Andy Bastable
120 followers|5,526 views

Andy Bastable

Want to read some words I contributed about the MAGIC of the #KSRivals scanning technology? Of course you do.

Andy Bastable

See the magic behind the Kinect Sports Rivals "Champion" scan. I totally helped make this happen. TOTALLY.

Andy Bastable

"Goal Celebrations FX" by +Xavier Barrade

Andy Bastable

Not sure I'm brave enough to actually have it as my ringtone though!

+Monti Tredway's new ring tone. lol

Andy Bastable

#faith

Apologies for the change in direction here. I generally stay out of faith debates these days. As a younger, more zealous person of faith, I used to seek them out with friends -- but they drained me and my friendships so much that I rarely "go there" now. But I'm not one to turn down a chance to explain why I think what I do, and also to explain why I think Dawkins and his legion of worshippers (pun intended) get it wrong. For those who want me to talk about computer games, feel free to skip this one if it's not your bag.

On a mini-comments thread the other day (with +Ian Norris and +Alex Darby) I suggested that faith was a rational response to honestly appraising the tools we have available to discern a "correct" worldview -- but I was challenged to explain why, so this is an attempt to do so. Note that I'm not trying to suggest that faith is a response to the "human condition", e.g. some pre-programmed response to uncertainty, or some shrinking back from the harshness of the world to a more hopeful place -- but rather a rational, well thought out decision based on a balanced appraisal of the world.

Second disclaimer. You'll be able to argue this position, like /really/ easily. It's based on the old postmodern/modernity dichotomy and there are lots of people who will argue passionately for/against objective truth. That's fine. The whole thing I'm getting at is that it's important to find your own way and lean on your own chosen world view with faith.

I promise I'm not going to turn this into a rant about Dawkins, but I am going to start there. The thing about Professor D and his faithful Rationalistas that I find most baffling is the lack of critical thought in appraising the assumptions that underpin not only scientific reductionism, but fundamental rationalism in its fullness. The Scientific Method is a wonderful tool, necessary for the continuous improvement of scientific knowledge - but it is woefully underskilled for making comments on objective truth sitting outside of its remit. For one thing, it's fully-wedded to scientific knowledge /at the current point of time only/. A hundred and fifty years ago the very smartest minds in the world were adamant that the atom was the tiniest thing that could exist -- they could not comprehend that in the next century it would see not only neutrons, electrons and the like but also charm quarks and up quarks and tiny particles that appear in two places simultaneously, and hint at a multiverse outside our own. Are we so arrogant to think that we've got the rational world so sewn up at this point as to rule out any reality that might exist outside our faculties?

Secondly - why this incessant need to be right? If you die believing something wrong - who cares? Seriously. If your life has been given hope - if it's made you and those around you better/happier/more hopeful/less bitter but it all turns out to be bunkum - was it worth it? I vote yes. Given that I can never actually know whether what I believe is true, why not pick something that just makes life a bit better?

Now I know y'all are going to start listing atrocities committed in the name of religion. I'm not about to defend them - but the answer to bad religion isn't necessarily no religion -- perhaps it's good religion. My religion makes me more hopeful, and tells me to be nice to people when my body is aching and I've been wronged over and over again. Through weekly meetings it reminds me to keep trying, keep striving to make the world a better place - to give people something to live for. It keeps the idea of "Justice" and "Fairness" etched in my brain, and ensures that it is the lens I view the world through. It stops me from sitting comfortably when I'm acting like a jerk - and nags me repeatedly that there is always a better way to live.

Maybe a faithless life can give you all those things - but frankly I'm fed up with hearing about what people don't believe and would rather hear what people do believe. What gives you ultimate hope? Is it in human endeavour and scientific progress? Awesome - me too. What else? Share your vision with me; enchant me with its beauty and vision; its depth and grandness. Just know that I looked at the world and all the worldviews that were available to me, and chose one that made sense. In the person of Jesus I found hope, and I choose daily to take that as my path - eyes open, brain engaged. I just don't need a rabid High Priest of Rationalism to tell me what is an acceptable faith to follow. He has chosen his (uncritically), I have chosen mine.
41 comments
 
<troll>I think Jesus' mother Mary might qualify as having had direct experience of God.</troll>

Andy Bastable

Good write-up!
 
The following descriptions are my own impressions and conclusions as a non-security guy on the Chrome team, not some kind of official position of the team, Google, etc. This is always true on this feed but I thought it worth repeating here.

This week was an interesting one for Google Chrome. It's been somewhat covered in the press, but no one seems to have written in detail about the end-to-end picture, so I'll give it a shot.

The annual ZDI/TippingPoint "Pwn2Own" contest was this week. For those of you who haven't heard of this, it's an annual contest where if you can compromise a laptop using a browser vulnerability, you win the laptop (or more than that in some cases). ("Pwn" is a corruption of "own", meaning in this case "to take over", basically. Kids these days, etc.)

Normally, teams prepare exploits in advance and then arrive at the contest, sit down, and use them -- leading to true but misleading headlines like "XXX Browser hacked in 5 minutes at Pwn2Own!" ...Well, probably days to months of preparation, really.

In any case, in the three previous years Chrome has been public (and thus been included) no one had touched us. By contrast, the only other browser to make it through one of those contests unexploited was Firefox -- and it did it once.

This was understandably annoying the folks who run the contest, who get better publicity when everyone gets hacked. So each year they've been tweaking the rules in hopes of assuring this. If I understand correctly, this year they decided to rule that Flash exploits were in-bounds for Chrome on day one, but not for the other browsers, on the basis that Chrome ships Flash and the others don't. This is arguably fair; the reality is that one reason we ship Flash is that almost all desktop users have Flash anyway, so not shipping it would not reduce the spread of Flash, it would just leave it to be updated by the standalone updater, which has not always been as fast as the Chrome one. So if you want to attack the common desktop configuration, Flash should be in-bounds for everyone.

This matters because historically Flash has been much easier to exploit for a variety of reasons. We actually have a kind-of-crappy sandbox for Flash, but it's nowhere near the strength of the main Chrome sandbox and we've never been under any illusions that it's unbreakable. (Well, nothing is unbreakable. But our main sandbox has only had a few holes we've seen over the years and we've never known of any in-the-wild exploits of it. By contrast our Flash sandbox is more of a speedbump.)

The solution to this is in the works, by the way -- reworking Flash to run on top of PPAPI, which is a next-generation plugin API that we're developing out in the open (but somewhat curiously, other vendors are not paying as much attention to; having an idea of just what kind of problems NPAPI causes, I can only conclude this is because most of them are not yet to the same place we are w.r.t. multi-process architectures and sandboxing; IE is the furthest but it looks like Microsoft is going to make a play to stamp out plugins entirely on Win 8). The advantage of PPAPI is that it's been designed to support sandboxing (among other things) to a much greater degree and will let us secure Flash to a much greater extent.

Unfortunately, PPAPI Flash is not done yet -- hopefully in not too many more major versions of Chrome -- so we're stuck with NPAPI Flash and its weak sandbox. Combined with the new Pwn2Own rules this meant trouble. In fact, before the contest even started, we believed we had a very good chance of being exploited at Pwn2Own, most likely by VUPEN, a security firm that had a Flash exploit for Chrome get some press last year and we believed was gunning to do the same thing again this year, in a higher-profile place.

Another problem, from our perspective: if Flash was in-bounds for Chrome, then chances were lower anyone would try for an exploit that broke out of the much-harder-to-target main sandbox; after all, why bother? To make Chrome safer, however, we wanted people to have an incentive to try to break our main sandbox, because if it was possible, then we wanted to know and fix it, rather than leaving users vulnerable.

This brings up one other problem with Pwn2Own, and that is that in some ways it doesn't seem to be a true "white hat" event. ("White hat" is security speak for people who hack on the side of the "good guys", helping to make products more secure by finding problems and then sharing them with the vendors; "black hat" by contrast refers to an unscrupulous or malicious researcher.) Most distressingly, the Pwn2Own rules have explicitly never required teams to turn over sandbox escapes. I don't really understand what motivation there could be for this, as the only possible effect here is for vendors to not fix their sandbox problems and thus not make their users safer. This doesn't seem like a good thing to me.

For all of the above reasons, we decided to pull out as Pwn2Own sponsors (note that this doesn't stop Chrome from being in the contest), and run our own contest, called Pwnium, at the same time and the same venue. Announced rather close to the contest start date (in http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits.html ), there were to be three payout levels:

* $60,000 for an exploit that used only bugs in Chrome. This would represent either sandbox escape or avoidance, either one of which would be a critical hole.
* $40,000 for an exploit that used bugs in Chrome combined with other bugs, e.g. OS bugs. For example, a Chrome bug plus a Windows kernel exploit.
* $20,000 "consolation prize" for an exploit that used only bugs in plugins and the OS. These bugs would affect users of all browsers.

We honestly wondered if we'd get any attempts at the $60k level. (That doesn't mean "believed we wouldn't", that means "wondered".)

When the two contests started, VUPEN was quick on the draw at Pwn2Own to take us down. For various reasons (including a clever hack by one of our security guys that signalled particular types of plugin-sandbox problems via a special identifier), we think they used another Flash exploit. AFAIK we haven't actually gotten the bug back from ZDI/TippingPoint (how long does it take, guys? Come on) so we don't know for certain -- and VUPEN isn't interested in providing the Flash sandbox escape, presumably because they can make more money selling it to people who want to try and exploit Chrome in the wild. (That's their business model: find holes and then sell them to people other than the vendor. Again, not very white-hat if you ask me, but they're not asking me. I also got asked previously if VUPEN would sell the exploits to us if we paid; I'm not sure, but I think the answer is "no".)

This of course led to the aforementioned breathless headlines -- "Chrome owned in five minutes! Vaunted Chrome sandbox goes down!" -- although technically this wasn't the vaunted sandbox, but the not-vaunted one :). (It is worth explicitly noting here that this kind of bug is indeed a serious hole that would leave real Chrome users vulnerable. While I'm being picky about which sandbox was actually broken and how technically challenging that is, I don't want to minimize the serious user impact of bugs like this. Which is of course why we want the real bug from the Pwn2Own contest operators so we can actually fix it.)

That brings us to Pwnium, which turned out to succeed beyond our wildest dreams.

On day one, we got an exploit from Sergey Glazunov, a guy who's earned a lot of money from us already by reporting security bugs over the years (I failed to mention that in addition to Pwnium, Chrome has long had a policy of paying for security bugs, under which we've shelled out several hundred thousand dollars). Sergey chained two distinct bugs together and managed to avoid the Chrome sandbox (I have been told that "avoid" was more accurate than "escape") to qualify for a $60,000 reward. This was a really interesting exploit that we will hopefully be able to publicly explain at some point in the future when there isn't a risk of exposing existing users to it.

At this point our crack security team sprang into action. Within 24 hours they had developed, tested, and deployed fixes for Sergey's bugs (see http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-update.html ). Deservedly, our press coverage shifted from "Chrome owned in five minutes" to "Chrome patched with incredible speed". I'm really proud of our team here; getting a fix like this out to hundreds of millions of users in less than a day really speaks to the quality not only of our security folks but also our release team and our world-class auto-update system.

The next couple of days were fairly uneventful for us, although I'm told that VUPEN was sitting on exploits for all browsers and ready to use as many as they needed to take first place at Pwn2Own (which they did; congrats guys); I'm not sure how many actually got used in the end, but I think (?) all the browsers did eventually go down to one team or another.

Just as we were about to close Pwnium, we got one more submission, this time from someone going by the handle PinkiePie (a My Little Pony reference; the ardent My Little Pony fan who sits ten feet from me was ecstatic when I told him about this. No, I'm not kidding). This time the exploit chained three separate bugs together, the last a sandbox escape, for another $60,000 reward. Once again, this was a really cool bug and we hope to give a complete public explanation at a future date.

Getting two totally distinct $60k bugs like this was more than we'd dreamed. I happened to run into our security team lead that night, and while describing the esoteric and creative nature of the bugs he admiringly joked "we must have gotten the world's two most autistic people to submit bugs to us", since the bugs were apparently quite a handful for our (extremely talented) security guys to even understand.

Once again, the engineering team delivered. Despite the bug coming in on a Friday afternoon, by today, we announced ( http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.html ) that we were pushing another less-than-24-hour-turnaround vulnerability fix for PinkiePie's exploit. Two exploits, two patches, two days. I wish this were the kind of thing I had anything to do with so I could take credit!

Pwn2Own and Pwnium have now wound down. I'm sure we'll run Pwnium again next year after the kind of results we got this time; $120k is well worth it to get such creative bugs, which teach us a lot about how we can improve not only Chrome itself but our ongoing testing and security procedures.

In the meantime, I suspect our hiring pipeline will be taking a marked interest in two particular gentlemen :). Hopefully they have the same interest in us!

I frequently give a talk to Nooglers (new Google employees; this company has its own whole lingo) about Chrome and Google, and security features prominently. While I had to change the bits about Pwn2Own for this week's talk, I'm happy to have still been able to say, "All of this means that Chrome is not perfect, but we believe it's the most secure browser available today." Here's hoping I can still say that for a long time to come.

(P.S. Even the VUPEN folks very kindly said nice things about our sandbox -- although I wonder if this was not only kindness but also subterfuge to make it look like they'd actually broken the main sandbox when they might have actually gotten past the plugin one instead.)

Andy Bastable

Beautiful data visualisation of the closeness (or otherwise) of the major European languages.

Andy Bastable

Awesome!

+Valve and +WETA Workshops = OMG. MUST. HAVE.

Andy Bastable

Coming in CM9 soon...

Yay. The only thing missing for a complete lockscreen are my next calendar event and a count of unread messages for each inbox :-)

Andy Bastable

For +Ian Norris, especially.
 
Android ICS 4.0.4 on Samsung Laptop (Model: SENS R60+): I ported the full Android source, including several devices (e.g. graphics, wireless LAN, wired LAN, camera, Bluetooth, USB 2.0), onto an Intel x86-based Samsung laptop successfully. I really need to prepare a TESTBED to evaluate my idea.
*DEMO: Android ICS 4.0.4 on Samsung Laptop (Model: SENS R60+)

Andy Bastable

THIS
 
How Apple Sidesteps Billions in Taxes Around the Globe: Some Personal Reflections

If someone asked you how much Apple paid on $34.2 Billion in profits, what would you guess? Especially if you listen regularly to the right-wing rhetoric about how tax burden is unsupportable, how jobs are being destroyed because of excessive taxes, and how companies are being made uncompetitive by their tax burden? How much?

$9 billion? $10 billion? Nah. It's $3.3 billion, or a tax rate of about 9.8%. The actual figure is likely even lower, since "Apple does not disclose what portion of those payments was in the United States, or what portion is assigned to previous or future years."

Apple, of course, is not the only one. This front page article in today's New York Times singles out Apple as an example both because Apple is now about to become the most profitable company ever, and is one of the most aggressive in tax avoidance. But the article isn't unfair to Apple. It talks about a culture of tax avoidance throughout corporate America, and in particular, at high tech firms, which have the biggest opportunities for tax avoidance because digital goods and "intellectual property" can more easily be made to appear to belong to subsidiaries in low or no-tax countries.

Big companies have armies of lawyers who outfox tax collectors by taking advantage of a patchwork of conflicting tax regimes around the world. For example:

"Apple, for instance, was among the first tech companies to designate overseas salespeople in high-tax countries in a manner that allowed them to sell on behalf of low-tax subsidiaries on other continents, sidestepping income taxes, according to former executives. Apple was a pioneer of an accounting technique known as the “Double Irish With a Dutch Sandwich,” which reduces taxes by routing profits through Irish subsidiaries and the Netherlands and then to the Caribbean. Today, that tactic is used by hundreds of other corporations — some of which directly imitated Apple’s methods, say accountants at those companies."

There's an expanded explanation of the Double Irish with a Dutch Sandwich later in the story. But this line gives one taste: "In 2004, Ireland, a nation of less than 5 million, was home to more than one-third of Apple’s worldwide revenues, according to company filings."

I highly recommend this story. It is truly eye-opening. I'm going to post a couple of the graphs from the story separately (Note to G+ - do allow embedded graphics and multiple links! With a storify-like interface, you could do this super-easily without making people need to know HTML.) The bar graph that shows Apple's growing profits versus their relatively static taxes is here: http://www.nytimes.com/imagepages/2012/04/29/technology/29appletax-hp-graphic.html?ref=business

Alas, it is a pale shadow of the version in the print edition, which is vertical rather than horizontal, and uses a scale that takes up 3/4 of the front page. Truly eye-opening.

This graph, http://www.nytimes.com/interactive/2012/04/28/business/Shrinking-Corporate-Tax-Rates.html?ref=business , shows that the problem is not limited to Apple. As corporate profits have soared, the amount paid in taxes across the board has remained fairly flat. Clearly, the tax collectors are falling further and further behind the experts at tax avoidance.

But to my promised personal reflections:

I can already imagine the comments of the libertarians and anti-tax advocates in the comments on this post. "Avoiding taxes is just keeping more of the hard-earned wealth you've created by being productive and successful."

But I'd like to suggest a thought experiment. Imagine that you and a large group of friends, or an extended family, decide to hold a reunion or big party that requires renting a space and some real expenses. You agree to share the expenses equally. Then one of you says, "I'm getting us a discount on the hotel from my friend, so I shouldn't have to pay my share." Another two or three say, "I'm helping with the catering, so I shouldn't have to pay." Another: "I'm willing to act as designated driver, so I shouldn't have to pay." Each time, you think, "Yeah, that's reasonable."

But before long, things get dicey. Three more people fail to send in their promised check for the deposit despite repeat nagging. The ten people who are left on the hook for the expenses say, "This is too much. We can't afford it." So you start by letting a couple of your friends, who you know are really hard up for money, off the hook. Oh sh*t, the problem just got worse for the remaining people, who now have to shoulder a bigger and bigger part of the cost (or put it on a credit card and hope that they will one day be able to pay it back.)

Somewhere along the line, you realize that you just can't afford the great party that you'd all had your hearts set on.

You have a choice: You can scale back. Or you can stop accepting all the special reasons why one friend or another shouldn't have to pay, share the costs as originally planned, and make it affordable by all working together.

Sometimes cutting back is the right choice.

But sometimes, working together, we can do things that are wonderful, that none of us could do alone.

Put it in the context of your family. Wouldn't those of you who had more resources support those who didn't? Wouldn't you shoulder more of the burden? You're well off. Your brother or cousin is not. They can't afford to make it to the family reunion, but you love them dearly. Would you help?

I can imagine the libertarians and anti-taxers again: "But that's your choice. The problem is that government has a monopoly on force, and makes us do this against our will."

Hold on: You all made an agreement in the beginning to hold this party. Then some of you decided you wanted to opt out of paying for it.

It's a bit more complicated than that, of course, because it was our ancestors who decided to hold the party, and agreed over time on how to split the costs, and a bunch of wasteful cousins ran up the tab. But we're still a family, we still care about each other, and we want to do right for each other. So we work it out, and try to be fair, and to the extent we can, generous.

That's how it is, folks. We can be a happy family, who look after each other and create joy and possibility through being together, or one that chooses to go our separate ways, and leaves a lot of happiness on the table.

P.S. I come from a large, close, and generous family. I grew up in a household where my father borrowed money to meet his charitable obligations. When my company nearly went under in 1985, my mother saved it with a loan of a large percentage of her liquid assets, with the only stipulation being that she'd ask for it back when I didn't need it any more, and someone else did. That became known in the family as a "mammy loan."

A few years later, that same money helped my brother to buy a house. As I became more successful, I paid it forward to other family members as well.

I look at families that are successful. They love and take care of each other, and are repaid in ways that make everyone happier.

I look at families that are unsuccessful. Everyone looks after number one, and they gradually drift apart.

I know which kind of family I want. And I want my country to work the same way.
People
Have him in circles
120 people
Satish Shewhorak's profile photo
Jonathan Wright's profile photo
Bella Bastable's profile photo
Andy Pallister's profile photo
Paul Evans's profile photo
Paul Holden's profile photo
David Costello's profile photo
Basic Information
Gender
Male
Story
Tagline
Principal R&D chap at FreeStyleGames, makers of DJ Hero and other awesome things.
Introduction
Principal R&D chap at FreeStyleGames, makers of DJ Hero. Married to a part-Scandinavian, father of two beautiful girls, follower of Jesus. All at the same time.