The Science and the Reality of Motivation

14 November 2011

I saw this lecture a year and a half ago from the TED website. It is now apparently on YouTube.

Career analyst Dan Pink goes over the science of motivation. He explores how tasks have changed in the last century to make the traditional motivators ineffective or even harmful to productivity. I especially like the reference to ROWE starting at 15:15. The number of ROWE companies has at least doubled since this talk (See: http://www.gorowe.com/know-rowe/rowe-approved-companies/ ). When he gave this talk, the ROWE website only showed 6 of the “dozen or so” companies he mentions.

How To Choose an “Excellent Computer Programmer” From Your Job Candidates

4 November 2011

What are “Excellent Computer Programmers”?

My employer recently had to let go a programmer hired for a senior level programming position who was not up to the task of producing senior level code. The manager (a wonderfully patient mentor) worked with this programmer for over a year, and they were still producing junior level programmer code.

So how can you find one of those computer programmers that can:

  • do whatever they are asked to do in any programming language/framework you specify (even if they have no experience in it at all);
  • tell you how long it would take to write in that programming language/framework (at only a few hours into it);
  • offer alternate programming languages/frameworks to shorten the time to market;
  • tell you the impact of using the new programming language/framework;
  • and determine when the cost of writing and maintaining the custom solution will be more than the savings for having it.

In other words how do you find an “Excellent Computer Programmer”?

“Excellent Computer Programmers” Are Rare

I have had only four or five co-workers throughout the years (out of dozens) who were “Excellent Computer Programmers”. I, myself, am an “Excellent Computer Programmer”.

If you work with a computer programming department, you can usually determine if you have one on staff.

  • Who do your senior programmers ask how to solve complex problems? Is it the same person for a variety of different complex problems?
  • Do your senior programmers say something to another programmer like “you could probably do this much faster and better” about a variety of different tasks?
  • Does that programmer mentor the other programmers so they can do the complex tasks themselves?
  • Is that programmer motivated by the sense of accomplishment or helping others?
  • Does this programmer write clean code that does the job and yet the code is elegant in its simplicity?

If so, you might have an “Excellent Computer Programmer” on staff.

The Wrong Way To Find Them

I have looked closely at many job postings (approaching two hundred) over the last few years.

Many of the job postings are extremely specific in the skills and experience they want like: Hibernate; RichFaces; Eclipse; EJB; and JBoss. Some even put version numbers for the libraries/frameworks/programming languages they list. Nearly all of these want these skill sets as required experience.

It makes me wonder if the hiring manager has given up on finding an “Excellent Computer Programmer” and is settling for junior level or mediocre programmers. Are they looking for the kind of junior level programmers who have a hard time programming in anything other than the specific libraries/frameworks/programming languages that a wonderfully patient mentor taught them to be moderately proficient in?

Maybe the hiring manager hasn’t had the experience of having an “Excellent Computer Programmer” on their team before. Or maybe they are not aware that HR tends to filter out resumes for them. An “Excellent Computer Programmer” probably does not have the exact experience they list in the required section, so the programmer’s resume does not get past the HR filter.

I have been on at least one interview where they stopped asking questions and had concluded I could not do the job once they found out I had no experience in a specific library even though I had experience in a similar library. To my surprise, they did not ask about my ability to learn the new library. Since that interview years ago, I have started to volunteer the information of how the library/framework/language they are asking about is similar to something I already have experience with (this requires a slight amount of homework before the interview.)

What to Look For

1. A Variety of Programming Languages. Remember an “Excellent Computer Programmer” can work at a senior level in any programming language, even ones they have absolutely no experience with, so they tend to rack up experience in a lot of different programming languages. If you count up the number of programming languages I have used professionally including declarative languages (like HTML, ANT, XML, and XSLT) they total 20.

2. Three Years or More at Each Employer. Looking at how long they hold down each job can tell you if their variety of programming languages is an indication that: they learn new programming languages as needed; or they jump around from job to job because they have not found a good fit yet. I have been at my current employer for 9 years, yet I have far from stagnated in my career. This is because I have programmed in several programming languages while here. These include Java, JavaScript (DOM Scripting, AJAX, Prototype, and jQuery), PERL, PHP, PL/SQL (Oracle), SQL (MySQL), Flex, Actionscript 2.0, Actionscript 3.0, ANT and C.

3. Pet Projects Outside the Scope of Their Job Description. “Excellent Computer Programmers” tend to engage in pet projects that are outside the scope of their job description to fill in time when they: get burned out on the task they are working on; complete a task before the deadline; or during other down time. These usually can help the company they work for. My pet project is Software Development Security (SDS). SDS involves building software that is resistant to attacks like (but not limited to) SQL Injection, XSS, XSRF, Clickjacking, or Session Fixation/Hijacking.

4. Main Motivation Behind Their Programming. All of the “Excellent Computer Programmers” I have known have a specific motivation behind why they chose computer programming as a career. You’ll get different answers, but they all boil down to two categories: personal accomplishment; and helping others. “Excellent Computer Programmers” get animated and excited (relatively speaking) when talking about how they had a hard problem that they finally were able to solve. They also talk with a sense of pride about how their program was used to help other people. They never have as their main motivation: “to get a paycheck”. My main motivation is that I get a great deal of happiness when I have created a program that makes someone else’s job easier to do.

Conclusion

In order to hire a computer programmer who can do practically anything with any language under practically any environment constraints, including what you are specifically looking for in a programmer, you need to go past the “we need experience in these specific technologies” mind-set. Look for a programmer who: can adapt quickly due to experience in a wide variety of programming languages; is committed to getting the job done by staying at employers for the long haul; keeps doing programming related activities in their spare time; and is motivated by the challenge and impact of their programming.

Why do Programmers Hate to Code? My Programming Philosophy Part 2

31 August 2011

I would like to expound on my previous programming philosophy post (dated over two years ago).

Have you ever found yourself in the following situation? You have a task to accomplish that is just a little over your head. You have gotten a solution ready, but can’t quite get the last piece in place. You find an Open Source library that solved your particular problem because it was required for the library to work, however the library itself is not what you need. You just want to see how someone else solved the problem. Maybe it will give you an idea of how to solve it for yourself, maybe not.

I have had this situation myself a couple of times, so I delved into someone else’s code to find the answers. In each case I found (especially in Java Open Source projects) that it took hours to find where the heck in the object hierarchy the task actually gets done. Some object sends the information up the inheritance tree, where some parent actually encapsulates another library to do the task; that library in turn sends it up its own inheritance tree to encapsulate other objects, each of which does a little of the task.

So why are programmers so averse to actually writing the code to get tasks done? Do they all think of themselves as “Architects”, with code that actually does stuff left to the “Implementer”? Is it that they are so steeped in the OOP philosophy (rammed down their throats in school) that they can’t think of any other way to code? Paul Graham (one of the authors of Viaweb, and one of the creators of ARC) has suggested that it might have something to do with OOP making you look busy while you are not actually programming a solution. (See: Why Arc Isn’t Especially Object Oriented)

I think the answer includes some if not all of these ideas, but at the very heart of it comes down to the fact that programming is dull and the software developer wants it to be more exciting. This would explain why for each project certain programmers will spend lots of time re-creating hierarchies of taxonomies of objects to fit a new set of circumstances instead of using the old ones in the previous project. After all, for most programming tasks, defining how the code should complete the task involves more creativity and more brain power than actually writing the code to do the task.

I stand by my previous statement. If there is not a compelling business reason to code something in a particular way, then I will not. This includes Object Oriented Programming. There is no point to define an Interface or an Abstract Class if there is only one implementation of it. There is no point in creating an object that just encapsulates another library and passes the data to it to be processed.

Edited to Add: For me, compelling business reasons to use a technology like object oriented programming would include: fixing bugs in (or adding to) an existing/legacy code-base; conforming to policy laid out by management; interfacing with other code in a larger system; and building my code so a team member can work with it and/or take the project over. In these instances I would still make the case to management for why I think the code would be better suited to other architecture/technology choices.

Email Insecurity Analogy

13 December 2010

I have struggled in the past to explain to non-technical people the importance of not sending anything of a sensitive nature over email. In this post I will endeavor to provide a poignant analogy that all of the non-technical people I know can relate to.

The Set Up

Imagine, if you will, that instead of a centrally controlled, government operated postal system, we had a postal system that companies owned.

Some companies would specialize in home delivery of postal mail; other companies would specialize in providing postal mail for other companies. Some companies would specialize in sending postal mail from city to city.

Each company would be responsible for paying for their own costs of setting up and maintaining their postal system.

If a company wanted to become part of this postal system they would only need to connect to another company and they could send and receive postal mail.

The Technology

In order to speed up delivery of postal mail, the companies would put in a pneumatic tube system so that they could send messages quickly to other companies.

Because different companies may have unreliable postal systems each company must make a copy of each postal mail piece that comes through the system just in case they need to re-send the postal mail. To facilitate this all postal mail is on postcards.

Each company has several pneumatic tubes connected to different companies. That way if a particular company is getting too much postal mail, it can be routed to a company that has less traffic.

Engineers came up with a way to speed up the process even further: they created machines that automatically copy the message and send the original out another pneumatic tube that will put it closer to its destination. These machines automatically send the copies to an archive room in case they are needed to resend the postal mail.

The Security Problem

Because each company is responsible for the cost of setting up and maintenance of their own postal mail system, the security they can provide varies greatly.

One company may have armed guards and iris scans to validate the people who enter both the archive room and the postal mail system room. Other companies may only have enough money to pay for a tent to hold their archive and postal mail system rooms.

One company might shred all postal mail copies every day, others might wait months to shred.

Some criminals may opt to break into the archive rooms of companies and steal all of the copies of the postcards.

Because there is no verification of companies, criminals can set up their own postal mail systems and connect them to other businesses. As long as they do not abuse the postal mail system by sending out lots of junk mail, they can go undetected by other companies. They can then copy postal mail at will and use what they see for their own gain.

Some criminals of the engineering type would also seek out legitimate companies with small security budgets; they would go into the copier room under false pretenses and modify the copiers to not only copy the mail and send it to the archive room, but also make a second copy and send it to them.

Other criminals (or government officials) would know where the pneumatic tubes are located as they go through the cities and would drill small holes in the pneumatic tubes and set up cameras to automatically take pictures (make copies) of messages as they went past.

Because each company has its own postal mail system, and each system is connected to several other companies’ systems, it is impossible for you to tell which company’s postal mail system your postcard will go through. So you cannot tell if your postcard will be copied by criminals or by government agencies.

Conclusion

While this is not an exact analogy to the way email works, it is a close approximation. You cannot tell if your email will get copied and put in the hands of criminals, even up to two years after it is sent. Sensitive information like passwords, credit card information, etc. should never be sent over unencrypted email.

Good Crypto Done Badly

23 September 2009

Background

Sometimes you have to encrypt data inside your database either due to regulations like the PCI-DSS or because it is a good thing to do. Passwords are typically encrypted, so are credit card numbers. But these two sets of data are used differently and therefore should be encrypted differently.

In the case of a password, it never has to be retrieved in its original form. All that is needed is to check that the password entered in the authentication attempt is the same one entered at the last password change. This can easily be done with a one-way hash function like SHA-256: you use the same one-way hash function to hash the password entered in the authentication attempt and compare the stored hash with the computed hash.

On the other hand, a stored credit card number needs to be decrypted so that the process that communicates with the payment processor can actually send the credit card number and not an encrypted string. This requires a reversible encryption algorithm like AES-128 or Triple DES. These algorithms’ security relies completely on the ability to keep the encryption key a secret. These algorithms are good crypto, so how can you implement them badly?

Example

A well intentioned programmer decided to use Triple DES as the underlying cypher and understood that the key must be kept a secret. He created an Oracle package (a group of stored procedures, stored functions, and common data variables) where he included an encrypt and decrypt function. He then used the Oracle “wrap” utility to “encrypt” the package because the key he used was hard coded into the package.

Why is this “Good Crypto Done Badly”?

The underlying cypher is good, and this method will protect the data stored on backup tape. However, it completely removes the need to know the key to decrypt the data in a live environment: a SQL Injection attack can reveal the decrypted data (in this case credit card numbers) without knowing the key.

How can it be fixed?

Without any more overhead, the programmer can split the key into two parts, one of which is compiled into the program accessing the database and the other kept inside the wrapped package. The half of the key that is compiled into the program is then passed into the encrypt and decrypt routines. This alone will greatly complicate the attacker’s job.
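To make the difference between the two designs concrete, here is an added Go sketch (not the author’s Oracle package) of both: a decrypt routine that holds the whole key and therefore hands plaintext to any caller able to invoke it, beside the split-key variant, where the routine holds only its half and the caller must supply the other on every call. AES-128 in GCM mode stands in for Triple DES so that a wrong half fails with an error instead of returning garbage; the key halves, their names and the card number are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample values, not real keys. The two 8-byte halves together
// form one 16-byte AES-128 key.
var (
	dbKeyHalf  = []byte("DBHALF01") // hypothetical: lives inside the wrapped package
	appKeyHalf = []byte("APPHALF2") // hypothetical: compiled into the application
)

// joinKey is how both designs assemble the full key; only where the halves
// are stored differs.
func joinKey(first, second []byte) []byte {
	key := make([]byte, 0, len(first)+len(second))
	key = append(key, first...)
	return append(key, second...)
}

// gcmSeal encrypts with AES-GCM and returns nonce || ciphertext || tag so the
// stored value carries everything needed to decrypt it later.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; the authentication tag makes a wrong key fail
// with an error rather than yield garbage.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// DecryptHardcoded models the original package: the whole key is inside, so
// anyone who can call the function (for example through SQL injection) gets
// the plaintext without knowing any secret.
func DecryptHardcoded(sealed []byte) ([]byte, error) {
	return gcmOpen(joinKey(dbKeyHalf, appKeyHalf), sealed)
}

// EncryptSplit and DecryptSplit model the fixed package: it holds only
// dbKeyHalf and the caller must pass the application's half on every call.
func EncryptSplit(plaintext, callerHalf []byte) ([]byte, error) {
	if len(callerHalf) != len(dbKeyHalf) {
		return nil, errors.New("caller must supply its half of the key")
	}
	return gcmSeal(joinKey(dbKeyHalf, callerHalf), plaintext)
}

func DecryptSplit(sealed, callerHalf []byte) ([]byte, error) {
	if len(callerHalf) != len(dbKeyHalf) {
		return nil, errors.New("caller must supply its half of the key")
	}
	return gcmOpen(joinKey(dbKeyHalf, callerHalf), sealed)
}

func main() {
	pan := []byte("4111111111111111") // constructed test card number
	sealed, _ := EncryptSplit(pan, appKeyHalf)
	if _, err := DecryptSplit(sealed, []byte("WRONGHLF")); err != nil {
		fmt.Println("split design, wrong half:", err)
	}
	plain, _ := DecryptSplit(sealed, appKeyHalf)
	fmt.Println("split design, right half:", string(plain))
	plain, _ = DecryptHardcoded(sealed)
	fmt.Println("hardcoded design, no secret from caller:", string(plain))
}
```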

Virus Alert E-mails

14 September 2009

This morning my wife received an email from her step mother. It contained an attachment that she was not expecting, so she called me over to see if it was safe to open. The attachment was benign: it was an .eml attachment, which G-mail displayed as plain text.

It happened to be a chain letter email warning of a virus. (No, the irony was not lost on either me or my wife.) The alert message claimed to be verified by Snopes, with a link. The link was a valid Snopes link verifying that it was a real virus, but that the message had hoax parts as well.

I was going to write back with a step by step explanation of how this is a hoax using the conventional list of how to recognize a virus hoax (like here: http://www.rbs2.com/choax.htm ). But I have changed my mind. I am resigned to the fact that I will never be able to educate the end user about what a real security threat is vs. a mostly hoax threat. I will take a different approach: drawing a parallel between anti-virus and a utility like electricity.

I will tell them that virus alerts should NEVER be passed on under ANY circumstance (verified or not). By the time they see the email message it is already outdated. (In this case 3 years for the original virus, and 18 months for the “real virus/hoax” combination e-mail.) The anti-virus manufacturers update their products every day to protect against new viruses, so they are more apt to be current than your email inbox.

They should have current anti-virus, anti-spyware, and a NAT enabled firewall to keep themselves safe.

Putting a computer on the Internet without current anti-virus software is like purchasing a computer without having electricity. If they do not have the money to pay for current anti-virus software, then they don’t have the money to put a computer on the Internet.

I am loath to tell them that they can switch to Linux, because I will have to do their system administration for them.

Enjoy Weird Al Yankovich’s Virus Alert (uploaded by Al himself): http://www.youtube.com/watch?v=KmK1agiw1wE

A Kind Offer From Deborah Hale of the ISC at SANS

28 August 2009

I was reading an Incident Handler Diary entry at the ISC (Internet Storm Center, run by the SANS institute) by Deborah Hale. It is entitled “Website compromises – what’s happening?” She asked the question, “What are you doing to protect your webpages?” I started to type a response in the comments and realized it was getting way too long for just a comment to the story.

She read my comments and asked if she could use some of them in the update to the Diary entry. She used such kind words as “excellent advice” and “well said”. I agreed to let her use any of my comments. Thank you Deborah for the very kind response.

I am including a full copy of my response below.

I was going to post as a comment to the diary entry but it became too long. So I am putting it into the feedback form.

There are several IT’y and SysAdmin’y ways to protect against this specific attack and attack vector (FTP based website defacement), some of which have been excellently presented in comments to the original article.

Being a web development security professional, myself, I can give my perspective from a development standpoint. It all comes down to risk analysis. Sure anyone can throw together a web page, however not every website is going to be targeted for even most types of attacks.

Website defacement is applicable to any site, but fraudulent money transfers, fraudulent ordering, credit card skimming, and identity theft are not. It really depends on the data you have accessible on your website to determine what kind of measures you use to secure your website.

For example, my wife’s genealogy site hosted at our ISP is vulnerable to FTP based website defacement; however, that is an acceptable amount of risk for us. We have a backup, we use a complex password, and the data itself is non-identifying (it starts far enough back that there is little chance of identity theft without an inordinate amount of work).

At work, however, updates are done over ssh, the ssh port is firewalled to specific IP addresses, change control procedures are in place, nightly backups are done, we are actively working to prevent the vectors of SQL Injection, cross-site scripting, cross-site request forgery, etc. This is not to mention all of the stuff the System Administrators do to protect against attack on the OS and Network level. We have credit card data to protect as well as a lot of customers’ data to protect.

Again it boils down to what is an acceptable amount of risk.

For the ma and pop websites where they just have a little data that is not at high risk of compromise, I would give the advice: If you would not paste it in your house’s windows (like pictures of your child, the combination to your combination lock, a picture of your front door key, your ssn and bank account info) don’t do the equivalent thing online (post pictures of your children, use a weak password, post identifying information).

The Quantum Computing Conundrum And Why People Get it Wrong

11 August 2009

There is an old joke that was used in the television series “Home Improvement”. It deals with a guy, let’s call him Tim, who is looking at a new tool with a version number of 600.

His wife asks, “Don’t you have one of these already?”
Tim says, “No, I have a version 500.”
She asks, “What’s the difference?”
Tim says, “The 600 is 100 better than the 500.”

The reason this joke comes to mind is that I just read an article at New Scientist entitled Ditching binary will make quantum computers more powerful. Mathew Neeley, a Physics Graduate student at UCSB, is quoted as stating that a given computation can be done with fewer “quidits” (a five state quantum storage unit) than “qubits” (a binary quantum storage unit). The article, written by Paul Marks, then goes on to state that more powerful computers can be created if we move away from the binary representation in computing to a higher base number system (he said things in a more layman’s way, but that is what he meant). What articles like this fail to mention is that although memory (RAM, Solid State Hard Drives, etc.) would benefit from one memory unit having more than one state, the actual computations (adding, subtracting, multiplying, and dividing) would suffer significant slowdown by moving to a higher base number system.

Most of the tasks a CPU does are comprised of five basic functions: move memory values from one point to another; add values; multiply values; subtract values; and divide values. The binary number system gives us a significant advantage in adding, multiplying, subtracting, and dividing because we can do several shortcuts that we can not do in higher based number systems. The best example I can think of is subtracting one piece of data from another.

While subtracting, you need to keep track of possible borrows from positions higher than the current position, and this can cascade all the way up to the highest-order position. Contrast that with adding, where you only need to keep track of a single carry to the next position. When implementing the operation in hardware, simpler designs make for faster operations, so most computer arithmetic logic units implement subtracting by adding.

Subtracting By Adding

Mathematicians have taught us the great idea of the method of complements to subtract by adding. In brief, you take the number you are subtracting and calculate its diminished radix complement. Add one to the diminished radix complement to get the radix complement. Add the radix complement to the number you are subtracting from and ignore the carry.

Example base-10:

  873
- 219
=====

Calculate the 9’s complement of 219, which is basically the number you need to add to 219 to get 999. This number is 780. Add one to this number to get the 10’s complement. This number is 781. Add the 10’s complement to 873 and ignore the carry.

  873
+ 781
=====
 1654

Ignore the carried 1 and you get 654, the correct answer for subtracting.

But wait, I actually had to subtract 219 from 999 in order to get 780, so this method is adding unnecessary overhead to the original subtraction problem.

Here is the beauty of using binary. In order to calculate the diminished radix complement (1’s complement) all you have to do is flip the bits. If it is 1 make it a 0, if it is 0 make it a 1. This is a simple logic NOT operation. Then we add 1 to it, then add, ignoring the carry.

Here is a binary example:

  01100100  (equals decimal 100)
- 00010110  (equals decimal 22)
==========

Calculate the 1’s complement = 11101001. Add 1 = 11101010.

  01100100
+ 11101010
==========
 101001110

Ignore the carried 1 and you get 01001110 (equals 78 decimal).
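As an added illustration (not part of the original post), the following Go program carries the method of complements through for any base and digit width, then shows the binary special case where the one’s complement is a bitwise NOT and fixed-width unsigned arithmetic drops the carry for free. Both of the post’s examples (873 − 219 in base 10 and 100 − 22 in 8-bit binary) are reproduced, plus a base-16 case to show the generalization.

```go
package main

import "fmt"

// toDigits writes n as `width` base-`base` digits, most significant first.
func toDigits(n, base, width int) []int {
	d := make([]int, width)
	for i := width - 1; i >= 0; i-- {
		d[i] = n % base
		n /= base
	}
	if n != 0 {
		panic("value does not fit in the given digit width")
	}
	return d
}

func fromDigits(d []int, base int) int {
	n := 0
	for _, x := range d {
		n = n*base + x
	}
	return n
}

// addDigits is the only arithmetic the method needs: a ripple-carry add that
// returns the sum digits and the carry out of the top position.
func addDigits(a, b []int, base int) ([]int, int) {
	sum := make([]int, len(a))
	carry := 0
	for i := len(a) - 1; i >= 0; i-- {
		s := a[i] + b[i] + carry
		sum[i] = s % base
		carry = s / base
	}
	return sum, carry
}

// RadixComplement returns the radix complement of b in the given base and
// width: each digit d becomes (base-1)-d (the diminished radix complement),
// then one is added. For base 10, width 3: 219 -> 780 -> 781.
func RadixComplement(b, base, width int) int {
	dim := make([]int, width)
	for i, d := range toDigits(b, base, width) {
		dim[i] = (base - 1) - d
	}
	radix, _ := addDigits(dim, toDigits(1, base, width), base)
	return fromDigits(radix, base)
}

// SubtractByAdding computes a - b (for 0 <= b <= a) by adding the radix
// complement of b to a and discarding the carry out of the top position.
// The discarded carry is returned as well so it can be inspected.
func SubtractByAdding(a, b, base, width int) (result, droppedCarry int) {
	comp := toDigits(RadixComplement(b, base, width), base, width)
	sum, carry := addDigits(toDigits(a, base, width), comp, base)
	return fromDigits(sum, base), carry
}

// Subtract8Bit is the binary special case the post describes: the diminished
// radix (one's) complement is a bitwise NOT, and fixed-width unsigned
// arithmetic throws away the carry automatically.
func Subtract8Bit(a, b uint8) uint8 {
	return a + (^b + 1)
}

func main() {
	r, carry := SubtractByAdding(873, 219, 10, 3)
	fmt.Printf("873 - 219 = %d (carry %d discarded)\n", r, carry)
	fmt.Printf("100 - 22 = %d\n", Subtract8Bit(100, 22))
	r16, _ := SubtractByAdding(0x1A2B, 0x0F0F, 16, 4)
	fmt.Printf("0x1A2B - 0x0F0F = 0x%04X\n", r16)
}
```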

Conclusion

Unless mathematicians can come up with simpler algorithms to do the basic building blocks of computing in a number system greater than binary that can match the speed of binary computing, then binary computing is not going away.

However, the quidit storage unit may have applicability to extremely large memory systems where the largest delay is the transferring of the data to the processor. Jonathan Home at NIST is quoted in the article as saying quidits will help pave the way for large scale quantum computing because it solves the “information transport” problem.

Still this would necessitate a conversion to binary in order for the processor to use those nifty mathematical tricks in order to keep up with the memory retrieval.

I applaud Jonathan Home of NIST for keeping a perspective on quantum computers.

I survived my local city celebration, by about 6 feet

15 June 2009

The Story:
My family and I went to our local city celebration on Saturday afternoon to use up the rest of the ride tickets our kids suckered us into buying the day before. I dropped off my wife and kids then looped around the park a few times to find a parking space.

When we met up we were going to see the local ambulance helicopter, but it was out on a call. So we decided it would be a good idea to look at the ambulance and fire engine they had on display. While the kids were in the ambulance, we told them how our oldest flew in an ambulance helicopter when he was a week old and also how daddy (me) rode in a truck ambulance when I got hit on the head at work before he was born.

I looked closer at the fire engine, but the rest of my family was gravitating to the military vehicles on display. The wind had started to pick up and I noticed that the clouds looked a little green. My wife called me and we saw each other. I started walking toward my family as my son decided he needed to use the porta-potty. A micro-burst wind started. I heard a crack and a branch fell on my head.

I grabbed my head in pain. I did not lose consciousness, but after I looked at my hands and saw a lot of blood, I sat down on the grass as it started to rain. Within seconds of me sitting down there were people around me; one of them said “I know CPR” and took charge of making me comfortable and treating me for shock, including laying me down and supporting my neck with her hand.

In the meantime my wife had noticed the branch falling down and thought “oh, good, it fell between us”, looked around for our daughter, then realized she couldn’t see me. She ran to the fire truck (about 30 feet away), knocked on the door (they had all retreated to the inside of the fire truck to get out of the rain) and yelled that her husband had gotten hit on the head with a branch. Another person was knocking on the other side of the fire truck at the same time to tell them the same thing.

My wife came back to my daughter (4 years old, and yes she had forgotten her in the panic) took her to stand by me and went to get my son out of the porta-potty. The paramedics got to me, assessed my injuries and took me back to the ambulance (about 50 feet away). I was able to walk to the ambulance. By the time we got to the ambulance the rain was coming down hard.

The paramedics bandaged up my head and released me so that my wife could take me to the hospital. It took my wife a long time to get the car back to us because there was a mass exodus from the festivities because of the rain.

The Irony (or as I like to call it, the funny part):
When my wife brought the car, my kids exited the ambulance first. I realized I needed new shoes (because the tread is gone in my current shoes) when I slipped down the steps of the ambulance and landed on my arms on the steps of the ambulance. I laughed at the time at the irony and still laugh now.

The Conclusion:
At the local community hospital I was treated with six staples in my head and released.

I went back to the park later that day to see the branch that hit me. They had cleaned up the branch and put it in one of the dumpsters, but looking at the broken part the branch was about 3 1/2 inches in diameter where it broke off. The branch was about 8 feet or more in length. It was just the outer edge that hit me in the head. So in a very real sense if I was 6 feet further in the wrong direction I could have been killed.

Sudo access to less == Bad security practice

8 June 2009

I had a chance to work in an environment where there was a separate IT operations group (with root access to our development server) and a programming group.

The programming group needed access to the error_log of the Apache web server in order to track down problems. To my surprise the IT operations group allowed sudo access to the ‘less’ program as follows:

$ sudo -l
User [username] may run the following commands on this host:
(root) NOPASSWD: /usr/bin/less /var/log/httpd/*

While this does the job intended, it also has a serious side effect. The program ‘less’ has a command called examine (shortcut e). This allows you to open another file in the same ‘less’ instance. Because sudo only checks the initial launch of the executable for the correct pattern, the process itself runs as root and has all of the read/write access that root has.

What this means is that you can start with something innocuous like:
$ sudo less /var/log/httpd/error_log

Then use the examine function to open another file which is limited to root read access:
e /etc/shadow

Although an attacker cannot edit files through ‘less’, they can read sensitive files that contain passwords intended only for use by the root user.
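One narrower alternative, added here as an illustration and not something the post itself proposes: instead of a full pager, grant sudo on a small read-only viewer that has no examine command and refuses any path outside the log directory. The Go program below is that viewer; the directory comes from the sudoers entry quoted above, the binary name /usr/local/bin/logview is hypothetical, and it assumes /var/log/httpd itself is root-owned so nobody can plant a symlinked subdirectory under it.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// AllowedDir is the only directory the viewer will read from (the log
// directory named in the sudoers entry above).
const AllowedDir = "/var/log/httpd"

// ValidatePath accepts a requested path only if it is absolute and, after
// lexical cleaning, still lies strictly inside AllowedDir. This is the
// decision `less` never makes: its examine command opens anything the
// root process can read.
func ValidatePath(requested string) (string, error) {
	if !filepath.IsAbs(requested) {
		return "", errors.New("absolute path required")
	}
	clean := filepath.Clean(requested)
	prefix := AllowedDir + string(filepath.Separator)
	if !strings.HasPrefix(clean, prefix) {
		return "", fmt.Errorf("%q is outside %s", requested, AllowedDir)
	}
	return clean, nil
}

// openConfined opens the validated path read-only and refuses to follow a
// symlink as the final component (O_NOFOLLOW, so there is no check-then-open
// race). Assumption: AllowedDir is owned by root and not writable by the
// users granted this tool, so no symlinked subdirectory can be placed in it.
func openConfined(path string) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return nil, err
	}
	info, err := f.Stat()
	if err != nil || !info.Mode().IsRegular() {
		f.Close()
		return nil, errors.New("not a regular file")
	}
	return f, nil
}

// run streams the file to stdout line by line. There is deliberately no
// command mode: nothing here can open a second file or spawn a shell.
func run(args []string) error {
	if len(args) != 1 {
		return errors.New("usage: logview /var/log/httpd/<file>")
	}
	path, err := ValidatePath(args[0])
	if err != nil {
		return err
	}
	f, err := openConfined(path)
	if err != nil {
		return err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // allow long log lines
	w := bufio.NewWriter(os.Stdout)
	defer w.Flush()
	for sc.Scan() {
		w.WriteString(sc.Text())
		w.WriteByte('\n')
	}
	return sc.Err()
}

func main() {
	if err := run(os.Args[1:]); err != nil {
		fmt.Fprintln(os.Stderr, "logview:", err)
		os.Exit(1)
	}
}
```

The sudoers line would then name this binary rather than ‘less’, with the same glob on the argument; the path check inside the tool is what holds even when the argument pattern does not.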
