Profile picture
Lea Kissner
@LeaKissner
, 11 tweets, 3 min read Read on Twitter
A few years back, Abhishek Parmar (at the time, the TL of Bigtable) and I started Zanzibar to handle access control for Google products. Like... basically all Google products.

The paper is public (and will be in ATC '19):
ai.google/research/pubs/…

Other bits not in the paper 🧵🧵
Zanzibar provides a uniform data model and configuration language for expressing a wide range of access control policies from hundreds of client services at Google, including Calendar, Cloud, Drive, Maps, Photos, and YouTube.
[Z] scales to trillions of access control lists and millions of authorization requests per second to support services used by billions of people It has maintained 95th%ile latency of less than 10 milliseconds and availability of greater than 99.999% over 3 years of production use
The paper describes the interface and technical design & implementation. What it doesn't describe (and I should go and write this down) is *why* the interface is designed how it is. The short version is the access control semantics are designed to do a few things:
1. The access control model is designed to be flexible in many ways, like allowing you to express. "this image should be viewable by Alice as well as whoever can view the document in which it is embedded". It's also carefully *not* flexible in certain ways to avoid user confusion
2. The access control semantics are designed to be strongly consistent. For those of you who don't work in distributed systems, "consistent" is a word with a special meaning: different parts of the same system give the same answer.

en.wikipedia.org/wiki/Consisten…
A lot of systems use a model called "eventual consistency" which is "um, all the different bits will catch up eventually but until then you might get the old answer". This semantic does *not* mix well with access control!
Eventual especially does not mix well with a world where access control data lives in one place and the actual data lives in multiple places. To avoid that, Zanzibar is strongly consistent not just with itself, but has a feature to coordinate with object data changes.
... This is really hard to describe in a Tweet thread. But please, read the paper and let me know what you think of the interface and access control semantics. They were my best thinking at the time and seem to work well, but access control is still not a solved problem.
... I just noticed the Wikipedia page on "consistency model" is labeled as "may be confusing". Given how much 🤯 I get every time I explain to people that distributed storage systems often aren't consistent, that seems about right.
There's also a story behind that project name. That is not the original project name. The original project name was force-removed by my SVP. Once my hands are free again, I can explain.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Lea Kissner
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @LeaKissner see all

Profile picture
Lea Kissner
@LeaKissner
Let's talk tech policy about privacy! Unlike a lot of folks who talk tech policy, I'm tech-primary: my PhD is in cryptography, I've been a software engineer, I've run privacy engineering for big and small tech companies and we've developed a lot of the techniques.
So what I want to talk about today is how policy can work with and support getting good privacy work done. Regulation is clearly needed. *Good* regulation is needed. Bad regulation can easily make a bad situation worse and not everyone in the regulatory space understands in depth
No one understands everything! That's why we collaborate. So let me give you a bit of what I've been thinking from a privacy engineering point of view, in conversation with @yonatanzunger

(And please, ask questions. Any time. My DMs are open.)
Read 25 tweets
Profile picture
Lea Kissner
@LeaKissner
@chadloder @kevinriggle @joejerome @SteveBellovin OK, here goes: a true story about social scientists, gay men, and differential privacy.

Not so long ago in the US it was exceedingly difficult to figure out what %age of the population was gay. Being gay was subject to censure and prosecution.
@chadloder @kevinriggle @joejerome @SteveBellovin So some social scientists used a clever mechanism to figure out who was gay, using a room and a coin.

Put a subject in a room alone, give him a coin to flip. If he got heads, he should answer honestly whether he was gay or not.

The clever part comes in if he flipped tails.
@chadloder @kevinriggle @joejerome @SteveBellovin If he got tails, then he should say he as gay, whether he was or not.

So if a subject said he was gay, then he probably just flipped tails on the coin and wasn't gay at all. Each answer on its own doesn't tell you anything interesting, but combined those answers tell a story.
Read 8 tweets
Profile picture
Lea Kissner
@LeaKissner
I am thrilled to announce a brand-new conference that @lorrietweet and I have been bringing together for a while: PEPR, the conference on Privacy Engineering, Practice, and Respect.

usenix.org/conference/pep…
Aug 12–13, 2019 (co-located with USENIX Security)
Santa Clara, CA
PEPR is focused on designing and building products and systems with privacy and respect for their users and their communities.

Our goal is to improve the state of the art & practice of building for privacy and respect and to foster a community of practitioners and researchers.
Does PEPR sound awesome? Hope to see you there! Fair warning: space is limited so register early.

Even better: submit a talk! We're looking for talks from both practitioners and researchers about design proposals, research, deployed systems, case studies, and experience reports
Read 7 tweets

Related threads

Profile picture
J⭕️lli 🌈
@rk_jolli
Hankcon airplane crash/stranded in the mountains AU because it's DBHmas and I want to thread for a little bit in the spirit of it. CW for some injury stuff and for Cole being recently dead (and also a warning that I know nothing about medical stuff so bear with me 😂)
Hank feels like he's moving through a fog as he waits to get through security at the airport. It's odd, the way the world keeps moving even though something crucial has been cut out from within him. He's wounded, a gaping, ugly thing that he can hardly bear, but no one even knows
He thought something died a little bit inside him when Jen first told him she was leaving Detroit. They had been split for a while, and Hank was slowly adjusting to this new normal where he only saw Cole on weekends. It wasn't so bad, especially when he looks back on it now.
Read 723 tweets
Profile picture
Lea Coligado
@leacoligado
1/ 2 years ago, a couple months after joining #Google, I first noticed him. A white man in his 50s who must have toe-tally mistaken the Google bus for his personal Tinder because he was using it to hit on multiple Asian women. @googlewalkout
@GoogleWalkout 2/ I had just settled in for the long ride. I remember watching him board the bus, bee-line for the seat right next to mine, then stare at my feet like it was his job for Three. Whole. Hours.
3/ I thought, There’s no way this dude’s been staring at my feet this long! But an adherent to rigorous testing, I moved my foot to gauge his reaction, and his whole goddamn head moved with it.
Read 19 tweets
Profile picture
Article Group
@ArticleGroup
Back in 1896 men didn’t call women sluts.

They called them “bicycle face”.

Why? Because bicycles <gasp!> helped women 💪 make their own dating choices.

IOW bikes were the first dating app. That scared men.

Let’s talk about it.

Hold on to your bodices people, THIS IS A THREAD
1/ a few years back we were engaged by a dating app to do some strategy work

One of the big problems on dating apps?

Men behaving badly.

So per our remit, we did some research. Here’s some of what we found.
2/ About 120 years ago, men warned women that riding a bicycle could permanently deform their face.

Their chin would jut.

Their brows would furrow.

Their cheeks would freeze in an unbecoming rictus.
Read 37 tweets
Profile picture
Connor Ratliff
@connorratliff
45 Days Of @ElvisCostello: a twitter megathread in anticipation of the Oct 12 release date of LOOK NOW, the new LP by Elvis Costello & The Imposters

This is either a bright idea or a brilliant mistake, but this is only, this is only, this is only the beginning...
I did something similar to this 5 years ago, in anticipation of EC & @theroots' Wise Up Ghost LP, on tumblr.

(You can still find all those posts if you look, although a lot of the YouTube links etc are now dead ends. It was 40 Days Of EC then, so for 2018 I'm upping it to 45.)
Mostly I will be going chronologically from the early years right up to the present, but it feels right to start out with Costello's 2002 song, "45."

Music Video directed by @jessebdylan


(There's an alternate "diner" version I can't find anywhere online)
Read 2378 tweets
Profile picture
Chris Mihos
@ChrisMihos
Time for a little research update, highlighting our recent discovery of a really diffuse object/galaxy/ubersmudge in the Leo I galaxy group.

The full story can be found in our paper, posted last week on ArXiv: arxiv.org/abs/1807.11544
First, thanks to collaborators @therealCCarr, Aaron Watkins,
@Valeandromeo and Paul Harding. Aaron took the optical imaging, Chris discovered the object and worked on photometry, Tom provided the HI data, and Paul made the Burrell Schmidt the amazing LSB imager it is today.
This is the Leo I galaxy group, at a distance of 11 Mpc. A few years back we imaged it using CWRUAstro’s Burrell Schmidt telescope, searching for diffuse intragroup light. Even though our imaging went really deep (muB,lim=30), we didn’t find much, just a few small tidal streams.
Read 18 tweets
Profile picture
Connor Ratliff
@connorratliff
Almost all of the Road Runner cartoons are available via the @BoomerangToons app.

I subscribed for $5 & decided I'm gonna watch & tweet about 'em all in chronological order, even the later, terrible ones, for which I have an irrational affection.

Here we go.
#BeepBeep
#MeepMeep
Boomerang lists them alphabetically not chronologically so Chuck Jones masterpieces sit side-by-side with 1960s atrocities (& later 'revival' attempts.)

I am going to start at the beginning. I will also be including Wile E. Coyote/Bugs Bunny & Ralph Wolf/Sam Sheepdog shorts, FYI
September 17, 1949: "Fast And Furry-ous"

Chuck Jones intended this short to be a parody of cat & mouse "chase" cartoons. Instead, he accidentally created the definitive chase cartoon series of all time.
Read 1189 tweets

Trending hashtags

#WakeUp #Newsbud #Crumbs #PILGang #ElvisCostello #İnsanhakları #khasoggi #redpill #Arab #BinLadenDeath #EmptyThePews #SaudiGov #Brexit #FinancialCrash #InternetBillofRights #BM #LivePd #RecordStoreDay2019 #UN #GreatAwakeningWorldwide #Soros #Iraq #Yemen #AGRI #RightTime
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!