Scalable and Secure Systems

On How We Can Teach – Exploring New Ways in Professional Software Development for Students, more...

How do you see software development in the 21st century? Here is how we (Dr. Tobias Jordine and myself) designed and ran an advanced software course at HdM. Feedback very much appreciated.

Health: the looming disaster around the german health card and TK-infrastructure, more...

Is the German health infrastructure that is currently being rolled out in many practices really up to date, or a disaster waiting to happen? If you are interested in a thesis on this politically and technically challenging topic, let me know. The current solutions are either extremely unsafe or - if hardened - not workable. A security analysis and alternative architectures (cloud?) are required.

On Disruption, more....

A short piece on the concept of disruption against the dark background of Yuval Harari's 21 Lessons for the 21st century.

Causality, Knowledge and Big Data, more....

A few open questions that had been bothering me for quite a while - and an unexpected re-discovery of the past.

Language, Culture and Cognition, more....

(Hopi image: Edward S. Curtis [Public domain], via Wikimedia Commons) I remember reading Benjamin Lee Whorf's famous book on language, thinking and the perception of reality and being quite impressed by his discoveries in the Hopi language and culture. Later his methods were seriously questioned and rejected. But in my mind his theory on how the structure of our language influences our thinking prevailed. Now Lera Boroditsky has written How Does Our Language Shape The Way We Think. And it looks like things have changed a bit...

Cynefin: Act or sense?

(table from Brougham's paper). As part of our master journal club we read a little piece by Greg Brougham on Cynefin, the famous framework covering the ordered and unordered world. And while Cynefin is interesting in itself, I was reading the "Book of Why" by Judea Pearl at the same time and noticed something: Pearl's do-calculus is geared toward understanding causal relations between things. It is based on intervention. The Cynefin framework goes from "sensing" in the ordered domain towards "probe or act, sense, respond" in the complex and chaotic domains. Well, I guess detecting causality IS deeply connected with doing or acting in every case that is not already well-known. More on the do-calculus in a later article.

On a sideline: I watched a talk by John Snowden, one of the inventors of Cynefin, at the Domain-Driven-Conference Amsterdam 2018 and he made a little remark that shocked me: when he talked about evolutionary mechanisms in the context of complexity, he mentioned a talk he gave to US upper management in Texas. And he was asked to NOT MENTION EVOLUTION, as it might hurt attendants. More than 50% of US citizens seem to deny evolution as a principle of nature. Many years ago I thought that we had left religion as a major problem of the future behind us. I was wrong. Humanity is far from accepting scientific thinking.

Telling stories with the help of Little's law

Just my kind of article: Marc Brooker wrote about stories and Little's law. I use stories a lot more than mathematical formulas for two reasons: stories are kind of intuitive and they tend to stick in people's memory. Little's law says that the mean number of requests in a queuing system can be calculated by multiplying the arrival rate with the average time spent in the system.

Little's law (LL) can be used for capacity calculations, or it can be used to think more about the dependencies in your system. What does "mean concurrency" mean? How spiky is your arrival rate? How much variation is in your processing time? Just painting a diagram of your queues and processing elements gives you a chance to mentally change parameters and behavior. What do we need to measure? Should we abort new requests, and when should we do so? Should we delay requests which were processed really fast? (Think about your clients' behavior in this case.) Should we try to make all requests equally long? When we have many concurrent requests in processing, what does this mean for contention?
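The paragraph above asks what we need to measure. The following added example (mine, not Marc Brooker's or the original post's) derives the three quantities of Little's law from a constructed request log of `<start_seconds> <duration_seconds>` lines, plus the peak concurrency, which the mean alone hides when arrivals are spiky. The log format and its numbers are assumptions made up for the demonstration.

```python
"""Measure Little's-law quantities (L, lambda, W) from a request log.

Added example, not code from the original post. The log format and the
sample values are constructed for the demonstration.
"""

# Constructed sample: "<arrival time in s> <time spent in system in s>".
# Two requests arrive together at t=1.0 (a small spike); the one at t=3.0 is slow.
SAMPLE_LOG = """\
0.0 1.0
0.5 1.0
1.0 2.0
1.0 0.5
3.0 4.0
6.0 1.0
"""


def parse_log(text):
    """Return a list of (arrival_time, time_in_system) tuples."""
    requests = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        start, duration = line.split()
        requests.append((float(start), float(duration)))
    return requests


def littles_law_metrics(requests):
    """Return (window, arrival_rate, mean_time_in_system, mean_concurrency).

    The window runs from the first arrival to the last departure, so the
    system is empty at both ends. Over such a window L = lambda * W holds
    exactly (not only in expectation), because the integral of the
    concurrency curve equals the sum of the individual times in system.
    """
    t0 = min(s for s, _ in requests)
    t1 = max(s + d for s, d in requests)
    window = t1 - t0
    n = len(requests)
    total_time_in_system = sum(d for _, d in requests)
    arrival_rate = n / window                    # lambda: requests per second
    mean_time = total_time_in_system / n         # W: mean time in system
    mean_concurrency = total_time_in_system / window  # L: time-average in system
    return window, arrival_rate, mean_time, mean_concurrency


def peak_concurrency(requests):
    """Maximum number of requests in the system at once (sweep line)."""
    events = []
    for s, d in requests:
        events.append((s, +1))       # arrival
        events.append((s + d, -1))   # departure
    # At equal timestamps process departures first: a request leaving at t
    # does not overlap one arriving at t.
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    window, lam, w, l = littles_law_metrics(reqs)
    print(f"window={window:.1f}s lambda={lam:.3f}/s W={w:.3f}s L={l:.3f}")
    print(f"lambda*W={lam * w:.3f}  peak concurrency={peak_concurrency(reqs)}")
```

The mean concurrency for this sample is about 1.36, but the peak is 3: that gap between L and the peak is what the questions about spiky arrivals and contention are really about, and it is the number a pool or thread limit has to be sized against.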

ACIDRain - how to abuse wrong DB-isolation levels

I know Peter Bailis from his excellent work on eventual consistency in NoSQL databases and his clear explanations of isolation levels in RDBMS. From my lecture on distributed systems I know that isolation levels are still a mystery for many developers. A dangerous mystery. Bailis shows that e.g. a missing "read for update" in MVCC systems (like Oracle) or a cheap "read committed" instead of "serializable" allows for a clever attack vector: a DB is put under load and then concurrent transactions from the same account are performed. These transactions read the same values and write results based on those values. Not locking the "read" during concurrent transactions can cause lost-update effects.
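To make the lost-update effect concrete, here is an added example (mine, not code from Bailis's paper or the original post). It uses SQLite through Python's `sqlite3` module, whose default mode runs a plain SELECT outside any transaction, which reproduces the "read without a lock, then write" pattern described above with two connections standing in for two concurrent transactions. It then shows the two usual fixes: taking the write lock before reading (`BEGIN IMMEDIATE`, SQLite's counterpart to a locked read) and a compare-and-set write that fails when the row has changed since it was read. The account table and the balances are constructed for the demonstration.

```python
"""Lost update from an unlocked read-modify-write, and two ways to prevent it.

Added example, not code from the paper or the original post. The account
table and its balance of 100 are constructed for the demonstration.
"""
import os
import sqlite3
import tempfile

READ = "SELECT balance FROM account WHERE id = 1"
WRITE = "UPDATE account SET balance = ? WHERE id = 1"
CAS = "UPDATE account SET balance = ? WHERE id = 1 AND balance = ?"


def fresh_db():
    """Create a throw-away database file holding one account with balance 100."""
    path = os.path.join(tempfile.mkdtemp(), "acid.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO account VALUES (1, 100)")
    conn.commit()
    conn.close()
    return path


def run_unlocked(path, amount_a, amount_b):
    """Defective pattern: both transactions read unlocked, then write derived values."""
    a, b = sqlite3.connect(path), sqlite3.connect(path)
    bal_a = a.execute(READ).fetchone()[0]   # a sees 100, holds no lock
    bal_b = b.execute(READ).fetchone()[0]   # b also sees 100
    a.execute(WRITE, (bal_a - amount_a,))   # a writes 100 - amount_a
    a.commit()
    b.execute(WRITE, (bal_b - amount_b,))   # b overwrites it with 100 - amount_b
    b.commit()                              # a's withdrawal is lost
    final = a.execute(READ).fetchone()[0]
    a.close(); b.close()
    return final


def withdraw_locked(conn, amount):
    """Pessimistic fix: take the write lock before reading."""
    conn.execute("BEGIN IMMEDIATE")         # blocks other writers from here on
    bal = conn.execute(READ).fetchone()[0]
    conn.execute(WRITE, (bal - amount,))
    conn.commit()


def run_locked(path, amount_a, amount_b):
    """b's attempt while a holds the lock fails fast (timeout=0) and is retried."""
    a = sqlite3.connect(path)
    b = sqlite3.connect(path, timeout=0)    # do not wait for the lock; report instead
    a.execute("BEGIN IMMEDIATE")
    bal_a = a.execute(READ).fetchone()[0]
    blocked = False
    try:
        withdraw_locked(b, amount_b)        # cannot start: a holds the write lock
    except sqlite3.OperationalError:
        blocked = True
    a.execute(WRITE, (bal_a - amount_a,))
    a.commit()
    withdraw_locked(b, amount_b)            # retry now sees a's committed result
    final = a.execute(READ).fetchone()[0]
    a.close(); b.close()
    return final, blocked


def run_optimistic(path, amount_a, amount_b):
    """Optimistic fix: the write succeeds only if the row still holds the value read."""
    a, b = sqlite3.connect(path), sqlite3.connect(path)
    seen_a = a.execute(READ).fetchone()[0]  # a reads 100
    seen_b = b.execute(READ).fetchone()[0]  # b reads 100
    b.execute(CAS, (seen_b - amount_b, seen_b))
    b.commit()                              # b wins the race
    retries = 0
    while True:
        cur = a.execute(CAS, (seen_a - amount_a, seen_a))
        a.commit()
        if cur.rowcount == 1:               # our precondition still held
            break
        retries += 1                        # stale read: re-read and try again
        seen_a = a.execute(READ).fetchone()[0]
    final = a.execute(READ).fetchone()[0]
    a.close(); b.close()
    return final, retries


if __name__ == "__main__":
    print("unlocked  :", run_unlocked(fresh_db(), 30, 30))    # 70: one withdrawal lost
    print("locked    :", run_locked(fresh_db(), 30, 30))      # (40, True)
    print("optimistic:", run_optimistic(fresh_db(), 30, 30))  # (40, 1)
```

Two withdrawals of 30 from a balance of 100 must end at 40; the unlocked variant ends at 70 with no error anywhere, which is exactly why this class of bug survives testing and only shows up under the concurrency an attacker supplies. Both fixes make the stale read visible as either a lock conflict or a zero-row update, so the application can retry instead of silently overwriting.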

How lessons from nPetya confirm the futileness of conventional IT-Security

I have long stopped preaching the traditional IT-Sec gospel of software updates, patching and IDS. Instead, my focus is on damage reduction, as there is no way to prevent successful attacks on Intranets. Google is doing it right with "beyondcorp", and the example of nPetya shows nicely how today's IT environment invites malware attacks, e.g. through "supply-chain attacks". WIRED magazine just published the story of nPetya from the perspective of MAERSK, the global shipping and port company. Here, external vendors are compromised and IoT devices download malware from those vendors. The WIRED article is very nice to read but only covers the results of the attack. Between the lines, however, it is proof of what Robert Graham says in his paper above: the true problem is the lack of segmentation. He shows that the malware spread laterally through Intranets (mimikatz for MS networks) using abundantly available local admin rights. It was not a lack of patching ETERNALBLUE, it was the absolute lack of damage reduction techniques in Intranets, given the sorry state of security in the world's most used operating system. Segmentation can reduce lateral spreading, but it is rarely used due to domain trust relationships in Intranets.

Just a side note: have you ever wondered why NIC-based firewalls never took off? Their rules are very simple, because they have to protect only one machine and not a full DMZ, and they are harder to attack from the host than host-based firewalls are.

Update on the traffic measurement project

We are making progress on our traffic measurement project. The intention is to have a cheap and easy solution that allows citizens to measure the traffic flow in their region. Noise, type of vehicle and other parameters are measured. A group of four students at HdM built a prototype system and a model for display. Currently we are using ultrasound sensors but we might use LIDAR in the near future as well. Trucks are identified through a sensor pair mounted higher than the ones for cars. The loudness helps to distinguish small delivery vehicles like the Sprinter from Daimler.

In fall, two bachelor theses will tackle some more problems, like using LIDAR and machine learning, e.g. to create a fingerprint of vehicles for tracking.

The project might be even more relevant as the EU is now tightening the screws on traffic noise too. The regulations for noise measurement somehow remind me of the way fine dust and NO2 pollution are measured in cars. Once I am through with the law and regulations regarding traffic noise, I will post what I have learned.

Dr. Bernhard Scheffold on good and bad software practices, more....

Dr. Scheffold speaks with the authority of almost 40 years of software development when he talks about hypes and buzzwords dominating good software practice. When is "flexibility" an anti-pattern instead of a good thing? At least when it really means sloppily programmed classes which do not enforce their constraints. He also gives a nice example that caused real problems in production. He urges us to stay away from mere hype and hone our abilities in robust software development.

On a sideline: my colleague Prof. Roland Schmitz talked at our GDPR event about the new TLS3.0 and what it changed. And it looks like it did right to dispose of the dangerous protocol downgrade options in older protocols like SSL. When flexibility introduces non-determinism or attack vectors, it surely has turned into an anti-pattern.


The article is in German.
19th Gamesday at HdM - more than just fun, more....

Game development is much more than design, arts and fun. It is about platforms, publishing, marketing and last but not least money. So this time the focus is not on game tech. Agenda:


When and where? On 15.6.2016 at 14.15 in the Audimax 011, Nobelstrasse 10, Stuttgart. As always, the event will be recorded and can be followed at . A chat for questions from the Internet is also available. The event is free of charge and open to interested people from industry and academia as well as private individuals.

14.15 Welcome, Prof. Walter Kriha

14.20 "eSports - a new marketing channel for game makers?", Mike Fischer, HdM VS

14.50 "Indie publishing: as a (good) alternative to Steam?", Daniel Rottinger, HdM PR degree programme and indie team How to Dev a Morgue

15.25 Break

15.30 "Indie publishing on consoles: Just do it!", Benedict Braitsch, HdM OMM degree programme and Strictly Limited Games

16.00 "Mayhem Heroes" - milestone presentation from the HdM games practical course, Danny Fearn and team

16.30 Break

16.40 "Game Dev beyond Gaming", Andy Stiegler, Creative Technologist, Strichpunkt Design

Any questions? mail to:

Blinded by mathematical beauty?, more....

Todd Hoff quoted a book which claims that physics got blinded by mathematical beauty and lost its connection to reality. And he asked whether this could be the case for software development as well. Well, this is wrong. We don't do reality (aka empirical verification). Read on.

Quantum Computing, how it works and what it can really do, more....

In our journal club we were dealing first with homomorphic encryption (really hard...), then with elliptic curve crypto (not so hard), and with the question raised about the effects of quantum computing on encryption we landed right in Shor's algorithm. Some good papers and especially videos made the topic a bit clearer and brought some surprising results. Read on.

Speech Recognition on the Internet, more....

A few comments on the consequences of TTS technology getting more natural every day. About identity becoming a digital property and various sorts of attacks on human-digital assistant communication.

The Client/Server style of the Internet, more....

It is amazing what can be learned from IPv4 addresses and submarine cables about the dominant communication structure of the Internet. A short discussion of two papers by G. Huston.

A new and better Facebook? more....

Is this the right time to start a new social network? What are the features needed to replace Facebook? Should it be distributed or federated? A short discussion of social networks.

Off-chain transactions (PBT), more....

A short discussion of path based transactions and the routing technology needed. It took eight people to make some sense out of it.

What is so special about GraphQL? more....

When do you use GraphQL? What is the difference to REST? Two short tutorials give you the basic know-how on this technology. And some good design rules for APIs are thrown in as well.

Digital Transformation on our first Interaction Day at HdM, more....

Why is digital transformation the core topic for an Interaction Day? Shouldn't we talk about pixels, UI and UX on such a day? Learn about the fast change that is happening in Germany's industry and which deeply affects the way we work. It looks like the industry read the papers on corporate culture and agility from Netflix, Spotify and others very carefully and is now trying to speed up development using some of the organizational and/or software architectures of the Silicon Valley unicorns.

Culture Code - how to create great teams, more....

Learn about three simple rules for great teams.

Big Data Research at ETH Zurich, Talk by Prof. Karsten Borgwardt

On April 13th Prof. Borgwardt will give a talk on Big Data at the University of Esslingen. It starts at 16.00 at Flandernstr. 101, room H4. I am looking forward to the latest research on big data from a well-known expert.

Where has all the power gone?, more...

A short comment on an almost prophetic paragraph from Yuval Harari's book "Homo Deus" and the current dilemma of western politics.

Byzantine protocols and sybil attacks in the bitcoin system, more...

Frequently over the last couple of years I had a gut feeling that we should look more carefully at Byzantine protocols for consensus instead of always depending on a simple fail-stop error model. A discussion of Byzantine protocols in the context of blockchain systems raised some interesting questions on conspiracy and control by external entities.

Measuring traffic with Raspberry Pies/Smartphones and Neuronal Nets, more...

This is an idea for a summer term software project or a thesis. Measuring traffic usually requires expensive devices and is therefore very hard to achieve for small groups of citizens. Cities and villages have little interest in gathering those data, as they could lead to increased awareness, e.g. by discovering massive toll avoidance or nightly truck traffic. Sound level meters are available, but they are usually standalone devices, expensive, and do not work with Linux. Counting and categorizing traffic is beyond them. Read on to learn about the requirements.

About bugs, security and an interesting year 2018

A short article triggered by Torvalds' response to the Google team, Colyer's discussion of Daniel Bernstein's famous qmail paper and the first CPU security bugs.

Lessons learned from teaching Distributed Systems for 15 years

Another reflection on one of my courses, this time over a longer period of time. The forces that made me change it into a largely theoretical lecture are described and a short overview of the developments in distributed systems is given.

How to benefit from Journal Club style seminars

A short note on experiences made with a so-called journal club, where a small group of students and a lecturer read the same papers and discuss them in a seminar. A very lightweight form of class with surprising benefits for both lecturers and students. Learn about the benefits and how to run a journal club.

Concurrency and how to read

A short note on experiences made with flipped learning in a course on concurrency and parallelism. Turns out that many students profit from micro-exams because they realize their reading deficits quite clearly.

Days at HdM - Disruption and Didactic

A special type of lecture that won the University teaching prize in 2017 (unfortunately the description is in German and I haven't had the time to translate it yet). And a big thanks to Verena Kersken for helping me with the presentation!

17. GamesDay at HdM, more...

Four talks on technical or design aspects of game development


Friday 23 June 2017, 14.15 - 18.15 at HdM, room 056. A live stream and chat are available. For directions go to the hdm homepage.

Beyond Silicon Valley part 2: Quantum Computing

Dr. Frisch of IBM Böblingen will give a talk on quantum computing at IBM on 21 June 2017 at HdM, 17.45-19.00. Stay tuned for more information. Some really interesting questions come to mind: will QC wipe out existing security algorithms? Are there algorithms which are resistant? How are QC specialists dealing with quantum effects like entanglement? What other areas will be affected by QC? A short intro.

Security Day Results, more...

A nasty talk on fundamental safety problems in software land and three proofs.

Helicopter Prof, more...

Some statements on overprotecting students and a nice quote from Nassim Nicolas Taleb.

Workshop on Social Bots for Research, more...

How do you get the necessary data from social networks in an automated way? The workshop will present our work on a social bot and gather ideas for further tool development to support research in social media. Anybody can attend.

Going blind over scalability?, more...

An interesting comparison of distributed vs. local processing of social graphs. Efficiency vs. scalability and the new trend of memory-centric computing.

Bic&HdM - The Bosch Cloud and the Internet of Things, more...

Finally a large scale cloud environment in Germany. Dennis Grewe and Julian Weiss of Bosch GmbH showed the architecture, key projects and future plans behind the Bosch cloud.

Transhumanism and CRISPR, more...

A very interesting talk about 3D printing of organic components, the innovative organization behind it and its future uses. Also a bit on CRISPR, the DNA manipulation tool that might get someone a Nobel Prize soon.

E-Mobility Day at HdM, more...

Well, is e-mobility dead or what? What are the current problem areas and what kind of solutions are companies developing right now e.g. with respect to intelligent charging? Are e-cars economically feasible for companies? Can you go across Germany with an e-car? Learn more about e-mobility at our first E-Mobility Day at HdM with talks from Fraunhofer IAO, Vector Informatik and BridgingIT.


Friday 10 June 2016, 13.45 - 17.15 at HdM, room 056. A live stream and chat are available. For directions go to the hdm homepage. And last but not least, we are going to test our new smartphone solution for live streaming of events.

Workshop on Concurrency and Parallelism, more...

We are closing the seminar on concurrency and parallelism with a little workshop. A case from the industry will be discussed in the context of several different technologies.

16th GamesDay at HdM - Behind the Scenes, more...

Indie development, new gesture recognition interfaces, multiplayer technology, asset creation for virtual reality and of course: lots of demos and previews at our next games day.


Friday 12. June, 13.30 - 19.00 at HdM, room 056. A live stream with chat is provided. As always, the event is free of charge and open to the interested public. Directions can be found at the hdm homepage.

Reflections on our Language Day, more...

Just a few comments on our talks. There is more to come in fall 2015, when our second Language Day will take place. We will have talks on Javascript, C#, Rust and functional languages.

A Wishlist for Programming Language Features, more...

Given the sad state of IT-Security, it is about time to fix the basics...

Language Day at HdM - Revolution or Evolution in modern Programming Languages?, more...

Still our most important tool - the programming language, is undergoing drastic changes. New paradigms are introduced, new languages pop up almost every week. What makes a good language in Internet times? Fit to support agile development, continuous delivery and increasing demands for security and usability. Learn about new developments in our first language day. The next one in the winter will probably cover Javascript, C# and Rust/Dust/D.


Friday 10th April, 13.30-17.30 at HdM, room 56. A live stream with chat is provided. As always, the event is free of charge and open to the interested public. Directions can be found at the hdm homepage.

4. Security Day at HdM - The End of IT-Security?, more...

In this post-Snowden area we are taking a close look at secure software, critical infrastructures and ways to conquer the threats to critical infrastructures and individual exposures. Specialists from 1&1, Bosch and mpc are joining us for this long overdue event.


Friday 16th January, 13.30-17.30 at HdM, room 56. A live stream with chat is provided. As always, the event is free of charge and open to the interested public. Directions can be found at the hdm homepage.

15. Games Day at HdM, Pushing the Boundaries, more...

A bit more technical than the last ones, this games day will deal with advanced concepts in realtime lighting, physically based rendering, games on smart watches and artificial intelligence in games.


Friday 9th January, 13.30-19.15 at HdM, room 56. A live stream with chat is provided. As always, the event is free of charge and open to the interested public. Directions can be found at the hdm homepage.

3rd Developer Day at HdM - Design makes the Difference, more...

It was about time for a repeat of our Developer Days at HdM. This time we will have three talks about software design, architecture and frameworks for successful enterprise software, all based on many years of practical experience with difficult design decisions. Join us for this interesting session. Developers, architects, consultants and project managers as well as members with an academic background are welcome!


Friday 7th July, 13.30-17.15 at HdM, room 11 (please note that the room has changed!). A live stream with chat is provided. As always, the event is free of charge and open to the interested public. Directions can be found at the hdm homepage.

14th Games Day at HdM, The Future of Games, more...

Is the future of games in virtual reality? What is the current state of VR? How does it feel to play a game made for the Oculus Rift? (In case you don't own one: how about building your own? Take a look at the latest gadget from Google I/O.) How does it feel to develop a game for virtual reality? Get some background information and practical know-how at this games day. And discuss your vision of the future with us. Please note the change in the agenda: we'll let you watch another game at the end (:-)


Friday 4th July, 13.30-16.45 at HdM, room 56. A live stream with chat is provided. As always, the event is free of charge and open to the interested public. Directions can be found at the hdm homepage.

Measure your Visitors, 1st Web Analytics Day at HdM more...

Get a better understanding of your visitors! Learn how to collect and analyse behavioral data. Meet tool vendors and users of analytic tools and learn how to test your business profile.

What can you learn from looking at search requests leading to your platform? You are running youtube videos - did they help to increase the number of visitors? There are many things you can learn from analysing the behavioral data of your visitors. But before you can do so, you must collect the data and learn to use the tools needed for analysis and reporting. They are a must for a successful site or blog. In case you are just a user of internet sites, you can get a better understanding of data collection on the web and why it is - to a certain degree - absolutely necessary for sites.


Friday 23rd April, 13.30-16.45 at HdM, room 56. A live stream with chat is provided. As always, the event is free of charge and open to the interested public. Directions can be found at the hdm homepage.

Who owns the Internet? 3rd Digital Rights Day at HdM, more...

Talks and discussions on current legal affairs around the Internet: intellectual property rights, especially software patents, the NSA and Anonymous and, last but not least, the Redtube streaming scandal. In all these cases, technological opportunities meet economic stakeholders on the battlefield of laws and legal actions. And not every technology is legal, and not every legal claim is justified.


Friday 25th April, 13.30-16.45 at HdM, room 56. A live stream with chat is provided. As always, the event is free of charge and open to the interested public. Directions can be found at the hdm homepage.

Speed - 7th Webday at HdM, more...

It's all about speed: how to build fast and responsive web applications, quick application design within the browser and last but not least the realtime and peer-to-peer features of the new WebRTC standard. The 7th webday at HdM lets you meet with experts in those areas and extend your knowledge of HTML5.


Friday 10th January, 13.30-16.45 at HdM, room 56. A live stream with chat is provided. As always, the event is free of charge and open to the interested public. Directions can be found at the hdm homepage.

Der Blick über den Tellerrand (Looking beyond one's own nose) - on the organization of the "Days" at HdM

As part of the Day of Teaching at HdM I am giving a short talk about my "Days".

Wednesday, 4.12.2013 at 16.45 in room 013, Nobelstrasse 10, Stuttgart-Vaihingen. The talk "Blick über den Tellerrand" describes a bit of the background, the goals and the tricks.

Throwable Multi-Party Microphone, more...

The image shows a solution for a rather hard problem: capturing live discussions with little equipment and almost no manpower. And to top it off: in any room. So we are talking about a mobile solution too.


The prototype has been usability tested successfully and all it takes now is somebody who can turn it over into a ruggedized product. Let me know if you can do it!

Large Fan-Out Architectures, more...

This week I realized that splitting up requests into tens or hundreds of subrequests is still a rather hard problem, due to the long-tail distribution of response times. A portal is a typical fan-out architecture. In 1999 I found some solutions for fan-out like controlled backends, replication and incomplete (tainted) requests. Google of course goes much further today.

Strictly timed requests, distributed loads and a close look at everything from the CPU over network buffers, data structures in memory etc. are in the toolbox.

Offline, Online and One-Pass - algorithmic lessons learned from High-Frequency Trading and others, more...

You think milliseconds are fast? Think again. Think about putting algorithms into FPGAs. Think about creating algorithms that fit into L1 caches. Algorithms which do not need much memory and which do not touch data more than once. Learn about the use of one-pass algorithms from HFT. And start thinking about all the places in our computing infrastructure where latency hides.

Blackout - on the Role of IT in Smart Energy Grids, more...

Is the Internet a good model for power grids? What can energy engineering learn from IT, and what should it better do in its own way? Which patterns work in both areas? What makes a robust solution? This is a short talk on some ideas gained from the Smart Grids Week in Salzburg this year. Cultural and technical aspects are covered in my talk on Blackout - on the role of IT in Smart Energy Grids.


Wednesday 27th November, 17.45 at HdM, room 011. As always, the event is free of charge and open to the interested public. Directions can be found at the hdm homepage.

Experiences with Model-Driven Architecture in a large Project

Christian Teutrine, Senior Managing Consultant with Global Business Services, IBM, will give a talk on practical experiences with MDA, made in a large project which took 7.5 years from the concept phase to go-live. 80% of the code was generated. Mr. Teutrine had the role of business lead architect in this project, and in his talk he will look at it from a business architecture point of view: How does MDA influence the contractual situation? The project management? Can agile methods be used with MDA? How well does it work over the years? What if off-shore employees join the project?

This talk is a rare chance to get first-hand experience on the interplay between business and technical aspects in a really large project. It is not so much a technical talk.


Wednesday 4th December, 19.30 at HdM, room 041. Live streaming can be found at . As always, the event is free of charge and open to the interested public. Directions can be found at the hdm homepage.

Recommender Day - individualized commercials through clever algorithms, more...

How does Amazon know what we want? Learn about advanced recommender systems which use clever algorithms to match users and items. See how math and computer science shape modern marketing.


Friday 29th November, 14.00 - 17.00 at HdM, room 56. A live stream with chat is provided. As always, the event is free of charge and open to the interested public. Directions can be found at the hdm homepage.

Website re-structured, more...

It was more than time for a restructuring and renovation of my site. I considered changing to WordPress but finally decided to stick with my XML-based generative approach. But instead of generating my own navigation I am now using CSS3 (without any JavaScript) for it. Now comes content cleanup...