Steve: Developing on the Edge
Thoughts on development, Web-services, technology and mountains.
Sat 13 Mar 2010
Currently watching: Requiem for Detroit

"In Detroit we used to make things"

Requiem for Detroit is a fantastic documentary on BBC2. Brutal. The interviews, the filming, the soundtrack, the historical coverage.

Some of the post-industrial UK cities are pretty bleak too; I think of the Welsh mining towns or the steel cities in South Wales, the Scottish central belt towns, other places. Yet also some interesting stuff in the film too; reminds me of the People's Republic of Stokes Croft. Where I was last week -at the Canteen.

Tue 2 Mar 2010
Britain: in trouble. Official

This is Athens

Athens

Economically: in deep trouble. But it is at least sunny.

This is Bristol

Clifton Down

Same "classic" Greek/Roman columns. And, according to the NYT, not that different from Greece economically.

We aren't part of the Euro zone, so can play exchange rate games, but if you look at the UK:US exchange rate, our currency is being pretty heavily discounted. There's some debate that this is due to election plans/uncertainty, but it's moot: whoever gets in inherits a mess. Either it's the friends of the bankers, or it's the same group of people who were meant to be overseeing them. Either way, their hands are dirty, and we, the population, get to experience the real pain.

Fri 19 Feb 2010
Buzz?

Lots of fuss about Google Buzz.

I can see the selling point: "integrate the traces people leave round the web into a single point of contact, integrate with Gmail, make things like Twitter and Facebook obsolete". But there were some other goals: "make it easy to bootstrap" and presumably "create public pages showing your followers". Why these too? To avoid the Facebook problem of it being no value if you don't know which of your friends are on -or if your friends aren't very interesting/active. A big limit on Facebook is that for people with no active friends, it's not compelling. Hence their recent privacy changes: if you can publish your activities more, it's easier to share them with others. Twitter solves the no-friends problem by having some recommended feeds. Google try and share things through your contacts -they do this with Google Reader and tried it with Buzz. It almost makes sense. Almost.

What assumptions did they get wrong?

  1. You want to follow all the people you email. Really, as if I care about other people that much.
  2. You want the people you email to follow you. Really, as if they care about me that much.
  3. You don't want to keep any of your contacts secret
  4. You know what public activities you already get up to online

By glueing you together with your contacts, they may have bootstrapped a social network, but by trying to publish that stuff, they have exposed a bit too much about the communications graph. Indeed, so much that it comes very close to breaking EU data protection rules. Now they are in damage limitation. Yet like Facebook, being able to make that communications graph public allows them to exploit that, and make money from it. Hence the continual pressure from once-private apps (Gmail, Facebook) to turn your actions public. I wonder what they will try next?

For everyone worried that Google is needlessly publishing facts, here are some of the other things they may know about you, that they chose not to share. Which is important: hopefully they recognise the implications of keeping this stuff secret, which is not just that publishing it may be illegal in some jurisdictions and upset people everywhere, but letting your users know you log it may cause them to stop using your services.

  • Location of use - IPAddr and inferred location. Yes, Latitude wants to do this, especially with your phone.
  • Time spent in their apps, document and email titles as well as content
  • When and where you use the Google chat apps, possibly through third-party XMPP clients
  • What you've been searching for
  • What sites you've been clicking through to from the search results
  • If those sites use Google Analytics, you could probably do some de-anonymisation tricks to work out who you are, even without sharing cookies (the timestamp, IPAddr and referrer header should be enough to correlate)
  • What you've been buying using the Google payment services
  • Photo metadata from picasaweb: location, device info

The interesting one is Google Analytics. If your browser downloads the analytics .js, it ends up issuing GET requests to Google sites that give accurate clock and IP info; if that script can get the HTTP referrer header then they can see where in every web site you go after you go to it via their search engine. Now, if you are proxied/NATed it may be hard to get 100% accuracy, that is assuming nobody else asks for "avonmouth massage parlour" at roughly the same time you do. And if the Google clickthrough links are devious enough, they could stick some id on every referral which you don't see but is on the headers and which analytics cares about. Doesn't take much extra effort and before long you've got a track of a user's behaviour not just across the Google-cookied web sites but every other web site you go to via a search. And from there, and the cross-correlation with other people, you've got a very nice model of the user.
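The correlation described above, as an added example that is not from the original post: it joins a search-side log to analytics-side page hits on client IP, a time window and the query carried in the Referer, and shows where the join stops being unique (a stripped Referer, or two people behind one NAT address making the same search). All log lines, addresses, hostnames, account names and the 30-second window are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

WINDOW = timedelta(seconds=30)  # assumed tolerance between search and page load

def ts(s):
    return datetime.strptime(s, "%H:%M:%S")

# Constructed search-side log: (time, client IP, account, query).
SEARCHES = [
    (ts("10:00:01"), "192.0.2.10", "user-a", "boots"),
    (ts("10:00:03"), "192.0.2.10", "user-b", "train times"),
    (ts("10:00:04"), "198.51.100.7", "user-c", "boots"),
    (ts("10:05:00"), "203.0.113.5", "user-d", "boots"),
    (ts("10:05:02"), "203.0.113.5", "user-e", "boots"),
]
# Constructed analytics-side page hits: (time, client IP, page, Referer or None).
BEACONS = [
    (ts("10:00:05"), "192.0.2.10", "http://shop.example/", "http://search.example/?q=boots"),
    (ts("10:00:06"), "192.0.2.10", "http://rail.example/", None),  # Referer stripped
    (ts("10:00:07"), "198.51.100.7", "http://shop.example/", "http://search.example/?q=boots"),
    (ts("10:05:06"), "203.0.113.5", "http://shop.example/", "http://search.example/?q=boots"),
]

def referrer_query(referrer):
    """Return the q= parameter of a search referrer, or None if absent."""
    if not referrer:
        return None
    values = parse_qs(urlparse(referrer).query).get("q")
    return values[0] if values else None

def candidates(beacon, searches=SEARCHES, window=WINDOW):
    """Accounts whose searches could explain this page hit."""
    when, ip, _page, referrer = beacon
    query = referrer_query(referrer)
    accounts = set()
    for s_when, s_ip, account, s_query in searches:
        if s_ip != ip or not timedelta(0) <= when - s_when <= window:
            continue  # different address, or search not shortly before the hit
        if query is not None and s_query != query:
            continue  # Referer names a different search
        accounts.add(account)
    return accounts

def correlate(beacons=BEACONS):
    """Pair each page hit with the sorted accounts it could belong to."""
    return [(b[2], sorted(candidates(b))) for b in beacons]

if __name__ == "__main__":
    for page, accounts in correlate():
        print(page, "identified" if len(accounts) == 1 else "ambiguous", accounts)
```

The first and third hits resolve to a single account; the hit with no Referer and the hit where two accounts share an address and a query stay ambiguous.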

So really, those people worrying about Google publishing private info are to an extent overreacting: Google are not publishing most of the data they hold on you, not even a significant fraction of it. But what they were doing was publishing the graph of who you talk to. And that can be quite sensitive. Why did they do it? Because if you can make the entire graph public, you can do interesting things with it.

Mon 15 Feb 2010
"I don't feel I have to wipe everybody out, Tom. Just my enemies."

Currently watching: The Godfather Part II. One of the greatest films ever, especially the slow, strung out endgame when Michael Corleone's own life falls apart, but still he goes out to get revenge on everyone who he feels wronged him. Classic.

I recognise Lake Tahoe; from the way the sun sets behind the mountains as they kill Fredo on the boat, it's clear the Corleone estate is on the Nevada side -makes sense.

Havana, Cuba

What I don't recognise is Havana, now having been there.

Havana, Cuba

Having spent time there, it's clear that either Coppola filmed it outside Cuba (on account of various embargoes), or the Castro regime restructured large parts of Havana after the film came out. Possibly both.

Thu 11 Feb 2010
Chip and Pin, 0wned

The small child I own was complaining about passwords. I think his issue is the home PC only gives him 30 minutes a day weekdays, and to get any more time he has to talk to me. He thinks we should all have the same password, like one of his friends.

I tried to explain to him the difference between "to own" and "to 0wn", but apart from the spelling, it seemed to go beyond him. Need to work on that, even though there is a risk he will discover privilege escalation attacks before he's ten.

On the topic of security, BBC Newsnight in an hour promises a ten minute special on Chip and Pin being broken, based on work from Cambridge.

This is profound. You can do a Man in the Middle attack in which a stolen Chip and Pin card thinks you are doing signature authentication -and doesn't bother with the Pin auth, while the bank thinks you are doing full pin auth, which is what will show up on your bank statement, after which the bank will assume you are lying when you said it wasn't you.

I lost my cards last year, two days before ApacheCon, didn't notice for 12 hours. Amex got me a new card fast, my bank, not for a week. But at least with Chip and Pin I wasn't too worried about the cards -indeed, someone handed in the now cash-less wallet to the police. Now, any stolen card that hasn't been locked is effectively wide open, and any bank account attached to it.

Given the infrastructure investments, I wonder how it's going to be handled. Denial is the cheapest option, I expect that first. Then there's blame the messenger...

Thu 28 Jan 2010
Private Clouds, good or bad?

James Hamilton -who I have a lot of respect for- has a big posting, Private Clouds are not the future.

His Arguments

  1. You don't get the scale in hardware purchases
  2. Only the big datacentres can justify the investment in free-air cooled, low-power servers, negotiate low cost power from PNW hydro facilities, etc.
  3. "Cloud computing providers have some of the best distributed systems specialists in the world. They also have open source experts and depend deeply upon both open source and internally produced software."
  4. Costs of keeping High Availability are high, best outsourced

Interesting, but I don't agree with all of them:

  1. If you are doing something private you don't get the economy of scale of a brand new rack-in-container setup somewhere near Yakima or Eastern Oregon, yes your power budget may be higher. But you don't need any upfront investment in your own hardware, you contact your favourite server vendor and tell them how many you want, where and when.
  2. You don't need brand new datacentre facilities. If you can get away with what you have: less capital outlay. Whereas AWS and Facebook are spending $$$, and that has to be paid for somehow.
  3. Yes, the providers do have some of the experts. But here's the thing, a lot of that experience can feed back into the source, be it open or closed. When we get some weird DNS bug or something, that gets patched, the app is better at working in those situations -or at least recognising them. Amazon may think they are gaining a strategic edge by not contributing back any of their bug fixes to the big applications, but all they are doing is forking their code away from everyone else's. In open source, regardless of the license, if you keep your patches closed, you gain a short term advantage, but risk the long-term. And if you roll-your-own app from the ground up (SimpleDB) then anyone who uses it is locked into your platform forever.
  4. HA is best outsourced. Maybe so, but I note that apps on EC2 aren't necessarily HA, as the task of keeping the application alive still belongs on that ops team. Only now if something is wrong you don't get access to the datacentre, to its routers, to find out why things are wrong.

I don't see why any infrastructure shouldn't have an API that lets me create VMs from my remote command line, web UI, build tools. Something that lets me share infrastructure with other people, rather than have dedicated machines to dedicated apps. Because in a sufficiently large organisation, there are always some old under-used apps floating around, and those apps that are used have varying demand. Exactly the kind of thing you need an agile infrastructure for.

Thu 28 Jan 2010
Who are you and what are you doing in my room in the middle of the night? I'm a paramedic

Had a fun event on Tuesday night, come round to some lights on and some noise in the bedroom and it turns out there is a paramedic there and an ambulance outside. For me. In fact, the paramedic had been there for a while talking to me but I don't remember that bit at all.

Apparently I woke my wife up by having some kind of seizure, maybe related to my ongoing Illness that is not Bolivian Haemorrhagic Fever. Anyway, Bina can't bring me round, calls the ambulance, they come round and I do regain my usual half-awake-in-the-morning-consciousness, then go to sleep.

The next day I nip in to the doctors with the paramedic report, they make a couple of calls and send me down to this GP-referral-unit at the hospital, which is kind of a second-line support facility. You get coffee and somewhere quiet to sit while the two doctors on duty send you off for tests and bring in people who know more about the subject.

More tests planned next week: MRI and cardio scans; root cause is not known. It may be due to my ongoing illness, as the breathing is still below normal. But maybe not. Nobody knows. They know this though: I am not allowed to drive for the next 12 months unless the cause is discovered and addressed.

I am down for a trip to Berlin Monday and Tuesday, giving a talk with some screen shots: New Roles in the Cloud. Anyone in the area should still plan to attend this seminal presentation, though it may be the medical staff will tell me that I can't fly (altitude) or spend a couple of nights on my own. In which case, no talk. Watch this space.

Wed 20 Jan 2010
Datamining the bug database

My stance on developer surveys, "go ask the tools", is known.

I am pleased to see someone has done this with a lovely presentation on 10 years' worth of Firefox Bugzilla bugreps.

See that? Far more information than a survey provides, results of interest to developers, rather than just annoyance.