* Posts by JoeySter

12 posts • joined 31 May 2019

SELECT code_execution FROM * USING SQLite: Eggheads lift the lid on DB security hijinks


Re: I wouldn't assume this isn't serious

Whether it's serious or not varies. For a lot of people it won't be. For those on shared platforms, it might be.

On a single platform, where multiple services are in play, you have to be careful of just how many security boundaries you put up.

You don't want a fence around everything, then another fence around each thing, then another fence around each thing within that, etc. You sort of end up with a house looking like an onion, with thousands of tiny rooms and doors for each thing.

Containment can be too granular and in most systems, ultimately, everything has to be able to talk with everything else, so it's hard to entirely prevent someone fully propagating through the system.


Either way the pointer dereference should be fixed as that's most likely a bug. It's not just about security but integrity. There are occasional debates about trusting the data you lay down, though I wouldn't want file corruption to cause the application to crash that easily when it's such a write heavy process.

As far as privilege escalation goes, it won't affect a lot of people, as basically if someone has access to the file system then you're already in trouble.

File permissions are a simple fix. A lot of such privilege escalations exist with just about anything that uses files, even when there isn't a bug allowing execution of arbitrary code.
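The "file permissions are a simple fix" point above in working form, as an added example that is not part of the original comment or of the research the article covers. A process that opens a SQLite file another local user could have rewritten is parsing attacker-controlled pages, so the check below (Unix only; the function names and the tiny users table are assumptions for illustration) refuses to open a database unless the file is a regular file owned by the current user, not group- or world-writable, and not sitting in a world-writable directory without the sticky bit, and it creates new databases with mode 0600 from the start.

```python
import os
import sqlite3
import stat
import tempfile


def db_file_is_trusted(path, expected_uid=None):
    """Return (ok, reasons). ok is True only when no problem was found."""
    reasons = []
    st = os.lstat(path)  # lstat: do not follow a symlink planted by someone else
    if stat.S_ISLNK(st.st_mode):
        reasons.append("database path is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        reasons.append("database path is not a regular file")
    uid = os.getuid() if expected_uid is None else expected_uid
    if st.st_uid != uid:
        reasons.append("database file owned by uid %d, expected %d" % (st.st_uid, uid))
    if stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("database file is group- or world-writable")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    # A world-writable directory without the sticky bit lets anyone unlink and
    # replace the file, and the -journal/-wal/-shm files SQLite creates beside it.
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        reasons.append("parent directory is world-writable without sticky bit")
    return (not reasons, reasons)


def open_trusted_db(path):
    """Open the database only after the file passes the ownership/mode check."""
    ok, reasons = db_file_is_trusted(path)
    if not ok:
        raise PermissionError("refusing to open %s: %s" % (path, "; ".join(reasons)))
    return sqlite3.connect(path)


def create_private_db(path):
    """Create the file atomically with mode 0600, then let SQLite populate it."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    conn = sqlite3.connect(path)
    try:
        conn.execute("CREATE TABLE users (name TEXT)")
        # Constructed sample data, just so the SELECT below returns something.
        conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
        conn.commit()
    finally:
        conn.close()


def demo():
    """Build a private database, open it, loosen its mode, and show the check fail."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.db")
        create_private_db(path)
        before_ok, _ = db_file_is_trusted(path)
        conn = open_trusted_db(path)
        try:
            rows = [r[0] for r in conn.execute("SELECT name FROM users ORDER BY name")]
        finally:
            conn.close()
        os.chmod(path, 0o666)  # simulate a sloppy deployment
        after_ok, after_reasons = db_file_is_trusted(path)
        return {"before_ok": before_ok, "after_ok": after_ok,
                "after_reasons": after_reasons, "rows": rows}


if __name__ == "__main__":
    print(demo())
```

The parent-directory test matters as much as the file mode: SQLite creates its journal and WAL files next to the database, and a replaceable directory entry is as good as a writable file.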

Neuroscientist used brainhack. It's super effective! Oh, and disturbingly easy



The biggest problem with the growth of technology that if applied appropriately could completely subjugate freedom is that there's no absolute protection for free will at all.

You might find that strange if you believe in things such as rights, but the problem is all of those moral and legal frameworks lack a solid foundation and can be overridden at will. Even if they had a foundation there's no stopping might makes right.

We see this with AI. We have a big problem because at what point do they earn rights? You might say at the point they feel.

The problem is, no matter how advanced we make AI it's impossible to introduce feeling or prove that it exists. You can simulate human behaviour down to a tee but that's merely a simulation.

The problem with this is that if there's no way to give AI rights then the same applies to humans, which are no more than naturally occurring misbehaving AI.

If you consider how often politicians say that some kind of thinking is outdated and should have disappeared, then you can consider that there is a very real desire to control the minds of the masses, a notion that's normalised: no one bats an eyelid when a politician says something like that. But when everyone carries a mobile, then a headset, then a brain chip, then we'd better make sure first what our government's intentions are.

UK cops blasted over 'disproportionate' slurp of years of data from crime victims' phones


There are two sides to this and it's important not to let either of those prevail. Those are...

* People making false claims of rape wanting to get away with it and see a successful prosecution as well as avoiding getting into trouble themselves. Unfortunately it happens, at a higher frequency than people realise, and it's complex because the more you dismiss that the more you both enable and entice it. There's a lot of pressure at the moment as well to treat accusations of sexual offences as guilty until proven innocent, or "you will be believed", which means that potentially the only way to get someone off the hook, even if there's insufficient evidence to be sure of an offence, is a very aggressive investigation to find any inconsistencies with the accuser's story.

* Some police officers would love to go on a fishing trip through people's phones looking for any sign of criminal activity, such as posting a meme on Facebook. We don't have robust enough laws to protect people from the consequences of police having access, so the only solution sometimes is access denied, at least without a contract setting out terms for data collection.

It would actually be better to make regs to keep it out of the hands of the cops and instead have the defence (qualified defence only) gaining access (though potentially through police utilities, i.e. police can still potentially possess and guard the evidence but simply not access it themselves). The problem with that is that it still escalates things and takes a little setting up to make sure access by the defence is within the bounds of what's necessary to mount a defence.

The reason to give it to the defence exclusively (assumption: prosecution has whatever) is simple: what they can actually do is already tightly restricted, that is, they can only mount a defence. It's not their position to prosecute, snoop or try to dig up crimes arbitrarily, only extract the material which is relevant to the defence. Retention period might be a bit tricky, though after the defence (trial) is done, there's technically no pressing reason to keep the data snapshot for a long period of time other than what the defence has extracted.

JavaScript tracking punks given a thrashing by good old-fashioned server log analytics


This isn't news. This is old skool. The reason people move on from these methods is because they're not the easiest or most reliable methods.

They are however often illegal if you do any more than analytics. There are millions of data breaches each day from tracking based on identifiers such as IP address.

For example, I live in a household that has internet. One modem with one IP address provides internet to many devices. I buy a tshirt at home on my desktop. My flatmate then goes to a website and sees adverts for the same brand of tshirt because he has the same IP address. That's a data breach.
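The household scenario in this comment, worked through on log lines, as an added example that is not the commenter's code or anything from the article. It parses Apache/nginx "combined" format, shows the per-page aggregation that analytics actually needs (no identifier retained), and then shows what an IP-keyed interest profile does with the same lines: every device behind one NAT address is merged into one "person", which is exactly how the flatmate ends up seeing the t-shirt adverts. The log lines, addresses and user agents are constructed for the example; the IP truncation helper is one common way of coarsening addresses before logs are kept.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one household IP with two devices (a desktop Firefox
# that buys a t-shirt, an iPhone that later reads the news) and an
# unrelated visitor from another address.
SAMPLE_LINES = [
    '203.0.113.7 - - [01/Jul/2019:18:02:11 +0100] "GET /shop/tshirt/acme-blue HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/67.0"',
    '203.0.113.7 - - [01/Jul/2019:18:02:19 +0100] "POST /shop/checkout HTTP/1.1" 302 0 "https://shop.example/shop/tshirt/acme-blue" "Mozilla/5.0 (X11; Linux x86_64) Firefox/67.0"',
    '203.0.113.7 - - [01/Jul/2019:21:40:03 +0100] "GET /news/ HTTP/1.1" 200 8312 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_3) Safari/605.1"',
    '198.51.100.20 - - [01/Jul/2019:21:41:30 +0100] "GET /news/ HTTP/1.1" 200 8312 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/75.0"',
]


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def parse_all(lines):
    return [r for r in (parse_combined(l) for l in lines) if r]


def page_views(lines):
    """Analytics: hit counts per path. No per-visitor identifier is kept."""
    return Counter(r["path"] for r in parse_all(lines) if r["method"] == "GET")


def interest_profile_by_ip(lines):
    """Tracking: what an IP-keyed ad profile records, every /shop/ page seen
    from that address, regardless of which device behind it made the request."""
    prof = defaultdict(set)
    for r in parse_all(lines):
        if r["method"] == "GET" and r["path"].startswith("/shop/"):
            prof[r["ip"]].add(r["path"])
    return dict(prof)


def devices_behind_ip(lines):
    """Distinct user agents per address; more than one means the IP is not one person."""
    dev = defaultdict(set)
    for r in parse_all(lines):
        dev[r["ip"]].add(r["ua"])
    return {ip: len(uas) for ip, uas in dev.items()}


def truncate_ip(ip):
    """Coarsen an address for logs at rest: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
    return str(net.network_address)


if __name__ == "__main__":
    print(page_views(SAMPLE_LINES))
    print(interest_profile_by_ip(SAMPLE_LINES))
    print(devices_behind_ip(SAMPLE_LINES))
```

Run on the sample, `page_views` answers the only question analytics has (how many people read /news/), while `interest_profile_by_ip` attaches the desktop's shop visit to the address the iPhone will later arrive from. The user-agent count is a hint that an address is shared, not a way to separate the people behind it.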

UK privacy watchdog threatens British Airways with 747-sized fine for massive personal data blurt


It's not entirely clear what the breach actually was. It sounds like more of a client side attack than a breach of internal data. Something as simple as HTML/HTTP browser settings?

White House mulls just banning strong end-to-end crypto. Plus: More bad stuff in infosec land


Why not simply ban communication? Problem solved.

DeepNude deep-nuked: AI photo app stripped clothes from women to render them naked. Now, it's stripped from web


What I want to know is why it didn't work for rendering men.

We knew it was coming: Bureaucratic cockup triggers '6-month' delay of age verification block on porno in the UK


This ultimately shuts down half the internet in the UK. Any service that takes user content without pre-moderation has to block the UK or implement verification. This is of course deliberate. The UK government wants to be able to censor the internet and they can't prosecute people for blasphemy if they don't know who or where they are (for example the USA isn't going to extradite people to the UK for 1st amendment violations).

The only workaround for this that I can see is to create an anonymous identification system, or rather age verification, though I suspect all attempts will be made to block anyone from doing that. That would consist of a service you can verify with, hosted on an island nation somewhere, which doesn't keep your data but gives you back credentials and allows other services to verify given credentials against it; these could be generated for each site, or the service could send you over to a login on the verification site then back.
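The credential service sketched in this comment can be built from RSA blind signatures, a technique the comment does not name. The following is an added illustration, not the commenter's code or anything from the article: the verification service signs a blinded value it cannot read, the user unblinds it into a token bound to one site, and that site checks the token against the service's public key. The service never sees the token, so it has nothing to keep and nothing it could later match to a presentation. Everything here is an assumption for illustration: the function names, the site names, the token layout, and the toy parameters (768-bit RSA, raw SHA-256 as the message representative). A real deployment would use 2048-bit keys, the standardised blind-signature message encoding, and replay tracking of nonces at the relying site. Requires Python 3.8+ for `pow(x, -1, n)`.

```python
import hashlib
import math
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a trial-division prefilter."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(c):
            return c


def keygen(bits=768):
    """Toy RSA key: ((e, n), (d, n)). Real deployments use 2048 bits or more."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def h(message):
    """Message representative; 256 bits, so always below the 768-bit modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


# User side: mint a token for one site, blind it, later unblind the signature.
def make_token(site):
    return b"over18|" + site.encode() + b"|" + secrets.token_hex(16).encode()


def blind(public, token):
    e, n = public
    while True:
        r = 2 + secrets.randbelow(n - 3)
        if math.gcd(r, n) == 1:
            break
    return (h(token) * pow(r, e, n)) % n, r


def unblind(public, blinded_sig, r):
    _, n = public
    return (blinded_sig * pow(r, -1, n)) % n


# Issuer side: runs only after the (out-of-band) age check passed. It sees
# and signs only the blinded value, never the token.
def issue(private, blinded):
    d, n = private
    return pow(blinded, d, n)


# Relying site: verify the signature and that the token names this site.
def site_accepts(public, site, token, sig):
    e, n = public
    parts = token.split(b"|")
    if len(parts) != 3 or parts[0] != b"over18" or parts[1] != site.encode():
        return False
    # A real site would also reject a nonce (parts[2]) it has already seen.
    return pow(sig, e, n) == h(token) % n


def demo():
    public, private = keygen()
    token = make_token("news.example")
    blinded, r = blind(public, token)
    issuer_log = [blinded]  # everything the issuer ever sees or could store
    sig = unblind(public, issue(private, blinded), r)
    return {
        "valid": site_accepts(public, "news.example", token, sig),
        "other_site": site_accepts(public, "shop.example", token, sig),
        "tampered": site_accepts(public, "news.example", token + b"x", sig),
        "issuer_cannot_link": h(token) not in issuer_log and sig not in issuer_log,
    }
```

The arithmetic is the standard Chaum construction: the issuer computes (m * r^e)^d = m^d * r mod n, and multiplying by r^-1 leaves the plain signature m^d that the site verifies with e. The site-name field in the token is what stops a credential issued for one site being replayed at another.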

Why are fervid Googlers making ad-blocker-breaking changes to Chrome? Because they created a monster – and are fighting to secure it


Re: Let's stop complaining about Chrome.

The whole reason half, perhaps more (depends how you look at it), of extensions are made is because people can't implement various legitimate facilities (which may also be down to performance as well as features) with the security restrictions otherwise in place for web development.


The problem here is that extensions are *meant* to be pretty much unconstrained. While there might be areas for improvement, to allow extensions to do things working only within the limit of what they need, ultimately beyond that limiting them tends to limit their utility.

It's a bit of a joke because just the process of downloading an application such as Chrome or any other has the same problem. It's not really avoidable. It's a bit like complaining that the bank manager has access to the vault. Workers at the canning factory can put what they like into the mix.

The problem has to be solved at the root. You'd think that might be possible with a centralised and regulated repository but apparently Google's ability to curate is limited. That's a problem in itself.

Refactoring whizz: Good software shouldn't cost the earth – it's actually cheaper to build


I don't particularly respect Fowler as a whizz or an authority. To me he's just another programmer sharing observations and opinions. Though unlike me, he appears to have ultimately devoted more of his career to writing about programming. I'm not someone that particularly pays attention to his writings. I don't know what his code is like and I've only seen bits and pieces of his work. I can't say what I've seen is terrible but it is a single perspective and one person's set of opinions.

I do however intimately know about the impact of his writings in scenarios relevant to what Fowler and those of his cohorts who follow the same philosophy propose here. I've had to inherit many a codebase "architected" by those who follow Fowler and have been given enough time, or in this case rope, to hang themselves. Whenever I see a monstrosity of a bloated OOP mess, a nightmare, there's a Fowler, a Gang of Four or similar book nearby. There are certain books that if you see them, they're a bad code smell: you can make a guess that the codebase is in a terrible state and you'll be right nine times out of ten. It'll be a specific kind of mess which might take many forms but inevitably comprises tangled layer upon layer of assorted abstractions. It's not that everything in these books is necessarily bad, it's a mix, though I'm not sure if the authors understand their audience, their audience's limitations and if it's even possible for any book to produce a positive effect.

The problem is that people such as Fowler, whether intentional or not, create resources that lend exceptionally well to facilitating process driven blind programming that doesn't actually produce quality software. Fowler is a master of prescribing rituals that people who like to follow rituals can easily adopt.

I can attest that in my experience writing code properly does result in greater productivity despite an initial lag, as it has a much higher ceiling. The net result between the two can easily be an order of magnitude, sometimes exponential. Better code really does cost less. I've seen bad code now costing easily hundreds of thousands to millions over the course of a few years on programmers' salaries alone. However, following Fowler has virtually no relevant bearing on whether code will be better or not. Nor will assessing whether code is "better" or not according to criteria that might be set out by Fowler, either directly or indirectly, be all that useful in ascertaining quality level. It's more likely to quickly depress software quality as people rush to implement things that aren't needed so as to check all the boxes.

Conversely, people that follow Fowler and his crowd tend to make things much much worse when given more time. Fowler provides a lot of things people can waste time doing. More time means more layers of indirection and code for the sake of code. Virtually all of said additions incur a guaranteed cost and none of them provide guaranteed benefit. I'd like to hope that Fowler is aware of this and cautious in his approach, though his advice here has plenty of potential to be a plea to provide budget for this kind of waste, which is counterproductive.

I might have a backlog like this...

* Users->Feature: Allow users to have more than one X.

* Government Agency->Compliance: Update data collection to include field X.

* QA->Lifecycle: Make mission critical area X easier to test.

* Audit->Research: Investigate ways of detecting fake users.

* Research->System: Upgrade database to next major version to gain feature X.

* Benchmarks->Optimisation: Use precise indexes for use case X.

* Business->Feature: Allow billing on an annual basis.

While performing these, you might use a variety of different strategies and approaches as a side effect. Refactoring tasks might spawn from them.

A back log inspired by Fowler and friends might look like this:

* Fowler->Code Quality: Implement Specification Pattern.

* Blog->Code Quality: Implement Command Bus.

* CS 134->Code Quality: Implement Unit Testing.

* Conference->Code Quality: Implement Event Sourcing.

* Job Specs->Code Quality: Implement DDD.

* Social Chat->Code Quality: Implement Visitor Pattern.

* Best Practices->Code Quality: Implement REST fully.

When a Foullower is performing these, they might implement some features as a side effect. Code Quality (tm) tasks might spawn from them.

If you write a back log such as the one I originally wrote, don't expect it to solve the problem. All of the items from above will be aliased to those below, most likely respectively.

The code produced by such a follower of Fowler will present you with a riddle, wrapped in an enigma, housed in a mystery, planted in a puzzle, kept in a secret and all tied up into a knot. It might as well actually be encoded which often ironically arises from people following blind processes for the promise of readability.

I very commonly see code that only has to take a simple list from the database and return it to a client in a format such as JSON. If I implement this feature then I end up with very little code. Perhaps a dozen lines. If more than one object or method, almost certainly not exceeding half a dozen. We're probably talking around 50 lines, though do it a second time and that can drop to 10 lines. When it's code following rituals Fowler sets out, you can expect portions of it to be dispersed all throughout the system. Dozens of hops, classes, methods, hundreds or even thousands of lines, etc. You'll probably find those things ill construed, as ultimately effort will have been divided across such a system. It boggles the mind when people do things like convert a map to an object, send it through a maze then convert it back to a map again only to run a few if statements on a few fields and to rename or cast a few fields.

You can't entirely blame Fowler for this stuff, people can take his stuff and do what they want with it or leave it, but you also might think he'd be more aware of this set of problems arising from process driven and fad driven development. Not many people are going to like this but the truth is not many people building software know anything about building software either, and Fowler isn't particularly effective at improving that despite his efforts. Fowler exploring other shops is good, there's a lot of variety and things to see in software engineering, though I think he needs to see more environments, where he'll surely see that more time than really needed is catastrophic. Though it might not be obvious unless actually working on such a codebase and realising half of it can be tossed. Give away time and money and don't expect it to be spent wisely by default. Some programmers will do amazingly but most will squander it. You'll end up with Albanian bunkers.

I think there's also a cultural difference. Many people including Fowler talk as if they've been spoiled in certain regards. It would be nice if that were the situation for all programming but the reality is, in the professional world, that's by far not normal. Many programmers do not have financial security. Neither do their employers. It's not necessarily possible to pull an unlimited budget out of the air or support a rapid turnaround. The kind of thinking that might make sense for a cash cow such as IBM might not be appropriate for small to medium companies.

I always strive to write high quality software upfront but also take the time needed to bring the software up to a minimum standard, almost to the point of no matter what. What I don't do however is excess. Fowler provides plenty of ammunition for those prone to excess. There's always a competing axiom, which is the more you do the more you have to do. Whatever you do ought to offer the best value. The strongest drivers of cost effectiveness tend to be basic yet abstract principles such as YAGNI, DRY, consistency and good organisation, and most of all being dedicated to purpose, not the gospel of software engineering.

Time is a secondary factor. Things have to be done to a certain level. If not then you lose the game; when you sacrifice the present for the future too much then you reach the point where you have no future. Two thirds of the projects I've inherited are cases where developers have done that then moved on at the point where it just becomes too much for them to handle, onto the next thing for a new start. Usually level two developers end up having to take over level two projects where level one programmers have not only done as much as they can but have driven themselves into a dead end. Individual skill factors in far more than other factors or checklist items.

For me, in these circumstances, ironically code quality is absolutely crucial for success. Elite teams taking "only an hour" to push a release? Aside from that not being qualified, that's not by any means spectacular. This to me suggests a large discrepancy between people where it comes to experiences, expectations and standards. It shouldn't be considered "elite" when a system facilitates development to production in under an hour. That's standard. If something takes an hour then there are usually special circumstances involved or it's just terribly constructed. I think to have a set of experiences where that's something to marvel at only means he should get out even more to see what's happening in other shops.

Personally, I don't do it by the book and I won't buy the book.

Biting the hand that feeds IT © 1998–2019