Looking back at 100 blog posts

I found recently, somewhat to my surprise, that as of my last post I had written exactly 100 of these dispatches. Spread over 49 months, this is not a very high posting rate; but I promised myself when I started that I would limit myself to writing when I felt that I had something worth saying, and would not indulge in the common trend towards excessive introspection (or, in the words I used back in 2005, "adolescent gutspill"), and I believe I've done a good job of holding myself to this standard. Nevertheless, I think this is a good time to look back at four years and a hundred posts and say a few words about this blog.
First, writing each post takes a deceptively long time. I'd say on average it takes me about six hours of research, writing, and editing, usually spread over two or three days, per post. Items which fall into the general category of "news items" are generally much faster, while posts one might refer to as "essays" generally take longer -- which isn't particularly surprising, since they are longer: usually over 1000 words, compared to a median of about 500 words. I've been told that my writing sounds as if I just sat down and wrote, and I take this as a compliment: Just like good music, good writing has a natural-sounding flow which should make it seem easy.
Looking at my HTTP access logs, there's a clear trend in which posts attract the greatest readership. Four of the top five posts concern upgrading to FreeBSD; in order, upgrading from one FreeBSD release to a later major version, upgrading from one FreeBSD release to a future release within the same major version, upgrading from FreeBSD 6.1 to FreeBSD 6.2 (written a year before the more general "same major version" upgrade post), and remotely upgrading a system from Linux to FreeBSD. The other four posts in the top eight are all editorial in nature; in order, an exhortation to think before starting to write code, a discussion of the "security mindset" and how it relates to mathematics, a call for companies using open source software to acknowledge authors by sending schwag, and a set of guidelines for users of cryptography. One post which is not in this top rank yet is my post last month about the security cost of excess complexity, but I expect it will reach that level soon -- a month after posting, it is still receiving significant attention and is thus moving up in the rankings.
While I think the above all deserve the attention they have received, there are some other posts which I believe deserve more attention than the little they have received. My post in December 2008 providing details concerning the security flaw in Amazon Web Services version 1 signatures has received very few readers, in spite of its importance; and my post in October 2008 concerning the hackability of the Amazon S3 SLA, while not particularly important, is certainly interesting enough as a mathematical exercise that I think it deserved a larger audience than it received. I think my post with the greatest "readership deficit", however, is a post from March 2007, in which I wrote about the importance of knowing your attacker and pointed out that security is really a multidimensional concept: In short, the most secure option given the attackers you want to defend against is not necessarily the most secure option given the attackers I want to defend against.
Whither next? I'm sure I will continue to write about topics ranging from FreeBSD to mathematical puzzles, but -- subject, of course, to having something I think is worth saying -- I'd particularly like to write more about security and cryptography: both about how to do it right, and also about how to recognize when it is done right. (These are not nearly as related as they seem -- knowing how to make a movie and being able to judge a movie's quality are very much disjoint skills.)
I have two reasons for wanting to write about security and cryptography. First, as an academic (albeit one presently embedded in industry) I value learning very highly, and feel a duty to help educate people about fields in which I have expertise. There are some people who argue that the dangers posed by novices meddling in cryptography are so great that we should avoid anything which might lead them into such attempts -- that we should instead wrap the field in mystique and teach people only that they should use pre-existing libraries. While I have great respect for my colleagues who espouse such views, I find them entirely wrong-headed in this regard; I do not feel that any knowledge is so dangerous as to make its research and teaching to a reasonable audience undeserved.
My second reason for wanting to write about security and cryptography is rather less philosophical and far more selfish: I believe that my Tarsnap online backup service is exceptional in its security -- but as long as most people are unable to distinguish good security from bad, this does little to attract new users to the service. I did not make Tarsnap secure because I thought it would win me many customers -- I made it secure because I don't want to be responsible for someone losing their data -- but the fact remains that I'd love to see more people using Tarsnap, and educating the world about security is one way to do that.
The above notwithstanding, my selection of topics on this blog -- or, more precisely, the decision, given an interesting topic, of whether or not to take the time required to write about it -- is not entirely based on my own personal preferences: I have acquired a modest audience (I was astonished to find that my RSS feed has over 1000 subscribers) and to a certain extent my writing choices are influenced by feedback from readers.
So tell me, dear readers: What would you like me to write about?