My Security Nightmare

Filed Under Programming

As Willie Sutton didn’t say, “I rob banks because that’s where the money is.”

I work for a bank, and so I worry more about security than most programmers. After all, if a hacker were truly motivated and competent, who would they pick to go after? Probably a bank (the other good option is political or corporate espionage). Recently I saw two security-related stories which, when combined, form my ultimate nightmare: an effective attack for which I cannot imagine a possible defense. Read more

Threadsafe Java Servlets - a solution

Filed Under Programming

In a previous post I wrote about how nearly all web applications built on Java servlets suffer from potential threading issues. Web browsers can make multiple simultaneous requests, which will result in multiple threads concurrently modifying the (not threadsafe) HTTPSession. Most people just ignore the problems (which strike rarely), some serialize all requests for the same session, but neither of these works as well in a world where AJAX-based user interfaces are becoming more common. I hope to describe the basic outline of a solution; explaining, as I go, the reasoning I used in coming up with it. Read more

Threadsafe Java Servlets

Filed Under Programming

Web servers are inherently threaded applications: their primary purpose is to serve up a website or web application to a large number of users. Essentially all of the frameworks for creating web applications, such as Java’s “servlet” specification and all of the structure built on top of it, provide built-in support for handling queries from different users simultaneously, and they make it possible for these threads to operate “safely” (without data corruption) so long as a few basic rules are followed (“Don’t store anything in the servlet instance variables.”, and “Don’t access anything stored in static variables unless it is threadsafe.”).

However, threading issues for web servers are not limited to the fact that there are multiple simultaneous users — it is also possible to be processing multiple HTTP requests from a single user at the same time. Read more

The Secret to Making Chrome

Filed Under Programming

Google has released a new browser, “Google Chrome”. It features quite a few innovations: some user interface innovations include tabs above the menus and URL bar, a single field combining the URL and search fields, search and status bars that disappear when not in use and a home page showing small versions of your 9 most-visited sites. Perhaps most interestingly, it runs each tab and plug-in in a separate process so errors or slow-downs in one cannot affect the rest. It also features a strikingly fast JavaScript engine (for those fancy “Web 2.0” AJAX pages) and some interesting security innovations like “scoping” pop-ups to remain over the page that generated them. And it supports a porn mode… sorry, “Incognito Mode” where no record is kept of your browsing (is this because Google knows something about our browsing habits?). Read more

Metaphorical Programming

Filed Under Programming

Unlike computers, humans tend to think in metaphors. That is, when we want to reason about something new or unfamiliar we reason by analogy with something familiar. This is a great mental trick and it is part of what allows humans to be flexible and to deal with unanticipated circumstances (exactly the kind of thing that computers cannot do), but there is a danger as well: where the analogy chosen is not a close match, our thinking can be led astray. One place where these analogies are often poor is in thinking about the process of programming. Read more

Go Easy on the Maintenance Programmer

Filed Under Programming

“Maintenance Programmer”: This common and underappreciated species of programmer is often heard muttering and cursing under their breath. Sometimes bald from tearing their hair out in frustration.

From time to time we all have to do it: simple changes and maintenance to code - often other people’s code. And the truth is that most code spends far more time in maintenance mode than it did in design, coding, or initial debugging. Yet maintenance programming is notoriously difficult (even if it does tend to get assigned to the most junior developers on a team). I will identify the main reason I think maintenance is difficult, and suggest one specific programming practice that can make your code easier to maintain. Read more

A random selection algorithm

Filed Under Math, Programming

Suppose you want to select k things randomly from a list of n items, with no duplicates. Read more

Two more uses for a Secure Hash

Filed Under Programming

In a previous article I talked about using salt with a secure hash, but all of the examples assumed that the secure hash would be used to validate passwords. Secure hashes can be used for many other purposes, and I’ll illustrate that by describing two other possible uses. Read more

Why User Stories?

Filed Under Programming

Any software project needs a Business Requirements Document (BRD)—a document which describes what the deliverable is supposed to do once it’s been built. The traditional (waterfall) way is to write it in paragraph form, but several agile development techniques recommend writing it in the form of a collection of “User Stories”. Read more

Always use Salt

Filed Under Programming

I’m not a very good cook. One reason is that I’ve never mastered the art of tasting the food as I go along and seasoning it properly. When cooking, I never seem to add the right amount of salt. As a programmer, though, I always use salt. Read more