
A software developer’s musings on software development

Half A Lifetime Ago

One of the cool things about being a software developer is this: if something doesn’t exist, and you want it to exist, you can make it exist. Today I was thinking about the fact that almost half of my life has been since high school. Then I started to wonder when exactly half a lifetime ago was.

This is easy enough to solve with one line of javascript:

new Date(Date.now()/2 + new Date(birthYear, birthMonth-1, birthDay)/2)

This seemed like the kind of thing that normal people would be interested in, so I spent a little time this afternoon making a workable (but still pretty ugly) UI around this one line of javascript: tilde.ampersand.space/half-a-lifetime/

The code is also on GitHub: github.com/kiprobinson/halfALifetime

You Won't Believe How Many Hello World Programs Can Fit On A T-Shirt!

I’ve designed a t-shirt that is especially for programmers. It contains the simple hello world application, written in forty-seven different programming languages.

Click or Tap or Otherwise Activate This Hyperlink to Buy!

T-Shirt with Hello World in Forty-Seven Languages

Below is the “key”, for anyone interested. A few of these aren’t technically programming languages (like binary, QR), and a few are just frameworks within another language (like Angular, Swing). I’ve ordered one of the shirts myself and it looks pretty nice—I had to make sure of that before I offered it for sale. I’ll probably work on a version that works against a dark background, when I get the time.

Java

public class Main {
  public static void main(String[] args) {
    System.out.print("hello world");
  }
}

Angular

<input type="text" ng-model="sometext" />
<h1>hello {{ sometext }}</h1>

Scala

object HelloWorld extends App {
  println("hello world")
}

XML

<?xml version="1.0"?>
<greeting>hello world</greeting>

Fortran

program hello
  print *, "hello world"
end program hello

Haskell

main = putStrLn "hello world"

8086 Assembler

.model small
.stack 100h
.data
msg  db  'hello world$'
.code
start:
  mov  ax, @data
  mov  ds, ax
  mov  ah, 09h
  lea  dx, msg
  int  21h
  mov  ax, 4C00h
  int  21h
end start

PHP

<?php echo 'hello world' ?>

Go

package main
import "fmt"
func main() {
  fmt.Println("hello world")
}

Lisp

(print "hello world")

Flex (MXML)

<?xml version="1.0"?>
<Application xmlns="http://www.adobe.com/2006/mxml">
  <Label text="hello world" />
</Application>

Hexadecimal (ASCII)

68 65 6c 6c 6f 20 77 6f 72 6c 64

ActionScript

createTextField("hello", 0, 0, 0, 100, 100);
hello.text = "hello world";

Batch

@echo off
echo hello world

Perl

print "hello world";

COBOL

  DISPLAY 'hello world'.

Visual Basic

Imports System
Public Module modmain
   Sub Main()
     Console.WriteLine ("hello world")
   End Sub
End Module

Prolog

write('hello world'),nl.


hello world


state start:
  pstr("hello world\n");

SQL

SELECT 'hello world' AS hello

Java (Swing)

javax.swing.JOptionPane.showMessageDialog(null, "hello world");

Scheme

(let ((hello-world (lambda () (display "hello world") (newline))))
  (hello-world))

C

#include <stdio.h>
int main() {
  puts("hello world");
  return 0;
}

Ruby

puts 'hello world'

Pascal

program HelloWorld;
begin
  writeln('hello world');
end.

Mathematica

Print["hello world"]

BASIC

10 PRINT "hello world"

ColdFusion

<cfoutput>hello world</cfoutput>

jQuery

$(function(){$('body').text('hello world');});


Whitespace (· = space, → = tab, ↲ = newline)

···→··→ ···↲
→   ↲
·····→  →   ··→ ·→  ↲
→   ↲
·····→  →   ·→  →   ··↲
→   ↲
·····→  →   ·→  →   ··↲
→   ↲
·····→  →   ·→  →   →   →   ↲
→   ↲
·····→  ·→  →   ··↲
→   ↲
·····→  ·····↲
→   ↲
·····→  →   →   ·→  →   →   ↲
→   ↲
·····→  →   ·→  →   →   →   ↲
→   ↲
·····→  →   →   ··→ ·↲
→   ↲
·····→  →   ·→  →   ··↲
→   ↲
·····→  →   ··→ ··↲
→   ↲
·····→  ····→   ↲
→   ↲

Smalltalk

Transcript show: 'hello world'.

C Sharp

public class Hello {
  public static void Main() {
    System.Console.WriteLine("hello world");
  }
}

Python

print("hello world")

JavaScript

document.write('hello world');

ASP.NET

<% HelloWorldLabel.Text = "hello world"; %>
<asp:Label runat="server" id="HelloWorldLabel"></asp:Label>

Piet

(image: Hello World program in Piet)

Objective C

#import <Foundation/Foundation.h>
int main (int argc, const char * argv[]) {
  NSLog (@"hello world");
  return 0;
}

Ada

with Ada.Text_IO; use Ada.Text_IO;
procedure Hello is
begin
  Put_Line("hello world");
end Hello;

QR Code

(image: QR Code encoding the text Hello World)

C++

#include <iostream>
int main() {
  std::cout << "hello world" << std::endl;
  return 0;
}

MATLAB

disp('hello world');

No Excuse for No Security

A long, long time ago, in 2015, securing a website was an expensive, tedious process. Then along came Let’s Encrypt, a non-profit certificate authority that provides SSL certificates completely for free: real (not self-signed) certificates that get a green padlock in your address bar. And they make the process super easy and automated. If you’re on shared hosting it might be a little harder, but your host should be able to implement it fairly easily. Dreamhost made it basically one click for me. You should read that post; it’s pretty good. One thing to note is that Chrome and Firefox both have plans to start marking http connections as insecure, rather than the neutral status they get today.

JSON Formatter

In the last two days I’ve written a new, simple JSON Formatter. This is a very simple tool that allows you to prettify/uglify JSON data. It is basically just a textarea tied to the JSON.stringify() method that is built into every modern browser.

I created this after being frustrated with other online formatters that don’t work well for large data because they require the data to be submitted to a server for validation. My tool runs entirely client side. Live preview here.

You can even run it without an internet connection. The tool is written entirely with Vanilla JS, a hot new Javascript framework that is all the rage these days.

View Project on GitHub.
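The core of such a tool, as an added example that is not the author’s JSON Formatter code: parse first so that invalid input is reported instead of silently passed through, then re-serialize with or without indentation. The function names and the sample input below are constructed for this illustration; JSON.parse and JSON.stringify are the browser built-ins the post refers to, so nothing is ever sent to a server.

```javascript
// Added example (not the JSON Formatter's own code): prettify/uglify built on
// the browser's JSON.parse and JSON.stringify. Everything runs client side.

// Parse first so that malformed input produces an error instead of being
// echoed back unchanged. Returns { ok: true, text } or { ok: false, error }.
function reformatJson(text, indent) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    // JSON.parse error messages differ between engines, so treat the
    // message as display text for the user, not something to match on.
    return { ok: false, error: e.message };
  }
  return { ok: true, text: JSON.stringify(value, null, indent) };
}

function prettify(text) { return reformatJson(text, 2); } // two-space indent
function uglify(text)   { return reformatJson(text, 0); } // no whitespace at all

// Sanity check a formatter should pass: prettify then uglify must give the
// same bytes as uglifying the original, i.e. no data is lost in the round trip.
function roundTripsCleanly(text) {
  const pretty = prettify(text);
  if (!pretty.ok) return false;
  return uglify(pretty.text).text === uglify(text).text;
}

// Constructed sample input: one line with irregular spacing.
const SAMPLE = '{"user":"kip", "tags":[ "json", "tool" ],"nested":{"n":1,"ok":true}}';

console.log(prettify(SAMPLE).text);
console.log(uglify(prettify(SAMPLE).text).text);
console.log(roundTripsCleanly(SAMPLE));        // true
console.log(prettify('{"unterminated": '));    // { ok: false, error: ... }
```

In a page this would be wired to a textarea’s value on each keystroke; keeping the parse step separate from the stringify step is what lets the tool flag bad input rather than producing an empty box.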

y2k16 bug

This website is now in its second calendar year. Which means the code to print the copyright at the bottom of the page just went to an untested branch of code. Turns out it had a bug!

y2k16 bug on this site

I have squashed the bug. Happy New Year! :)

Never Forget

In a previous life, I operated another blog. In the decade I spent running that site, I blogged 432 times. I have gone through the archives of that pile of random thoughts, and brought over twenty-eight posts. Think of it as my greatest hits collection.

Actually doing this turned out to be a huge task—I decided with this site that I would use Markdown to compose my posts, rather than the HTML I used on the old blog. Some things like <em> and <strong> were simple enough to search/replace, but others turned into a manual process. Then I had to deal with links within the site which would no longer work, and I had to find and move over attached images.

Anyway. Here are a few of my favorites:

Web Application Security 101: Slides and Demo App

I previously announced that I would be presenting at this year’s NCDevCon. Well, I tried! The conference suffered a complete power outage partway through the second day. I still tried to give my presentation in a dark room using only my laptop’s screen pointed at the attendees, but then we hit another snafu when a fire alarm cleared out the whole building.

As a result, I only got four slides in, and there is no video recording even of that part of the presentation.

I have put my slides and demo application on GitHub. You’ll find instructions there on how to set up the demo application.

One of the things I’m really disappointed that I didn’t get to discuss is Incentivizing Secure Code (slides 38-43). Here is the gist of what I wanted to say:

Our knee-jerk reaction when we see insecure code is to say that the developer is ignorant or incompetent. But sometimes the developer is just making a rational decision to spend his or her time churning out as many features as possible, rather than spending more time doing something that probably won’t get recognized or appreciated (writing secure code). There’s often no incentive for the developer to make the code better. Given the rate of turnover in this industry, it’s quite likely that the developer who wrote the code for Target or Sony Pictures or Office of Personnel Management, or any other recent high-profile hack, is long gone from that job. They are not being dragged before Congress to testify. Their ex-boss’s boss’s boss is.

So, how do you solve this problem? Developers need to be incentivized to do the right things. I don’t mean monetary incentives. I mean the same kind of incentive you have to produce code that runs fast, or code that is stable, or a nice looking UI. Namely, that if you do those things well, you don’t have QA and product managers telling you that a million things are broken, and you have time to move on to your next task.

In my view, the best way to incentivize secure code is to train QA on how to test security. If the developer knows that security will be tested, and that QA actually knows how to test it, then he or she will be more likely to spend time covering security basics to begin with. In my company, we have a document that I worked with QA to develop, which provides guidelines for basic security testing. In a lot of cases it is as simple as “Enter <b>test</b> in every form field. If you see bold text, there is an XSS vulnerability”. Or “Enter a single-quote character in every form field. If you get errors there is a SQL Injection vulnerability.” QA needs to know how to use browser developer tools to modify hidden fields and select boxes.
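The two QA probes above, run against a naive and a hardened implementation of the same form handling, as an added example that is not from the talk or its demo application. The function names, the greeting template and the user lookup query are constructed for this illustration; the point is that output encoding and placeholder parameters are what make each probe come back clean, and that a legitimate value like O’Brien needs the same treatment.

```javascript
// Added example (not from the slides or demo app): the QA guideline's two
// probes applied to a naive and a hardened implementation. All inputs are
// constructed sample values.

// --- XSS probe: "<b>test</b>" typed into a form field --------------------

// Naive rendering: the field value is dropped straight into the HTML.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// Hardened rendering: HTML-encode the characters that can change the
// meaning of markup before interpolating untrusted text into a page.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}
function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// The QA check: did the probe come back as a live <b> tag? Bold text on
// screen means the browser interpreted the markup, i.e. output encoding
// is missing.
const XSS_PROBE = '<b>test</b>';
function xssProbeInterpreted(renderFn) {
  return /<b>test<\/b>/i.test(renderFn(XSS_PROBE));
}

// --- SQL injection probe: a single quote typed into a form field ----------

// Naive query construction: string concatenation.
function buildQueryUnsafe(username) {
  return { sql: "SELECT id FROM users WHERE name = '" + username + "'", params: [] };
}

// Hardened: a placeholder; the driver sends the value separately, so the
// quote never reaches the SQL parser.
function buildQuerySafe(username) {
  return { sql: 'SELECT id FROM users WHERE name = ?', params: [username] };
}

// Stand-in for "you get errors": SQL escapes a quote inside a literal by
// doubling it, so an odd number of single quotes is an unterminated
// literal and the database will refuse to parse the statement.
function hasUnbalancedQuotes(sql) {
  const quotes = (sql.match(/'/g) || []).length;
  return quotes % 2 === 1;
}
const SQLI_PROBE = "O'Brien"; // a real name that happens to contain the probe character
function sqliProbeBreaksQuery(buildFn) {
  return hasUnbalancedQuotes(buildFn(SQLI_PROBE).sql);
}

// What a QA pass would report for each implementation.
function qaReport(renderFn, buildFn) {
  return {
    xss: xssProbeInterpreted(renderFn),
    sqli: sqliProbeBreaksQuery(buildFn),
  };
}

console.log('unsafe:', qaReport(renderGreetingUnsafe, buildQueryUnsafe)); // { xss: true, sqli: true }
console.log('safe:  ', qaReport(renderGreetingSafe, buildQuerySafe));     // { xss: false, sqli: false }
```

The hardened query keeps the user’s value out of the SQL text entirely, which is why the quote count stays balanced no matter what is typed; escaping on the rendering side is likewise applied at output time rather than on input, so the same stored value is safe in every page that displays it.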

None of this guarantees that your code will be secure. It should at least reduce very common and very preventable security vulnerabilities. There are other factors that are beyond the scope of this “101” level presentation. And sometimes it isn’t even in your control. It doesn’t matter if you won the Emmy for Best Coder last year; if you used OpenSSL you had a Heartbleed problem.

In Defense Of Stack Overflow

A few months ago an article made the rounds about The Decline of Stack Overflow. For the most part, this article included screenshots of issues that were resolved a long time ago. You can read a rebuttal here. I don’t want to just repost that content here.

What I’d rather do is remind everyone just how bad getting answers to programming questions was in 2008. Back then, googling a programming question would usually bring up an answer on Experts Exchange. But clicking on the link would reveal a page that said “Hey! We have the answer! But you will have to sign up to read it!”. That’s something Stack Overflow set out to solve, and they did so very quickly.

A lot of the criticism is about the treatment of new users, and to be fair, I don’t know what the new user experience is like nowadays. I joined the site as soon as it went public. At that time the site was very different, and allowed any question related to programming even if it was “What’s your favorite programmer cartoon?” or “What’s the worst habit that programming has given you?” It took the site a few years to figure out the basic rules, and they are still working on them.

Something that the criticism often misses is that there are distinct groups of people who use Stack Overflow. The site seems to cater to these groups in the following order:

Users Without An Account

This group is by far the largest group, and they have a great experience. They never enter stackoverflow.com into their browser’s address bar. All they do is google a programming question, click on the first link (very often Stack Overflow), read the answer (frequently a very good answer, which is just under the question), and go on with their day.

Very Active Users

This group is small but it is the one that makes Stack Overflow valuable: the users who are active on the site answering and voting on questions. A lot of the earlier decisions on the site were designed to keep these users around. One of those things they figured out is that the people who answer questions get really tired of answering the same questions over and over, and they get really really tired of answering bad questions. So they gave people the ability to vote to close questions for being low quality. This is where a lot of new users get upset. As I understand it, questions are no longer closed, they are just put “on hold” for five days, and the asker is given some tips about the kinds of things that can improve questions.

Occasionally Active Users

I guess this is where I fall now. I think a lot of users get frustrated at the fact that they try to answer a question and in the time it takes them to type the answer, someone else has answered it. I know that’s why I don’t participate much lately. It seems like a supply and demand situation that will naturally reach some level of market equilibrium. I’m not sure how else you solve this.

Users Who Want To Ask Questions

Most of the criticism concerns the treatment of this group. I don’t think it’s entirely misplaced, and I think the people at the company are trying to improve the experience for these users. But there is no shortage of people asking questions, and a lot of them are not very good at it.

If I must come to some form of conclusion, I would say that the “demise” of Stack Overflow is quite an exaggeration. The site’s not perfect, but things are way better for programmers seeking help than they were seven years ago.

On the other hand, some other websites with large, active communities have evaporated very quickly (e.g. MySpace, Digg). It is possible that I’m seeing things through the same rose-colored glasses that caused me to defend The Office well into season six. If Stack Overflow really is as bad as it sounds, it wouldn’t be that hard for someone to create another Q&A site. In fact, Stack Overflow provides all of their questions and answers in a regular data dump licensed under a Creative Commons Attribution-ShareAlike license (fulfilling an early promise to the community). This means it would be perfectly legal to create a brand new Q&A site seeded with all of the data from Stack Overflow. But I suspect you would find that building the community is much harder than building the website.

Speaking at NCDevCon This Year

A bit of an announcement: I’m going to be speaking at NCDevCon this year! Here’s the abstract for my session:

Web Application Security 101

Do you nod in agreement when your coworkers talk about SQL injection or XSS, afraid to admit you don’t know what they are talking about? Do security experts make you feel like you can’t learn security if you don’t already know security? If so, this session is for you! I will go over the most common security vulnerabilities in modern web applications, explaining how an attacker might attempt to use them, and how you can protect against them. I’ll demonstrate with practical code examples in Javascript, PHP, and ColdFusion.

This is the first time I’ve applied to speak at one of these things so I’m not quite sure how it will go. I lead training sessions like this at work every once in a while, so hopefully the skills will transfer. In fact, finding out that my topic was selected was the main thing that got me to actually set up a new website. After all, I’ll need somewhere to point people to when I say the obligatory “you can find my slides on my website” at the end of the session.

print "Hello World!";

So, I’m blogging again. Yay!

It has been a little over a year since I took my last website off the internet. This time around, I plan to focus only on things related to software development. No movie or video game reviews, no family photos, no introspective blogging on my birthday, no political opinions (except maybe in the cases where it relates directly to software development—maybe).

If you’re wondering about the URL ampersand.space: pretty much everything I could think of with a dot com was taken. I noticed dot space in the list of affordable TLDs in my registrar of choice (Namecheap). It is supposed to be for websites about space exploration and astronomy... but it also works for making a domain name that is thoroughly confusing to say aloud.

This site is obviously still a work in progress. The current UI, that I threw together in a few hours, is supposed to evoke one of those low-res eighties-beige CRT monitors with green text. I intentionally broke a few UX guidelines, because that is how trendsetters set trends.

My feed is available at ampersand.space/feed.