&. |

A software developer’s musings on software development

Speaking at NCDevCon This Year

A bit of an announcement: I’m going to be speaking at NCDevCon this year! Here’s the abstract for my session:

Web Application Security 101

Do you nod in agreement when your coworkers talk about SQL injection or XSS, afraid to admit you don’t know what they are talking about? Do security experts make you feel like you can’t learn security if you don’t already know security? If so, this session is for you! I will go over the most common security vulnerabilities in modern web applications, explaining how an attacker might attempt to use them, and how you can protect against them. I’ll demonstrate with practical code examples in Javascript, PHP, and ColdFusion.

This is the first time I’ve applied to speak at one of these things so I’m not quite sure how it will go. I lead training sessions like this at work every once in a while, so hopefully the skills will transfer. In fact, finding out that my topic was selected was actually the main thing that got me to actually set up a new website. After all, I’ll need somewhere to point people to when I say the obligatory “you can find my slides on my website” at the end of the session.

print "Hello World!";

So, I’m blogging again. Yay!

It has been a little over a year since I took my last website off the internet. This time around, I plan to focus only on things related to software development. No movie or video game reviews, no family photos, no introspective blogging on my birthday, no political opinions (except maybe in the cases where it relates directly to software development—maybe).

If you’re wondering about the URL ampersand.space: pretty much everything I could think of with a dot com was taken. I noticed dot space in the list of affordable TLDs in my registrar of choice (Namecheap). It is supposed to be for websites about space exploration and astronomy... but it also works for making a domain name that is thoroughly confusing to say aloud.

This site is obviously still a work in progress. The current UI, that I threw together in a few hours, is supposed to evoke one of those low-res eighties-beige CRT monitors with green text. I intentionally broke a few UX guidelines, because that is how trendsetters set trends.

My feed is available at ampersand.space/feed.

Some of my code is now on GitHub

Warning: I wrote this blog in 2014. That is a long time ago, especially on the internet. My opinions may have changed since then. Technological progress may have made this information completely obsolete. Proceed with caution.

For various reasons, but mainly to learn a little bit about Git, I have created a GitHub profile. I’ve added six repositories, for some of the code that I’ve posted on this website over the years. The only one I still actively put any effort into is QuickReplace, since it is a tool that I use on a near-daily basis. This is all code from hobby side-projects, since most of the other code I have written over the past decade is owned by the companies I wrote it for.

What's it like working from home?

Warning: I wrote this blog in 2014. That is a long time ago, especially on the internet. My opinions may have changed since then. Technological progress may have made this information completely obsolete. Proceed with caution.

As of yesterday, I have been working from home full-time1 for two years. Something that I get asked a lot is “How do you like working from home?”. My general answer is that “it’s great!”, which usually lead to a bunch of follow-up questions. I thought I’d collect a few of the answers here.

I don’t work in my pajamas, in my underwear, or in the nude2. Even on weekends, I feel like a slob if I don’t take a shower and put on normal clothes once I get out of bed. On a few rare occassions I have worked in my pajamas if I had an early meeting, or if I just felt like sleeping longer. But, given that I work from home, I usually have no problem getting up early enough to take a shower before “early” meetings. Or sometimes I stay in my pajamas because I’m planning to go running at lunchtime, and there’s no reason to take a shower when I know I’m going to need to take another in a few hours.

I do get to wear climate-appropriate clothing. This means shorts and a t-shirt and barefoot in the summer.

My wife and the kids don’t distract me very much. They generally stay downstairs most of the day, when they are home. My daughter is in kindergarten now, and my son has started preschool, so there are a lot of quiet days. The bonus room, which doubles as my office, is isolated enough from the rest of the house that they don’t usually bother me. When they do come upstairs, I can close my door if I need to. I would say I have less distractions here than I would being at the office.

A lot of people tell me they could never stay focused working from home, or that they would go crazy. I can see that, and it’s not for everyone. It takes a certain type of personality. I would go crazy in a job where I had to talk to strangers all the time. To each his own.

I will confess to multitasking during meetings. Anyone who says they are paying complete attention to an online meeting is lying. But people do the same thing when they’re sitting in the conference room with a laptop open. Some meetings require very active participation, and some meetings are just someone talking for an hour when only five minutes of that actually concerns me. I use my best judgement to figure out where I am on that continuum.

I get to play my ukulele at work! That’s something that would probably be frowned on in most offices. It’s a good way to pass time when I’m waiting on everyone to dial-in for a meeting, or when I’m waiting for some big file to upload/download. I have Hey Soul Sister pretty much nailed.

My internet connection has been extremely reliable. In the past two years, I’ve only had the internet go out out during the day twice. Once I lost about half a day’s work, but the other time I only lost half an hour. We pay the extra $10 for increased internet speed, and I can join in to teleconferences while talking on a VOIP phone while my wife is streaming Netflix downstairs with no problem. I would love some Google Fiber, but it seems I am living in the wrong suburb of Raleigh...

There is one part about working from home that I do not like at all. And that is when I get an email that say “Bagels in the breakroom!”

  1. Well I guess I am technically only eighty-seven percent remote, not full-time remote, since I go into the office for two days every three weeks. 

  2. I realize that, for some people, all three of those are the same thing. I am not one of those people. 

An Interesting Bug (Dates Are Weird)

Warning: I wrote this blog in 2014. That is a long time ago, especially on the internet. My opinions may have changed since then. Technological progress may have made this information completely obsolete. Proceed with caution.

Not too long ago I was tasked with coding and designing a fairly simple calendar control. After I got it up and running and did some additional testing, I ran into an interesting problem: anytime I viewed a date in November, the calendar would look like this:

It only took me a minute to realize what I was doing wrong. Here is the jist of the algorithm (written in plain English so that hopefully non-geeks can understand it):

  1. Determine the first date that will be displayed on the calendar.
  2. Determine the last date that will be displayed on the calendar.
  3. Set DrawDate to FirstDate
  4. Do a loop while DrawDate <= LastDate
    1. If the current day of the week is the first day of the week, start a new row
    2. Draw DrawDate on the calendar
    3. Set DrawDate to DrawDate + 24 hours

Now when you look at the calendar, the most obvious thing is that there is a week with only one day. But the real problem is that November 2 is on the calendar twice.

What I forgot when initially coding this is that a day is not always twenty-four hours! If you observe daylight saving time, there is one day a year that is only 23 hours long (the day you “spring forward”), and one day that is 25 hours long (the day you “fall back”).

When I create a date, but don’t include time, it gets created with a time of 00:00:00 (midnight). So when I add 24 hours to November 2, 2014, I get 11pm on November 2, 2014, not midnight on November 3, 2014.

The fix is pretty simple: instead of adding 24 hours, add one day. The language already is smart enough to account for daylight saving time when you do this.

Computer Security For Non-Geeks

Warning: I wrote this blog in 2012. That is a long time ago, especially on the internet. My opinions may have changed since then. Technological progress may have made this information completely obsolete. Proceed with caution.

A little over a year ago I wrote an article on how to come up with a secure, easy-to-remember password for every site you visit, even if you aren’t a geek. I would recommend you go read that now if you didn’t the first time around.

This is a follow-up post about something very simple that you can do to make your identity much more secure. But this advice is only for GMail users. If you don’t use GMail, you can stop now. Still with me? Okay. As a GMail user, you can enable two-step verification. This means that whenever you sign in to GMail from a new computer, Google will text you a six-digit verification code which you must also enter. This way, even if someone got your email password, they cannot log in to your email without also having your phone. It sounds like it would be a huge pain, but you really only have to go through two-step authentication once a month, which I have found to be not a big deal at all.

I used to think that this was only for really paranoid people, not for me. I don’t have anything all that confidential in my email. I daresay that if the contents of my GMail were posted to Wikileaks tomorrow, I would only be a little embarrassed by what people could read. But then it was explained to me1 like this:

Your email is the master key to your online identity, everywhere.

Think about it this way: If someone gets access to your email, they have access to everything. For example, say they go to your bank’s website and click the “forgot password” link. Your bank will ask for your email address, then dutifully create a new password for the account associated with that address, then send the new password to that address. Voila- now they can access your bank account!2

  1. I think Jeff Atwood gets credit for this idea

  2. If you’re lucky, the website has a secret question that they won’t be able to figure out by searching through your email. 

Photo Mosaics

Warning: I wrote this blog in 2011. That is a long time ago, especially on the internet. My opinions may have changed since then. Technological progress may have made this information completely obsolete. Proceed with caution.

Over the holidays, my wife and the in-laws were working on a jigsaw puzzle which featured an image from Winnie The Pooh, which was made up of hundreds of tiny animation cells from Winnie The Pooh cartoons. The puzzle was super tedious, but it did inspire me. I realized it would be a fun programming exercise to try to write a program to generate one of these mosaic images. So that’s what I did that evening, staying up till about four in the morning.

Here is the original image I’ll be working with in this example:

To start with, I take a library of images and reduce them all to 12x9 pixels. This takes a while, so this library is cached. I then use these simplified images to determine which image to use for each tile in the mosaic.

In my first try, I picked the best match possible for each tile. Unfortunately, this results in a lot of duplication, which doesn’t actually look that great.

So, my next attempt was to prevent any image from being used twice. Unfortunately, you need lots of suitable images for this to work; my library of photos wasn’t sufficient. Additionally, because I was processing tiles column-by-column, from left to right, the mosaic generally was truest to the original image on the left, and furthest from the image on the right.

My next idea was to allow an image to be reused, but to limit reuse. So I implemented a system where an image receives a “penalty” each time it is used. The next time I check to see how suitable that image is for a given tile, I add the penalty to that tile’s score. This has the effect of allowing other similar images to be substituted. But after other similar images also have the same penalty, the original image will be selected again. And it will get another penalty. This produces a better image, but it still has the problem of the image getting worse as you go from left to right.

So, I next decided I would fill in the tiles in a random order. This gives better results:

Next, I had the idea that instead of filling them in randomly, I should fill in the tiles with the most detail first. (For those curious, I calculate the level of detail in a tile by computing the average RGB color of each pixel in the tile. Then I take the standard deviation of the “distance” of each pixel’s color from the mean color in the RGB color space. So the most detailed image would be one that is half black and half white. And the least detailed would be one that is one solid color. This isn’t perfect: a tile that is a black and white checkerboard pattern is more detailed than one that is half white and half black, split evenly down the middle. I suppose a better approach would be to do a frequency analysis, and find the areas of highest frequency changes. Similar to the way JPEG compression works. But I thought that was too much work for what I was trying to do.)

So now we have something that I’m pretty pleased with. The next step was just to up the resolution. The image below has 4560 individual tiles:

I’m not releasing the program right now because the code is way too bad. It is very sloppy, nothing is parameterized. (I adjust the parameters right now by editing the code and running from within Eclipse.) Plus, I’m sure there are programs out there already that do the same thing better. If you’re really interested, you can email me. If there’s enough interest, I can try to make the code presentable. But I don’t have any plans for that now.

Don't copy that floppy

Warning: I wrote this blog in 2011. That is a long time ago, especially on the internet. My opinions may have changed since then. Technological progress may have made this information completely obsolete. Proceed with caution.

During a meeting today, I got to wondering: do today’s kids even know what the commonly-used save icon represents?

Screenshot of Microsoft Word with floppy-disk save icon

Is this confusing to kids? Or do they just learn that this thing, whatever it is, generally represents saving? Surely the percentage of people under the age of fifteen who have ever used a floppy disk must be less than five percent, but I wonder what percentage even knows what one is.

More on HTML5 video

Warning: I wrote this blog in 2011. That is a long time ago, especially on the internet. My opinions may have changed since then. Technological progress may have made this information completely obsolete. Proceed with caution.

Four months ago I blogged about the frustrations of using HTML5 video. I said at the time that I have to transcode the video into 4.1 different formats (mp4, ogv, webm, flv, and jpg). However, I was reminded today (at NC Dev Con) that Flash supports h.264, which is to say, MP4. So I don’t need to transcode to FLV for the Flash player fallback; I can just send the MP4 file to the flash player. So I’ve updated the player on my site to drop the need for FLV. I’ve also switched my flash player from OSFLV to the nicer Flowplayer. Not that you would notice any of this, unless you’re using IE 6/7/8.

Password tips for non-geeks

Warning: I wrote this blog in 2011. That is a long time ago, especially on the internet. My opinions may have changed since then. Technological progress may have made this information completely obsolete. Proceed with caution.

I’ve been thinking about passwords recently, as I have gone and changed passwords for pretty much every website that I can remember having a password for. For me, this was prompted by the hacking of PlayStation Network, which led to my PSN password being compromised. And, like most people, I used the same password for PSN that I used for many other sites. This is generally a Bad Thing, but what are you going to do?

Well, for geeks, the answer is “have a separate, randomly-generated password for every site, and the password must be long and contain numbers, lowercase letters, uppercase letters, and symbols.”

I realize that this is impractical for normal people.

So here’s my advice for non-geeks. Come up with a sentence. A really random sentence. Try to include some numbers in the sentence. Then take the first letter of each word. This will be your base password. Here, I’ll make up an example:

forget about the last 7 things u Heard 2-day

That gives us: fal7tuH2d

Believe it or not, it’s really easy to remember a sentence like this. You can leave out articles, conjunctions, and/or prepositions if you like, and you can replace “are” with “r”, “you” with “u”, etc. Whatever is most natural for you to remember. Making at least one of the letters uppercase and including some kind of punctuation is good. Make sure there are at least 7 characters, since a lot of sites use 8 characters as the minimum length of a password.

Next, come up with a rule for how you will include the company name in the password. For example, “use the last letter of each word in the company name, and capitalize the last one”. Using this rule, my password for Amazon, PayPal, and Gmail might be as follows:

Amazon: fal7tuH2dN
PayPal: fal7tuH2dyL
Gmail (Google Mail): fal7tuH2deL

Now, if someone somehow obtains your password to one site, they won’t have your password to every site you use. And hopefully they won’t be able to figure out the rule for the last few characters (this is why using something other than the first character of the site name is a good idea). And no one’s ever going to guess a password like that.

Of course, this isn’t fool-proof. But it is a lot more secure than using the same password for every site, and it’s a lot more secure than using a word that can be found in a dictionary or your pet’s name or your birthday or something like that.

Note: If you really want to do it the geeky way (a long, random password for each site), you can get applications that will generate random passwords and store them securely. This makes it so you only need to memorize one password, and that password lets you access all your other passwords. I like KeePass, and it runs without an installer on PC and (I think) Mac. I keep it in my Dropbox so I can use it from home or work. But I don’t do it for every site; mainly, I just do this for really sensitive sites (like bank and credit card websites). And remember, if someone really wants your password, they can probably crack it in a few hours with just five dollars of equipment.