Eduard Medvedev, CTO at Tungsten Labs: “We have grown to the point where technology can cause massive harm”

In case you did not know, today you can bring up a server, start and roll back a deployment, or scale a cluster simply by sending a message to a Telegram bot.







Eduard Medvedev, CTO at Tungsten Labs (Germany), spoke on the third day of Slurm DevOps on the topic “Automating Infrastructure with ChatOps” and talked about the integration of instant messengers with pipelines. After the talk, he gave an interview over a cup of coffee.







I was counting on a story about an interesting technology, but in the end the conversation turned to the topic of IT ethics: how a person turns into a laboratory rat that runs every day through a maze of addiction and attention-control algorithms, how war is automated, how the arms and drug trade reaches a new level of anonymity and accessibility, how IT people write code that destroys society and personality, hiding behind the age-old "we were just following orders."













Let's start, as usual, from the very beginning. Once upon a time there lived, coded, deployed ... Tell us about your path: how did you get to where you are now?







It is long and tangled. Before I ended up in Germany, I moved a lot, studied a bit in Norway, worked a bit at a startup in the States, mostly remotely. I lived in Thailand for a while when I was freelancing, which is a completely typical story for Russians, in my opinion. I came to Germany almost by accident, and more for personal reasons than for work. I ended up at Tungsten Labs in Berlin. Now I have returned to Russia for a short while; I spend a lot of time in Tomsk, I like it there.







What significant steps can you highlight on the way?







A difficult question.







Let's start with higher education?







But this is a simple question. I don’t have one. I started with some small part-time jobs back in high school, worked as a layout designer, then as a front-end developer, then switched to backend and architecture. I like to learn something new, I can’t sit still. I did a lot of freelancing, then worked full time remotely on different projects. In general, when you freelance, you learn self-discipline, and that helps when you get a full-time remote job.







Are you CTO at Tungsten Labs now?







Until recently, but no longer. Yes, my last full-time job was as CTO at Tungsten Labs, but now I do more consulting, including for Tungsten Labs.







So you decided to become a free hunter?







Let it be for now.







Can you recall the series of technologies that you went through? Like steps.







I can try. I started with layout, so HTML and CSS. I poked around a little in the PHP that we had on the backend. There was a lot of JS on the front end and Node on the back end, and there was Python. I’m still most comfortable with the last two, although recently I often have to write or add something in Go.







Go is now considered a very promising language. What is your opinion?







I think that there is a lot of hype around Go, and only part of it is justified, but the language is still good and promising. I won’t even joke about generics now.













Has it ever happened that you learned some technology or some language, and then it died? Like Perl, for instance.







I don't think so. When I learn something, I always try to focus on general concepts, which in any case will come in handy later. Because of this, I do not know the languages in great depth, but at the same time it is much easier for me to learn and use something new. I had a small project in Elixir, I wrote something in Haskell, reworked an ML model with TensorFlow. For a competition I once had to write in Brainfuck. All this is much easier to do when some general principles, structures and algorithms are familiar, when the foundation has already been laid. Therefore, I do not think that there is dead knowledge.







What projects and tasks have recently been a professional challenge for you? What gave you particular pleasure in the solution and implementation?







I participate a lot in information security competitions, CTF (Capture the Flag) and the like. I even used to have a small team. Once I won first place in one of the games at DEF CON in Las Vegas. And DEF CON is one of the largest and most famous conferences of this kind. Nearly 30,000 visitors, seriously huge. Several hundred people competed. And there I was, in first place. It was unexpected and very cool. Now I can always go to DEF CON for free, a small privilege for the winners.







And what was the task? In short.







In short, this is not one task, but dozens of different ones: vulnerabilities in web applications, binary exploits, traffic analysis and extraction of keys from disk or memory images. Hacking Wi-Fi networks, capturing wireless traffic. Cryptography. In general, you have to absorb and apply a lot of diverse knowledge in a very short time. Just the way I like it; we have already talked about this.







What is a value, an indicator of success for you?







For me, an important indicator of personal success is the following question: “What would change if I were not here?” That is, if I were not there, would the things I did, for example in my work, have happened or not? If someone else would have done it without me, then my presence seems to be not so important. But if I did something that would not have appeared without me, or that other people would have done worse ... that is another matter.







Do you think it has now become easier to enter the Western IT market from Russia or is it more difficult?







It is quite easy to enter if you relocate. There are a lot of vacancies, and there are still few specialists, so companies are often ready to help with a visa and pay for travel. It’s more difficult if you work remotely: you may find that you are often looked at as a “dude from Russia”. This means that you can be paid less: you live in a relatively poor country, how much do you need? This means that you do not have the professional and cultural context that people in the West have (all these meetings, communities, conferences), and you speak a slightly different language, use other concepts and values. This does not seem so important, because you just write code, but when you are a full member of the team, it has an effect. In Russia, this context is still completely different, especially outside Moscow and St. Petersburg. In Tomsk, where I was born and raised, there is not much of an IT community. There are several good companies, some individuals, rare events. But there are few meetups or communities that meet regularly. Conferences: one or two per year.







Have you thought about organizing something?







I organize or help regularly, but usually not in Tomsk. The problem is not organizing, but rather gathering interested people. And also, again, context. When you constantly go to such events, you accumulate a certain context, and when you pass on knowledge, you assume that people are also in this context. Therefore, it’s more difficult for me to speak in Russia than in Europe: the context is completely different, and effort is needed to understand what needs to be explained in more detail, what to skip, what to focus on. The most difficult thing is to explain something to people who do not have this context at all, who have not previously participated in any communities. I admire people who are good at explaining things to newcomers. In general, it is about the same problem as with remote work: it all comes from the difference in contexts.







In the security sector, do you think AI is likely to solve a number of problems? As an information security consultant, what do you see in this area?







In 2016, the Cyber Grand Challenge was held, sponsored by the American agency DARPA (Defense Advanced Research Projects Agency). I already talked a little bit about CTF, where teams are given images of systems with pre-planned vulnerabilities, and the task is to exploit these vulnerabilities in each other's systems while discovering and patching their own as quickly as possible. CGC is the same kind of competition, but AIs participate in it without any human intervention whatsoever. That is, the appearance of AI is not just “likely”; it is already developing, and very actively: robots break robots, robots defend against robots. A lot of vulnerabilities are found and exploited simply automatically, with a wide scan. Fuzzing, which is testing with incorrect input data to search for vulnerabilities, is also almost completely automated. There are so many things in which AI is used for both attack and defense. But at the same time, information security is as much a story about people as it is about machines.







Do you mean social engineering?







I mean not only social engineering, but also any human factor. We now live in a time when the most vulnerable place in modern systems is not the software or the machine, but the person who operates all this and the mistakes that he makes.







What trends do you see in the field you are currently working in?







I see a very strong influence of moral and ethical issues on the environment as a whole. People not only write code, but also think about what this code will be used for. And what it will be used for becomes a much more important issue for people than before. Because there is a possibility, quite tangible, that your code will kill people, that your code will be used to discriminate or infringe on someone else’s rights, that a mistake in your code can deprive a person of his house or put him in jail. People used to think less about such things, it seems to me, because we did not rely on technology enough to make decisions of this kind with its help. Therefore, people begin to think about these issues much more. Not so long ago, Google employees protested en masse against participating in Project Maven (a project to develop AI for the US Department of Defense), and as a result, the contract was canceled.







At the same time, the Google leadership, as they say in some media, is working with intelligence agencies. And the real confidentiality of information on the same Google email services sometimes raises questions.







It is more likely not about leadership, but about developers, about regular “rank-and-file” employees. I know people who on principle will not participate (and have already refused to participate) in such projects.







That is, you think that the network is gradually growing up. A carefree and reckless childhood passes.







Yes. We have grown to the point where technology can bring very real, very tangible, very massive damage. And to the point where IT corporations have grown so much that they can do it without outside help.







I have long been interested in issues of manipulation, addictive scenarios and the ethics of social networks. Large social networks use a number of technologies for grabbing and retaining attention ... In some cases, they can form a person’s addiction, which can lead to dopamine burnout, depression, and ultimately suicide. That is, the code can lead to real death. I noticed that American Republican Senator Josh Hawley recently proposed the Social Media Addiction Reduction Technology Act (SMART) bill. Hawley demanded that social networks stop "exploiting human psychology or brain physiology" for their own purposes. The bill lists four “forbidden practices” used by large social networks: automatic loading of data in the publication stream and the inability to scroll through it to the end, an attack with excessive amounts of content, rewards for activity on social networks, and the function of automatically playing music and videos. Do you think the network ethics of the 21st century will be formed in the near future? Or will large companies resist and block such initiatives in every possible way?







It seems to me that large companies will always resist. This is a business, and the main goal in it will always be making money. Of course, it’s easiest to make more money if people use your product a lot and often and, yes, become dependent on it.







Only, it turns out, there is a conflict between developers who work for these large companies, but form a new ethics for the developer, and the large companies themselves, which are only interested in profit.







There are already quite high-profile, massive cases where developers stopped working for specific companies because of ethical differences, the same Maven. They are still rare. But it seems to me that there will be more of them. Because good developers always have a choice, and IT is now a market where developers, rather than companies, dictate the terms. And this kind of push for moral and ethical standards can begin from below and then go up, which is generally what is happening now.







Developers can now dictate terms, because there is a large shortage of talented and experienced developers on the market. With an increase in the number of developers, the deficit will decrease, which means corporations will be able to dictate.







Maybe yes, maybe no. The number of experienced developers will increase. But the developers who are experienced at the moment will also grow. And the demand for that level will also appear. The profession is relatively young, after all. But the turning point, yes, is right now. Perhaps this period will end soon.







And what trends do you see?







I see an overall trend toward movements that go from bottom to top, coming from employees. They are trying to force the leadership to accept some of their goals, which are associated not only with profit. And companies have to change something, not only because it’s good and right, but also because then people will come to them and existing employees will stay and not go somewhere else. I think that up to some point this will gain momentum, and eventually some moral and ethical standards and norms will be formed that will be accepted by everyone. In hiring practices, for example, regarding discrimination. If we talk about diversity, which is now constantly discussed in the West, then most of the initiative comes from below. People say: "I will not take a job at a company where there is nobody who understands me, who looks like me, who has gone through the same problems as me." Or they say: “I’m unlikely to get much out of a conference where all the speakers have backgrounds that are very similar to each other and very different from mine.” And companies have to change. This is again, in many ways, a question of cultural context; in Russia there is less of this for now.







Have you heard about communities that are already trying to create a new ethic for developers in particular and the network as a whole?







There are so many groups that fight for diversity, so many people who engage in online activism, the fight against censorship and political persecution on the net. These are mainly people close to journalism, to non-profit organizations. Internet Freedom Festival is a good conference on this subject, for example. But I, unfortunately, do not know of large communities that would specifically deal with the issues of new morality and ethics on the net. I suspect that they exist, because they cannot but exist. But the fact that I do not know about them, although I was interested in the issue, still says something.







P.S. The conversation left an interesting impression: to talk freely about these topics, you need a person living in Europe or the United States. One part of me, the small-town part, thought during the interview: “IT ethics, sabotage ... They snickered a little there.” And the other, the universal part, answered it: “Maybe we will someday grow up to this.”







