I’ve been reflecting a lot this week on the type of work I enjoy doing, and I’m starting my home energy monitoring journey.
I also make heavy use of images from Profound Programmer in this week's retro. It just felt fitting, given the topic.
Reflections on my love for shit work
I genuinely love doing little tasks that on the surface don’t seem that important, don’t seem related to my role in security, or maybe seem disparate and disconnected from any primary goal. I am privileged in my position at work to get to pretty much choose my own work tasks and set my own projects, and I have accomplished a great deal thanks to this flexibility.
One of the things I love the most is finding the little things that build up over time, the tech debt, the things other engineers say “I wish we could fix that”, and sweeping it up. A digital sanitation technician, if you will. The sole proprietor of the Tech Debt Collection Agency.
Whether that’s questionable decisions in database design, complicated code that is hard to follow and hard to modify, or even just code repos that haven’t been touched in a couple years – if I look at it and think “I don’t like that”, I love getting to just… fix it. I don’t deal with politics, I don’t wait for permission, I just see a problem and I do my part to make it better. One engineer I work with called this the “Campsite rule” – leave it better than you found it, and I like that.
In my old roles as a red teamer, I really enjoyed getting to look for problems and help people understand why they were problems and how they could fix them. But ultimately, the success of my work boiled down to whether or not the problems I found would actually get fixed, and oftentimes this could take months, or even years, and it was completely out of my control. I felt a lot like this guy, pretending to be a criminal and cheering on the nearby tire fire.
This week I inadvertently spent the whole week rewriting our core authentication code. Due to a mistake early on in the lifetime of our Django application, we had to make a large number of compromises to achieve the behaviors we wanted. This all happened well before I joined the company, but the effects were felt years later, nonetheless. Our login process involved several custom classes that subclassed other classes that were provided by third-party plugins, used a custom Django authentication backend, and did a whole bunch of things just to result in “can we set a session cookie for this user” - a feature that Django has supported out of the box for, idk, well over a decade.
It was hard to understand, and worse, it was hard to modify safely. There were tests, but they didn’t account for a bunch of edge cases. It was just a hairy mess. With no offense to the engineers who got us there – it was the constraints they were working with at the time, and they came up with a solution. I just happen to have the privilege of hindsight and can say “yeah how about no.” I have some new security related features in development, and those features required being able to easily look at and understand how a user authenticates to our system, what criteria must be true, what criteria must be false, etc.
But this is just one example that happens to be directly related to security. I have also done a whole bunch of things that are indirectly related to security. I rewrote our dependency management, twice – not for security reasons, but because determinism in builds is important for developer experience and for system reliability.
I introduced flake8 and other linters to our code base and almost single-handedly brought our 400k-loc python project into pep8 compliance. I have engaged heavily in the adoption of mandatory strict mypy checking in our code, often spending hours scouring the code for type ignores and doing whatever I can to fix them, often fixing a wide variety of bugs along the way. I rewrote multiple lambdas that were used in production but that were in a language that isn’t standard for our company, simply to make it easier for other engineers to then make changes later.
These things are not particularly related to security, but I have the privilege of getting to work on them, because I look at security as a pretty holistic process. Security is not the features I bolt onto our code base, bolt onto our infrastructure, bolt on to our product. Security is not the policies we write or the processes we make everyone else go through. Security is the daily grind of finding things that aren’t quite right, and putting in the effort to make them better, before they become a problem. Making them easier to understand. Making it less risky to make changes in the future. Making it harder to write bugs, security or otherwise. Moving the needle, slowly but surely, towards an environment that embraces velocity, but not without regard for safety.
I genuinely love finding some code that makes me go “who even wrote this and why did we let them?” and then developing a plan to make that suck less. Asking myself “how do we solve this problem in a way that is easy to understand and doesn’t do more than we need?” I finish the work and can look back and feel like it’s genuinely better than how I found it.
At least until a little time goes by… and then I look back and the whole process repeats itself.
Home Energy Monitoring w/ Athom Smart Plugs
I received 6 Athom Smart Plugs for ESPHome in the mail today that I had ordered maybe a month ago or so. I’ve been desperately hunting for the source of our 500 kWh power bills, and while I made some progress by switching our thermostat into eco mode and relying on opening the windows more often, it only ended up reducing our actual bill by maybe 15%.
Since I live in an apartment, I have somewhat limited options for smart power monitoring. My friend Adam has written in the past about his condo energy monitoring with the Emporia Vue 2 system, and this idea does really appeal to me. But unfortunately I’m a scaredy cat when it comes to working with electricity, and probably more unfortunately, I don’t have access to the main breaker for my apartment without coordinating with the building management. So installing something like this into my rental seems like maybe more effort than it’s worth, especially since I also don’t know when we’re planning to move out of here.
So instead, I sought smart plugs that I could use. My criteria were, I thought, pretty simple. I wanted the data to be available only locally, I wanted to integrate with Home Assistant, and I wanted to be able to add the smart plug to both spots for any given outlet. This ruled out things like the Kill-a-watt, which are cool, but gigantic, and the per-unit price is also kind of absurd compared to the smart plugs I ended up with.
I ended up with the Athom plugs for about $13/ea, and they came pre-flashed with ESPHome. They were a breeze to set up and I’ve got them monitoring my complete desk setup now. I’m going to expand out to also monitoring the server rack in the closet where all the network gear is, the entertainment system in the living room, and then I’ll probably explore some of the kitchen outlets that might benefit from them.
At this point, I don’t even think I’m going to take much action if I do find the cause. It’s just been haunting me that our power usage is so high each month for our apartment and it doesn’t seem to change that much when I’m gone for a week and my computer is off. It does drop considerably when we’re both gone for a week, in which case we usually unplug both of our desks, the TV, air fryer, etc., and the thermostat goes into eco mode even more aggressively, it seems. But I just want to know where the power is going, and with these plugs, maybe I’ll finally start to figure out the answer.
Interesting Links
- Simple Mail Transfer Protocol - My 8th PROTOCOL video, in which I did a lot of animation with excalidraw exports to explain how sending an email works. I’m proud of this one.
- Libre Computer - A company that specializes in open source single board computers. I haven’t ordered one, but they look like a pretty cool company.
- 10 Things I Hate about NixOS - I agree, the worst part about NixOS is how insufferable I’ve become about it.
- Et Tu, Grammarly? - A fun diagnosis of the Grammarly browser extension breaking a website’s styles. Bonus second link, you can use emojis as CSS variables. Unfortunately, the website does not in fact mean “dbus hell”, which was a slight letdown.
- Digital Echoes and Unquiet Minds - I enjoyed this essay a lot. I sometimes get overwhelmed by the sheer amount of data I leave behind in my wake.
- Buy Once Software - A repository of software that you can buy once and not have to deal with being milked for recurring revenue. I’m happy to see people celebrating this, and I hope more people embrace it.
- Write Blog Posts that Developers Read - A post about how to write posts that actually attract readers. I may have tried my hand at this a little bit this time, but also the weekly retro isn’t a format I expect people to be seeking out.
- Operationalizing Macaroons - A great post from Fly.io about how they’ve operationalized Macaroons as an authentication mechanism. It seems super cool, I hadn’t looked at them very much before, and I’ll probably stick with session cookies for most of my usage, but this is great, nevertheless.
Upcoming Projects
- Defcon Call for Music/Tracks - I’ve made no progress on this since last week, I need to get it together or it’s going to be too late before I know it.
- I want to do more live shows at hacker cons. I’ll do it for the cost of getting to the con and the hotel room. If you, or someone you know, is organizing hacker cons and wants some new live nerdy rap shows, please reach out via any of the platforms on my page.