Ton van Deursen, Sjouke Mauw, and Sasa Radomirovic, University of Luxembourg. Presented by Sjouke Mauw.

These researchers used beer, card readers and time to look at hacking their public transport cards. Unfortunately, were not able to use existing forensic carving tools, so had more work to do. The researches knew when the cards were purchased, how much money was left on them, and when they were last used - as they were their own cards. This gave them some "known text" to search for, ie attributes of the card.

Just knowing that "plain text" was not enough, in some cases the plain text was too simple and would appear multiple times on the card, for example, knowing that the card had been used 4 times. But, using that data, with others, they were able to narrow down the different components of the card.
The audio and video of this presentation are now online.

ShellOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks

Written by Kevin Z. Snow, Srinivas Krishnan, and Fabian Monrose, Universyt of North Carolina at Chapel Hill; Niels Provos, Google.

Exploit kits are making it easier and easier to deploy attacks. The speaker started out with a real world example of an email that looked very much like the standard email you get from a Xerox copy-scanner, except that the attachment contained shell code that could be used to attack the system.

One way of detecting this with dynamic code analysis by partly executing the code in a sand box environment, to detect malicious code. Emulation based approaches are slow and can be easily detected by the malicious code.

This is where ShellOS comes into play. Execution runs uninterrupted, at native speed. If any fault occurs, it is trapped and skipped. It does this in real-time, which makes it more stealthy.

Their next experiments were around how effective they were in practice at detecting shellcode. At 100Mb line, they could process packets in real-time and not risk any dropped packets, running on one CPU.

Their most important test came for trying to detect PDF code injection attacks. This is where Niels Provos came into play, handing over documents that had been flagged by Google's Large-Scale Web Malware Detection System and compared it to past USENIX Security conference PDFs (the assumption being that those would be exploit free).

While examining these documents, they found almost all of them were attempting to get a shell, which is what ShellOS was created to detect. They were able to detect the code in the malicious documents, and didn't get any false positives in the presumed innocent set from USENIX.

This seems like a very cool project and I'd be very interested to see where this ends up going.
The audio and video of this presentation are now online.

This post is syndicated from Thoughts on security, beer, theater and biking!

USENIX: Analysis of Deployed Systems

2011-08-10T14:01:00.000-07:00

Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System

The paper was written by Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu and Matt Blaze, presented by Matt Blaze.

APCO Project 25 (P25) is a standard for digital two-way radio used by law enforcement in the US and worldwide. They work over a narrow band radio channel at 9600 baudes, where the sender makes all decisions, everything is multi-cast and has no concept of "ACK".

The standard does allow for optional security, like encryption (AES, DES, etc) that are configured in a manual process - though they can be rekeyed live (while in use). What is interesting about these security options is that they are not explicitly defined in the standard, which leaves it up to vendors to come up with ways configure things like encryption. So far, the paper authors haven't found any of the devices that use authentication.

Looking at attacks, you can use something similar to "ping" to actually create a map of where all of the P25s in the area are - basically, giving away locations of security personal, which can help attackers find weak spots.

There are also very easy ways to jam these devices using consumer devices, like "GirlTech IMME" (an "instant messenger" toy), which could be purchased for $15. Jammers can even be configured to jam selective traffic, like block all encrypted traffic - a good way to get users to think something is wrong with their crypto mode so they'll disable it.

While you can rekey on the fly, it does require everyone already having a key to begin with. The P25s rely on centralized keying, so if just one radio comes in that does not have the key, then everyone needs to talk in the clear. So, why bother with cryptanalysis, when you can just look for clear text [USENIX Security '95]?

The researchers recommend that the encrypted switch be disabled all together and just encrypt an entire channel, and decrease frequency of rekeying, which is actually leading to security problems and getting people to talk in the clear.

The audio and video of this presentation are now online.

Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space

The paper was written by Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber and Edgar Weippl from SBA Research.

There are many places where you can now store data in the "cloud", some using simple models like FTP or more complex, like delta detection. Most sites are now trying to use deduplication, which will help save on storage space.

Looking at Dropbox, which uses Amazon Simple Storage System (S3), dedup (SHA-256) and AES for encryption. The researchers' first attack takes advantage of the hash manipulation, where they could use unauthorized file access by just having the hash value - undetectable by victim or Dropbox.

The second attack they analyzed was the "stolen host ID attack", where Dropbox uses host ID to link particular host with an account - so, once someone else takes your credentials, they can impersonate you. This attack can be easily detected, and Dropbox is now preventing this.

If you know someone else's host ID, you can store your data in their Dropbox - won't count against your storage quota, and as long as you have the address, you can continue to retrieve your data.

The audio and video of this presentation are now online.

Comprehensive Experimental Analyses of Automotive Attack Surfaces

Written by Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner and Tadayoshi Kohno.

Cars are no longer a mere mechanical device, they are controlled by tons of computer controls (ECUs) running millions of lines of code. In general, this makes the car safer, but is a problem if an attacker is able to take control of the car.

Many of these ECUs can even be reprogrammed while the car is being driven! All it would take is for one of these devices to be infected for it to spread to the rest of the vehicle. These types of controlls could allow an attacker to do things like disable breaks, disable lights or even disable the engine!

The researchers said there were three major types of systems to attack. First, indirect physical attacks work over a physical interface, though no direct access to the physical device. Short-range wireless attacks can impact things like tire pressure sensors, remote keyless entry, wifi access points and vehicle-to-vehicle communications. Third type of attack was long-range wireless attacks, taking advantage of things like HD radio or systems that are used for roadside assistance.

Every vector of attack the team worked on led to some type of system shut down.

In the indirect physical attack, the team looked at the media player that uses ISO-9660, which is apparently pretty common. They were able to come up with a WMA file that would play fine on a computer, but would reprogram a car's radio.

Their short-range wireless attack used bluetooth to take advantage of a strcpy() bug, which was completely undetectable by the user. They were also able to take advantage of a buffer overflow in the telematics unit in the car - basically, you can call a car and fill it with malicious code.

In fact, they could take their malicious "song" from before on an MP3 player with the speaker going to a phone that has called the unique cell code for the car, and the attack code was loaded by the car.

Actually managed to install an IRC client onto the telematics unit, and could use that client to get a shell on the telematics unit, getting the car to send broadcast packets to attack other cars.

You can easily use this technology to steal a car - use GPS to locate the car, use their device to unlock the car, bypass security tools and start the engine. They showed a video where they did this - drove a car away with no key!

Same researchers took advantage of these same technologies to remotely eavesdrop on people in their car - 1,500 miles away!

These telematics units contained things like ftp, telnet, nc, vi... on a UNIX like real-time operating system. Not quite secure out of the box...

How did we get here? Basically, nobody's been attacking them, so there's been no reason to protect them. But, this is improving - SAE, USCAR and US DOT are working on this. Too little, too late? Let's hope not!

The speaker ended the talk with a picture of a hacked odometer. Great talk!

The audio and video of this presentation are now online.

This post is syndicated from Thoughts on security, beer, theater and biking!

USENIX: Three Cyber War Falacies, Dave Aitel, Invited Talk

2011-08-10T10:51:00.000-07:00

Dave Aitel, CEO of Immunity, Inc, started out with a picture of "The truth shall make you free" - a quote from a wall in the offices of the CIA, which helped Aitel launch his talk on cyber security and cyber war and how irony pervades this industry.

According to Aitel, there are three fallacies of cyber war:

Cyberwar is asymmetric
Cyberwar is non-kinetic - as in it's in the virtual world, no "real" victims.
Cyberwar is not attributable

Aitel notes that there won't always be explosions or "instant death" when it comes to cyber war, but there can still be great consequences - including loss of utilities, the more things come on line.

He warns Californians about the security implications of PG&E's SmartGrid, where a not-so-smart chip will control when you can have AC, etc., that will be very easy to compromise. That type of attack, along with recently discussed expoits on automobiles, put people's lives in jeopardy every day.

For example, STUXNET, which many took as a temporary trojan horse that is now totally under control - what the community at large doesn't seem to see, is that it was a demonstration that this (or something like it) can be used to target any factory or any utility at any time.

The problem with a lot of these trojans and worms, is that once your corporate network is infected, it is virtually impossible to to completely rid your network of these hackers. Think about it, if it took you six months to a year to discover the intruder, then you have to assume they are everywhere and you will unlikely be able to totally get them out.

Aitel then started on his point about how cyber war is NOT asymmetric by giving many counter examples, though, unfortunately he spoke very fast and the slide ware moved quickly (and was overcrowded and filled with tiny words) so I had a hard time following that point...

Automated computer security commonly involves things like vulnerability scanners, static analysis, web application scanners - they just don't work, too slow and tedious and really still require manual analysis. Aitel believes his team can find more bugs by just looking at the code, rather than relying on this analysis. Personally, I think that's great if we were all perfect, but I've definitely seen static analyzers find stuff that humans missed, both in writing and while reviewing.

Aitel has a very strong opinion on "script kiddies" - he believes that the term "script kiddie" belittles what is really a challenging career, which he compares to nuclear scientist. I'm sure he's trying to be a bit tongue in cheek, but, as someone with a science degree, I can say for certain that a nuclear scientist would most definitely be a lot more skilled than someone that runs someone else's attack scripts. Sure, there may be some learning curve to running these, but... it's not nuclear science.

Aitel then went on to quote CERN about how SSL based VPNs are all broken, due to fundamental flaws in the architectures, but did not go into details. I'm happy that I'm reading my mail over an IPsec connection ;-)

One thing that has changed over the years is that the attacking community is now mature, organized and highly motivated. After realizing that DefCon this year had reachead 19 years of age... and that I started attending back in DefCon 2, I can only imagine how accurate that statement is. [and at DefCon this year, there was a children's track.... ]

Regulation can't help here - it's too slow. Aitel argues until the "traditional bearded men that work on security get into Government" it isn't going to get better. I guess Professor Spafford meets that mold, but not sure how Susan Landau fits that mold.... guess she'd better work on her beard.

Overall, this talk was fun and entertaining, but seemed to be an agenda for why you couldn't possibly secure your own network or code on your own, and you need to hire his security team.

I think the important take-a-ways are that you cannot rely on static analyzers alone to make sure your code and network are secure, policies and tools need to be regularly re-reviewed, and keep ahead of the attackers.

The audio and video of the talk are now online.

This post is syndicated from Thoughts on security, beer, theater and bikes!

USENIX: Charles Stross Opening Keynote

2011-08-10T09:22:00.000-07:00

Charles Stross, two time Hugo Award winning science fiction writer, greeted us with a talk on Network Security in the Medium Term (2061-2561). He quipped that by setting his predictions so far out, we'll be unlikely able to prove him wrong - and if we can, then he'll be happy to just be alive.

His talk started out with stating the obvious, that we won't have to worry about network security if, for example, we have a global system panic - so, he's going to assume that doesn't happen. The other issues around seeing his predictions come to fruition depends on medicine meaningfully extending our lives, having stable political systems and managing society's increasing complexity.

In the future, we won't be able to ignore emerging countries like China and India, and, well, the whole of Africa, all of which will change how we manage security and interact together.

Stross told a story of a theoretical time traveler from the 1960s and how huge of a technology hurdle he'd have to overcome - no imagine how much technology change we can expect in the next 50 years! Children nowadays will never know the experience of being lost, always connected, always with GPS at hand. [of course, such an assumption presumes the child growing up in a home of means, don't forget the aforementioned Africa!]

Stross took us through a myriad of potential futures - like will we, as humans, have a lifelog like we have in modern cars? Will we have to fight super viruses, bacteria and cancer? Will genome sequencing computers be able to help protect us? But, will we want to share our own DNA in order to aid these computers? Give up our privacy in order to always have an alibi? Give our insurance companies access to vehicle harddrives so they can detect how people really drive?? It seems unlikely.

I've personally submitted my DNA into two systems: Kaiser Foundation's Genome Study and 23andMe. I did this both to advance science and to give myself valuable information about my gene profile, though my neighbor, a DNA forensic scientist, believes I was insane to share my DNA with anyone. Perhaps I should've consulted her before I spit in that cup.

Lots of interesting scenarios to think about, we'll definitely have to be more careful with our privacy as more information is put online and in storage.

The audio and video of the talk are now online.

This article is syndicated from Thoughts on Security, beer, theater and biking!

Peaches en Regalia

2011-08-07T16:22:00.000-07:00

My husband and I had the pleasure to see Peaches en Regalia from Wily West Productions at the Stage Werx Theater in San Francisco last weekend.

This is a new work, being presented for the first time as two acts. It's a sweet play revolving around the ever changing life of the title character, Peaches, who has recently taken a job at a restaurant where they serve... wait for it... Peaches en Regalia.

Sarah Moser, as Peaches, takes the stage by storm with her opening monologue which describes college, her internship at a financial institution and why she decided to take a job at a diner. Moser is energetic and her monologue comes to life as the other actor's help her reenact scenes from her recent past.

The hilarity continues when Philip Goleman comes into the diner as Norman and then gives us a hilarious monologue on bathroom etiquette and working on his flirting skills.

Of course, the two come together. The fast paced and delightful show moves along as Nicole Hammersla (Joanne) and Cooper Carlson (Syd) fill in the picture. Joanne has a nervous tic (picking at her sweaters) and Syd is a soft-hearted republican.

This was a wonderful production that will keep you entertained throughout! Even with a short 10 minute intermission, the show was still about 90 minutes running.
Definitely worth a trip up to San Francisco!

This post is syndicated from Thoughts on security, beer, theater and biking.

Oracle Solaris Security BoF at USENIX Security

2011-08-04T15:40:00.000-07:00

I'm excited to announce that Oracle Solaris Security developers will be presenting on our recent work, talking about cloud security and doing a Q&A panel at a BoF at USENIX Security next Thursday night.

Date: Thursday, August 11, 2011
Time: 7:30-8:30 PM
Location: The Westin St. Francis, 335 Powell Street, San Francisco, CA
Room: Elizabethan A

If you're attending USENIX Security, please come by. There will be give-a-ways for excellent questions and beer. Does it get any better than that?

Scratch: Lagunitas Beer Dinner

2011-07-26T09:00:00.000-07:00

I've got a huge backlog of beer related blog posts, so many that it's a bit overwhelming. So, instead of starting many months back, I'm going to restart with some recent brew dinners and hopefully get the others picked up in a retrospective of sorts.

A new restaurant in Mountain View recently opened up called Scratch. They feature upscale American "comfort food" and have recently begun doing beer dinners. This is very appealing to me, because I can walk there, which beats the myriad of trains and late nights it takes to get to the Monk's Kettle (but, wow, are the Monk's dinners good).

The featured brewery on July 7, 2011, was Lagunitas Brewing Company, based in Petaluma, California. I've been to a Lagunitas beer dinner before up at the Monk's, so I was very excited they were coming down to Mountain View. You've probably all seen their IPA in the grocery store, but don't let that fool you - Lagunitas does a lot more than just IPAs.

The first course, prepared by Executive Chef Sean Eastwood, was an ahi tuna "gazpacho". With a name like that, I was expecting a sort of soup, but what we got was a lovely, thick piece of raw tuna topped with a sweet gelee, served with an heirloom tomato confit, almond and avocado puree. This was paired with Lagunitas classic IPA, coming in at the evening low of 6.5% ABV. The IPA is their standard hop forward American style IPA, which was softened nicely with the food. An excellent pairing.

While waiting for the next course, we got to try the Wilco Tango Foxtrot (available in the 22oz section of many local groceries - yay!), a wonderful brown ale with 7.8% ABV. Jack Alger, in charge of Ales and Marketing at Lagunitas, told us a bit about this beers origins: While most browns are low in alcohol and typically a session beer, that's just not what Lagunitas makes - yes, this beer was mild in flavor, with the slight nuttiness you'd expect from a brown, but an extra sweetness made this even easier to drink and reminiscent of a bourbon barrel ale. Approach with caution, as a 7.8% ABV beer will bite you on the butt if you're not careful!

The next course was sweetbreads. Not something often eaten anymore stateside, but something my husband, a Brit, had had more than enough of growing up. Scratch and the chef were awesome and prepared my darling husband some sweet pea ravioli as an alternate course.

He absolutely loved the course and in particular the thinly sliced fried zucchini.

The rest of us at the table got the sweetbreads. I'll let you read the wikipedia entry to see what exactly sweetbreads may be (hint: all kinds of things qualified as offal), so as diners, we were left to our imagination to guess what exactly we were eating. The black lentils were delicious, but the citrus (grapefruit?) was a bit too tart for the beer and the rest of the dish. The sweetbread itself (which was later identified as the thymus gland) was very fatty, and tasted a bit like chicken livers with the texture of frog legs. I think it could've been much better prepared if it were in a bread sausage like form, where the bread could've helped to soak up some of the fat. The fried giant capers, though, were a nice touch.

Next came out the Lagunitas Hop Stoopid. With a name like that, I was worried - I like a hop flavor in my beers, but not "attack hops" - you know the kind, so bitter they make your tongue curl? Well, it was a bit like that... but, my husband and the other Brit at the table love their beers like that, and so the ABV 8.0% brew did not go to waste.

This was paired with the "Bone Marrow, Two Ways" course. As should be obvious from the picture, the first way was right in the bone. The second way was fried - a bit like a tater tot. This came with a wonderful salad, again with grapefruit, that was very delicious. I spread my bone marrow right onto the crunchy crostini, but even then it was still a bit too rich. I'm not sure how the fried quail egg fit into the picture, other than making for quite a beautifully plated dish.

Finally, the Lagunitas folks brought out one of my favorite styles: a red! The Lucky 13, coming in at a hefty 8.3% ABV, was a much more mellow beer than the Hop Stoopid, with toasted malts being the prevailing flavor. This paired wonderfully with the lamb ravioli served with sweet peas, pickled artichokes, mint syrup, pea and mint puree all on top of... cassoulet lamb shank! This was a meat lover's delight. The ravioli was fork tender, and the lamb simply melted in your mouth. The beer positively opened up with this course, the best course and the best pairing of the night... well, until dessert.

Lagunitas delighted us with the next beer, Little Sumpin' Sumpin' at 7.5% ABV. This was their version of a Belgian Wit beer, made with Belgian yeast, yet filtered (which seems, at least for me, to lower the hangover factor). While it was hop forward, the beer was still delicate and sweet, with a slight hint of peach to it, which means it paired absolutely perfectly with the Peach Buttercake. The cake, similar to an upside down pineapple cake - just with peaches, was moist and bold enough to stand up to the beer. The lavender caramel made it all just like a spa experience. I was in heaven.

That was supposed to be our last course, but Jack had something else up his sleeve, a Cappuccino Stout (8.8% ABV). This beer, which smelled just like chocolate covered espresso beans, was actually made with a special blend from Hardcore Espresso in Sebastopol.

I was actually thinking at the time that I would've liked some more of that ice cream from the previous course so I could make my self a beer float. Fortunately, the chefs wanted to surprise us as well and they brought out a bonus dessert of chocolates! Splendid!

Overall, a magnificent dinner right here in Mountain View. The staff was friendly and accommodating. I loved having someone from the brewery present to tell us all about the beers, and the pace of the food was perfect. For future dinners, though, I would recommend the chef try to balance the super rich and a bit strange courses more with the rest of the menu. The only bad surprise came at the end when there was a 22% gratuity added on top of the total bill (that is, food plus tax). I didn't expect that for our group of four, and only mention it so that if you join a future dinner, you can be prepared.

Now the question, do you like the picture of the course before I talk about the course, or after (as is done in this post).

This post syndicated from Thoughts on security, beer, theater and biking!

Woe is Me -or- Going through TSA with a broken finger...

2011-07-19T22:26:00.000-07:00

Sorry it's been so long since I've written - I had a broken finger! It's mostly better now, but for awhile there, I kept my typing to mostly work specific activities. Typing when down an index finger is not the easiest thing to do, especially since I've been touch typing since I was 12 years old, not to mention the finger just plain hurt.

What does this have to do with the TSA you might ask? Well, I did this on my way to the airport when I was coming back from a trip to Fort Wayne, IN. Being rushed, talking to my sister on the phone, and my dad and a friend in the car, while getting out to get a coffee... something fell through the cracks. Well, or got stuck in it... slammed that finger right in the door! The folks at Starbuck's were kind enough to give me a bag of ice, but that was not something I really needed at that moment. While I didn't know it was broken, I did know it hurt like nobodies business.

Fast forward 20 minutes and we're going through TSA. The Fort Wayne airport, while very small, seems to have the most well provisioned TSA division in all of America. If there's a new process or tool, they have it. Plus, they don't really have any lines, so what's the rush?

I'm not a big fan of the new scanning machines. I think they were rushed into the airports, aren't well studied, and are a great example of industry lobbyist pushing "safety" standards, so I wanted to opt out. One of my traveling companions has recently had a lot of radiation (treatment for cancer) and also opted out.

This airport isn't really set up for this - as the line just puts every single passenger through the scanner, so anybody that opts out has to go through an unusual procedure. As my friend was also a female, she had the one female agent on pat-down duty totally occupied, so I had to send all my luggage through the x-ray and wait on the outside of the metal detector.

Even though my finger was in excruciating pain, I waited until my friend cleared. My pat down was uneventful and no worse than I've gotten before when setting off the metal detector. I was neither embarrassed nor threatened, the TSA agent was respectful and friendly, and she screened her gloves for explosives after the pat down.

But then I set off an alarm. Hrm. Even though my finger was in excruciating pain, I had to go to another room and get another pat down, this one slightly more invasive. After awhile, the agent and her supervisor took pity on me and brought me the ice my husband had gotten for me, which helped a lot.

But then I set off the alarm again. This time nobody knew what to do next. They decided they needed to double search my bags (by rescreaning, hand check and check for explosive residue), but that's where there was another pickle. In all that time where I was not able to get to my luggage, my husband had repacked it for me. And since he was standing with our traveling companions and TSA didn't know, 100%, if something may have been handed over - my companions all got rescreaned. They (and all of our luggage) were negative for any residue or suspicious items.

I finally thought of what might have been causing the alarm: I'd gone to an antique store with my Dad that day, and he'd looked at antique guns. Was it possible I actually *did* have residue on me?

Two TSA agents and two supervisors later, we were all on the airplane!

Coming home, my husband thought of a more likely cause: I'm always fertilizing things in our garden and may have done so in those same jeans right before I left. Word to the wise, don't wear clothes to the airport that you may have worn in your garden! Or go antiquing ;-)

As I was walking away, one of the TSA supervisors asked the other, "Did you write down her name?", and I heard, "Yes, it's right here." Which, of course, means I'll be sure to be extra early for all of my future flights.

Now, why is this all so frustrating? I'm sure you've all heard of the guy last month that was flying around with expired boarding passes. He wasn't arrested the first time he was caught, but the second time. Are we really spending our efforts in the right place?

This post is syndicated from Thoughts on security, beer, theater and biking

Sun Metaslot and my missing keystore

2011-06-30T15:01:00.000-07:00

By Karen Tung on Jun 14, 2005

[VAF: This entry was transfered from Karen Tung's old Sun blog, due to its relevance to the Solaris Cryptographic Framework]

Since The Solaris Cryptographic Framework is integrated into Solaris 10, we have added some new features to the framework. One of these features is the Sun Metaslot, which will be generally available in the next Solaris Update release. In case you can't wait till the next Solaris Update to try out this exciting feature, this is also available since Solaris Express 2/05, and in Solaris Patch 118918.

The Sun Metaslot will greatly simplify the life of developers who write applications that uses PKCS #11. Now that Open Solaris is a reality, I can talk about the implementation of this new feature and clarify one question I often get from users who are used to using the framework the way it was in Solaris 10.

What is Sun Metaslot?

The Sun Metaslot is a new additional slot to the The Solaris Cryptographic Framework. It provides the virtual union of capabilities of all other slots in the framework. Instead of having to deal with many slots, an application can simply choose the Sun Metaslot, which have access to features of all slots currently plugged into the The Solaris Cryptographic Framework. It also does the tedious work of managing sessions and objects on different slots so an application can use the best slot for a particular mechanism without having to move objects and sessions back and forth. The Sun Metaslot behavior conforms to the PKCS#11 Standard. Applications should treat it as if it were any PKCS#11 slot with normal PKCS#11 semantics.

When you install the next Solaris Update release (or Solaris Express 2/05 or the patch), you will get the Sun Metaslot feature by default. There is no special configuration necessary. The Sun Metaslot is always presented as the first available slot in the The Solaris Cryptographic Framework. As such, if your application is written in such a way that it just uses the first capable slot to perform cryptographic operations for your application, your application will use the Sun Metaslot with no modification at all. If your application is very particular about the exact slot in which an operation is done, all slots in the originalThe Solaris Cryptographic Framework is available as usual except a minor catch, which I am going to explain below.

Why is one of my slots missing?

Ever since I gave the beta version of my Sun Metaslot implementation to other Sun internal engineers to try, I often get this question in my email. I am sure many of you might have exactly the same question. So, it's probably useful to explain it here for the last time, hopefully.

Here's the typical email:
I installed the Sun Metaslot feature into my test system, and everything seemed to work fine. However, when my application does a C_GetSlotList(), I found that the "Software RSA PKCS#11 softtoken" slot is missing. Is this a bug?

This is working as designed. When the Sun Metaslot feature is enabled, one visible difference you see on your system is the slot that is configured to provide persistent storage for "token" objects (aka keystore) is "hidden". The Sun Metaslot does not have its keystore. It uses the keystore from one of the actual slots. By default, Sun Metaslot is configured to use the "Software RSA PKCS#11 softtoken" slot, so, users will see that it is "missing".

The slot to be used as Sun Metaslot's keystore is configurable. See the cryptoadm(1M) command on how to configure a different keystore for Sun Metaslot.

During the Metaslot implementation, we found that making the keystore slot as one of the available slots will cause a problem with "object aliasing" between the Sun Metaslot and the keystore slot. If an application accesses the Sun Metaslot and the keystore slot at the same time, we won't be able to control the authentication state. For example, if the application first calls C_Login on the Sun Metaslot, Sun Metaslot will call keystore slot's C_Login(). Now, if the application makes the a sequence of a C_FindObject calls to retrieve the list of private objects from on the keystore slot, it will be able to successfully get the list. However, this is not the right behavior since the application hasn't done a C_Login to the keystore slot yet.

To prevent the above problem, we decided that it is best to hide the keystore slot. Even though an application won't be able to access the functionality of the keystore slot directly. All its functionality are still available via the Sun Metaslot.

Life is a Cabaret at Sunnyvale Community Players!

2011-05-09T14:00:00.000-07:00

Me and the gang went out to see Sunnyvale Community Player's production of Cabaret on Saturday night and we all had a great time!

It's interesting to see a show with such a small staff. Lee Ann Payne doubled as director and choreographer (no easy task, given the complexities of the choreography in this show) and Dan Singletary was music and vocal direction. It seemed to me that this gave them a better way to focus their efforts and the results were a seamless production that was beautifully staged.

As I've said before, one of my favorite things about seeing shows with the Sunnyvale Community Players is that the actors and actresses are not typically mic'ed, leading to a amazingly rich and rewarding sound. We could hear the gentle shakes in Emily Bliss's voice as she belted out the title song, Cabaret, as the lead of Sally Bowles. While her emotion was clearly written on her face, hearing the subtlety in her voice made the number that much more enchanting.

Dan Singletary did a great job balancing the orchestra with the vocals - I could hear both perfectly at all times!

The Emcee, Paul Araquistain, was just downright amazing! Every time he appeared, the stage brightened (or darkened, depending on his intent) and the cast just seemed to focus around him. One of my favorite numbers was "Two Ladies", where Araquistain was joined by Cheryl Ringman (Kit Kat Girl/Susan) and Denise Lum (Kit Kat Girl/Ting Ting).

The costumes were sexy, where necessary, and total period otherwise. Great job by Ana Williams (costume design), Sue Howell, Mary Beth Buzzo and Barbara Morgen (costume construction).

It's hard to call out specific actors or actresses that stood out, as everyone was great, totally in character, always in the moment. Very impressive, indeed!

I'm not exactly sure which revival this one was based on, but did miss the darker ending of the last version I had seen. Let's face it, Nazi Germany was not a fun place for homosexuals and Jews in the early 1930s...

One thing is for certain, this show only runs for one more weekend (through May 15th) and deserves a sold out house! Treat yourself, you'll enjoy it!

Punctate Inner Choroidopathy -Or- My Crazy Eye

2011-05-08T21:46:00.000-07:00

Those of you that follow me on twitter are aware I've been having some major weirdness in my right eye over the last couple of weeks.

As someone that has always had bad vision, losing my eye sight has always been my biggest fear. Having an eye do strange things where one Ophthalmologist even said, "I've never seen anything like this before" ... well, it's disturbing, to say the least. I waver between wanting to share with everyone what is going on to just wanting to be left alone and hope for the best, so please understand.

About two weeks ago, I noticed a blurry/fuzzy spot in my vision. I called Kaiser, where fortunately I had already been referred a few months back to Ophthalmology due to 2 spots my optometrist detected on my retina [1]. My optometrist was concerned that I might have Presumed Ocular Histoplasmois Syndrome (POHS) - blood tests confirmed, though, that I did not. My doctor in ophthalmology told me to come back in 6 months or if I noticed any vision changes. That brings us back to two weeks ago.

I was initially told I'd have to wait until May 10th to see someone, but as every day I had new flashes and fuzzy spots, I didn't want to wait. I showed up at the main hospital and sat until my ophthalmologist was able to see me (he took me on his lunch break). He ordered lots of tests: OCT (retina scan), Optomap (picture of the back of the retina), Visual Field Assessment (fuzzy spots and flashing lights cause problems with seeing little tiny dim flashing lights in peripheral vision...it turns out), and an optical angiogram (where I was injected with yellow dye, dilated and more pictures were taken of my eye to check for bleeding - there was none - *whew*).

Still, my ophthalmologist was stumped. He could see there were things going on in my retina, but it was nothing he'd ever seen before. He sent me to a retina specialist for my next visit.

My retina specialist has seen something like this before: Punctate Inner Choroidopathy (PIC for short!). I'd give you a link to a great sight on this eye disease, but... none exists. It's a very rare condition that nearsighted, healthy women in their thirties get. My specialist gave me a great paper on it, published in the Survey of Ophthalmology in January 2011 by Dr. Radgonde Amer and Dr. Noemi Lois. Unfortunately, the major conclusion of this paper is that PIC needs more research.

There are no known treatments, and the majority of the cases spontaneously get better on their own with no long term vision impact. It's the side effects that can be problematic, so let's hope I don't get any of those!

Fortunately, as of now, my central vision is still crystal clear and my left eye is 100% normal, so I can still totally and safely function in my daily life.

But, still very freakish. I have toyed with whether or not to write this blog post - perhaps it's over sharing. I don't know, at this point I kind of want to share to see if anyone has any ideas or luck with any experimental treatments.

So, let's hope I'm in the majority of this one! And let's face it, there are worse things to get!

[1] In 2008 I had very similar symptoms as to what I'm having now, but was diagnosed with having a perfectly normal vitreous detachment. Well, 2.5 years later, my optometrist noticed the retinal scarring. Drs. Amer and Lois said in their paper, "After 2-3 years, some scars become distinct and pigmented and resemble the scars associated with POHS." So, I'm betting I was misdiagnosed before. Not that it makes a difference, as there is no treatment for either vitreous detachment (it's caused by age and onsets earlier for the nearsighted folks) or PIC. But, knowing I probably had this in 2008 and completely got better... well, I'm very hopeful for a full recovery.

Review: Shattered Dreams: My Life as a Polygamist's Wife

2011-05-05T15:47:00.000-07:00

Shattered Dreams: My Life as a Polygamist's Wife
by Irene Spencer

My rating: 5 of 5 stars

This was an amazingly heart breaking tale of a young girl who's upbringing led her to seek to become someone's second wife. She was a fourth generation polygamist, growing up all over Utah and Arizona. The Church of Latter Day Saints had long ago shunned the practice, so these "pligs" were left to fend on their own, making their own churches, following their own "prophets" (all of which insisted that the more wives you had, the better your chances of securing a place in heaven were).

As you can imagine, having many wives with even more children was an untenable situation. Growing up, Irene was at the lowest level of poverty, living off of the US Government welfare system, wearing clothing made of old flour sacks, and wondering where her next meal would come from. As only one wife was recognized as the legal wife, the rest of them were "single mothers" and able to collect benefits from the Government.

Irene's mother did eventually leave her father and take up the monogamous lifestyle so much of the rest of America considered normal, and begged Irene to marry a man that was not interested in multiple wives. But would Irene listen?

Every step of the way, as a reader, I was shouting out to Irene to make different choices. To me, raised in a traditional family, it seemed obvious that Irene was making the wrong choices, dropping out of school to "marry" her half-sister's husband and move down to Mexico.

Irene recounts her time living in Mexico, Nicaragua, Utah and Arizona, often with no electricity, no running water, and no food to feed her ever increasing family. In the end, her husband had 10 wives and over 50 children.

I could not put this book down, I can't recommend it enough!

View all my reviews

Hey Jerk, who are you callin' a jerk, Jerk? And... progress!

2011-04-29T12:01:00.000-07:00

Pardon me while I jump up on my soap box again. Riding into work today with two other riders on a wide, quiet road (4 lanes with a large shoulder) I was riding partially next to one of my companions. A man in a white car with a black roofbox on top decided to cut us off, stop on the right blocking the shoulder to give us this important safety message: "RIDE SINGLE FILE!!!!!!!"

Then he tore off again, demonstrated that his brake lights were out and then ran a red light. Way to be a jerk, jerk!

I rarely ride double and never do so unless there is loads of room. We were hardly a large pack, with only two of us sort of overlapping, and the road was wide and relatively deserted.

The good news is, though, I WAS RIDING MY BIKE! :-) I'm commuting into work 2-3 times a week now with little to no pain.

I've met another one of my goals as well: I have gone on 2 pleasure rides with hills! (Up Steven's Creek Canyon and back)

Oh, and I can get in and out of a car like a normal person !

I've started doing one-on-one Pilates where my instructor is working on correcting a lot of my compensatory behaviours and I'm already seeing results - hopefully some day soon I'll see the bottom of my left foot again! :-)

Smartphones: Is it worth it?

2011-04-20T13:42:00.000-07:00

Many years ago, I can remember the delight attendees at DefCon II had at learning how they could easily eavesdrop on others (and make free phone calls) by abusing a poorly installed PBX phone system at Circus Circus in Las Vegas.

It was so simple to use a scanner (or even another cell phone, like my Motorola Microtac Ultra-Light) to listen to people on their cordless phones or analogue cell phones sitting nearby.

I was so excited, then, when I heard about all of the new digital telephony standards that would make such eavesdropping impossible.

Fast forward more than a decade and many of us are carrying smartphones that have a handy built-in GPS. That GPS is great when you want to find a good taqueria nearby, or get turned around walking in an unfamiliar city - but not great when police start pulling the data off of your phone with no warrant!

Seems far fetched and paranoid, doesn't it? Well, I found out today that Apple is storing all of your locations on your iPhone (and transferring it to your "host" computer that you sync with) in an unencrypted file, along with nearby wifi information. I'm sure this is for some future app that will tell you where to go for free wifi, or something, but the privacy implications are staggering!

Combine that with the fact that some Michigan police officers are carrying around mobile phone "extraction" devices that they are using in some routine traffic stops to download GPS information along with photos and text messages from people ... without a warrant!

Surely we shouldn't have to give up this information just because we want the convenience of finding a great place for beer? Well, we can't say that Susan Landau didn't warn us...many times.

Sheherezade XI: 2010 A Year in Review!

2011-03-26T13:31:00.000-07:00

Wow, what a delightful time out last night! My husband and I drove up to San Francisco to catch this year's fund raising installment for the Playwrights' Center of San Francisco at the Stage Werx Theatre, Sheherezade XI: 2010 A Year in Review.

Again, we were presented with 8 short plays, all centered around events that occurred last year. From somber to hilarious, we were taken on quite a journey! I have never cried so much, followed directly by so much uncontrollable laughter.

With all of the recent news out of Japan, I had all but forgotten the plight of the fishermen in the Gulf Coast, but Rachel Ferensowicz, Charles Lewis III and Richard Egan brought all of that destruction and worry right back into focus in Oil and Water.

And who could forget the San Bruno gas pipeline explosion? I certainly won't, after the great performances by Philip Goleman, Wesley Cayabyab and Shubhra Prakash in Emergency Contact.

Another favorite of mine was Many Winters, featuring Heidi Wolff and Rachel Ferensowicz. Rachel and Heidi took us through a heartbreaking tale of losing a child, and the great weight it puts on the mother's shoulders. Could she have prevented the loss? Was there something society could have done? When does the grieving end?

Lighter plays covered such topics as the psychic octopus, Paul der Krake (played by Wesley Cayabyab), iPads (iWhat), and an intriguing take on Prop 8 (Prop Ate).

The only disappointing thing, for us, was the audience was not full. This is a wonderful show, benefits a great group and should be sold out every night! The benefit runs through April 9 - seven more shows. Go get your tickets now!

Baby steps to recovery! Milestone this week!

2011-03-18T16:04:00.000-07:00

Sorry I haven't posted much lately on how I've been recovering from my 3 cm x 1 cm tear in my quadricep tendon, let's just say it's been more than a bit depressing.

Recovery has been very slow, as I've additionally damaged my low back from walking around for 6 weeks with a knee immobilizer on (damage was compounded, I believe, by sitting at a computer terminal, as my leg/low back could never be properly positioned - not even with help of ergo specialist).

I am angry that my orthopedics PA did not give me crutches at first, nor have any advice or help for working at a computer, but that's water under the bridge now.

I don't want to go into details at this time, but suffice it to say that I essentially stopped writing and gave up most hope when both my physical therapist and physician recommended I transition into chronic pain management, as I had recovered as much as possible. In their expert opinions, as my physical therapist put it, "We've been doing this a long time. We know when someone has achieved all the benefit they can from physical therapy."

At that time, I could barely walk without pain and had hardly any strength in my left leg.

For those of you that follow my blog or know me in real life, you realize that getting news that I was not going to be able to walk a short distance to dinner from my house was devastating.

In addition to the low back pain, floating/electric pain down my left (injured) leg, and major muscle atrophy I also have unexplained spasms in my thigh adductor muscles. I've lost total hip flexibility (yoga's been tough!) and am frequently surprised by pain in that area.

I know, plenty of folks have it worse off than I do, so that's enough complaining for now.

On to the bright spots: my sister-in-law is a physical therapist and had examined me over the Christmas break, and she believed I was fixable. Through her determination and my husband's inspiration, I requested a new physical therapist from Kaiser. I was pleasantly surprised when they had no issue reassigning me.

My new physical therapist is wonderful. With her help, plus deep tissue massage and recently chiropractic adjustments, I'm back on the mend.

Here were my New Year's Goals:

Sit without pain
Get in and out of bed/car without pain and like a normal person (as opposed to the old lady method)
Drive my manual transmission Mustang with a heavy clutch
See the bottom of my left foot
Sit "Indian style" (which I believe is now called "criss cross, apple sauce")
Walk all day without nerve pain in left leg
Ride my bike to work
Ride a pleasure ride
Downhill Ski

Now, 2 months in, I've met the following:

Driven my Mustang (w00t!)
Walked all day without pain
Skied (many thanks to my Skiers Edge, which I was able to do rehab/retraining of my muscles in the comfort of my own home). Don't worry, I just did some easy runs at Badger Pass and Bear Valley. No blacks or moguls for me this year :-)
and..... drum roll please.... Rode my bike to work *both* ways this past Monday! With no pain!

I have to really focus on form and keeping my abdominal muscles really tight to do it, but I did it!

Has anyone ever had their thigh adductor muscles go into spasm? I'm hoping for some insight here - everyone seems to be stumped.

There is hope yet :-)

Thank you all for your support! Every day I am a little bit better. I will keep doing retraining and physical therapy until I am there.

*hugs*

Bourbon Barrel Beer, hard to find!

2011-02-04T16:32:00.000-08:00

After my trip to Kentucky in 2009, I've fallen in love with beer that has been aged in bourbon barrels. While I'm not a huge fan of bourbon straight up, I do like bourbon sauces, bourbon balls, and other bourbon treats - like beer!

Being aged in a barrel softens most beers, and being aged in a bourbon barrel gives hints of the bourbon, along with accenting the natural malt flavor of beer.

My favorite bourbon aged beer is made by Kentucky Ale, both an ale and a stout are available. Unfortunately, it is not available outside of the tri-state area, so I can only get my hands on it by either visiting Kentucky, or begging a friend visiting the area to bring me back a four pack. [hint: if you're planning a visit to KY soon, please leave room for some of this beer for me :-) ]

Fortunately for me, aging in bourbon barrels is becoming more trendy, so I can get some out here on the west coast.

I recently got my hands on a couple of bourbon beers and did a sampling with some friends, who also contributed a nice Firestone Walker porter to share.

We started with the Dogfather's Bourbon Barrel stout - a strong beer. Unfortunately for this batch, it wasn't hints of bourbon, but more like someone had added a shot of bourbon to the bottle before the cap went on. The bourbon aroma overpowered the coffee overtones in the beer and it was a bit too strong for my liking. It was still a really good beer, and so close to being great. We should've had this heavy beer last. (11% ABV)

Next up was the Widmer Brother's Reserve Barrel-Aged Brrrbon, which was just a nice regular amber brew that had spent a perfect amount of time in a bourbon barrel. I originally mistook this for a stout because it seems that out here on the west coast, brewers only make bourbon barrel stouts. Lucky for us, this was a very drinkable beer with hints of caramel and bourbon. I'll have to get a couple more bottles of this! (9.4% ABV)

We finished with the Firestone Walker's Reserve porter, which was dark in colour, yet surprisingly light tasting - we could've actually started with that one! I love all Firestone Walker's beers - always tasty, unique and full flavored. (ABV 5.9%)

I know Full Sail just released a bourbon barrel stout, which I still need to get my hands on. Any of you have a favorite bourbon barrel beer? and where can I get them? :-)

Telnet attacks on the rise? Protect yourself on Solaris!

2011-01-28T16:32:00.000-08:00

I just read, thanks to Steve Green's "Security News", that Akamai just released a report that said attacks against the telnet port (23) are on the rise. While this may seem strange at first, it is completely understandable - we're all so used to using SSH (Secure Shell) or Kerberos for secure shell access that many of us may have forgotten about older machines or even newer machines that may still have the telnet service running.

Remember that in Oracle Solaris 11 Express 2010.11 and the OpenSolaris releases, the telnet service is turned off by default, thanks to the Secure by Default project:

ryoga $ svcs telnet
disabled       Jan_24   svc:/network/telnet:default

If you find your service has been re-enabled, well, you'd better review your audit logs and see who did that, and quickly disable it again:

ryoga $ svcadm disable svc:/network/telnet:default

Since Solaris 10 Update 3 shipped, there was a secure by default option at install time, and you can set up that profile after you've installed. Check out netservices(1M) command.

TSA, Thanksgiving Travel and Me

2010-12-03T16:34:00.000-08:00

After reading all the articles on the risks of the back-scatter technology (never mind the privacy implications) and watching the videos of screaming children getting "enhanced" pat-downs, I was nervous about traveling for this Thanksgiving holiday in the US. I was ready to 'opt-out', but wasn't sure how I felt about the "enhanced" pat down.

Back in October I received an 'old-style' pat-down from a male TSA agent in LAX. I was fine with it. I did not feel violated, nor did I feel that the agent was missing out on anything by not feeling the underwire in my bra. The agent was friendly, apologetic for the inconvenience and even found a place he could search my bag where I could sit and watch (my injured knee wasn't up to doing anymore standing after a day at the Women's Conference).

Then I saw the videos of the screaming children and I suddenly became very uncomfortable with this. Many women, including myself, (and men) have an event in their past when they were touched/fondled/groped/etc in an unwelcome manner. To have to relive that moment in public at the airport just to travel is unsettling.

So, very nervous, I entered SJC on Thursday morning... only to find most of the back-scatter machines turned off. The one I saw in use was being used to scan a women's personal wheelchair - I couldn't help but think that was a perfect use for the scanner! The woman, like all travelers in wheelchairs, was receiving an 'old-style' pat down.

I went through, like everyone else, in the same fashion I have for years - removed my belt, watch, shoes, jacket, liquids, laptop and medications...*whew* and "simply" went through.

It was the same on my return through Seattle. One machine was on, but people could just choose to go through a different line. No questions asked, no extra screening.

What made me angry was all of the main-stream news outlets, including our local KGO, reporting that the back-scatter machines had not slowed down the lines. The main report I heard was that passengers would rather get the scan and get through quickly.

But that wasn't true at all. The machines were not on. The "enhanced" pat-downs weren't happening. How dare they say the launch weekend was a success when they were not using them?

That's a waste of our money and a gross misrepresentation of the events. I'm afraid Bruce Schneier has it right - the TSA is not going to back down, because they'd seem like idiots. Another example of how lobbyists for manufacturers are shaping policy, instead of policy shaping manufacturing.

The TSA is inconsistent at every airport I go to. During that trip to LA, the TSA ID checker screamed at me when I approached his podium with my traveling companion. He would not begin her screening until I returned to behind this blue line, which was difficult as the entire line had already moved up. Yes, I can read (but thanks for pointing it out) the sign saying to stay behind the line until he was ready to process us - I just assumed that, like every other airport, you could go up with your entire party. At least the agent that had to do my pat-down in LAX was friendlier. Oh, yeah, in Seattle, they actually have a sign on the podium directing people to be at each side - they can process you faster if you come up with your entire party or 2 at a time (even with strangers).

Another disconcerting thing I noticed: no where to do a private screening if requested! Why not have a few privacy screens up? They could be set up like a maze or other formation to take up the least amount of space while still providing privacy (and room for your witness, if requested).

Boy, am I glad I'm not flying for Christmas!

Adam Carolla and Me

2010-11-21T20:41:00.000-08:00

I guess it's safe to say that I am a huge Adam Carolla fan. I've listened to him on Loveline, watched him on the Man Show and the Adam Carolla project, listened to his CBS radio show, and never miss a podcast (even listen to Car Cast, where I am actually learning about cars).

That being said, I couldn't believe I didn't know Adam Carolla was coming to San Jose! On Thursday afternoon, I caught a tweet from the San Jose Improv and canceled our previous plans and asked my husband if he wanted to come with me (as I was going, alone or not!) We got there early for dinner, which got us front row seats. It was like having a private conversation with the Ace man for nearly 2 hours. He was funny, charming and brought lots of new material to the stage. Having the extra component of a slide show (so we really could see exactly what Adam was ranting about) made it all that much more entertaining.

I even nodded along as Adam ranted at me that, as a woman, I need to know that when my husband just starts saying "will do. will do.... will do." (ala Dr. Drew Pinsky), it means he wants to get off the phone. Don't worry, Adam, I promise I will!

I am a good/bad audience member (depending on your perspective), because if you're funny, I will laugh uncontrollably. Thursday night, I nearly went into coughing fits due to my manic laughter :-)

If you get a chance to see him live, don't miss it. It's a great show and Adam takes the time after the show to meet, greet, sign books, and take pictures (as long as you're quick!)

Get it on!

Oh, and thanks to my husband, for being indulgent, riding his bike home at a frantic speed so we could make the express train to San Jose, and holding my place in the autograph line while I ran to the bathroom :-)

Security Friday for Oracle Solaris 11 Express 2010.11

2010-11-19T17:12:00.000-08:00

Dan Anderson, performance guru extraordinaire, has written up some great articles on enhancements he made to the Oracle Solaris Cryptographic Framework for Oracle Solaris 11 Express 2010.11:

Intel AES-NI Optimization on Solaris, provides background on the AES algorithm and describes how he was able to leverage Intel's AES instruction set built into the chip in order to boost performance.
Carryless Multiplication Optimization for AES GCM Mode in Solaris, an excellent overview of what exactly GCM mode is and how this feature in the Intel chipset can be leveraged for better AES performance in the kernel.

Both are great reads and a good window into the innovation we are still doing on the Oracle Solaris Cryptographic Framework team. Thanks, Dan!

Dancing with the Stars mini-rant & question...

2010-11-17T11:48:00.000-08:00

Spoiler Alert.... if you didn't watch last night, then don't read this.

Before I start my rant, anyone know who the dancers were for Annie Lennox's "Universal Child" performance? They were amazing!

Bristol Palin somehow, yet again, was at the bottom of the leader board and sailed into the next round - this time, the finals! Sure, she is charming and an "every day person" - not a celebrity (but, why is she on Dancing with the Stars in the first place if not for being famous?). I get that. She seems like a wonderfully sweet young woman, but her dancing is not up to par. Routinely she freezes in the middle of the routine and stops dancing, and yet she makes it into the next round.

Last night she claimed that her success of moving forward was not politically motivated, yet there are actual political sites running 'Vote for Bristol' campaigns. Come on people, this is a dancing competition! I've always loved it for not turning into a popularity contest, and it's worse now that a contestant is moving forward based solely on her mother's political affiliation.

Okay, it is only a TV show, but one I really enjoy watching. Great music, great performances and real personal journeys without fake drama.

... for now.... :-)

Neil Young's LincVolt has gone up in flames

2010-11-16T17:05:00.000-08:00

I was sad to hear the news today that Neil Young's 1959 Lincoln Continental that he had converted into a hybrid caught fire and burned up. Seems that not only is this neat car that Neil brought to the Sun Menlo Park campus for a visit gone, but so are some of his other memorabilia from his long and interesting career. Luckily, nobody was hurt and the team seems to have learned something about the charging system.

Oracle Solaris 11 Express 2010.11: Trusted Platform Module

2010-11-16T16:18:00.000-08:00

Wyllys Ingersoll wrote a great post today on the new Trusted Platform Module, and the plugin, pkcs11_tpm.so, that hooks it all into the Oracle Solaris Cryptographic Framework in Oracle Solaris 11 Express 2010.11. You can enable and disable the TPM provider via cryptoadm:

# cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_tpm.so
/usr/lib/security/$ISA/pkcs11_tpm.so: all mechanisms are enabled.

# cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_tpm.so mechanism=all

# cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_tpm.so
/usr/lib/security/$ISA/pkcs11_tpm.so: all mechanisms are disabled.

# cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_tpm.so mechanism=all

You can find out more about configuring the actual TPM device over on Wyllys's blog.

Wow, Solaris 11 Express is out the door!

2010-11-15T15:48:00.000-08:00

It's hard to really describe all of the cool things that have ended up in the Oracle Solaris 11 Express release that came out this morning. I mean, you've all heard about the new packaging system, new installer, and encrypted ZFS, but what about all of the other smaller things that have gone in over the years?

Like sedimented strong crypto algorithms - so customers no longer have to manage separate packages and patches? These were installed by default as of Solaris 10 09/07 (aka Update 4), but I took a very different approach for Solaris 11 - removing those old packages from the OS and making strong crypto just part of all the basic modules. This greatly simplified the Oracle Solaris Cryptographic Framework source code and enabled a lot of projects to move forward, like libsoftcrypto and several projects in OpenSSL.

For the rest of this week, I'll try and highlight other Oracle Solaris 11 Express security features that we've all worked very hard on getting into this release.

GHC10: Friday Keynote, Barbara Liskov, Another Perspective

2010-10-11T15:37:00.000-07:00

I did not originally blog on Dr. Barbara Liskov's Friday morning keynote, but found while writing up my trip report that many of the things she mentioned had really stuck with me so I wanted to share with a wider audience.

First of all, Dr. Liskov was an amazing and energetic speaker - enough to keep 2000 jet-lagged women wide awake through an intense technical walk through the history or structured programming languages at 8:30 in the morning. Fascinating and inspiring!

My notes mostly come from my twitter feed, as well as Teri Oda's, and the Grace Hopper Conference wiki. Hope you get something from them as well!

Friday morning was full of extreme technical talks, beginning with the 8:30 AM keynote from Barbara Liskov, Professor at MIT and 2008 ACM Turing Award Winner. Dr. Liskov regaled us with the evolution of programming languages by describing a series of must-read papers and the advances she made to this are of the science. She started in computer systems, and in those days, it was the job of the programmer to make up for the lack of
system resources and under provisioned systems.

Dr. Liskov's advice:

"Reading programs is much more important than writing them." (she notes people will be reading your program for years to come and you only write it once - comment!)
"Don't try to work on a problem when you get too tired. The solution won't come to you until you're rested."
"Programmers think in terms of programming languages...if the language supports and idea it's much more accessible to them."

Dr. Liskov's recommended papers:

"Dataless Programming", R. M. Balzer, 1967.
"Go To Statement Considered Harmful", E. Dijkstra, 1968.
"Definition mechanisms in extensible programming languages", S. Schuman, P. Jorrand, 1970.
"Hierarchical program structures", O. Dahl, C. A. R. Hoare, 1972.
"Program Development by Stepwise Refinement", N. Wirth, 1971.
"Information Distribution Aspects of Design Methodology", D.L. Parnas, 1971.
"Global variable considered harmful", W. Wulf, M. Shaw, 1973.
"Programming with abstract data types", B. Liskov, S. Zilles, 1974.
"The connections between modules are the assumptions which the modules make about each other." Parnas in Liskov, 1980
"A design methodology for reliable software systems.", B. Liskov, 1972.
"Data abstraction and hierarchy", B. Liskov, 1987.

Dr. Liskov was a pioneer in computer language development. Many of the concepts she was discussing with her peers in the 1970s are just now appearing in modern languages. When asked what her advice was on the best "first language", she said "Python is used a lot, but lacking features we
want students to learn. C# and Java have those, but are harder to learn."

[Update: Thank you, Kelly, for the additional papers!]

GHC10: The Power of the Purse: Making Our Collective Voices Heard

2010-10-01T14:16:00.000-07:00

The panel started out with some great slides that showed how much more women use technology than men. Women make 70% of the consumer buying decisions, women dominate higher education (140 degrees per 100 for men), and women are more likely to work in health care and education, slightly more resilient to economic swings.

The panelists include Kathleen Naughton (HP), Cathy Lasser (IBM), Wei Lin (Symantec), Divya Kolar Sunder (Intel), Vidya Dinamani (Intuit) and Patty Lopez (Intel).

Vidya said that Intuit has done a lot of lab and in home studies about financial behaviours, and they find that independently men and women behave similarly, but when they are put together to work on things like taxes they see that men are very quick to answer questions while women take the time to understand the questions and make sure they are answering them correctly.

Divya, a recent new mom, talked about shopping for baby products and how troublesome it was to find a diaper bag that worked for both her and her husband and baby bottles that seemed more like mom. She found reading blogs from other mothers, who seem to naturally want to share their experiences, help her find what she needed.

Cathy, from IBM, is actually researching how people shop online. Some of the things they have found is that people are much less likely to return items they've bought online, which makes sense as it's harder. One thing they thought women might like was to have an avatar of sorts so they can see how an outfit would look on them, but it turns out most women don't want to see a 3D image of themselves, so it actually discouraged purchases. An audience member said she felt similarly about shopping in stores, that she didn't like how clothes looked there, but did at home, so she preferred shopping online.
I can get that - it seems many stores always have really awful, harsh overhead lighting that, even when I was a skinny teenager, made me look awful.

A few of the panelists than discussed their thoughts on online retailers doing data mining, mostly saying they are comfortable with this occurring as it so greatly improves their shopping experience. There is some concern that the retailers need to store this and use it in a safe manner, though there doesn't seem to be a good way to check this and currently no standards to protect the consumer. Wei, who works in security at Symantec, disagreed. One of the behaviours she has witnessed that she finds disturbing is when you shop for a type of item at one online retailer and they go somewhere else, you'll get an ad for that item. It's not clear to the consumer if this is a legitimate service or spyware.

Cathy said that a lot more companies are listening to feedback from their customers to redesign things - like NorthFace jackets and providing covers for cell phones to brighten them up so they can be found in purses!

Wei wanted to share some best practices with us: never give out your password, never give out personal information, never open a link or attachment from a stranger, change your password (personal one, too) frequently, use malware and virus detection software from trusted sources, and don't use a debit card for online shopping. Wei also recommends getting a password wallet to help you manage all these passwords, so you can frequently change your password. I would caution you to be careful when choosing such software, as it can also be malware, too! You don't want to make it too easy for the hackers! :-)

There seemed to be a lot of questions about security and best practices for privacy on the Internet, so perhaps the Grace Hopper Conference needs a security and privacy track next year! :-)

GHC10: Fighting Cyber Crime: Technology that Fights Crime and Protects Our Children

2010-10-01T13:01:00.000-07:00

You have a 6 in 10 chance of being impacted by cyber crime, yet people worry way less about this type of attack than they do about snake bites or getting struck by lightening. Rhonda Shantz, from Symantec, is concerned about this general lack of concern. Other panelists today include Cristina Fernandez (National Center for Missing and Exploited Children), Sarah Seltzer (Microsoft), Les Nichols (Boys and Girls Club of America), and Erica Christensen La Blanc (CA Technologies).

[TRIGGER WARNING: Some of the content below, which has to do with exploited children, may make some readers uncomfortable or bring up painful memories. Please proceed with caution.]

The cool thing about these panelists are their incredibly diverse backgrounds that brought them all into areas that protect children. For example, Les was an architect (not in the sense that we think of in the software industry, but rather the type that designs buildings) and Erica started out in television!

Taking us straight to the facts, the panel lets us know that 62% of children are having some sort of trouble online (sexual predators, bullying, stalking, virus, malware) and only 45% of parents know this. WOW! According to the National Center for Missing and Exploited Children, pimps are using social networks to try to recruit children and others into their prostitution rings. Only about half the children who are exploited online report to their parents, because they are afraid if they do tell, they will lose their Internet access. No matter how terrible it is being exploited or harassed online, it's not worth it to them to report because the typical parental response is to take the child off of the Internet. It's hard to imagine how important Internet access has become to our children - definitely something for parents to keep in mind.

The Internet, which makes all of our lives easier, has unfortunately made it 'safer' for pedophiles to get access to exploitive material and connect with other pedophiles that they can trade material with (peer to peer networking gone bad). Now technology companies like Microsoft, Symantec and CA are looking for technological systems to find inappropriate images, shut down servers and find the predators. While I've always associated groups like the National Center for Exploited and Missing Children with working on this issue, it is heartwarming to discover some really large businesses are helping to find these disgusting criminals. The agencies that focus on children, unfortunately have little technology experience and have come to rely on these other companies to help them bridge the gap to protect children.

Norton provides a tool called Norton Online Family for free, which aims to help parents protect their children without overly restricting the child's access to the Internet. Boys and Girls club of America has My Club My Life for teens and Net Smartz, but that does require the children to voluntarily give up some of their online access but they are seeing children willing to do this.

Microsoft is working with Dartmouth on PhotoDNA, a fascinating piece of software that can identify inappropriate photos and permutations (resized, cropped, etc) in other places and help server admins take them down and find the perpetrators.

This is a truly frightening area for our youngest generation, and I'm glad to see some really brilliant people working on this!

GHC10: Computational Sustainability: Computational Methods for a Sustainable Environment, Economy and Society, Carla P. Gomes

2010-10-01T09:09:00.000-07:00

Professor Carla P Gomes, faculty of Computing and Information Science and director of Institute for Computational Sustainability, is a pioneer in the field of computational sustainability.

In 1987, there was a UN report that first raised concerns about human impact on the planet. A follow-up report showed things like the biomass of fish is 10% of what it was 50 years ago. We're over harvesting our planet and overusing our resources. A 2009 report looked at whether or not we've crossed the tipping point, and it was looking grim. All these things inspired Professor Gomes to do further research in this area to see what we could do to help reverse the tide using the field of computer science. She strongly believes that computer scientists can, and should, play a key role in increasing our efficiency of managing natural resources.

Computational sustainability encompasses many disciplines like economics, sociology, environmental sciences and engineering, biology, crop and soil science, meteorology and atmospheric science. There is a need to develop computation methods to model things in these fields, which will help resolve these problems. This cross discipline model helps all fields learn new research models from each other, which is helping things in this area to progress.

One problem this field is addressing is wildlife corridors, which link biological areas allowing animal movement between areas. One of the issues here is that, while important for the the animals, there isn't usually much money available to buy land, etc, to set these corridors up so that animals in different national preserves can cross populate. This is a computational problem - need to find the graph that has the best and cheapest path between the two places. While this is an NP hard problem, the computer scientists can simplify the problem by using the Min Cost Steiner Tree. Models are critically important in solving these problems and for addressing the issues of scale.

This approach allows them to handle large problems and reduce corridor cost dramatically, allowing the projects to actually proceed as opposed to being ignored or done with too much expense or in a sub-par fashion that won't help the animals as much as possible. Her work has been done for grizzly bears and wolverines.

Now she is working on assisting the recovery of a subspecies of woodpecker, by analyzing network cascades. They are buying up the land where the birds fly, then looking at the birds flight patterns and buying nearby land, which will help the birds spread their territory which will lead to increased population. The complicated issue is figuring out which land the birds will choose to spread to.

Further consideration is necessary for species interaction, as not all species interact in a cooperative manner.

They are getting help from the eBird project, at Cornell, which allows average folks to submit data about bird sightings. This helps them to learn where the birds are migrating and how long they spend in various areas.

Many of these concepts can also be applied to analyzing solutions to problems fought by very impoverished communities. For example, what will be more valuable to the impoverished? A chicken, improved roadways, or providing cell phones?

Back to the problem of over fishing, it seems to be caused by mismanagement. Professor Gomes is looking at models to help correct this mismanagement without causing any additional problems. Even after they figure out recommendations they need to get the fisheries to implement them. It is difficult to convince fishery owners that periodically closing the fisheries will actually lead to more fish when they reopen - you gotta give them time to reproduce and reach reproductive age!

Another thing her team is studying is the impact of fertilizers. While they do greatly increase the amount of food that can be harvested, they end up creating dead zones. On top of all that, they are also studying how to discover materials for fuel cell technology! These, again, Professor Gomes claims are problems for computer scientists.

Professor Gomes's research area is so incredibly broad! She shared with us, more quickly than I could capture, many of the different algorithms and approaches they are using to solve these problems. I got a great mini-introduction to all sorts of algorithms and data structures I'd never heard of before, like a spatially balanced Latin squares! She is an amazingly energetic, intelligent and passionate technical speaker and I think I could spend an entire day listening to her!

GHC10: Anita Borg Technical Leadership Award Winner Laura Haas

2010-10-01T08:02:00.000-07:00

Laura Haas, IBM Fellow, has been recognized by the Anita Borg Institute and the Grace Hopper Conference for her outstanding contributions to technology. I am so happy to be here to hear her talk today on information integration!

Haas and her team are trying to tackle the problem of how do we get information to people when they need it? For example, if a doctor is treating a patient with cancer, she will need to find information on how this type of cancer has been treated in the past, how well the treatments have worked and access past patient records.

The challenges faced are that you have diverse data models, overlapping data, incomplete and often inconsistent data. Different people involved want different views of the data and needs and knowledge change over time.

In order to do data integration, you need to understand what is available, as well as what the data means or its intent. You have to set up the schema, figure out how to identify information about the same object and figure out what to do with missing or inconsistent data. You need to decide which problems you're trying to solve, and execute - and hope the customer doesn't come back and tell you that they really wanted something else entirely :-)

Dr. Haas started her career in 1981 at IBM and relational databases were just coming onto the scene. You no longer had to be a database wizard to write code to interact with a database - which broadened the concept of information integration. They even called it "eager integration" - as you could eagerly get as much data as you wanted.

She then started her work on the project R* (pronounced R-star), which was a distributed relational database management system. One query was allowed to access data in multiple, homogeneous relational DBMS. This type of system helped prevent data loss and helped to distribute queries and transaction management. While the project did not have much commercial success, it paved the way for a lot of work in database systems and future products for IBM and her own future research.

Relational database technology was growing rapidly in 1984, a very exciting time for those in the industry. Dr. Haas then joined the the Starburst team (no, not named for the "fruit" chews, but named as an extension of the R* project). This was an extensible relational DBMS that allowed many types of additions - new functions, optimizations, indexes, data types, and storage methods. The best part of this? This project had legs - and became foundation for IBM's DB2 "for workstations".

Several people that worked on this project ended up being named Fellows or Distinguished Engineers, though she notes it took her a lot longer to get Fellow than her male colleagues and she had to earn many more accolades. Dr. Haas recommends that you wrap yourself with the best team you can find, do not be intimidated if they are better or smarter than you are, as they will take you places!

Dr. Haas was able to take a sabbatical from IBM to study at the University of Wisconsin-Madison, where she studied with the brightest minds in database technology at the time (1992).

One of the new problems that needed to be solved in 1993, when she returned to IBM, was how to store images, videos and text that were starting to proliferate online. Digital libraries start to emerge in this time frame and they eventually will leverage relational DBMS. Customers were starting to want databases that could store multiple data types, so Dr. Haas and her team went to look back at concepts from R* and Starburst to solve the problem and started a new project... Garlic.

Why Garlic? Because Dr. Haas doesn't like acronyms, which IBM was famous for at the time, and she loves to cook. Garlic and chocolate being her favorite things - her old team thought if they renamed the team/project to Garlic, they'd get her to come back off of sabbatical. It worked!

Garlic was a data-less (object-)relational DBMS (aka virtual DBMS/federated DBMS). Had all the benefits of a high-level query language and all the features of the underlying data sources. This not only became a product for IBM, but started two separate business units (Life Sciences and InfoSphere Information Integration). Something that is very obvious listening to Dr. Haas speak is that once you find people you like working with - stick with them. You can do amazing things!

IBM was having trouble with integration, as people working in life sciences that were trying to work together wouldn't use the same database as their colleagues, so Dr. Haas's team worked on something called InfoLink to attempt to bridge this gap. Unfortunately the project was not a market success, but did help get IBM in the door at new customers and led to the InfoSphere suite - "a complete line of products for all your integration needs."

The longer Dr. Haas was at IBM, the larger her teams got - from a 10 person research team to a 120 person development organization and eventually to over 700 people (no team picture for that group... :-)

While this all sounds wonderful, there was still major problems that needed to be solved in 1999. As more people were adding federation to their systems, issues emerged. Set-up of federation was too slow and complicated, and while the development team had assumed users would be doing very simple joins/queries, but it turned out that complex queries were more the norm.

This lead to yet another project, Clio (not an acronym!) to do schema mapping by simply drawing lines! This opened up many more doors for IBM in the DBMS space and gave the researches many more ideas for future projects.

What impressed me most about Dr. Haas was the importance she gave to her team. She was so proud of each and every person she ever worked with, remembered their names and knew all about what they were doing now. Dr. Haas is clearly an amazing collaborator and it's not surprising that these brilliant people want to work with her.

What a phenomenal technical woman, very deserving of the Anita Borg Technical Leadership award!

GHC10: Are You a Salmon, Too? BoF

2010-09-30T14:24:00.000-07:00

This BoF, on gender discrimination and sexual harassment, started out in a very interactive style, when the panelists asked us to discuss amongst ourselves the following question: "When you asked to go to this conference, did people ask you 'When are they going to have a conference for men?'" While nobody sitting around me got that exact response, we had various levels of questions from colleagues and management, like, "It's a women's conference, obviously not technical", "why do you need to go to a conference for women?", "why do you want to study hardware, I didn't think girl's were interested in that".

Sharon Mason, Rochester Institute of Technology, started out asking all of us to think about the experiences they were going to share with us and what we would do in these situations. Saying nothing, when you're confronted, is not the best option. This became a very interactive session.

Kristen Kielbasa, University of Albany student, gave us our first taste of strange behaviour from male colleagues. She was asked where she had just gotten some chocolates from, and when she responded "at the awards event for women", and her colleague responded, "Oh, we don't care about women". I guess even the enticement of free chocolate isn't enough to get a man to care about someone he works with every day.

Once the comments started coming from the audience, it became clear that it wasn't necessarily that these men don't care about women, as an individual, but that they don't understand how isolated women can be in technology careers and comments like that are not funny, but hurtful and further isolating. Some advice for responding to the above man were, "Does your mother know that?", "Why should 50% of the population make decisions for 100% of the technology user base?", "Why did you say that? What did you mean?" Great conversation openers so the person you're talking to can think more about their own comments and start a discussion.

Sharon Mason, was involved with organizing a women in technology group lunch and a male fellow student said, sarcastically, "I'm glad my tuition is going to fund women's lunch. When do we get to have a men in computing lunch?" Her response, which I think is fantastic, "Anyone, male or female, that supports women in technology are welcome to attend our lunches."

Jennifer Goodall, State University of New York, Albany, had a note in her .signature about the women in technology group she is involved in and it was included in an unrelated email she sent to a listserv. She received five bizarre email responses from men on the list, not at all about the message she sent, but about her .signature. One of them said that it wasn't necessary for women to be paid the same as men, because they can just marry a man that makes more money than they do to supplement their income!

The general opinion of women in the room was that some people cannot be won over, are aggressive towards women in general, and are only looking for a reaction. Though some did think that it may be a chance to take it as an opportunity to educate by asking an open ended question, like "what do you mean by that? Why do you think that we don't need more women in technology?"

As more women came up to share their stories, it became painfully clear that sexism and misogyny in the workplace and in universities are alive and well in present day. Some of the stories are clearly men that don't realize what they are saying may be hurtful or make women feel more uncomfortable, like "Wow, I can't believe there's a woman here." Others are truly horrifying, especially when many of these men are just claiming that it's all just a joke, said in fun. I heard things like: "We only hired you because you're cute," "Someone might lose their job over this project, it's okay if it's you because your husband can take care of you", "I heard you like 'meat'".

Things to keep in mind, often women get higher grades and graduate at higher rates. We aren't dumb, we just hear it often enough in university and work settings and can start to believe it. Others recommend having the facts available, like "women don't actually have different admission standards than men at this school", "there are lots of women that made great technology advances, like ..."

Lesson for men: If you have to keep saying, "I was only kidding", "I only say this sort of stuff around you because I know you're cool with it", "Encouraging technical women just furthers the diversity gap", etc, please realize it is hurting and discouraging women. It seems these types of wounds take a long time to heal and may have permanent damage on retention of women in technology.

GHC10: Cloudy with a Chance of Security, Another perspective

2010-09-30T09:15:00.000-07:00

I was excited to see one of the women I had breakfast with, Gerlinde Zibulski (SAP, AG), on the panel, as we were already having fascinating discussions on security and data privacy this morning. Other panelists include Kore Koubourlis (Microsoft), Linda Berardi (StraTerra Partners, LLC), and Alyssa Henry (Amazon Simple Storage Service).

This panel starts out with a great explanation of cloud computing: you pay for what you use, not for provisioning the system. Great for smaller companies that want to be able to change platforms or other directions quickly. Customers can focus on doing work, not trying to piece together a system from scratch.

When it comes to security and privacy, you need to think about things like how long can I store this data? How securely does this data need to be stored? What countries can this data be stored in? Compliance obligations can make this that much more complicated.

By storing your data in the cloud, you can leverage resources of the cloud, like disaster recovery set up, backups, penetration testing, etc. While individual organizations may say they'd like to do these types of things, and they might even have plans to do so, cloud providers have to have this all set up before they even put the cloud online. This is what you're buying from them, it's part of the service.

A funny thing is, while people are often afraid of putting things in the cloud, they actually discover that they have a much better idea of what is happening in the cloud with all the logging than they do for their internal network. There is a big problem with these internal unknown server, with the lack of logs and analysis: you might be paying people to maintain servers and applications that are over provisioned or just not used! True, you could add this type of auditing to your internal servers and applications, but will you?

Because cloud computing was so criticized a few years ago due to inadequate security, you'll often find the security on these servers is much better than anything you would provision yourself. Cloud providers know now that they are being constantly scrutinized, so they have to be secure. The panelist put forth the supposition that they are more secure than anyone's internal servers, but that does kind of miss the point that at least internal servers are... internal :-)

Overall an interesting talk, though I would've like to hear more about how they secured their clouds (where instead there was a lot of why), but it's great seeing so many women that work in security in just one morning!

GHC10: Role of Usability in Security

2010-09-30T08:03:00.000-07:00

Heather Richter Lipford, from University of North Carolina (Charlotte) and a high school class mate of mine, started out by surveying the audience to see how many bad habits those of us that should know better have: password reuse, falling for phishing, or getting a virus (lots of hands came up). This is known as the weakest link property, where the people are the weakest link - but could it be because the systems are too hard to use? (this is a reoccurring theme at this conference, it seems). Ms Lipford asks, how to improve this? Consider ease of learning, ability to perform the task quickly, have a low user error rate and high user retention over time.

Some possible solutions to things like phishing would be to have spoof warnings in browsers, but it needs to be something that users will not only notice, but understand what it means. Unfortunately, people are now thinking that things like seeing the lock icon in the browser means the site is legitimate - when all it means is that the site is secure. Phishing sites, it turns out, can use encryption, too. Oops!

Dr. Lipford's research is showing that users greatly underestimate the risks and negative outcomes of their behaviour, particularly when it comes to balancing short term gain vs long term risks.

Mary Ellen Zurko, from IBM, talked to us about her specialty in cloud computing. She noted that she's seen a change in how customers interact with IBM. Years ago, customers trusted that vendors would make the product secure and they simply wanted to know about features. Nowadays, customers want to know how the system will be secured and how their data will be protected. This comes up a lot when it comes to cloud computing, perhaps because the data is no longer centrally located and people feel more vulnerable.

More recently, people have a growing concern about keeping their email address private than a decade ago, this is a strange concept for me, but the thought of no spam is nice ....

What is usable security? UI designers need to be thinking about this usable security early in the design, make sure it's obvious and available to everyone, and avoiding surprises by anticipating future changes and addressing confusion and make sure you handle user mistakes.

Diana K. Smetters, from PARC/Google, started out by noting that more than 50% of the certificates on the Internet are wrong (this could be because they are expired, site address mismatch, invalid, etc), so all "rational" users who actually want to use the Internet are going to always click through!

You've got to meet the users half way (or more than that). For example, phishing attacks are a mismatch problem. The browser doesn't know the user's intent, ie they don't know you don't want to go to the evil PayPal imitation site. One approach to this is to not use general purpose browsers for accessing sites like banks, but rather an application - but that only works if you can get the users to use the application! [Side note: not to mention having cross platform support.]

You have no idea what a user will find difficult, unless you do an actual usability study. You have to give up on what you think would be good for the user (no matter how right you know you are) and you have to think about all types of users.

Dr. Lipford came back to expand this to to privacy as well. She talked about photo sharing sites, where other people upload and tag photos of you. The problem is that you may not want to have these photos linked to your profile or online identity. The problem is very complicated, because it may not be that you don't want to share the photo at all, but just not necessarily share it with everyone in your network. It's not just strangers that people don't want to share with - it could be that you don't want people you work with to see you drinking that giant beer at a friend's party. The thing is, even people who have had problems with photo sharing in the past, still continue to share photos, because this is something we as humans love to do.

Dr. Lipford is working with her students on coming up with a photo sharing application that allows two-way feedback between the owner of the photo and the person tagged in it. That is, the tagged person could restrict who could see the photo and request to the owner that the photo be removed.

The panel recommends the book Security and Usability, O'Reilly 2005, and the Symposium on Usable Privacy and Security, for further information on this topic, and mostly to keep in mind that usability and security go hand in hand and need to be designed in from the beginning.

GHC10: Thursday Welcome/Keynote, Another Perspective

2010-09-30T07:11:00.000-07:00

After entertaining us with a great video filmed at last year's Grace Hopper conference, they let us know that this year's conference sold out even before the early bird registration was meant to close and they still ended up with over 2100 attendees! WOW! I am so glad I registered early so I could be part of the tenth Grace Hopper celebration!

Duy-Loan T. Le, from Texas Instruments, moved to America when she was 12 years old and didn't speak English. By the age of 16, she had not only mastered the language, but was graduating high school as valedictorian! After being elected the first female senior fellow at TI, she vowed that she wouldn't be "first and last" and gave herself 15 years to help make another woman a senior fellow. Eight years later, she's still working on this goal...

Ms. Le talked about the great struggle of arriving here, becoming, in essence, deaf and dumb, as she didn't speak the language. She started working by babysitting and doing translation work, struggling to learn her school lessons at the same time as learning the language. Through all of that, she somehow managed to graduate early. Continuing on that track, she graduated from college with her engineering degree cum laude at 19 years old. By the time she was 20, she'd purchased her first house, bought her mother a house and gotten married.

During her first business trip to Japan in 1985, she noted that there were no women in the workforce. Any women seen were cleaning or serving tea. She asked us to imagine the look on the face of all those men when she introduced herself as the senior engineer that had been sent there to train them :-)

Realizing that she couldn't begin training these men with their preconceived notions, she spent the first two weeks of her four month stint learning about her hosts and her host country, and teaching them about herself as well. She found that once they got to know her as a person and as an engineer, she was able to finally proceed with the training she'd been sent there to do.

Even with all this new technology we have at our fingertips, the only real way to build relationships, according to Le, is by starting the relationship with good old fashioned face to face. There was something she had been working of for two months, that had totally stalled. It was resolved in two hours once she flew out to the person she was working with. You need to remember that it's not technology we're working with - it's people!

In order to successfully collaborate across the boundary of people, you need to have respect for those people, what they bring to the table and what they need. Doing this will help you attain your goals and get respect from those you are working with.

What a very inspiring speaker!

GHC10: Collaborative Risktaking

2010-09-29T15:01:00.000-07:00

Getting a bunch of engineers into a giant ballroom after a wonderful lunch filled with great conversation is hard. After much wrangling, we all got at tables of 10 and Dee McCrorey started us off with a really fun video taking a look back at women in technology and famous risk taking women.

Right off the bat, we're being asked to take risks at this conference: meet (and follow-up) with 20 new people, dance, and get interviewed for the Anita Borg Institute archives (and possibly used in future ABI events). I've been meeting lots of very interesting women and getting business cards (or connecting my super cute Poken to theirs) - but will I follow-up? Right now I'm going to say yes... check back with me :-)

Dee started talking about how the business world has drastically changed. For the first time, there are multiple generations working together on the same projects and that is changing the workplace as ideas are quickly exchanged. Old style companies treat their people as exploitable, let legality stifle innovation and only focus on ROI, but that type of management style will not work in this new world of business.

In order to survive in this new world, you need to innovate, collaborate, be willing to take risks, be bold, responsible and able to measure your results.

At this point, we did our group activities at our tables. We started with scoring our pre-work, a worksheet on our risk taking style. It was a strangely scored test, and we were all, apparently, responsible risk takers. :-) We were next supposed to do a team challenge, but instead my table started working on our own personal/career time lines...oops [Side note: several of us had trouble remembering order of events, except for the very tragic or very happy - ie weddings and deaths. The time line would've been excellent pre-work.]

Dee then brought up a calculus concept: an inflection point. This concept can be applied to your own personal and career peaks and valleys - these inflection points are personal and/or organizational shifts with the power to transform our lives (for better or worse). If you don't learn how to identify when these changes are coming down the pipeline, you are at risk for making a bad decision or poor career move that you'll have to work a long time to recover from.

Our next exercise was to work on our Optimum Change Cycle worksheet, which I had a lot of trouble with. Because I couldn't remember all my peaks and valleys from over the last 3 years, my time line was incomplete so then I had a tough time with everything that built onto that. Fortunately, our table mentor gave me tips to work around this which helped me relax and get more into the activities. Dee, and others, were all talking about their personal cycle - for example, Dee said she is on a two year cycle - she needs some sort of change, or she might start sabotaging herself or career. I don't think I have to have change on any cycle, as I'm often quite content to "stay the course". I mean, really, I've been at Sun (Oracle now) for 14 years, and working on the same team since 2002. [Side note: one advantage of working at a really large company is that you can change jobs without losing accrued vacation and benefits, heck, you can even change your job without changing managers!]

As I was listening to my table mates, I got to thinking - I am not change adverse and can happily role with the punches, but I don't often seek it out. Does that mean my ship doesn't have a rudder? Or is it something much simpler than that - a few years back, I lost my biggest advocate in our organization. Thing is, I didn't even know he was advocating for me behind the scenes, helping me get interesting projects as well as promotions. It was actually more than a year after he left that I noticed something was different, and my manager explained what I had lost. So, what can I do? Seek a new one out? Become my own advocate? Combination of both?

All that said, Dee says we've got to build safety nets, like networks of people to help and support you in your risks (the greater the risk, the greater your network needs to be). Beware of filling your network with just birds of a feather type folks, instead you want an innovation tribe - a diverse mix of people that can give you a mix of opinions. Doing so should allow you to make better decisions more quickly.

Make sure you share the experience with others and feedback to your network of support. This can be down with short videos, emails, blogs, etc.

Towards the end of the session, our table mentor asked about how the session impacted us and what we'd do with what we learned. My table mate, Misti, mentioned that she realized she could really benefit from a semi-annual self assessment of her career and life - to look for those inflection points and make sure she's on track with her goals. I think that's a great idea and am going to commit to doing that for myself. A lot of being a good and responsible risk taker means being aware of what you bring to the table and supplementing what you lack with a network of support.

What did you get as a take-away from this workshop?

GHC10: PhD Forum 3 UI/Education: another perspective

2010-09-29T08:43:00.000-07:00

I love the PhD forums, as you get 2-3 short presentations on fascinating new work

In this session, Laurian C Vega started with her presentation on Usable Security in Practice: Collaborative Management of Electronic & Physical Personal Information. Ms. Vega is taking a unique stance of data security: that it's not the user that is the weakest link, but the systems that make it difficult for the user to act in a secure manner. For example, one government agency she spoke to had an application that required 60 different passwords to use it fully. Now, there's no way someone is going to remember that many passwords, so users will work around this by writing things down or reusing passwords. Systems need to be made with security and usability in mind.

She went to physicians' offices and childcare facilities in rural Virginia to see how they managed their data records. She found many still used paper, but in some ways it was more secure than digital records. Obviously, nothing was online, so that threat was eliminated, and the physical records were very strictly controlled, typically by the physician themselves or by the director of the childcare facility. The downside of such a system, though, is that archives and "backups" (ie photocopies) often end up stored in someone's basement, where access is not controlled. So, there is something to be learned from the old way - both practices to initiate and to avoid!

Katherine Panciera presented In the Beginning: The Early Lives of Users in Online Communities. She had read a paper, Becoming Wikipedian, which talked about the evolution of a Wikipedia editor, showing that the more edits people performed, the more involved they got in the community. She wanted to see what she could learn about the users of online communities and how their behaviour would change over time. Much of her research so far has been on users of an interesting bike website, Cyclopath. So far, she's found that power users actually show themselves within their first few days of using the site. It'll be interesting to see what further research shows.

Our last speaker was Lijun Ni presented Building Professional Identity as Computer Science Teachers. Apparently there is a lack of teachers in this country that can teach computer science to high school students. For example, the entire state of Georgia has only 72 CS teachers! I wouldn't have even known about this problem, as it seems all the high schools (and even some of the middle schools) in the San Francisco Bay area all have CS teachers. Heck, even my high school in Indiana (R Nelson Snider) had a math/CS teacher back in 1990.

Ni's research shows that a major contribution to this is teacher retention - 46% of teachers leave the profession after only 5 years! This is so surprising to me, as it seems they are only working about as long as it took them to get their initial qualification to teach! The other major issue is that teachers who do stay are very resistant to change in their curriculum. Makes me wonder if anyone is still teaching Basic in high schools?

Ni's furthering her research to try to resolve those problems, and it seems she has a lot of work ahead of her.

Getting Ready for Grace Hopper 2010!

2010-09-24T15:09:00.000-07:00

I am unbelievably excited about the Grace Hopper Celebration of Women in Computing event happening next week in Atlanta, GA! My bag is packed... well, over packed... need to fix that. I've got my laptop upgraded and set up to access my new mail server and my new business cards with my new phone number arrived this week! I put new batteries in my Dymo label maker and have two extra sets of tape for it - you'll be able to find it at the community table so you can add extra information to your badge (like your twitter feed, etc). I looked at the conference schedule and have already made myself a personal schedule with all the rooms for all the sessions I want to attend. I need to make sure I don't forget my chargers and extra laptop battery. Packed tea and my travel kettle and I pre-ordered a travel mug from the conference, so no need to bring my own. Oh, and my rain jacket, as thunderstorms are in the forecast!

I am really looking forward to attending the PhD forums on Wednesday, before the big conference kick off happens, and I'm thrilled that usability forums include issues like how usability impacts security of the entire system. I'll be sure to post my notes right away (unlike PBWC, GHC has prolific wireless access, so live blogging is easy).

I've already started connecting with other attendees, thanks to the twitter lists that @ghc is maintaining.

What are you looking forward to? Anything other unusual items to pack?

Beers (and Bears) of Yosemite

2010-09-23T17:15:00.000-07:00

I had the great fortune of making it up to Yosemite 3 times this summer. Yosemite is the most beautiful place I've ever been, and you can't beat a campground within walking distance to a bar!

Yosemite bars serve Mammoth Brewing Company brews on tap, and you can also purchase them in every grocery store we checked (okay, that was just the one in Curry Village...). I haven't seen Mammoth beers out here in the bay area, so was excited to try them the first weekend we were out. I ordered myself a Double Nut Brown and my husband an Epic IPA. The brown was a nice typical brown (which just might be my new favorite style of beer), rich, nutty, slightly sweet without being syrupy, with an incredibly smooth finish. The Epic was much too bitter for me, typical of American brewers pushing for stronger & stronger flavored IPAs (as opposed to, in my opinion, nice flavors). Much like its flavor, the beer itself was very strong. Of course, American bars so rarely list the ABV, so we didn't know 'til my poor husband woke up the next morning with a terrible hangover.

When we asked the barmaid on our next visit about the ABV, she believed the brown was close to 5 or 5.5% and the IPA, being EPIC, was closer to 8 or 9%. Yikes, a warning would've been nice!

On another stay, we also tried the Mammoth Brewing Company Amber - lots of flavor in this one, a bit of honey, caramel, hops and lots more carbonation (not necessarily a good thing when you are at altitude).

I didn't get to see any bears in their natural habitat this year, but did have the misfortune of camping at a site with a loose bear locker. This black bear had obviously learned that if he banged on this locker, he could often get the food out. We had it padlocked, so that method didn't work, but didn't stop him from knocking on the locker. Fortunately, our neighbors chased him out of the site (we were in our tent). The next night he came back, and this time I got to help with the chasing! On the last day of that trip, the rangers treed that bear and we had a quiet night of sleep. This is when I'm glad we don't camp in grizzly country! *whew*

Progress!

2010-09-23T14:06:00.000-07:00

So, on Tuesday morning, I went in for my reevaluation of my partial tear in my quadricep tendon - and the PA from Orthopedics said I could take the torture device, I mean, knee immobilizer off! No more crutches! Now I have a cane! I need some more decorations on it, though, it's pretty boring with just a couple of dinosaur and OpenSolaris stickers.

The best part is? I can wear jeans again! It was getting pretty cold to be wearing skirts (I couldn't wear tights or leggings, either, because the knee immobilizer had to be directly against the skin).

Actually, the truly best part is I can now sit in a chair like a normal person. The pain in my back and healthy leg are starting to recede now that awkward angle sitting (either sitting on the edge of the chair so my foot could rest on the ground or with my leg up on the CPU and the leg brace digging painfully into the back of my leg) and bizarre pirate walk are done with.

I started rehab on Tuesday and am learning how to walk again. I never thought I'd be one of those people that didn't move the opposite arm to the leg that's going forward (I've heard a dozen dance choreographers yell at people for this), but here I am consciously telling myself to move my left arm as my right leg goes forward. I guess walking with crutches for a month creates some weird coping mechanisms!

Thank you all for your good thoughts - I can bend my knee to 90 degrees - hopefully more as the rehab continues!

PBWC: Lunch Session with Safra Catz

2010-09-20T17:45:00.000-07:00

One of the coolest things about this year's Professional Business Women of California conference was getting to hear Safra Catz, co-president of Oracle, give the luncheon keynote. As a recent Oracle employee, it was great to hear one of our fearless leaders speak so candidly to business women.

Catz didn't shy away from making comments about the Sun acquisition from the get go, when she introduced Oracle as a "30 year old software, well, now hardware, company". She went on to note, when it came to acquisitions, "I feel like Larry Ellison's personal shopper and I'm exhausted" and that she was very happy that Oracle was able to get Sun before anyone else did.

Catz shared her top ten list of things she wished someone had told her about earlier in her career:

You can never be #1 by chasing #1. What is #2? The first loser. Aim to be best and be willing to work outside of the box to achieve it.
Scale matters - the more customers you have the more you can spread your cost, but scale is different than size.
Focus on what your real business is. Bigger is not better and you shouldn't expand and acquire things just for the sake of "growth" - target only areas that make sense for your business.
If it doesn't make sense... it doesn't make sense! She prefers an acronym free zone and people that speak plainly and question things that don't make sense.
Don't stand still. Making a few mistakes is better than making no decisions at all.
Don't stand still, but don't chase fashion. Stick to your core.
If you don't ask, you don't get. The only way to be certain that the answer will be "no" is to not ask at all.
Just because everything can be put online doesn't mean it should be.
Integrity is a perishable asset. You can recover from being stupid, but not from lying.
The difference between having long term success or not is knowing you didn't do it alone.

Hearing Catz speak gave me a great insight into my new corporate home, and I'll try to keep her lessons in mind. Is there anything you'd add to this list? Things you wish people had told you sooner? (or, things people had told you but you really wished you'd listened to them?)

Something I continue to remind myself: try not to hold a person's past mistakes against them, and certainly don't hold your bad mood against them, either! What else?

Faultline Brewery

2010-09-08T17:28:00.000-07:00

Had a work lunch at Faultline in Sunnyvale yesterday, which meant I didn't really have an opportunity to try all of their beers... but I did get to enjoy the cask conditioned Pale Ale. Unlike many Pales lurking in the marketplace right now, this brew had lively hops without overwhelming bitterness. It came in at a nice 5% ABV and the pint glass was even nearly full. It paired well with the daily special of blackened cod served over penne pasta with alfredo sauce, peas and bits of real bacon. The beer balanced out the spice of the dish and made for a very tasty lunch. Service was superb, especially for such a large group.

I did get to try the Belgian Abby style beer as well that a friend was drinking. Lots of citrus and a fine finish. I definitely want to go back so I can have a full pint of that.

This delightful Pale Ale brings up a great point: if you're a local brewer, you really need to invest in a beer engine (or two) to serve up cask conditioned beers. The natural carbonation and cellar temperature cannot be beat for enjoying a pint.

Adapting...

2010-09-03T16:01:00.000-07:00

These last few weeks have been a big lesson in adapting for me. Vertigo, knee immobilizer, and an office move.

Life as an Oracle employee is finally sinking in - things are different. Some things are better, some are ... well, different. Packing up my old office in Menlo Park was quite a walk down memory lane - I found old CDROMs full of SunScreen source code, old Solaris install media, cards from friends, pictures of family, and stacks of old design notes.

I've moved around a lot in my years as a Sun employee, but my very first office was a double window office in Menlo Park (MPK17) overlooking the foothills - probably my favorite office to date. From there I went into Palo Alto (PAL1), Mountain View (MTV21), back to Menlo Park (MPK18) then back to my favorite building, MPK17. I moved back into Menlo Park 17 right after September 11th. Everything seemed so surreal, joining the OS group and working on a product with a seemingly endlessly large team. I couldn't believe how strict the integration standards were (and now, as a CRT advocate I enforce these and as chair I document them), nor how large the scope of our overall project was.

I sat across from a woman, Renee. And over the next 9 years, even as our offices moved, we were still across the hall from each other.

Now I'm in Santa Clara. I still have one box left to unpack. Renee is on the other side of the building, not too far, but not shouting distance either (of course, the rest of the people around me are probably grateful for this). The commute is nicer, though I'm further from my friends in San Francisco. I think I'll like it here.

About two weeks ago, I sat up from a massage and suddenly found the room spinning. No matter how long I sat, it wouldn't stop. Hours later I found myself visiting a doctor at Kaiser who diagnosed me with Benign Paroxysmal Positional Vertigo (BPPV) which is a vague diagnosis which basically means: "Something in your inner ear relocated. You're dizzy and you're just going to have to learn your new spatial environment". He performed the Epley Maneuver and gave me some exercises to do. So, I've been adapting to my new inner ear. It's taken awhile, but the dizzy spells are very infrequent and typically only happen when I turn my head upside down (like when drying my hair!). So, yoga is right out... oh, it was anyways....that knee immobilizer....

Apparently during my 105-mile bike ride for the American Lung Association, I partially tore the tendon that attaches my knee to my quadriceps. This knee has always had a tight quad, so swelling in my knee wasn't unusual. After a few weeks, though, of having it swell up every time I tried yoga or short bike rides, I made my way to Kaiser. Initial x-rays showed a perfectly healthy knee, but the MRI (which I had to wait more than 2 weeks for) showed the tear. Now I'm in a knee immobilizer. The device goes from just above the ankle to most of the way up the thigh. It needs to be worn directly on the skin, 24 hours a day. This means no jeans! I can wear short-shorts or skirts. Thank goodness I have a lot of skirts! I can walk with crutches (which results in sore ribs/hands/shoulders), or kinda like a pirate (which results in sore back). I alternate. I'm adapting.

I have a long recovery ahead of me. I can already see the muscle in the effected leg melting away. I don't know when I'll be able to ride my bike again. I'm so afraid I won't be able to. I am already tired of driving everywhere. I don't even want to think about skiing - I can't miss out on ski season, too!

As much as I want to feel sorry for myself and have a great big pity party, I realize that I am very fortunate to have medical care and an incredibly supportive husband who has been doing most of the driving and taking care of the house. I can put Renee on speed dial. I can adapt.

Professional Business Women of California Conference: Workshop Session I

2010-08-06T17:40:00.000-07:00

I will admit that when I first looked through the schedule, I wasn't very excited about any of the seminar session breakouts, so I decided to attend the workshop track. Leave it to PBWC to make sure I wasn't disappointed!

For Workshop Session I, I attended Chris Melching's Paddle Your Own Canoe: Tips for Selling Yourself.

This is something that comes up every now and again as a blogger and someone that is very active on twitter as well, but I will admit I haven't really thought much about creating a brand. When I'm online and writing, I'm usually just sharing my experience - no matter what area it's in. I see so many blogs that start up and try to have a specific focus, and fizzle out after a half dozen posts or so. I don't write enough as it is, and would rather just write about what is on my mind or interesting things I've done than worry about it fitting into my "brand".

Chris Melching, though, reminded us that anything you put on line is your brand. If you think potential employers aren't checking out your online presence before your interview, you're wrong.

Melching covered the standard excuse given for not doing self-promotion, "I don't want to brag", with a great Kate Hepburn quote: "If you don't paddle your own canoe, you don't move."

This is where things get tricky. Most of us, including me at times, sit and wait for promotions, for changes in career direction, new opportunities to simply appear. While that does happen, it's rare and you cannot depend on it.

So, paddle your own canoe! Think about ways you can stand out, and never forget the silent messages you send, for example, what does your listening face look like? Apparently, 55% of an impression is made up from body movement, so if you want to show someone that you do care about what they are saying!

1. Make a good impression

Try to keep an open body - never let hands touch!
Make eye contact, even in groups
Talk about what you can do, not what you can't do
Don't complain or dwell on the negative (this one can be so hard!)
Smile more
Come up with possible solutions

After attending this workshop, I tried to think more about my own passive face. Often when I'm working at my desk, or just thinking about something while I'm walking down the hallway, people will ask me what's wrong. I now realize that my "thinking" face reads like a "sad" or "upset" face and I am slowly trying to change that habit (which is hard to do, while thinking about something else).

2. Build up your online presence to extend your presence beyond those you interact with on a daily basis. (side note: when she asked for a show of hands of women that used twitter, blogged or interacted on Facebook... only a small number of hands came up!)

3. Act as if...

Act as if you're already important. Walk up to someone and start a conversation as if you know (for sure) that they want to be talking to you.

Act as if you're confident, and before you know it, you will be!

Keep in mind that the minute you walk into a room, you're in the spotlight and you are being judged! A women executive that Melching interviewed said that within seven seconds she is already trying to figure out how to either get you out of her office, how to help you, or how to get something from you. Seven seconds!

It is important to always put forth a professional presence so you are prepared for these quick judgments people are making (even if they aren't aware they are making them). Make sure you are put together, organized, engaged and smile.

Some tips for making this happen:

Open up your body, you'll appear more confident
Slow down your pace and listen often
Smile (often!)
Project strength in how you look, act and sound at all times
Ask questions, stay focused (put the smartphone down!)
Become contagious and change people's pulse when you speak (easier said than done, right?)
Use large gestures

When you are speaking you can be a train wreck inside, but still project confidence on the outside by:

Exhaling
Acting calm
Not fidgeting
Smile
Not touching your face
Being purposeful
Pinching the table to focus your energy, and conveniently this keeps you from touching your hands together and keeps your body open. (I've tried this, it is an amazing way to focus actually)

Ask someone you trust what your strengths are, so you are aware. Ask what you do well, what you should do more of or less of.

Of course, I'm generally thought of as an animated person (which is why I do need to watch my focus expressions), so I need to take some of these tips in stride. If I started making incredibly large hand gestures along with animated facial expressions, it would likely become a very strange experience for those I was talking to. On the other hand, I do often find myself closing up in meetings and these simple reminders can help me make sure what I'm showing others is indeed the message I'm intending to show.

4. Build selling into your everyday conversations. For example, if someone asks, "How are you?", don't answer with "fine", but rather something along the lines of "I'm fantastic. I'm really excited about this project I've been working on..."

5. Be succinct. Well, if "fine" isn't a succinct answer, I don't know what is ;-) But, what Melching is talking about here is giving folks the highlight reel. When someone asked how the meeting went, don't start on about how Bob was late, you didn't have the slides ready, then your flight was rescheduled, and then your luggage was lost.... oh, wow, I'm boring myself here! Get to the point and provide the nitty gritty details later, if they are asked for. Small bites:

What did you do?
Who benefited?
What were the results?
What are you trying to ask, get, etc?
Stay focused
Share your passion
Avoid "um, er"
Share your passion
Increase your energy in your voice

This is an area that I have trouble with. I practiced these skills for awhile right after the conference, but realize now that I'm already slipping back into some bad habits. I'm glad I'm revisiting this with this blog entry so I can start to make this a habit!

6. Know what you want and then just ask for it. If your manager doesn't know you want an international assignment, you can't be disappointed that they give the assignment to someone else on your team.

7. Encourage objections. This will help you flesh out your own ideas, find out who agrees with you and let you learn about what is on other people's minds.

8. Clarify your next steps. Be specific, especially when you're seeking advice or something else from someone.

9. Get frequent reality checks from others - back to the "what's working? what should I do more of? less of?"

10. Grow and sustain your network! Make sure you stay in touch, and not just when you need something. This applies for personal relationships as well as business ones. Try to check in once a quarter and build your network by introducing people - they will return the favor to you someday.

Overall, I really enjoyed this workshop. While I realize out of the attendees there, I was one of the few with an established online brand, that doesn't mean I can't do more to focus it. I can certainly work on the being succinct part - how long is this entry?

Do you have any other good tips for selling yourself?

Monk's Kettle Ninkasi Beer Dinner

2010-08-03T12:05:00.000-07:00

I was so happy to be able to participate in the San Francisco Bay Area debut of the draft beers of this delightful Eugene, Oregon brewer, Ninkasi, back in March.

Ninkasi, a relatively young brewing company, is named after the Sumerian Goddess of Fermentation and they have played around with some of the first recorded beer recipes while doing their brewing. Happily for us, they sent their primary brewer, Jamie Floyd, to teach us about each of the beers we tasted.

The Monk's Kettle has started a new tradition of giving the diners a welcome beer - and I can't think of anything more welcoming than a gratis beer! We were welcomed with Spring Reign, a seasonal American Pale Ale coming in at 6.0% ABV. The beer had gentle hops and a crisp flavor that, unlike many pale ales, mellowed and really grew on me as I sipped it while chatting with my friends, BJ, Rod, Cory & Mark, awaiting the first course. This was what Jamie referred to as a "session beer", and I could definitely see that. Easy to drink at 35 IBUs and not *too* strong.

The wait was well worth it, as we were served the most delicious cream of mushroom soup any of us had ever eaten in our entire lives. The soup, made from locally grown organic portobello muhrooms, was garnished with fried truffle shallots, with a tarragon reduction - simply amazing. Each of us agreed that we would've been happy if the soup was served for each course :)

The best part about this soup? It completely changed the complexion of the beer - bringing out a before hidden essence of peaches.

Chef Kevin Kroger really outdid himself with this course and we were certain we'd be let down by everything else that followed - wow, we were wrong!

The next course, coconut curry with Ocean Garden shrimp served over a Thai basil rice cake was seasoned with fresh ginger, Thai basil and mint. I found the curry lightly spiced and creamy, the shrimp was amazingly tender - perfectly cooked! Perfectly matched as well with the Total Domination American India Pale Ale (6.7% ABV), which was soft, citrusy, light and very drinkable. I swore I tasted lemon grass in the beer, too. I was surprised I enjoyed this beer so much, as it came in at 65 IBUs, and I tend to not like "bitter" beers, but this beer was very drinkable... perhaps another session beer? I can see why this beer is the #1 selling 22oz bottle in Eugene, OR. I've been keeping my eyes peeled at my local bottle shop for it myself.

Jamie Floyd took a moment here to share his IPA philosophy with us, which I find lines up perfectly with my taste preference. He realizes that hops operate on a logarithmic scale and you have to be able to find the correct balance of bitter, flavor and drinkability. Lots of brewers can make an IPA that tastes great in a 6oz pour, but Jamie only sells in 22 ounce bottle so he has to brew beers that will taste as good on your last sip as they did on their first.

And this is when true joy began - our next beer, Tricerahops Double IPA (American Imperial India Pale Ale - 8.8% ABV). This beer had an amazing hoppy flavor without the bitterness I've come to associate with hops. It can be done! It was smooth and a pleasure to drink, though at 8.8% ABV, it is better to be enjoyed in small quantities.

How could things get any better? Our waiter brought out the next course - cumin rubbed pork tenderloin, goat cheese mashed potatoes and grilled asparagus. The pork, like the shrimp, was cooked to perfection - tender and juicy, with a rosemary-orange glaze. Again, this course was cooked with tarragon - an herb I believe I've been greatly under estimating! The beer was paired well and the food and the beer accentuated one another.

Our fourth beer was Believer Double Red (American Red Ale, 6.9% ABV), which was inspired by one of my favorites - Deschutes' Jubelale. Apparently Jamie and his crew had been working on the recipe for this beer longer than anything else in their lineup, and it was their first winter seasonal. I found this beer to be more of a brown than a red, with hints of dates and a smooth easy taste. The Believer Double Red was paired with Igor Novara Dolce Gorgonzola with roasted garlic cloves and an Italian and Thai basil reduction, with toasted cashews and Metropolis bigio bread. Always a fan of blue cheeses and roasted garlic, I could not have been more delighted by this course. The flavors blended together nicely and brought out the date flavor of the beer. Another course I wouldn't have minded being repeated ;)

The fifth, and final, beer was the one I had been most looking forward to: the Oatis Oatmeal Stout (7.5% ABV, 50 IBUs). I am a huge fan of oatmeal stouts, regularly drinking some at the Tied House in Mountain View. Actually, it may just be that I'm a huge fan of oatmeal, which I eat nearly every morning and have since I was a kid.

Ah, but back to the beer! It was a creamy brew, with coffee tones and a distinct nutty flavor (I could've sworn it tasted like cashews, but that was probably the last course still lingering). The Oatis Oatmeal Stout was originally their second winter seasonal, but the beer became so popular it is now a permanent fixture in their lineup. Jamie and the gang do like a clear beer, but they try to avoid filtering as it can take out some of the lovely flavors, so they have been experimenting with using a centrifuge on this beer. I do have to say I loved the results.

Chef Kroger paired this beautifully with a tarragon chocolate chip cookie and vanilla ice cream sandwich with an Oatis Oatmeal Stout infused chocolate sauce. I don't think you can ever go wrong with an ice cream sandwich, but I would've never thought of putting tarragon into cookie mix. This was surprisingly tasty. It was a bit like tarragon was the "secret ingredient" in this beer dinner, as it popped up so often and is usually a neglected herb - but it really worked and helped accentuate the bear flavors.

All in all, another palate enticing affair! Can't wait til the next one - oh, that's tonight! :-)

Team Salty Dawgs Did It!!!!!!

2010-07-18T12:41:00.000-07:00

Wow! In one of the most amazing experiences of my life, I completed over 100 miles with my fabulous teammates in the American Lung Association's Breathe Easy Ride. I raised $4300 and the team raised $7656 (before any corporate matching) to help make lung disease walk the plank!

Since January, I had ridden over 1600 miles on my road bike, but still nothing could've prepared me for this. It was intense, exhilarating, heart breaking, exhausting, difficult and full of joy, laughter and unexpected camaraderie. My team was my pack. I could not have done it without their physical and emotional support, and the amazing support of all of you who donated to my ride and sent me inspiring letters.

A misfit team of current Oracle and former Sun employees, all with different abilities and skills, started leaving the parking lot at the Sonoma Mountain Village about 5:40AM on June 26th onto the foggy and desolate roads of Rhonert Park. I left first, as I am the slowest rider on the team, and found myself riding amazingly fast accompanied only by horses and cows, trying to get as many miles under my belt before my team caught up with me. The air was thick with fog and quite cool, and I quickly warmed up as I was maintaining speeds over 15 mph.

Mark, Richard & John caught up with me after nearly a half an hour, apparently wondering where I'd gotten off to as they were not expecting that sort of speed from me... and warned me not to spend all my energy too soon. :-) Mike & Bryn were the last group to leave the parking lot, and inadvertently followed some 66 mile riders and started off on the wrong path - bypassing the rest of the team completely...until later.

As per my plan, I spent only the minimal amount of time at the first two rest stops - just stuffing my face with potatoes (YUM! roasted with rosemary!) and fruit, reloading my Cytomax and topping up my water. At the third rest stop, we had a surprise: Mike! Poor Mike was getting over a bad cold and just couldn't keep Bryn's pace, but this was good for us as we now had 5 people in our pack!

The weather stayed on our side, remaining cool, foggy and overcast until about 10 AM when the Sun just started to peak through. The five of us maintained time trial positions (single file line, each rider right on the back wheel of the one in front), taking turns at the front. While I am used to drafting with one or two people, the formation with this group of 5 riders had us moving like the wind! At our 4th rest stop (55 miles in), we were still maintaining an average speed over 15mph, even with several moderate climbs past us. We were cool, fresh and all felt great!

Then came Coleman Road. As we started the climb, John & Mike got out ahead of us, missed a turn and went 5 miles out of the way before realizing their mistake. Richard, Mark and I slowly climbed up this steep and soul crushing road, when lo-and-behold, down came Bryn! Curious as to why he was going the wrong way, we stopped only to discover that when he finished his descent to the coast and reached HWY1, it was so impassible with fog, his only option was to turn around and climb back up Coleman Road.

Bryn regaled us with tales of rough road and cattle grates before continuing onto his own personal journey, but not even his warnings could prepare us for what lay ahead. I could've used my mountain bike, the roads were so rough and twisty (and why on earth were there so many cattle grates?!?! WHY!?!)... heck, I could've used a car. It was brutal, desolate, frightening and beautiful.

When we reached HWY1 about 70 miles in, it was foggy, but we had at least a quarter mile of visibility, so Mark, Richard and I persevered ahead - little did we know poor John was back on track and doing that terrible climb alone, even though he'd already done an extra 500 feet/10 miles on his detour. It was noon, and I foolishly thought that I could do 30 miles in just under 2 more hours....

The climb out of the coast and back to the valley was unbearable. My legs were tired. I was hungry & thirsty. Fortunately, Mark had been carrying around extra food & water all day - as there were more than 30 miles of intense climbing and scary descents between rest stops! Mark was happy to lose the extra weight, and Richard & I were happy to have food and water :-)

For those of you who are curious, we were following (in reverse) the Tour de California route - yes, serious climbs for professional riders. The pavement was graffiti'd with ALLEZ, ALLEZ, ALLEZ and various rider's names.

After finishing our descent into the valley, we found Mike, who had backtracked on the route in order to skip the Coleman climb (since he'd done that bonus 10 miles with John), yet still get 100 miles in.

When we arrived at the 5th rest stop at mile 82 a bedraggled mess, happily greeted by volunteers from the Salvation Army with warm roasted potatoes, nuts, and ice cold water. The sun was out by then and we were all getting tired. As the four of us pulled out of the rest stop, we spotted John pulling in. Knowing he'd catch up, we continued on. At this point, every little hill just killed me. I'd have to immediately drop into granny gear and just use every ounce of energy I had just to keep spinning my legs. My quadriceps were burning. My IT-bands were on fire. I could only think of all the support I had and I knew I had to finish. Mark, knowing how important this was to me, literally pushed me up the remaining hills, even though he was beyond exhausted himself.

Terrified of being removed by SAG for taking so long, as the ALA said would happen, I just kept spinning, making it to the 93 mile rest stop just as they were closing. They gave us some fig bars and cold water and we were on our way again - this time with John!

Somewhere on those last 10 miles, Mark, Richard and I got separated from the group when we had to wait an insanely long time to turn left at a T-intersection. As the three of us were on final approach, Richard ran over a small drill bit that managed to pierce the wheel and slide *into* the spoke. Mark & Richard weren't sure if they were going to get that drill bit out, so I pushed on ahead.... and missed a turn, getting lost with 103 miles completed.

In the end, I rode 105.5 miles, Average speed 13.2mph, 8 hours of riding, 10 hours total door-to-door, burned 4544 calories and climbed about 6500 feet.

The most difficult thing I've ever done. I'm still recovering. Thank you everyone! Thank you!

Professional Business Women of California Conference: Opening Session!

2010-06-30T15:31:00.000-07:00

Last month, I was fortunate enough to attend the Professional Business Women of California's annual conference in San Francisco! This conference is both inspirational and educational, a real treat to be able to attend. Oracle, my new employer, is a sponsor of this conference as well, so I got to meet many Oracle "classic" employees and got to learn more about the company and the new corporate culture.

The day started with a wonderful suggestion from PBWC Board President Ann Barlow: "Put the Blackberry down and tune in!" This is important, particularly in today's culture - most of us do not multi-task as well as we think we do (I know I don't!) and it's nearly impossible to be reading email and fully paying attention to people in the room. Personally, I was glad to give this day my undivided attention (though I did wish they had wireless access so I could live blog... which would've gotten this entry up a lot sooner!)

Ms Barlow noted that while women have many strides as professionals, the layers over middle management are still dominated by men! While it's clear this is a problem, it's not so clear what we, as women, can do to fix this.

Our morning keynoted was from Sheryl WuDunn, a Pulitzer Prize-Winning journalist, author of Half the Sky, and world traveler. Ms WuDunn told us about some of her travels - including a trip to China, where she met Dai Man Chu, a little girl who's parents were going to take her out of school in the 6th grade because $13/year in tuition was unaffordable and she was only a girl. When WuDunn wrote about this, readers from the New York Times came through with enough in donations that not only Dai Man Chu could attend school, but so could other girls in the village!

In her travels, WuDunn has learned that in many countries all resources, including food, go first to boys. In India, for example, 1-5 year old girls have a 50% higher mortality rate. In places where people make less than $1 a day, only 2% of that income goes towards educating their children, while 20% goes towards tobacco, alcohol, festivals and prostitution!

WuDunn feels the best way to end poverty and terrorism is to educate women and allow them to enter the workplace - but in order to do that, somehow a shift has to happen in spending priorities in impoverished countries. She feels that groups performing micro-loans, as well as places like Heifer International that gives livestock are some of the ways that can help make women more independent in these countries and hopefully make positive strides towards education and entering the workplace.

What an inspiring way to start the morning!

Training Continues for next week's 100 mile ride!

2010-06-17T17:00:00.000-07:00

First, thank you to all of the advice I got from this blog and on facebook, particularly to WillO, @kleen, Bryn and Mark, my training has been progressing very well!

With more frequent snacking, Cytomax in my bottle, and shorter but more frequent breaks, I have gotten away from the mysterious gassy stomach and massive headaches on my long rides. My speed has really improved as well, though I am still the slowest rider in my group rides.

So far my big rides have included 65 miles in the East Bay for the Primavera (which was so amazingly beautiful! We got to race against a steam powered train!), 82 miles in Gilroy's Tiera Bella (the 100 mile route with the big climb up to Henry Coe and back cut out... :-), and 83 miles from our house to the ocean and back (big climbs included Arastedero, Alpine, Old La Honda Road, Stage Road, Pescadero and Tunitas Creek). I'm still riding after all that!

I've even done three mountain bike rides this year - and haven't cried on any of them (even though I fell down once and ran into a post another time.... :-)

Look at that awesome speed! It's a good thing you can't hear whining in a photo ;-)

While training has been going well, I am still far short of my goal. Can you please help support the fight against lung disease? As a reminder, I am riding because my mother is a lung cancer survivor, my step grandmother just died from lung disease and many other members of my family have lung disease - including me! Doing all this riding with asthma is tough, but it is such a worthy cause. Please help me out by supporting my ride today! Your donation is tax deductible.

Monk's Kettle does it again - and cabs?!

2010-06-03T13:23:00.001-07:00

A full write up will come later, but suffice it to say that Monk's Kettle pulled out all the stops last night for their Lagunitas Beer Pairing dinner. The hops were ever present and well balanced by the delicious food.

Dinner was a bit slower paced than normal, which meant we had to rush out to catch a cab. It took us forever to find one that wasn't occupied, but then the driver we got DIDN'T KNOW WHERE CALTRAIN WAS! How can you be a cab driver in San Francisco and not know where the Caltrain stations are? There are only two....by the time we got out of that cab, it was no longer possible for us to make our 10:45PM train, so we had to wait it out 'til the midnight train.

Sayer made sure our wait was bearable, though, by bringing us out some of the leftover dessert chocolate and some beer - YUM!

So, is there a good way to find a cabbie in SF that actually knows where the train stations are? Any recommendations? Or do I just need to print out a directions and take them with me?

Now Appearing in Gypsy!

2010-05-18T16:12:00.000-07:00

Sorry for the long delay since my last post - I've been busy rehearsing for my opening of Gypsy at Hillbarn Theater in Foster City!

I'm playing the role of Miss Cratchitt in Act I and Renee in Act II, and having a blast! I haven't been on stage at Hillbarn since I appeared as Minnie Fae in Hello Dolly several years ago. It's a great production with an amazing cast and crew!

Annmarie Martin is amazing as Mama Rose and inspiring to me as an actress. When I have my scenes with her, I feel a passion and character connection that forces me to be perfectly on my game and in the scene. She's a total pro - literally! Not to mention an incredibly nice person who does some amazing knitting and crochette. Oh, and she's an avid Sharks fan - check her out singing the Canadian and American national anthems in the Shark tank!

Every actor I'm sharing the Hillbarn stage with are taking the production very seriously - always in character, hair & makeup always done as designed, costumes kept nice, and engaged in the scene - even if they don't even have any lines.

And the crew.... first of all, it's the first time I've ever been on a show with an entirely female run crew! [1] Yay, women techies! They are super organized - everything just runs smoothly. Sets are where they need to be and props are always in the right place. Thank you, Joey, Rosie, Haley, Aya, and Andrea!

Beyond the run crew, the orchestra is spot on; the sound guy, Steven, monitors the levels perfectly throughout the show; sets are repaired as needed by our fantastic set designer/builder, Lee Basham; gorgeous costumes from Shannon & Mae; lovely hair-dos from Dee & Kathleen; and things run smoothly thanks to producer Lee Foster!

If you get a chance, please come see the show - we've been selling out nearly every night, so buy your tickets sooner than later! Let them know you're coming to see me. It's a wonderful production - you won't be disappointed!

[1] Nick, our fill-in techie, is not a woman and still really awesome!

First Firkin Friday at the Tied House!

2010-04-06T09:30:00.000-07:00

I was given the very cool honor of getting to tap the firkin (a small barrel of Real Ale) this past Friday at the Tied House, for being such an avid Tied House fan on Twitter, Facebook and my blog. I was very nervous when I discovered this was a good ol' fashioned type of tapping - with a pointy tap and a mallet! I'd heard the last person to do this got sprayed in beer - and I did *not* want to waste fine beer!

Carolyn and the gang walked me through it, and with one (okay... two) swift swings, the firkin was tapped!

This month's beer was a fine Mai Bock from Peter Licht and Ron Manabe. While I've complained in the past that the firkins can suffer from too much yeast (most likely from not sitting long enough before being tapped), this Mai Bock had no issues there. The *imperial* sized pints were filled nearly to the brim by the happy bartenders, and the beer went down smooth. At one point I heard the ABV was 7%, so we all tried to be careful with the quantities, but the beer was so yummy that I think there were a lot of hang overs on Saturday (don't worry, most of us walked there!)

I don't have much experience with Mai Bocks, but this one reminded me of all the things I love about a hefeweisen, and none of the things I don't. It was light and crisp, with a slight citrus flavor. It was a bit cloudy, but like I noted before, was not yeasty.

I think our group made a pretty good dent on the firkin :-)

I don't know what the special beer for next Month will be, but I can tell you this: if you go to the Tied House in Mountain View on the first Friday of every month about 5PM, you won't be disappointed.

(in interest of full disclosure, I did get a free pint for my tapping efforts, but if this wasn't a good beer, I wouldn't have bothered discussing the taste :-)

Sweet Charity at West Valley Light Opera

2010-04-05T09:00:00.000-07:00

We were lucky enough to catch the great production of Sweet Charity at West Valley Light Opera down in Saratoga CA this Saturday. While I'm familiar with most of the songs (like, Hey Big Spender!), I'd never managed to see the show before.

One thing that really stood out to me in this show was the ensemble! Each and every one of them were able to dance, sing and act! When they were on stage, they were in the scene - never just standing there.

Katie O'Bryon was amazing as Charity, getting you immediately on her side, no matter how bad her choices were. She was hysterical - especially in the Vittorio Vidal's Apartment scene - the portions where she was in the closet (which, very cooly, we could see into through a scrim) had me laughing myself silly.

My friend, Michael Carey, was charming, sweet and endearing as Charity's first "sensible" love interest, Oscar. His chemistry with O'Bryon, particularly in the Coney Island and Barney's Chile Hacienda scenes, was delightful.

Other standout performances were seen from ensemble members Ian Teter (loved him as door man for Club Pompei & in Rhythm of Life Church) and Valerie Valenzuela (fantastic dancer & super cute Fairy), Marcie Marshall (Ursula), Patty Reinhart (Nickie), and Brittany Blankenship (Helene).

This only runs for one more weekend, so please be sure to check it out!

Monk's Kettle: Shelton Brothers Beer Dinner

2010-04-04T18:22:00.000-07:00

Okay, so I'm behind on writing up the beer dinner's I've attended... This one, which was fabulous, was on December 2, 2009 at the Monk's Kettle. While these dinners usually feature a specific brewer, which makes for an interesting challenge for the chef to pair to a limited set of beers, this one was coordinated with an importer, Shelton Brothers, so we got to "tour" the world at Monk's Kettle that evening.

We started out with a delightful visit to Germany with Weissenohe Monk's Fest, which featured a slightly hoppy caramel flavored Marzen style beer. This paired amazingly well with our starting course: chicken liver braunschweiger with pickled shallots on a crostini. I don't know about you, but I love braunschweiger and feel that it is a type of mystery meat that has been largely neglected by the American masses over the last few years. I was glad to see it back and with such a nice beer.

A short jaunt over to Belgium for De Ranke XX Bitter (Belgian IPA). This was an abbey style "farm ale", which I found was a little too hoppy for me to start with, but once I tried it with the mussels in fresh herbs and tomatoes, WOW! This pairing completely changed the flavor of the beer in the most amazing way. My notes say: "made it very yummy" :) And none of us, excepting the one that doesn't eat shell fish, could not get enough of these mussels and broth! Of course, they were served with amazing Belgian style pommes frites. This was the course I could've eaten over & over again.

Onto the Netherlands - land of tall and very polite people, and amazing beer. We were treated with Christoffel Nobel (Imperial Pilsner), apparently the first Trappist brewery to open in the Netherlands. We felt for certain that this could easily be a terrible hangover beer, due to the fact that it was remarkably delicious and 8.7% ABV. My friend, Julie, and I both tasted Bing cherries and mandarins in this beer, and it was again another amazing pairing! Served with house-cured gravlax with a hovmastarsas sauce, capers, shaved red onion and toasted Metropolis Bigio.

Then, surprisingly, we came back to America for a Michigan brewed beer. I guess Michigan is like another country to those of us that live out in California, but more importantly, it was a good cask ale - specially made just for the Monk's Kettle! This was an odd beer, with an odd name: Jolly Pumpkin Barn Noire, which tasted sweet with hints of cinnamon and orange peel. Chef Kevin Kroger felt that such a strange beer deserved a strange course, and for the first time in my life I had lamb tartare, served with house made crackers. I found the lamb so tender and tasty. I wasn't sure I'd be a fan of raw ground lamb, but Chef Kroger worked magic and made an amazing pairing (and was super nice and provided Mark with some roasted goat cheese, as he just couldn't tolerate the thought of eating raw meat).

Now for our cooked lamb course, a delicious lamb stew, we went to Norway for Nøgne-Ø Porter (American Style Porter). Like many porters, this one tasted heavily of chocolate and espresso and ... pure yumminess. Another friend at the table stated that he loved this beer more than anything, and yes, "I want to marry it". His review of the stew: "Like being wrapped in a snuggie". The lamb stew, with onions, carrots, celery, turnips, Bay leaves and fennel, paired so well with this beer, it really showed how well Chef Kroger can match up entrees when given a wider selection of beers.

At this point, I can't lie, we were getting a little tipsy. While it's not like each of these beers is coming in a pint glass, they do keep coming. Fortunately, the staff at the Monk's Kettle is well prepared for happy beer drinkers and kept all of our water glasses full and kept quickly bringing out the food :-)

Our next stop on our international tour was in Denmark for Mikkeller Christmas Chokladbollar, served with a "traditional dessert" of chocolate balls rolled with oats and covered in coconut. I definitely got apricots on the nose of this one, but on the palate a different beast arose: nutmeg, cinnamon, chocolate - well, to me & Julie, this beer tasted exactly like Toll House chocolate chip cookies. To Phil, it was "Christmas in the mouth". Okay, at 11% ABV, we were more than tipsy, but did all love this beer and the chocolate balls that came along with it!

The dinner ended with a Belgium Redux: Struise Pannepøt (Quadrupel) at 10%. We all loved this beer. Julie thought it tasted like "a great espresso that you have with a dash of nutmeg". Sirena said simply, "This is good".

Chef Kevin Kroger has grown by leaps and bounds. This dinner was amazing, the pairings were intriguing, and the service was phenomenal. I really enjoy hearing directly from the importers and hearing various stories about the beers and the brewers.

Soon I'll be writing up the March dinner :-)

First Big Training Ride and Request for Advice

2010-03-26T15:22:00.000-07:00

Last Sunday, 1/2 of Team Salty Dawgs (plus a bonus rider) headed out on our first big training ride in preparation for my first century: 58 miles! We started in Mountain View (though one rider started in Sunnyvale...), headed up the bay shore trail to the Sun's Menlo Park campus, and made a right turn onto the Dumbarton Bridge. After we got over the bridge, we continued on beautiful bicycle trails through Alameda County until we found ourselves at Niles, where we had a delightful lunch at a little cafe (complete with cafe lattes!) and watched the steam trains go by.

After lunch, we reversed our route, pushing hard against the head winds that had come in since the morning. My dear friend Eileen had only ridden 11 miles previously this year, so I was very proud of how she stuck with the group and had no complaints (other than dreaming about a warm bath and cookies back at her own home).

We jokingly called it the Tour de Toilettes, as it seemed one of us always needed to stop every time we came across one. Fortunately, all of them, except one dreadful port-a-potty, were well maintained and clean. :-)

We did this in 4 hours and 19 minutes of ride time - it was mostly flat, though, so this weekend we'll have to start on the hills!

My only complaint, though, which is one I seem to have after every long ride (greater than 3 hours) is a headache and a stomach ache. My stomach seems to get incredibly filled with air during a ride - like I'm swallowing air or something? It's sort of like drinking a couple of Diet Cokes or beers really fast. That full feeling that, I'm sorry to say, does come with burps and nausea.

I'm certainly not drinking soda during a ride like this. I was also not eating, except for my lunch stop. I drank water pretty continuously from my Camel Bak.

So, any ideas? Anyone else have this problem of stomach ache on a long ride?

One of my team mates, Bryn, thinks the headache might be from lack of electrolytes and has suggested Cytomax. What do you think?

I've also been focusing on my speed - I want to finish these 100 miles in less than 24 hours :) My normal average speed on a ride like that is 12.5 mph, I've got to do better. That was my normal speed into work, but with all the riding I've been doing lately, I've gotten that up to around 15 mph (no hills).

btw, I'm still looking for folks to join our team! The ride is in Sonoma area, 65 or 100 miles, on June 26. You can find information on our team page. If you can't ride, please support us with a financial donation! Thank you!

Enjoyed Sheherezade: Year in Review!

2010-03-26T11:50:00.000-07:00

Mark & I made it up to San Francisco last night for the Playwrights' Center's annual fund raising presentation of 8 short works, Sheherezade; Year in Review! My friend Phil was in the show again, which is a great motivator for getting me up to the city for theater :-)

You know what I love about short works? It gives the authors a chance to explore some really bizarre topic, but not for very long - so before you realize how ridiculous this is. Like, Fara Fawcette and Michael Jackson meeting in a hair salon in heaven. :-)

Each of the pieces deals with some big event from last year. In addition to the deaths of those two beloved celebrities, they covered the Muni problems, H1N1, trouble in Tehran, gay politicians, Bernie Madoff, a 14 year-old's discovery of a new type of supernova, and... a cult of transvestite Radha worshipers.

My favorite had to be Muni Aphrodite, by Bob Hayden. I loved how straight both actors (Phil Goleman and Cory Tallman) played what could've been just a silly story. Of course, they brought humour into it as well. While I don't live in SF, so couldn't fully relate to the Muni problems of 2009, it was obvious that most of the audience was right there with those actors.

They have two more performances - tonight & tomorrow. It's for a good cause and lots of fun, too, so go check them out. I'm also hoping to catch Sweet Charity with West Valley Light Opera this weekend, which I hear is great!

Ada Lovelace Day: Women Who Inspire Me

2010-03-24T22:59:00.000-07:00

There's about an hour left of Ada Lovelace Day - a day we can all write about women in technology that we've found to be inspiring or in some way encouraging...

I've been mulling over this all day, trying to think of a woman mentor from my past that inspired me to continue in computing, before it finally hit me that I'm actually inspired every day by two very cool (and younger than I am!) women I got to know last year at the Grace Hopper Celebration of Women in Computing - Ed & Ashley!

These two fun loving former college roommates have a zest for all things techy and geeky unmatched by almost anyone I've ever met. They both actively reach out to other women (and men) in technology with their twitter accounts (Ed's / Ashley's), their blogs and their 5-minute shows on technology.

I was even part of a webinar today with Ed, sponsored by Microsoft, where we talked to high school and college students about our careers (so far) and was amazed at how Ed's love for computing was totally palpable over the phone!

OpenSolaris Constitution passed, new OGB voted in... and thanks!

2010-03-23T15:01:00.001-07:00

I am so happy to be able to write that the new OpenSolaris constitution has received a strong majority of votes and was ratified by the community! While I was still frustrated that we didn't get closer to 90% turnout, since becoming a member of the electorate is voluntary and comes with only one responsibility: voting, but I was thrilled to hit a new high for OpenSolaris elections of 71% voter turnout!

Thank you, everyone, for taking the time out of your schedule to participate and make this happen. I am happy for the entire 2010/2011 OGB:

Dennis Clarke
Moinak Ghosh
Teresa Giacomini
Simon Phipps
John Plocher
Joerg Schilling
Peter Tribble

I think they'll all do a great job, especially under the terms of the new constitution!

It was with great pleasure I was able to serve on the board for this past year. I learned many things about myself, some good - some bad, and how better to work with others, when we are not necessarily seeking a common goal. I loved meeting community members, working to fix our problems, identifying things for future OGBs and shaping our community. I feel I have grown and matured in ways I could've never imagined and thank all of you for letting me participate so closely in the governance of your community.

While time commitments didn't let me re-run for the OGB, I am excited about the new board and wish them all luck! I'm sure they'll do a great job.

OpenSolaris Election for new OGB and New Constitution is going on now!

2010-03-18T15:05:00.001-07:00

The OpenSolaris community elections are well underway, yet we are still very low (in my opinion) with the number of people that have actually cast ballots! Everyone who has accepted a core contributor grant is expected to cast a ballot, though it is not required that you vote for both the candidates and the constitution in order to have a valid ballot. Out of the 428 eligible voters, only 270 have cast a vote.

The out going OpenSolaris Governing Board (OGB) worked very hard on the new constitution which requires a majority of the eligible voters to approve it in order to pass. While more than a majority have logged in a cast a ballot, we missed passing last years constitution by only a handful of votes, so I'd really like to see our number of voters hitting 300-350. Really, there's not much else a core contributor grant gives you, right now, in the community other than the right to vote in the annual election.

So, if you are a core contributor (or not sure if you are or not), please hop on over to the polling place and cast your ballot in this critical election. (if you're not eligible, the system won't let you vote ;)

Thank you! Valerie

Loved reading the Lion's Game

2010-03-12T13:08:00.000-08:00

The Lion's Game by Nelson DeMille

My rating: 4 of 5 stars

I really enjoyed this book. I love how DeMille can write many different characters as if he really is in their shoes. You can feel the exhaustion of the agents, and he conviction of the jihadist, with every page.

I love when fiction can make you think - I really felt like I could understand *why* Asad Khalil hated America so much. I could feel his grief at the premature death of his loved ones. Don't get me wrong, I could never condone what this character does, but DeMille did give me Asad's perspective.

I understand this was a sequel to another book, Plum Island, but I haven't read that one and had no problem with this book.

View all my reviews >>

Dan Roberts on OpenSolaris ... or Something Useful in our meeting!

2010-03-10T14:38:00.000-08:00

As part of the existing OpenSolaris constitution, we (the OpenSolaris Governing Board) are required to hold an annual "meeting" before the election in order for the election to be valid. While, generally, this involves a fetch a rock exercise of core contributors (aka "members") logging into the forum, announcing themselves, then logging off, we do occasionally have useful and interesting conversations here. (and before you comment how silly that requirement is, please note that we have a new proposed constitution at this year's election that removes the annual meeting requirement).

Peter Tribble invited Dan Roberts to our virtual meeting the day after it started, and he joined and was very forthcoming about Oracle and their thoughts on OpenSolaris and Solaris:

"Oracle is investing more in Solaris than Sun did prior to the acquisition, and will continue to contribute technologies to OpenSolaris, as Oracle already does for many other open source projects."

While not all questions could be answered at that time, I was very pleased to see the community being engaged and concerns listened to.

TADA Presents Godspell!

2010-01-15T15:14:00.000-08:00

We were lucky enough to catch one of the final dress rehearsals for TADA!'s musical, Godspell! TADA!'s group of "Blue Plaid Players" put on an annual production to raise money for the performing arts at Presentation High School in San Jose. This year's cast is full of teachers and alums from the school, along with a few parents and just happy actors. With such a motley collection, you might think the performance would be subpar - but it wasn't!

I had originally thought they had brought in ringers for Jesus and John the Baptist/Judas, but Chris Cozart (Jesus) and Eric Buell (John the Baptist/Judas) are both teachers from Presentation! Who knew the halls of this Catholic girl's school was holding so much talent!

I loved the costumes, by Diana DieBold, which were very eclectic and reminiscent of the Original production of Godspell in 1970. Director Jim Houle took the usual liberties with the script by updating a few scenes. One demonstrates the pitfalls of greed with a recent flash back to the housing debacle, and the prodigal son was retold with ... Star Wars characters! Great lighting from Heather Kenyon, too.

Other standout performers included Kristen Gradwohl, Kris Heiser, Dave Coldren, Scott King... well, and everyone else in the cast! If you get a chance to catch this show, it opens on January 16th and runs through January 24th.

Goodbye, Grandma Dianne

2010-01-08T14:52:00.000-08:00

2009 was a bad year for the women I called Grandma. I lost Grandma-ma (mother's mom) on January 1, 2009. Grandma Dianne, my father's stepmother, passed on December 30, 2009, after a long battle with osteoporosis and COPD, at the age of 87.

Some would say she wasn't my grandmother at all, as we had no blood ties, but to me she was the only grandmother I ever knew on my dad's side. My dad's mother, Ginny (aka Munner to my siblings) died when my mother was pregnant with me, so I never met her (though I heard many wonderful stories about her).

I have many happy childhood memories of staying at Grandma Dianne's house, and walking through the woods with Grandaddy and visiting with my cousins, Leslie and Mike, that lived nearby. Grandma Dianne always had a few pesky, yet photogenic, raccoons living in the woods behind the house - we loved to watch them as children. Grandaddy passed away in 1981, but we still visited Dianne often for years to come.

After I moved away to school, I couldn't visit, but regularly exchanged lengthy letters with Grandma Dianne. She often included pictures of her dogs and shared stories of her youth, and I was always so happy to see a note from her in my dorm mail box.

As the years went by, Dianne stopped replying to my correspondence, but did tell my mother how happy she was to receive them. She was embarrassed of how much her hand writing had deteriorated, so I started calling her instead. It was always nice to talk to her, as she would reminisce about Grandaddy (Danny, to her), her sister and father, her beloved dogs: Missy, Daisy and a charcoal colored one she had as a girl, and about her travels to England as a young woman. She was always excited to hear about the shows I was in or had recently seen and all of the trips I had been taking, always asking for more pictures.

She spoke frequently of how much she loved her 6 grandchildren and 13 great-grandchildren, even though some of the great-grandchildren lived far away and she never got to see them in person.

This year for Christmas, my parents gave me Grandma Dianne's china. I was pretty sure this china was passed down from her English ancestors, but when I called her to thank her for them, she was already too weak to answer the phone.

I will miss my phone calls with her. To me, she was always my grandmother.

How Doctors Think: A review

2009-12-23T17:06:00.000-08:00

How Doctors Think by Jerome Groopman

My rating: 5 of 5 stars

This was a phenomenal book that changed the way I looked at every doctor's visit I've ever had, along with questioning at least one diagnosis from my past.

Groopman told story after story about how once one doctor gives you a diagnosis, most other doctors will shut down their "cognitive reasoning" and never question that diagnosis and will keep trying to treat something you may not have. In some stories, this resulted in the death of a patient. He also talks about how physician lore and influence from drug and device companies perpetuate incorrect diagnoses and treatments.

For a personal example of a bad diagnosis sticking, I was diagnosed with carpel tunnel syndrome by a nurse practitioner who referred me to an orthopedic surgeon, who confirmed the diagnosis and was ready to operate. I then was lucky to meet my friend's cousin, a Harvard Med student, who within moments said "you don't even have the right symptoms for carpel tunnel - you have a pinched nerve in your neck and any surgery to your wrist would just cause you more pain and discomfort". My problem was corrected by a series of chiropractic adjustments - no surgery and now I'm pain free (and have been for years).

One poignant set of examples in the book that really stuck with me was about spinal fusion surgeries - these are very common and are well reimbursed by insurance companies, yet there is little evidence that they cure low back and extremity pain. There is little follow up done by the actual surgeons to see how the procedure impacted quality of life, and when follow up is done and the patient hasn't improved, they are simply told "well, you're one of the people this treatment doesn't help". Basically, if you don't have a spinal tumor or an actual broken back, back surgery probably won't help and will likely make things worse!

Groopman keeps things real by even referencing his own mistakes.

This book isn't a scary book, but rather one that gets you to think more about your own health and teaches you how to communicate with your doctor to help them keep out of the cognitive traps and really question what *else* could be wrong with you.

It is a must read for everyone! Really!

Thank you, Stormy, for recommending this. I wish I had read it years before!

View all my reviews >>

Sun Carolers do it again!

2009-12-22T15:47:00.000-08:00

The Sun Carolers did it again this year, touring the campus and delighting our fellow employees! This year was different, though - it was caught on video!

I can't embed this first one, but please check it out: The 12 Bugs of Christmas!

These other two were recorded by Deirdre Straughan and feature "I'll Be Home For Christmas", "Merry Christmas, Happy New Year" (ala Hallelujah chorus), "Carol of the Bells", "Jingle Bells", "Hanukah, Oh, Hanukah" (partial), and "Let it Snow". Enjoy!

'Tis the Season for Giving

2009-12-22T15:22:00.000-08:00

This is the time of year that we all get pinged by charities hoping to talk us all into a last minute charitable (and in the US, tax-deductible) donation. Separating the wheat from the chaff is a challenge, but with sites like Charity Navigator, it's easier than ever before.

Then along came Jen Yates, of Cake Wrecks fame, and she's doing the coolest thing: using her massive quantity of blog followers to do GOOD! For 14 days this month, Jen and her husband are selecting a charity to give at least $200 to and asking her minions^H... followers to each give just a dollar to these same charities that she has prescreened for us. It is so inspiring to see how many wells for clean water will be available now, how many children will have meals, how many homes can be built, etc. just due to this super simple plan. Jen's appeals appear at the end of each of her daily wreckports, and are neither preachy nor too pleading.

I've found myself giving a few dollars each day to each of these charities - and am so impressed at how quickly a lot of people just giving a bit can add up so fast! Jen's even made a "round-up" page if you want to catch up on the giving!

In addition to those charities, I've lent my support this season to Second Harvest Food Bank, The Family Giving Tree, Heifer International, West Valley Light Opera, Purdue University (Women in Science & Computer Science funds), and the Silicon Valley Bicycle Coalition.

It seems in this day and age, everyone needs a little bit more help to stay afloat. If you can, help out the Cake Wrecks charity drive - even a dollar or two adds up when enough people participate. Where are you giving this season?

Number of women on staff == "Best Place To Work" ?

2009-12-16T16:51:00.000-08:00

I've read countless "Best Place to Work" lists over the years, and usually happy to find Sun on those lists (and knowing when it was missing that the people compiling the list obviously asked the wrong questions if they missed a wonderful company like this one).

The latest list I saw today, posted on Brazen Careerist's site, took a different approach - while specifically looking for companies that would be attractive to Gen Y (aka Millennials) - the looked at companies that offered a lot of flexibility. Realizing that nearly every company now-a-days self reports as being very flexible, the authors decided to use the metric of number of women employed being close to at least 50%.The rationalization was that women wouldn't tolerate a company that didn't offer true flexibility.

My first response was, "Cool! Who doesn't want to work with more women?!", and then I remembered that my teams have always been the exception (often with near 50% women, and never an all white team) - not sure why that is, are women just more attracted to security? But I digress...I know my personal experience is not the norm.

Sun wasn't on that list. In fact, only two tech companies (Google & Yahoo) were, and I realized, that's probably because the saturation of women in technology is nowhere near 50%, so even tech companies that are very flexible and have "lots" (as a relative term) of women would not have qualified for this list. What do you think? Should we be using a different metric for gender equality for tech companies? or just hope that the trend reverses and women start joining the tech force in droves?

Sun is a fantastic place to work and very flexible, btw, as recognized by many other lists - and by me :)

Team Salty Dawgs Rides Again! Can you do it?

2009-12-15T11:31:00.000-08:00

It may seem a bit early... but if you don't have plans for June 26, 2010, how about coming up to wine country with us and riding 30, 66, or 100 miles to raise money for the American Lung Association!? We'll make lung disease walk the plank! Argh, mateys! :)

Why am I bringing this up now? You can save $20 on the registration fee by registering before December 31, 2009. So, it's only $30 right now! The ride is wonderful and the support is great. Minimum fund raising is $150 - but you have more than 6 months to do it in, so it'll be easy!

This is my first year attempting 100 miles - I may end up only doing 66, but I'm going to train for the 100 and hopefully pull it off! I'm a slow rider, though...but anyone that wants to join the team can know that you can ride faster with Mark :)

So, what do you say? Ready to ride?! Sign up on the team page!