Keepin’ it short

August 29, 2008 in en, rant, software engineering

I am wondering how I should write this blog. For example, the previous post about false sense of security was originally supposed to be a longer rant. In the end I shortened it considerably and focused on Perspectives. Why?

Well, the main reason is that I realized there are a lot of essays and rants about the perception of security. Maybe I could write a really good essay if I took some time to think it through. But if you are interested in privacy or security, then you already know all these things. And if you are just another ordinary computer user who does not care whether his email account gets cracked, my blog will not change that.

Actually, Jeff Atwood wrote some time ago about the unreachable type of software engineers (or for that matter any professionals). The paragraph that completely describes my feelings is this one:

The problem isn’t the other 80%. The problem is that we’re stuck inside our own insular little 20% world, and we forget that there’s a very large group of programmers we have almost no influence over. Very little we do will make any difference outside our relatively small group. The problem, as I obviously failed to make clear in the post, is figuring out how to reach the unreachable. That’s how you make lasting and permanent changes in the craft of software development. Not by catering to the elite– these people take care of themselves– but by reaching out to the majority of everyday programmers.

Writing for the masses is not easy, and I don’t think I’m up to it. Yet. It makes me angry that not everyone loves his job or profession, but I cannot change that. So I will keep writing about my passions the way I see fit, and hopefully one day I will become a good enough software engineer and writer in one person that I will be able to influence the 80%.

Note: If you are wondering what’s up with the 80% – 20% thing, then I recommend the article by Ben Collins-Sussman about the two types of programmers.

Lack of security is not a problem

August 28, 2008 in en, rant, security, software

A false sense of security is. As Dan Kaminsky pointed out recently, there have been numerous BIG security problems with fundamental Internet services. All of them undermine the basic principles on which the Internet is based: routing or DNS.

Can we trust the other side? How can we know that we are “talking” to the same computer as a few days ago? This question is usually answered by encrypting the communication and authenticating through SSL (https). Most websites use self-signed certificates, but these provide only encryption, not authentication. There are quite a few good examples of the security pitfalls of self-signed certificates.

Recently I also stumbled on a nice Firefox extension called Perspectives. Usually only your browser checks the security certificate of the https server you are connecting to. If an attacker takes over the path between you and the destination server, trying to execute a MITM attack, Perspectives would detect this and warn you. It would even warn you if the certificate changed recently. This makes even self-signed certificates somewhat more secure. Without Perspectives you could easily be lured into a den of wolves. For a more in-depth explanation of how Perspectives works, see the original publication.
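To make the check concrete, here is an added toy model of the Perspectives consistency test in Python (my own illustration, not the extension’s code): the notary histories, the quorum size of 3 and the 48-hour threshold are all constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    fingerprint: str  # key fingerprint the notary recorded for the host
    start: int        # first hour it was seen (constructed timeline)
    end: int          # last hour it was seen

NOW = 1000  # current hour on the constructed timeline
# Constructed histories, one list per notary, oldest observation first.
# notary-d has just started reporting a different key than the others.
NOTARIES = {
    "notary-a": [Observation("fp-old", 0, 400), Observation("fp-cur", 401, NOW)],
    "notary-b": [Observation("fp-cur", 300, NOW)],
    "notary-c": [Observation("fp-cur", 500, NOW)],
    "notary-d": [Observation("fp-cur", 0, 900), Observation("fp-new", 990, NOW)],
}

def quorum_duration(fingerprint, notaries, quorum, now):
    """Hours for which at least `quorum` notaries have continuously seen
    `fingerprint` up to `now`; 0 if fewer than `quorum` agree right now."""
    durations = []
    for history in notaries.values():
        if not history:
            continue  # notary never probed this host
        latest = history[-1]
        # Only a current, matching observation counts towards the quorum.
        if latest.fingerprint == fingerprint and latest.end == now:
            durations.append(now - latest.start)
    durations.sort(reverse=True)
    if len(durations) < quorum:
        return 0
    # The quorum-th longest run is how long the whole quorum has agreed.
    return durations[quorum - 1]

def verdict(fingerprint, notaries=NOTARIES, quorum=3, min_hours=48, now=NOW):
    """Decide whether the certificate the browser received looks consistent."""
    hours = quorum_duration(fingerprint, notaries, quorum, now)
    if hours == 0:
        return "warn: notaries do not see the key you received (possible MITM)"
    if hours < min_hours:
        return f"warn: key changed recently, only {hours}h of quorum"
    return f"ok: key consistently seen for {hours}h"

if __name__ == "__main__":
    print(verdict("fp-cur"))            # the key the notaries agree on
    print(verdict("fp-new"))            # only one notary sees it
    print(verdict("fp-new", quorum=1))  # even a lone notary: too recent
```

The second and third verdicts are the two situations the post describes: a key nobody else observes, and a key that only appeared recently.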

The basic principle still stands. You are most vulnerable when you don’t expect an attack. In other words:

Little paranoia never hurts

So next time you see a warning about an invalid/outdated/self-signed certificate, don’t accept it without thinking about the consequences.

Strong passwords suck, but they don’t have to

August 26, 2008 in en, rant, security

Amrit Williams wrote a nice piece on why passwords suck. But as Martin McKeay pointed out, Amrit didn’t provide any real solutions except maybe using passphrases. Passwords are the gate to the online existence of most people. Most people know that there are certain rules for creating strong passwords (at least I hope so). But only a handful of people use really secure passwords. Moreover, you should have different passwords for every program/email account/social networking site/etc. Why? So that when one account becomes compromised (by whatever means), the others will stay safe.

You can find a lot of rules for choosing good passwords all around the Internet. There is only one problem with them. If we really wanted to follow all the rules, most of us would end up with 20+ passwords, every one longer than 8 characters, most of them without any meaning. Good luck with remembering them. But hey! We are in the computer age, we don’t have to remember stuff anymore, right? Why not use a decent password manager? Then you have to remember only one password (but it better be REALLY secure).

This approach creates one more problem for us though: the mobility of our passwords. You want to access a website? I hope you have your password manager with its database at hand. Otherwise you’re screwed. I see two solutions:

  • If you use some kind of UNIX-like system and you have a public IP, you could use a command-line password manager to access your passwords from anywhere.
  • Carry your password manager with your database around.

I like the second method more because you don’t have to worry about firewalls, proxies and similar stuff.

Recently I found out about PortableApps. It’s a set of open source applications designed to run from a USB thumb drive without leaving anything behind after you close them. No registry changes, no temporary files etc. One of the applications offered is KeePass Password Safe. It uses AES encryption to securely encrypt the password database. This Windows-only set of applications provides the means to have strong, unique passwords that you can carry around with you. So what are you waiting for? Make them unique!
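As an added illustration (my own, not part of KeePass or PortableApps), the following Python shows the three things a manager-based setup gives you: per-account random passwords, a reuse check over a constructed vault, and the stretching of the one master password into an encryption key. The PBKDF2 iteration count and the sample vault are constructed values, and PBKDF2 stands in for whatever key derivation a real manager performs before encrypting with AES.

```python
import hashlib
import math
import secrets
import string
from collections import defaultdict

# Printable ASCII minus whitespace: 94 symbols (constructed choice).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=16, alphabet=ALPHABET):
    """Random password from the OS CSPRNG: one per account, nothing to remember."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))

def find_reused(passwords):
    """Map every password shared by more than one account to those accounts."""
    by_password = defaultdict(list)
    for account, pw in passwords.items():
        by_password[pw].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}

def derive_master_key(master_password, salt, iterations=200_000):
    """Stretch the single master password into a 256-bit key with PBKDF2-HMAC-SHA256.
    Assumption: a KeePass-style manager does an equivalent derivation before
    AES-encrypting the database; the iteration count is a constructed value."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)

if __name__ == "__main__":
    # Constructed sample vault: two accounts share a weak password.
    vault = {"mail": "hunter2", "bank": "hunter2", "forum": generate_password()}
    print("reused:", find_reused(vault))
    print("bits for 8 chars:", round(entropy_bits(8), 1),
          "bits for 16 chars:", round(entropy_bits(16), 1))
    salt = secrets.token_bytes(16)  # stored next to the encrypted database
    print("master key:", derive_master_key("correct horse battery staple", salt).hex())
```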

Note: I tend to use the gpass password manager (Unix-only, but I usually have access to my machine) and I remember the most important passwords by heart. I’ll probably migrate to some other multiplatform solution soon (maybe PasswordSafe?).

Note 2: Apparently there is similar (or even better) software for Mac OS X (1Password). I haven’t tried it though.

Developer isolation

August 23, 2008 in en, rant, software engineering

I recently stumbled upon a blog post about TraceMonkey (thanks to Sisken). TraceMonkey is the codename for new improvements to SpiderMonkey (the Firefox JavaScript engine). The results are very impressive, with speedups ranging from 2x to more than 20x. I love Firefox and I’m looking forward to every new version bringing more exciting features. But what struck me most in the post was this statement:

I fully expect to see more, massive, projects being written in JavaScript. Projects that expect the performance gains that we’re starting to see. Applications that are number-heavy (like image manipulation) or object-heavy (like relational object structures).

Now don’t get me wrong. I get excited about new features just as much as every other geek :). I see a problem here though. Firefox is biting off more of the market share pie every month. But however we put it, it’s still at most at 30% in some parts of Europe (the US is dominated even more by IE). So how can Firefox create an incentive for developers to create web applications for ONE specific browser? Sure, a few years from now JavaScript performance will be much better in other browsers too. But what until then? Do you think that “Sorry, this site was designed for Firefox 3.1 or higher” is any better than “Sorry, this site was designed for Internet Explorer 5.0 or higher”?

You may ask “What about in-house applications, for one company?” In-house applications are already dominated by IE and ActiveX. That’s not gonna change overnight. Or maybe I’m wrong.

GDevs (Geeky Developers) are rightly proud of their creations. The problem is when they fail to see the surrounding world. The now almost famous blog post from Ben Collins-Sussman about the two types of programmers contains this pearl:

Shocking statement #1: Most of the software industry is made up of 80% programmers. Yes, most of the world is small Windows development shops, or small firms hiring internal programmers. Most companies have a few 20% folks, and they’re usually the ones lobbying against pointy-haired bosses to change policies, or upgrade tools, or to use a sane version-control system.

Shocking statement #2: Most alpha-geeks forget about shocking statement #1. People who work on open source software, participate in passionate cryptography arguments on Slashdot, and download the latest GIT releases are extremely likely to lose sight of the fact that “the 80%” exists at all. They get all excited about the latest Linux distro or AJAX toolkit or distributed SCM system, spend all weekend on it, blog about it… and then are confounded about why they can’t get their office to start using it.

Fortunately for the open source community, people like John Resig, Andreas Gal, Mike Shaver, and Brendan Eich are in the 20% crowd. Let’s just hope they won’t lose sight of the rest of us :)

Lorem ipsum?

August 14, 2008 in en, rant

I created this blog some time ago, but so far I have not created any posts. Why? Well, I am reading a lot of blogs, and the best ones are usually those that meet certain criteria:
  • interesting content,
  • interesting form,
  • lot of interlinking to other sources of information,

and most importantly: they are updated regularly.

Can I do all of those things? Well, we’ll see… If nothing else, this will be nice to read in 20 or so years (if I manage to keep it up for at least a few months :) ). I will try to update this blog twice a week and we’ll see how that goes.

Topics that I will most probably write about include:

I will most probably get a lot of ideas from other blogs that I read. If you just want to get an idea of what I am interested in, you can always look at my shared Google Reader feeds.

So long and thanks for all the fish.

P.S. Oh yeah… one more thing. English is not my primary language, so there may be occasional “hiccups”. Sorry.