

Zed Shaw - The ACL is Dead - CUSEC 2008 - edwardog
http://blog.cusec.net/?p=197
Recorded almost a year ago (before the bank busts, and shortly after Zed’s first famous rant), this presentation was given to about 400 Canadian undergraduate software engineers and computer scientists. Zed talks about management and his ACL-killer at a bank job accompanied by Factor-powered slideware. Also: steaks, strippers, and statistics.<p>N.B. This video might damage your vision of Zed swearing all the time and may make it seem like the last year of ranting was a terrible joke gone wrong. Oops.<p>P.S. - Check out this year’s lineup (Ingalls, Stallman, Bryant, Culver, Hwang, and Bowkett are just the keynotes). This is one of Canada's best kept secrets, and tickets are super cheap.
======
davi
Notes from lunchtime viewing of first 40 min

\------------------------------------

~9:29: "law is actually kind of a turing complete language"

Law is fuzzy; ACLs are fuzzy. ACLs can't handle real law because they're not
Turing complete.

~11:20: had a business manager learn Ruby, had him implement poorly
specified/tough features --> result: he modified/eliminated requirement

~12:20: a bunch of if statements are easier & better than an ACL

~13:50: in one case, 1000 users and 1000 containers would have required
270,000 ACL entries to implement one compliance rules; and 5 minute polling
updates, because rule was time-based; --> couldn't audit, handle real-time
changes; would've required 12 beefy boxes to execute.

14:40: Instead, re-write all rules in 400 lines of Ruby; analysts could read
the code and say if implementation was right.

15:45: So a language wins, right? No -- "this is where the Suck begins" --
where management comes and crushes your soul. Bad product was substrate for
document management system.

17:50: How do they sell this stuff? Connections, subterfuge? No.... "Steak and
strippers, baby."

19:00: "This is one reason I want _women_ to be in charge."

20:00: "What happens when they give you an MBA is they give you a lobotomy...
and you walk out going 'Synergy! Synergy! Synergy!'"

21:00: MBAs are trained in _manufacturing_ \-- programming is _not_
manufacturing -- you're going to work in an environment where they think
you're worker bees on an assembly line.

22:00: So what to do about it?

1) Managers see people sitting there, they think nothing is going on. If
management says "I demand all of your creativity but trust none of your
judgement," you have to gather evidence that makes you more credible. You have
to be objective. Try out whatever crappy technology that they're proposing.

2) Develop alternatives: if their crappy technology is good enough, stop; but
if not, try out alternatives before suggesting.

3) Statistics; develop some pretty graphs. E.g., Zed's team built a demo
server, showing slow performance. Without those, he would've had no evidence
to contradict the sysadmin who was saying his tweaks had helped. Be prepared
for intensely technical arguments, too.

4) Admit technical deficiencies.

~29:30: If none of this works, and they won't take it, build it anyway and
then sell it to them or their competitors. The client can be your first
customer. Good way to start a company.

~30:00: our doc management system is very simple, 4400 lines of Ruby plus some
Samba modifications, and better than anything else out there.

Drools -- JBOSS rules engine -- "blows ass" -- just use Ruby instead.

~31:30: Figure out Roles first, with a Role Resolver -- draws on LDAP etc. --
30 lines of Ruby -- now, ~200 lines of Ruby, covers all bizarre corner cases,
easy to add new rules, easy to fix existing rules.

~33:30: And they _still_ wanted the crappy older thing. At this point, it's
_all_ the social problem. What _mattered_ was the old product had the same
name. "Document Store 2000" vs. "Document Store New Gen" -- completely
different, but easier to get through manager's manager's procurement process
-- "that's the stupidity you deal with in the real world".

35:15: How do we win? We kept hammering. They sent out their best guy. I had
him implement the toughest rule, the one requiring 200,000 ACL entries. Then
had him explain to his managers why it wouldn't work. Had nothing to do with
tech.

36:15: This stuff will kill you. How do you keep your soul through all of
this? [Poll audience for years of education] -- "It don't matter" -- you're a
factory worker.

37:30: "Business leaders don't really like you, because they need you, and
they don't understand anything you do. ... And the sales people know this;
they know if they go to your boss, and give them steak and strippers...."

~38:40: Fight your hardest not to be a corporate coder: your life as a geek or
a coder should be all about exploring some new domain that no one else gets --
you can only go to conferences and talk to other geeks about what you do. A
corporate coder works only on the stuff he's supposed to on one language, and
never touches code otherwise. You should go home and do something _fun_ with
technology.

40:00: how to avoid not getting burnt out by day job? I.e., how to avoid
losing your soul?

[40:30 stopped watching, back to work.]

\------------------------------------

~~~
undertoad
Thanks for posting this; the part at 40:00 actually motivated me to view the
rest, which I recommend to anybody working in a corporate job.

Hopefully this summary does justice to the remainder (but IMO it's worth
watching):

40:00 Essentially he says you're not defined by your job. Your outside
projects represent your self-expression and the corporation doesn't get a
piece of that.

42:00: Most companies treat programmers like factory workers. In that case,
act like one: do a professional job and punch out at the end of the day.

43:30: "If the company makes money off the sweat off your back, you get a
chunk. If you don't get a chunk then you give them what they absolutely ask
for, keep it to a minimum, be friendly, be very professional, do your stuff,
make sure it's well-written, but don't go out of your way to give them your
latest, greatest research or your idea or whatever."

44:00: Work on weird and cool stuff at home to stay sharp. If all you do is
corporate coding, all you'll ever be is a drone.

45:00: When you're coding at home, "you're making poetry people can play
with." But you don't want to do this for a company that doesn't care. "Who
wants to make another document management system, time tracker or accounting
system? There is money in that, but unless you're making the money too, it's
not really fair."

47:30: Don't fear change. At home, take chances and learn new stuff. But at
work, just give them what they want because they'll make changes whether you
like them or not. It's just a job.

50:00: If you're concerned about being outed, consider creating an online
identity (like "_why").

51:30: Don't do Blub at home; do something completely different, break the
rules and code for fun. At work, don't think too much, don't be different and
just get it done.

52:40: Outside work, make sure you're not someone's "resource" to be
"utilized." Run with like-minded folks.

54:00: Embrace your geekiness, get out there and do it now.

55:00+: Questions and answers. This was good too, but somebody else will have
to take over the transcription. ;)

~~~
michaelneale
Q&A was good - I think Zed is wildly missing the non technology/boring
business aspects of starting up (I guess he hasn't tried to start something up
before? Or maybe he has...).

~~~
undertoad
Reading your post and considering it further, I guess his message is less
about starting up than about how to survive a day job and continue to grow as
a human being by doing interesting work at night.

Blub work on a startup at night could be another path away from employment
that isn't really addressed in the presentation (though it's very difficult to
pull off, IMO).

~~~
Angostura
It's strikes me that his advice on how to avoid getting burnt out at work is
advice that is precisely designed to ensure that your day job is boring,
unfulfilling and that you never get given any tasks that are interesting or
designed to let you stretch your intellectual wings.

------
bprater
Wow, the guy doesn't have horns!

He's actually really entertaining to listen to. I like his real-world examples
of problems.

Steak will never be the same.

------
sspencer
Zed is probably the only blog author I would really like to meet in real life.
And this video seems pretty close to what I imagined he'd be like.

~~~
ambition
Come to CUSEC 2009. He'll be there.

------
markessien
Zed is going to become important. It's easy to write, but it's not easy to
look good on video, as well as have good video timing. He's not perfect, but
he's good.

If he sticks to his rant-personality, he will sooner or later become on of the
stars of the internet.

~~~
old-gregg
Personally I don't see who can compete even _now_. Zed's blog is the _only_
blog RSS feed I have in my reader. Nobody else has earned the privilege so
far. Everything else in my reader is corporate stuff like HN or arstechnica.

------
stcredzero
I love that he's saying "The ACL is Dead." This should be said loudly and
often. Maybe it'll get through the heads of management out there. Heck, it
needs to get through the heads of a lot of programmers.

Modern security and access controls need functionality like capabilities.

~~~
davi
Any links? As only a sometime-programmer, the "ACL is Dead" idea is new to me.
I could use some good examples.

~~~
Hoff
Zed Shaw discusses this in several parts within the presentation; it's
somewhat of a recurring theme.

ACLs as they're implemented on most operating systems are wicked limited;
tracking attributes and access to anything beyond simple boolean HAVE_ID or
!HAVE_ID or HAVE_THIS+HAVE_THAT logic gets really ugly with an ACL. And the
classic ACLs are not at all dynamic, as is pointed out in the presentation.
You can't easily tie the access control processing directly into the LDAP
directory for employment status or into the system time for time-based rules,
for instance.

Having access to conditional statements and such to manage access control is
infinitely more flexible. This is the "Turing Complete" part of the
presentation.

This processing all reminded me of what you can do with D inside the DTrace
environment, too. But I digress.

Watch the presentation. It's worth your time.

~~~
rcoder
ACLs (and RBAC, and most capability security models) are limited _for a
reason_ \-- they allow you to _prove_ that certain security properties will
hold for your application. Without a solution to the halting problem, no such
assertion can be made about security mechanisms expressed using Turing-
complete languages.

That's not to say that ACLs are the last word -- they were defined and
analyzed in depth in the 60s and 70s, and work in security theory marches on.
Models such as information flow analysis, object capabilities, etc., allow for
much richer policy definition while still making stronger guarantees about the
security of the finished system.

While I actually like most of what Zed has to say in this talk, I think he's
doing a grave disservice to the security theory community by dismissing out of
hand everything they've done in the last 40 years.

~~~
michaelneale
Yes that provability is big - but I guess is his point is that with SOX and
other legal requirements - that provability and applicability of ACLs is now
completely out of the window, so its time to stop hammering the square peg
into the round hole.

------
allertonm
Lots of stuff here that resonates with this some-time CMS architect and
soulless corporate wage slave, but I missed the part where Zed was able to
provide an easy-to-use UI to allow non-programming sysadmins to change the
security rules. That must have been so simple he didn't need to mention it,
right... right?

~~~
gnaritas
No, but he is saying that complex things require an actual language, not a
point and click UI idiots can use, so changes to rules would _require_ a
programmer.

Seriously, the idea that a complex system can be built by non programmers is
somewhat of a pipe dream, it always ends up being more complex than some
simple code a programmer can understand.

~~~
allertonm
I agree wholeheartedly with your last statement, but my point was that Zed got
through the whole hour without once mentioning that this was a trade-off that
was being made - and it is a pretty important one.

(Also, non-programmers != idiots)

~~~
gnaritas
It was not a trade off being made. The point and click UI could no longer meet
the requirements. That's what he was getting at saying the legalese was turing
complete. The requirements the law now mandated required an actual language to
to implement because the old system with ACL's _can't_ do the job anymore.

That the new system doesn't have a point and click UI isn't a trade off, it's
just a consequence. He wasn't trading a complex system for a simpler system,
he was replacing a complex system that could no longer work with a simpler one
that could.

And while not being a programmer doesn't mean you're an idiot, not being able
to learn some simple scripting to modify rules does make you an idiot. If your
job requires you to modify the rules, and you _can't_ learn to do it, you're
dumb. All intelligent people are capable of learning some simple scripting.

------
nirmal
I wish I could see his slides.

~~~
silentbicycle
It's in Factor, right?

Is the source available?

~~~
bk
<http://www.zedshaw.com/conferences/cusec2008.factor>

~~~
tlrobinson
I can't seem to figure out how to run this... I downloaded the OS X
distribution, opened it, selected "Run..." from the File menu, and selected
the cusec2008.factor file. Now what?

~~~
tlrobinson
Why was this downvoted? I'm asking a legitimate question.

~~~
glymor
Probably because it's explained on the video page:

<http://vimeo.com/2723800>

If you are still having trouble try:

    
    
      USE: cusec2008
      
      start-presentation

------
thenduks
This whole "must follow speaker with camera" thing has _got_ to stop. Just
stick the camera on the slides and leave it there. _At least_ get both in the
frame. This is pushing unwatchable with him pointing to the slides all the
time, the audience laughing at the slides, he's referring to code on the
slides... Kill me :/

~~~
michaelneale
Hey that sounds like a neat camera product idea: how common is it that you
want to record 2 visuals at once? Pretty common - so a little camera with 2
separate point-able lenses would be nice - or something like that.

------
shaunxcode
Zed Shaw: Joe Hill of programming. Though rather than organizing workers into
unions/factions of the IWW he is advocating people reserve their "real"
programming/creativity for themselves unless they stand to make a profit
(which they would if labor conditions were equitable). I can totally get
behind that.

------
thomasfl
fucking awesome

