
A software developer’s musings on software development

y2k16 bug

This website is now in its second calendar year. Which means the code to print the copyright at the bottom of the page just went to an untested branch of code. Turns out it had a bug!

y2k16 bug on this site

I have squashed the bug. Happy New Year! :)

Never Forget

In a previous life, I operated another blog. In the decade I spent running that site, I blogged 432 times. I have gone through the archives of that pile of random thoughts, and brought over twenty-eight posts. Think of it as my greatest hits collection.

Actually doing this turned out to be a huge task—I decided with this site that I would use Markdown to compose my posts, rather than the HTML I used on the old blog. Some things like <em> and <strong> were simple enough to search/replace, but others turned into a manual process. Then I had to deal with links within the site which would no longer work, and I had to find and move over attached images.

Anyway. Here are a few of my favorites:

Web Application Security 101: Slides and Demo App

I previously announced that I would be presenting at this year’s NCDevCon. Well, I tried! The conference suffered a complete power outage partway through the second day. I still tried to give my presentation in a dark room using only my laptop’s screen pointed at the attendees, but then we hit another snafu when a fire alarm cleared out the whole building.

As a result, I only got four slides in, and there is no video recording even of that part of the presentation.

I have put my slides and demo application on GitHub. You’ll find instructions there on how to set up the demo application.

One of the things I’m really disappointed that I didn’t get to discuss is Incentivizing Secure Code (slides 38-43). Here is the gist of what I wanted to say:

Our knee-jerk reaction when we see insecure code is to say that the developer is ignorant or incompetent. But sometimes the developer is just making a rational decision to spend his or her time churning out as many features as possible, rather than spending more time doing something that probably won’t get recognized or appreciated (writing secure code). There’s often no incentive for the developer to make the code better. Given the rate of turnover in this industry, it’s quite likely that the developer who wrote the code for Target or Sony Pictures or the Office of Personnel Management, or any other recent high-profile hack, is long gone from that job. They are not being dragged before Congress to testify. Their ex-boss’s boss’s boss is.

So, how do you solve this problem? Developers need to be incentivized to do the right things. I don’t mean monetary incentives. I mean the same kind of incentive you have to produce code that runs fast, or code that is stable, or a nice looking UI. Namely, that if you do those things well, you don’t have QA and product managers telling you that a million things are broken, and you have time to move on to your next task.

In my view, the best way to incentivize secure code is to train QA on how to test security. If the developer knows that security will be tested, and that QA actually knows how to test it, then he or she will be more likely to spend time covering security basics to begin with. In my company, we have a document that I worked with QA to develop, which provides guidelines for basic security testing. In a lot of cases it is as simple as “Enter <b>test</b> in every form field. If you see bold text, there is an XSS vulnerability”. Or “Enter a single-quote character in every form field. If you get errors there is a SQL Injection vulnerability.” QA needs to know how to use browser developer tools to modify hidden fields and select boxes.
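The “enter `<b>test</b>` in every field” rule above, written as an automated check. This is an added example, not code from the post or from the NCDevCon demo app; the rendering functions, the sample form and the helper names are assumptions.

```javascript
// Added example: the post's QA probe for reflected XSS, run as a test against
// hypothetical page-rendering functions. Nothing here is from the demo app.
const PROBE = '<b>test</b>';

// Output encoding for text placed inside an HTML element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the field value is concatenated straight into markup,
// so a browser would show the probe as bold text.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened rendering: the same page with the value encoded on output, so the
// browser shows the literal characters "<b>test</b>" instead of bold text.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// The QA rule: if the probe survives unencoded in the response, the field is
// an XSS sink. The encoded form ("&lt;b&gt;test&lt;/b&gt;") does not match.
function reflectsRawMarkup(render, probe = PROBE) {
  return render(probe).includes(probe);
}

// Apply the rule to every field a page renders and report the failing ones
// by name, which is what a tester needs to file a bug.
function xssSmokeTest(fields) {
  return Object.entries(fields)
    .filter(([, render]) => reflectsRawMarkup(render))
    .map(([name]) => name);
}

// Constructed sample "form": two fields rendered unsafely, one safely.
const sampleFields = {
  name: renderGreetingUnsafe,
  city: (v) => `<span class="city">${v}</span>`,
  email: renderGreetingSafe,
};

console.log(xssSmokeTest(sampleFields)); // [ 'name', 'city' ]
```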

None of this guarantees that your code will be secure. It should at least reduce very common and very preventable security vulnerabilities. There are other factors that are beyond the scope of this “101” level presentation. And sometimes it isn’t even in your control. It doesn’t matter if you won the Emmy for Best Coder last year; if you used OpenSSL you had a Heartbleed problem.

In Defense Of Stack Overflow

A few months ago an article made the rounds about The Decline of Stack Overflow. For the most part, this article included screenshots of issues that were resolved a long time ago. You can read a rebuttal here. I don’t want to just repost that content here.

What I’d do is remind everyone just how bad getting answers to programming questions was in 2008. Back then, googling a programming question would usually bring up an answer on Experts Exchange. But clicking on the link would reveal a page that said “Hey! We have the answer! But you will have to sign up to read it!”. That’s something Stack Overflow set out to solve, and they did so very quickly.

A lot of the criticism is about the treatment of new users, and to be fair, I don’t know what the new user experience is like nowadays. I joined the site as soon as it went public. At that time the site was very different, and allowed any question related to programming even if it was “What’s your favorite programmer cartoon?” or “What’s the worst habit that programming has given you?” It took the site a few years to figure out the basic rules, and they are still working on them.

Something that the criticism often misses is that there are distinct groups of people who use Stack Overflow. The site seems to cater to these groups in the following order:

Users Without An Account

This group is by far the largest group, and they have a great experience. They never enter stackoverflow.com into their browser’s address bar. All they do is google a programming question, click on the first link (very often Stack Overflow), read the answer (frequently a very good answer, which is just under the question), and go on with their day.

Very Active Users

This group is small but it is the one that makes Stack Overflow valuable: the users who are active on the site answering and voting on questions. A lot of the earlier decisions on the site were designed to keep these users around. One of those things they figured out is that the people who answer questions get really tired of answering the same questions over and over, and they get really really tired of answering bad questions. So they gave people the ability to vote to close questions for being low quality. This is where a lot of new users get upset. As I understand it, questions are no longer closed, they are just put “on hold” for five days, and the asker is given some tips about the kinds of things that can improve questions.

Occasionally Active Users

I guess this is where I fall now. I think a lot of users get frustrated at the fact that they try to answer a question and in the time it takes them to type the answer, someone else has answered it. I know that’s why I don’t participate much lately. It seems like a supply and demand situation that will naturally reach some level of market equilibrium. I’m not sure how else you solve this.

Users Who Want To Ask Questions

Most of the criticism concerns the treatment of this group. I don’t think it’s entirely misplaced, and I think the people at the company are trying to improve the experience for these users. But there is no shortage of people asking questions, and a lot of them are not very good at it.

If I must come to some form of conclusion, I would say that the “demise” of Stack Overflow is quite an exaggeration. The site’s not perfect, but things are way better for programmers seeking help than they were seven years ago.

On the other hand, some other websites with large, active communities have evaporated very quickly (e.g. MySpace, Digg). It is possible that I’m seeing things through the same rose-colored glasses that caused me to defend The Office well into season six. If Stack Overflow really is as bad as it sounds, it wouldn’t be that hard for someone to create another Q&A site. In fact, Stack Overflow provides all of their questions and answers in a regular data dump licensed under a Creative Commons Attribution-ShareAlike license (fulfilling an early promise to the community). This means it would be perfectly legal to create a brand new Q&A site seeded with all of the data from Stack Overflow. But I suspect you would find that building the community is much harder than building the website.

Speaking at NCDevCon This Year

A bit of an announcement: I’m going to be speaking at NCDevCon this year! Here’s the abstract for my session:

Web Application Security 101

Do you nod in agreement when your coworkers talk about SQL injection or XSS, afraid to admit you don’t know what they are talking about? Do security experts make you feel like you can’t learn security if you don’t already know security? If so, this session is for you! I will go over the most common security vulnerabilities in modern web applications, explaining how an attacker might attempt to use them, and how you can protect against them. I’ll demonstrate with practical code examples in JavaScript, PHP, and ColdFusion.

This is the first time I’ve applied to speak at one of these things so I’m not quite sure how it will go. I lead training sessions like this at work every once in a while, so hopefully the skills will transfer. In fact, finding out that my topic was selected was the main thing that actually got me to set up a new website. After all, I’ll need somewhere to point people to when I say the obligatory “you can find my slides on my website” at the end of the session.

print "Hello World!";

So, I’m blogging again. Yay!

It has been a little over a year since I took my last website off the internet. This time around, I plan to focus only on things related to software development. No movie or video game reviews, no family photos, no introspective blogging on my birthday, no political opinions (except maybe in the cases where it relates directly to software development—maybe).

If you’re wondering about the URL ampersand.space: pretty much everything I could think of with a dot com was taken. I noticed dot space in the list of affordable TLDs in my registrar of choice (Namecheap). It is supposed to be for websites about space exploration and astronomy... but it also works for making a domain name that is thoroughly confusing to say aloud.

This site is obviously still a work in progress. The current UI, that I threw together in a few hours, is supposed to evoke one of those low-res eighties-beige CRT monitors with green text. I intentionally broke a few UX guidelines, because that is how trendsetters set trends.

My feed is available at ampersand.space/feed.

Some of my code is now on GitHub

Warning: I wrote this blog in 2014. That is a long time ago, especially on the internet. My opinions may have changed since then. Technological progress may have made this information completely obsolete. Proceed with caution.

For various reasons, but mainly to learn a little bit about Git, I have created a GitHub profile. I’ve added six repositories, for some of the code that I’ve posted on this website over the years. The only one I still actively put any effort into is QuickReplace, since it is a tool that I use on a near-daily basis. This is all code from hobby side-projects, since most of the other code I have written over the past decade is owned by the companies I wrote it for.

What's it like working from home?

Warning: I wrote this blog in 2014. That is a long time ago, especially on the internet. My opinions may have changed since then. Technological progress may have made this information completely obsolete. Proceed with caution.

As of yesterday, I have been working from home full-time[1] for two years. Something that I get asked a lot is “How do you like working from home?”. My general answer is that “it’s great!”, which usually leads to a bunch of follow-up questions. I thought I’d collect a few of the answers here.

I don’t work in my pajamas, in my underwear, or in the nude[2]. Even on weekends, I feel like a slob if I don’t take a shower and put on normal clothes once I get out of bed. On a few rare occasions I have worked in my pajamas if I had an early meeting, or if I just felt like sleeping longer. But, given that I work from home, I usually have no problem getting up early enough to take a shower before “early” meetings. Or sometimes I stay in my pajamas because I’m planning to go running at lunchtime, and there’s no reason to take a shower when I know I’m going to need to take another in a few hours.

I do get to wear climate-appropriate clothing. This means shorts and a t-shirt and barefoot in the summer.

My wife and the kids don’t distract me very much. They generally stay downstairs most of the day, when they are home. My daughter is in kindergarten now, and my son has started preschool, so there are a lot of quiet days. The bonus room, which doubles as my office, is isolated enough from the rest of the house that they don’t usually bother me. When they do come upstairs, I can close my door if I need to. I would say I have fewer distractions here than I would being at the office.

A lot of people tell me they could never stay focused working from home, or that they would go crazy. I can see that, and it’s not for everyone. It takes a certain type of personality. I would go crazy in a job where I had to talk to strangers all the time. To each his own.

I will confess to multitasking during meetings. Anyone who says they are paying complete attention to an online meeting is lying. But people do the same thing when they’re sitting in the conference room with a laptop open. Some meetings require very active participation, and some meetings are just someone talking for an hour when only five minutes of that actually concerns me. I use my best judgement to figure out where I am on that continuum.

I get to play my ukulele at work! That’s something that would probably be frowned on in most offices. It’s a good way to pass time when I’m waiting on everyone to dial in for a meeting, or when I’m waiting for some big file to upload/download. I have Hey Soul Sister pretty much nailed.

My internet connection has been extremely reliable. In the past two years, I’ve only had the internet go out during the day twice. Once I lost about half a day’s work, but the other time I only lost half an hour. We pay the extra $10 for increased internet speed, and I can join in to teleconferences while talking on a VOIP phone while my wife is streaming Netflix downstairs with no problem. I would love some Google Fiber, but it seems I am living in the wrong suburb of Raleigh...

There is one part about working from home that I do not like at all. And that is when I get an email that says “Bagels in the breakroom!”

  1. Well I guess I am technically only eighty-seven percent remote, not full-time remote, since I go into the office for two days every three weeks. 

  2. I realize that, for some people, all three of those are the same thing. I am not one of those people. 

An Interesting Bug (Dates Are Weird)

Warning: I wrote this blog in 2014. That is a long time ago, especially on the internet. My opinions may have changed since then. Technological progress may have made this information completely obsolete. Proceed with caution.

Not too long ago I was tasked with coding and designing a fairly simple calendar control. After I got it up and running and did some additional testing, I ran into an interesting problem: anytime I viewed a date in November, the calendar would look like this:

It only took me a minute to realize what I was doing wrong. Here is the gist of the algorithm (written in plain English so that hopefully non-geeks can understand it):

  1. Determine the first date that will be displayed on the calendar.
  2. Determine the last date that will be displayed on the calendar.
  3. Set DrawDate to FirstDate
  4. Do a loop while DrawDate <= LastDate
    1. If the current day of the week is the first day of the week, start a new row
    2. Draw DrawDate on the calendar
    3. Set DrawDate to DrawDate + 24 hours

Now when you look at the calendar, the most obvious thing is that there is a week with only one day. But the real problem is that November 2 is on the calendar twice.

What I forgot when initially coding this is that a day is not always twenty-four hours! If you observe daylight saving time, there is one day a year that is only 23 hours long (the day you “spring forward”), and one day that is 25 hours long (the day you “fall back”).

When I create a date, but don’t include time, it gets created with a time of 00:00:00 (midnight). So when I add 24 hours to November 2, 2014, I get 11pm on November 2, 2014, not midnight on November 3, 2014.

The fix is pretty simple: instead of adding 24 hours, add one day. The language already is smart enough to account for daylight saving time when you do this.
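The same calendar loop, as an added example rather than the post’s own calendar control: it is run once with the 24-hour step and once with the one-day fix, in Node.js, with the time zone pinned to America/New_York (an assumption) so that the 2 November 2014 “fall back” reproduces regardless of the machine it runs on.

```javascript
// Added example: the post's algorithm with the buggy and the fixed date step.
// Pinning the zone is an assumption for reproducibility; in this zone DST
// ended on 2 Nov 2014, so that local day is 25 hours long.
process.env.TZ = 'America/New_York';

// Local calendar date as YYYY-MM-DD, i.e. what a calendar cell displays.
function ymd(d) {
  const p = (n) => String(n).padStart(2, '0');
  return `${d.getFullYear()}-${p(d.getMonth() + 1)}-${p(d.getDate())}`;
}

// Length of a local calendar day in hours (23, 24 or 25 with DST).
function hoursInLocalDay(year, month, day) {
  return (new Date(year, month, day + 1) - new Date(year, month, day)) / 3600000;
}

// Buggy step from the post: assumes a day is always 24 hours.
function addTwentyFourHours(d) {
  return new Date(d.getTime() + 24 * 60 * 60 * 1000);
}

// The fix: let the Date API add one calendar day, DST included.
function addOneDay(d) {
  const next = new Date(d.getTime());
  next.setDate(next.getDate() + 1);
  return next;
}

// The post's algorithm (month is 0-based, as in JavaScript Dates): first
// displayed date is the Sunday on or before the 1st, last displayed date is
// the Saturday on or after the month's last day, and a new row starts
// whenever the draw date falls on a Sunday. Returns rows of YYYY-MM-DD cells.
function calendarRows(year, month, step) {
  const first = new Date(year, month, 1);
  first.setDate(first.getDate() - first.getDay());
  const last = new Date(year, month + 1, 0); // day 0 of next month = last day
  last.setDate(last.getDate() + (6 - last.getDay()));

  const rows = [];
  for (let draw = first; draw <= last; draw = step(draw)) {
    if (draw.getDay() === 0 || rows.length === 0) rows.push([]);
    rows[rows.length - 1].push(ymd(draw));
  }
  return rows;
}

const buggy = calendarRows(2014, 10, addTwentyFourHours);
const fixed = calendarRows(2014, 10, addOneDay);
console.log('buggy row lengths:', buggy.map((r) => r.length).join(',')); // 7,1,7,7,7,7,6
console.log('fixed row lengths:', fixed.map((r) => r.length).join(',')); // 7,7,7,7,7,7
```

The buggy grid has the one-day row and the duplicated 2 November from the post, because after the 25-hour day every “midnight” has slipped back to 11pm of the previous date.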

Computer Security For Non-Geeks

Warning: I wrote this blog in 2012. That is a long time ago, especially on the internet. My opinions may have changed since then. Technological progress may have made this information completely obsolete. Proceed with caution.

A little over a year ago I wrote an article on how to come up with a secure, easy-to-remember password for every site you visit, even if you aren’t a geek. I would recommend you go read that now if you didn’t the first time around.

This is a follow-up post about something very simple that you can do to make your identity much more secure. But this advice is only for GMail users. If you don’t use GMail, you can stop now. Still with me? Okay. As a GMail user, you can enable two-step verification. This means that whenever you sign in to GMail from a new computer, Google will text you a six-digit verification code which you must also enter. This way, even if someone got your email password, they cannot log in to your email without also having your phone. It sounds like it would be a huge pain, but you really only have to go through two-step authentication once a month, which I have found to be not a big deal at all.

I used to think that this was only for really paranoid people, not for me. I don’t have anything all that confidential in my email. I daresay that if the contents of my GMail were posted to Wikileaks tomorrow, I would only be a little embarrassed by what people could read. But then it was explained to me[1] like this:

Your email is the master key to your online identity, everywhere.

Think about it this way: If someone gets access to your email, they have access to everything. For example, say they go to your bank’s website and click the “forgot password” link. Your bank will ask for your email address, then dutifully create a new password for the account associated with that address, then send the new password to that address. Voila, now they can access your bank account![2]

  1. I think Jeff Atwood gets credit for this idea

  2. If you’re lucky, the website has a secret question that they won’t be able to figure out by searching through your email.