Matthew Sachs

Matthew Sachs

Trying an experiment here.  Give me a song parody prompt -- a song, plus a line or a title or a theme for a parody version of it -- and I'll write lyrics for the parody.
11 comments
(+Dan Pierson: Posted to corp+ due to excessive quantities of inside baseball.)

Matthew Sachs

Beautiful! "I am a total sucker for banknote mockups and aside from the simplicity, what caught my eye about Bernát's project is the one security feature: if you look at the notes under a UV light, you see the skeletons of the animals depicted on the notes:"
For her master's project, Barbara Bernát designed a set of fictional banknotes: the Hungarian Euro.

Matthew Sachs

Thoughts on how to replace Social Security Numbers, inspired by the Anthem breach.

SSN serves two incompatible purposes: it (in conjunction with other easy-to-find information like name) is a bearer token for identification and authentication.  It's adequate for identification, and there would be huge migration costs to replacing it for that, so let's not try.  Requirements for a replacement authentication mechanism:

* Can be used by many loosely-connected parties -- federal and state tax-collecting authorities and financial institutions at a minimum, for a value of "financial institutions" that includes anyone who can extend a person credit, which includes provision of services, so cell-phone companies and doctors' offices and video-rental stores.  Sigh.  But if these entities can report "you" to collection agencies for failure to pay, then let's make sure that it's really you.

* Can be used offline.  Challenge-response protocols are hard when you're filling in and mailing a paper form.

* Can be used by everyone.  Including homeless people with no source of connectivity or power or ability to secure possessions.

That's a really tough set of requirements.  I think the best we can do is to add a second number, call it the Private Number or PIN or something so it's really obvious that it's sensitive.  The system designed around this number would have the following properties:

* Can be revoked and replaced on-demand.  Since it's not an identification number, that doesn't come with the same headaches that replacing SSN does.

* Would be asked for much less frequently.  It should be a federal crime to ask for this number except for purposes of filing a tax return, opening a line of credit, applying for federal benefits, or [other small set of whitelisted purposes.]

* Would be handled much more securely.  Similar to the credit-card CVV number, there would be regulations around the secure processing of this number.  Most importantly, it would need to be used to verify identity as soon as practical, and it would be illegal to retain any copies of the number after that verification had been completed.

That already gets us somewhere much better than SSN.  The credentials needed to steal identity are much less valuable, and big breaches are no longer financially viable since victims can trivially rotate PINs.


If we wanted to go the extra mile, we could also implement some kind of opt-in system, say something like:

* User opts in and receives a U2F token.  Probably has to be done in person at a government office so that extra-strict identity verification can be done, and token doesn't have to be sent in the mail.

* Now, in addition to PIN, user has to supply U2F to authenticate.  PIN can also be used (in conjunction with other identity verification mechanisms such as checking photo IDs, in person at a government office) to replace a lost U2F token. Or, even more optionally, user can enroll biometric info in step 1 and that would additionally be used to replace a lost U2F token.

* For paper forms or legacy systems that aren't U2F-enabled, user can generate a one-time PIN, ideally one bound to a particular entity and purpose (e.g. bound to IRS for filing of 2015 taxes; bound to T-Mobile for applying for telephone service.)

But, honestly, that'd be enough of a boondoggle to spec out and implement and deploy that I'm not sure it's worth doing at all, and if it is then it should be decoupled from the SSN->SSN+PIN transition.
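The "one-time PIN bound to a particular entity and purpose" idea from the post, worked through as an added example (this is not the author's code, and the post proposes no implementation): an issuer-side table of single-use codes, each tied to the relying party and purpose it was issued for, with the "revoke and replace on demand" property modeled as invalidating every outstanding code. All function and field names are invented here, and the counter standing in for a CSPRNG is an assumption made so the example runs deterministically.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post.  The user's real PIN never leaves
 * the issuer; relying parties (IRS, a phone company) only ever see single-use
 * codes, so a code copied off a mailed form is useless for any other entity
 * or purpose.  Names are invented; the counter in place of a CSPRNG is an
 * assumption for determinism. */

#define MAX_CODES 16
#define NAME_LEN  32

enum redeem_status {
    REDEEM_OK,
    REDEEM_UNKNOWN_CODE,
    REDEEM_REVOKED,
    REDEEM_WRONG_ENTITY,
    REDEEM_WRONG_PURPOSE,
    REDEEM_ALREADY_USED
};

struct bound_code {
    unsigned long code;        /* value written on the paper form */
    char entity[NAME_LEN];     /* relying party the code is good for */
    char purpose[NAME_LEN];    /* what that party may use it for */
    bool used;
    bool revoked;
};

struct issuer {
    struct bound_code codes[MAX_CODES];
    int count;
    unsigned long next_code;   /* stand-in for CSPRNG output (assumption) */
};

void issuer_init(struct issuer *is)
{
    memset(is, 0, sizeof *is);
    is->next_code = 700001UL;
}

/* Called after the user has authenticated to the issuer with the real PIN
 * (out of scope here).  Returns the new code, or 0 if the table is full. */
unsigned long issue_bound_code(struct issuer *is, const char *entity,
                               const char *purpose)
{
    if (is->count >= MAX_CODES)
        return 0;
    struct bound_code *bc = &is->codes[is->count++];
    bc->code = is->next_code++;
    snprintf(bc->entity, NAME_LEN, "%s", entity);
    snprintf(bc->purpose, NAME_LEN, "%s", purpose);
    bc->used = false;
    bc->revoked = false;
    return bc->code;
}

/* The relying party submits the code together with its own identity and the
 * purpose of the request.  Any mismatch is a reject; success burns the code. */
enum redeem_status redeem_bound_code(struct issuer *is, unsigned long code,
                                     const char *entity, const char *purpose)
{
    for (int i = 0; i < is->count; i++) {
        struct bound_code *bc = &is->codes[i];
        if (bc->code != code)
            continue;
        if (bc->revoked)
            return REDEEM_REVOKED;
        if (strcmp(bc->entity, entity) != 0)
            return REDEEM_WRONG_ENTITY;
        if (strcmp(bc->purpose, purpose) != 0)
            return REDEEM_WRONG_PURPOSE;
        if (bc->used)
            return REDEEM_ALREADY_USED;
        bc->used = true;
        return REDEEM_OK;
    }
    return REDEEM_UNKNOWN_CODE;
}

/* Rotating the PIN invalidates every code issued under it, which is what
 * makes a stolen batch of codes worthless. */
void revoke_all_codes(struct issuer *is)
{
    for (int i = 0; i < is->count; i++)
        is->codes[i].revoked = true;
}

/* Walks the post's scenario; returns how many of the seven expected outcomes
 * occurred (7 = everything behaved as designed). */
int run_scenario(void)
{
    struct issuer is;
    int ok = 0;
    issuer_init(&is);
    unsigned long tax = issue_bound_code(&is, "IRS", "file-2015-return");
    ok += redeem_bound_code(&is, tax, "T-Mobile", "phone-service") == REDEEM_WRONG_ENTITY;
    ok += redeem_bound_code(&is, tax, "IRS", "open-credit-line") == REDEEM_WRONG_PURPOSE;
    ok += redeem_bound_code(&is, tax, "IRS", "file-2015-return") == REDEEM_OK;
    ok += redeem_bound_code(&is, tax, "IRS", "file-2015-return") == REDEEM_ALREADY_USED;
    ok += redeem_bound_code(&is, 424242UL, "IRS", "file-2015-return") == REDEEM_UNKNOWN_CODE;
    unsigned long phone = issue_bound_code(&is, "T-Mobile", "phone-service");
    revoke_all_codes(&is);   /* user reports the PIN lost and rotates it */
    ok += redeem_bound_code(&is, phone, "T-Mobile", "phone-service") == REDEEM_REVOKED;
    ok += redeem_bound_code(&is, tax, "IRS", "file-2015-return") == REDEEM_REVOKED;
    return ok;
}

int main(void)
{
    printf("scenario checks passed: %d of 7\n", run_scenario());
    return 0;
}
```

The ordering of the checks in redeem_bound_code is deliberate: a code is matched only by its value, then rejected for the first property that does not hold, so a relying party never learns anything about a code issued to someone else beyond "not yours". The issuer keeps no copy of the real PIN in this table, which is the "verify and don't retain" rule the post asks for, applied to the codes themselves.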

Matthew Sachs

Two observations here:

- I've been interviewing a lot of candidates for Google's engineering practicum internship, a program intended to help high-potential 1st- and 2nd-year college students, especially those from "historically underrepresented groups in the field", gain skills, experience, and exposure to Google as an employer.  I usually ask candidates how they became interested in computing, and by far the most common answer is that they took AP CS in high school and loved it.

- "[The school] will use computer science as a form of literacy, threading it through other subjects [...]. For instance, rather than using paper and a calculator to solve a kinematics problem in physics or using a shortcut like Wolfram Alpha, students might code their own script to process the problem and produce an answer. [...] (One downside of such an approach is that it can put an undue burden on the teachers who have to implement it, many of whom lack a background in computer science.)" -- This suggests that schools should have CS faculty, but instead of / in addition to teaching their own courses, they should assist other faculty with lesson plans and provide in-class aide in e.g. the physics class on the day they're doing coding.  Perhaps this is something industry professionals can help with, I'd love to spend O(hours) per week at a school helping with this kind of thing.
 
The number of schools offering AP Computer Science has dropped 35% in recent years.

Matthew Sachs

If you were looking to come up with a set of constraints around "humane, livable employment" -- a minimum set of standards that an employer should meet in order for its relationship with its employees to be considered ethical -- what would you include?

Or if you're looking for a more concrete question: Say you were looking to define a personal policy constraining the kinds of restaurants you were willing to patronize, the kinds of cleaning services you were willing to hire, and so on, based on how they treated their employees.  Without regard to limitations on your ability to find businesses that met these policies, your ability to assess a business's compliance, or the financial cost to yourself, what things would you include in such a policy?

Things on my list so far:
- 10 days/yr paid sick time (based on working a full year of 40-hr weeks, scaling proportionally for part-time employment), modeled off Seattle's law which includes things like care of family members.
- A minimum hourly wage significantly higher than the federal minimum, exact amount TBD.
- No discrimination on basis of: age, citizenship, disability status, familial status, gender identity, genetic information, national origin, pregnancy, race, religion, skin color, sexual orientation, or veteran status.  (Yes, I know that all of those except age for <40, gender identity, and sexual orientation are already federal law.)
- Eligible for subsidized health insurance, regardless of number of hours worked.  (Exact details about what constitutes "subsidized" and "health insurance" TBD.)
Matt BenDaniel
* Unions should be sidelined, because they can't address these?
* What about contractors? Interns? Apprentices? University teaching assistants?
* You think people should not tip waiters much?
* Non-profits should be held to the same accountability?
* Should people be allowed to volunteer?

Matthew Sachs

Woah, How I Met Your Mother is a remake of Tristram Shandy! Mind = blown. I may have to read this now. Sayeth Wikipedia: "As its title suggests, the book is ostensibly Tristram's narration of his life story. But it is one of the central jokes of the novel that he cannot explain anything simply, that he must make explanatory diversions to add context and colour to his tale, to the extent that Tristram's own birth is not even reached until Volume III."
Eric Barry
This describes me perfectly.

Matthew Sachs

Dear parents: Your lives could be worse. "The big guy in this picture is the cuckoo - a young cuckoo.  The little one is the momma bird, who is feeding the baby, even though the baby is now like five times as big as she is."
Common Cuckoo (Cuculus canorus) by Kee Liu

Matthew Sachs

I'm totally uninterested in actually talking to any recruiters at the moment, but next time one pings me I'll be awfully tempted to give this reply...
“This is my new standard reply to recruiter emails (lol "culture fit")”

Matthew Sachs

I'm interested in why -- taking as a given, for the sake of argument, that (to a problematic though far from universal extent) -- police are racist/corrupt. Is it a prison experiment-esque "power corrupts"? Is it a vicious cycle, where police spend most of their time dealing with minority populations who are hostile to them because of those communities' prior experiences with police? Is it caused by who is out there joining the force?

Better oversight et al are great and all, but I think the impact is going to be limited until we address the underlying systemic causes.


Matthew Sachs

It's come to my attention that I haven't yet made a public statement specifically about #GamerGate. But as it's come up in a few threads, at this point, I think it's about time that I made my position on this matter absolutely clear.

"GamerGate" is a lie from beginning to end. It has exactly three parts to it: it has its core, which is and has been from the very first day about allowing and preserving a "gamer culture" which is actively hostile to women (among others), and preserving it by means of threats, harassment, and violence towards anyone who ever suggests that it should be otherwise.

It has its bullshit layer, which is that it is about ethics in journalism. If it were about ethics in journalism, then you would see people talking about actual ethical questions in journalism, and you would have seen it from the beginning. But from its first days, its only ties to this notion were the use of bizarre (and provably false) accusations from Zoe Quinn's ex-boyfriend to accuse game journalists of being in a cabal to destroy the "gamer culture" of its core layer, and one listserv thread (as covered on http://goo.gl/3B0wcc) where professional journalists did, indeed, have a serious discussion about journalistic ethics: about whether the newsworthiness of this blog post outweighed the potential harm to its subjects. But rather than portray this as journalists doing what ethical journalists do, Milo Yiannopoulos instead portrayed this as a conspiracy by journalists to support the Secret Feminist Cabal. That is, his article itself was bollocks from beginning to end, as has been the entire argument.

And it has its fellow-travelers, people who either actually believe the bullshit layer or do so vocally and disingenuously in order to confuse others and add a shroud of legitimacy.

How do I know that this is true, and that there is not a legitimate discourse mixed in with the violence and so on? That I am not unfairly tarring all of GamerGate's proponents with the same brush?

It's really simple. I have not once seen a proponent of GamerGate actually distance themselves from the hatred and violence, or excoriate it, or say that it is fundamentally wrong and that they do not agree with either its means or its ends.

What I have seen is lots of people coming up with ways in which they, too, are being harassed, and so claiming a false equivalency. I got to watch an excellent example of this on one of my own threads earlier today; there, one of its proponents argued that the movement being called a bunch of scum (as it had been by someone else) is a form of harassment, and perfect evidence of how “there are trolls on both sides.” Yet he elides the difference between that and people being chased out of their homes, people waking up every day to death threats, to real and meaningful impact on people's lives. This is not a serious argument: it is an attempt to lie and to confuse the issue.

The other argument I have kept hearing is “I never distance myself from acts I have never associated myself with.” That is, people claim that they are under no obligation to distance themselves from the acts of the rest of GamerGate, even while they hoist its banner. Sorry: when a movement is known, first and foremost, for its violence, then to associate yourself with it does associate you with its acts. You cannot say “I support al-Qaeda. They’re really about the US military presence in Saudi Arabia,” or “Hey, the KKK has done a lot of great community service work,” and not thereby associate yourself with everything those organizations are really known for. Sorry; you lie down with pigs, you’ll get covered in mud. You keep doing that, and people will have every reason to assume that you like it.

The fact is that there is no meaningful way to "recapture" the GamerGate tag for anything honest, both because it was never tied to that in the first place, and because it has become far too polluted to do so. If someone actually feels like having a conversation about ethics in journalism, they should by all means do so -- depending on what they say, I may even support them in this. But they should not do so in the company of villains, because that simply obscures any real discussion they might want to have with filth.

This is not behavior worthy of human beings. It is vile, it is violent, and if there is anything legitimate at all inside GamerGate, it needs to get its ass out of there right now and clearly separate itself from the bloodthirsty mob. Because right now, anyone who walks around with that label is painting themselves as being open supporters of it, and anyone who supports that is someone that I wouldn't piss on if they were on fire.

Matthew Sachs

Parenting ProTip: Have a song you want to share with your kid, but it's, shall we say, from a less civilized era? Fix it with robots! Consider On Top of Old Smokey:

But a false-hearted lover
Is worse than a thief
A thief he will rob you
And take what you save
But a false-hearted lover
Will lead you to your grave
And the grave will decay you
And turn you to dust
There's not one girl in fifty
That a poor boy can trust

Christ, what an asshole! He probably posts to PUA forums whining about how nobody wants to date a nice guy like him. Which is too bad, because it's a classic song and I'd like to sing it, but it's simply not appropriate. Ah, but I can fix this with robots! Bam!

But a false-hearted robot
Is worse than a thief
A thief he will rob you
And take what you save
But a false-hearted robot
Will lead you to your grave
And the grave will decay you
And turn you to dust
There's not one bot in fifty
That a coder can trust

That person's no asshole, he or she is a character in some schlocky sci-fi movie!

I haven't tried it with other songs yet, but I'm pretty sure this is a universal solution. Because robots.
4 comments
I think I need to consider this a bit...

Matthew Sachs

Highly reminiscent of the "goto fail" vulnerability.  Amusingly, the patch <https://bugzilla.redhat.com/attachment.cgi?id=867911&action=diff> changes a bunch of "goto cleanup" to "goto fail".

Also, xref http://daringfireball.net/2014/02/apple_prism: "Once is happenstance.  Twice is coincidence.  Three times, it's enemy action."  —Ian Fleming, Goldfinger
This GnuTLS bug is worse than the big Apple "goto fail" bug patched last week.
Alex Feinman
Also, I quote once again Ballard's Law, to wit, "Never attribute to conspiracy that which can be adequately explained by incompetence and blind luck."
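The "goto cleanup" versus "goto fail" distinction the post points at, as an added example (this is a stripped-down re-creation of the bug class, not GnuTLS's code and not the author's): helpers return 0 on success and a negative error code on failure, a buggy check returns that error code through its cleanup label to a caller that reads the result as a boolean, and the fixed shape routes errors through a separate fail label that pins the answer to "not a CA" first. The function names and the `fails` flag used to simulate a malformed input are assumptions for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not GnuTLS's code and not from the post: a re-creation of
 * the control-flow pattern the linked patch fixes.  Helpers use the usual C
 * convention of 0 on success and a negative error code on failure; names
 * and the simulation flag are assumptions made for this example. */

/* Stand-in for "fetch the signed data from the issuer certificate".  The
 * `fails` flag lets a caller simulate a malformed input. */
static int get_signed_data(bool fails)
{
    return fails ? -1 : 0;
}

/* Buggy shape: on a helper error, jump straight to cleanup with `result`
 * still holding the negative error code, and return that.  The function's
 * contract is boolean (0 = not a CA, nonzero = is a CA), so -1 reads as
 * "yes, this is a CA". */
static int check_if_ca_buggy(bool issuer_is_ca, bool helper_fails)
{
    int result;

    result = get_signed_data(helper_fails);
    if (result < 0)
        goto cleanup;              /* BUG: leaks the error code as the answer */

    result = issuer_is_ca ? 1 : 0; /* the real check would inspect extensions */

cleanup:
    /* ... free buffers ... */
    return result;
}

/* Fixed shape, mirroring the patch: helper errors go to a separate `fail`
 * label that pins the boolean answer to 0 before falling into cleanup. */
static int check_if_ca_fixed(bool issuer_is_ca, bool helper_fails)
{
    int result;

    result = get_signed_data(helper_fails);
    if (result < 0)
        goto fail;

    result = issuer_is_ca ? 1 : 0;
    goto cleanup;

fail:
    result = 0;                    /* "not a CA", whatever the error was */
cleanup:
    /* ... free buffers ... */
    return result;
}

/* The chain verifier treats the answer as a boolean, exactly as a caller of
 * such a check naturally would. */
static bool verify_issuer(int (*check_if_ca)(bool, bool),
                          bool issuer_is_ca, bool helper_fails)
{
    if (check_if_ca(issuer_is_ca, helper_fails) == 0)
        return false;              /* issuer is not a CA: reject the chain */
    return true;
}

int main(void)
{
    /* A non-CA issuer certificate whose signed data cannot be parsed. */
    printf("buggy: chain accepted = %d\n",
           verify_issuer(check_if_ca_buggy, false, true));
    printf("fixed: chain accepted = %d\n",
           verify_issuer(check_if_ca_fixed, false, true));
    return 0;
}
```

The practical check when reviewing code of this shape: any function whose callers compare the result against 0 as a yes/no answer must never be able to return a negative error code, and every early exit through a shared cleanup label is a place where one can leak out. The fix is not to rename labels but to make the error path set the boolean explicitly, which is what the `fail:` label does here.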
Tagline: More fun than a gallon of strawberries.