Apr 6 2010

Retweet March 2010

From time to time I just blast tweets about software development, project planning, team dynamics, or whatever else comes to mind. Here is a synopsis of recent tweets and rants. If you want to follow the conversation follow me at techknow and/or juixe and I’ll be sure to follow back.

Software Development

  • Security pet peeves: captchas, security questions, having to login after changing my password.
  • A supercomputer won’t solve the incompetence of bad programmers on a deadline.
  • All software is in beta.
  • The Like button needs to be killed.
  • -: “premature optimization is the root of all evil.” (-: “That’s what she said.”
  • This must be a record. I just improved our app’s memory consumption by 80%, some 400MB, by changing one line of code.
  • I love technology because I can now blame my misspelling on my iPhone.
  • Where 2.0 is the new meme. Is your website Where 2.0 aware?
  • Building a community and building a business around a community are not the same thing.
  • The linked list was recently patented, I’m going to patent something critical to civilization, like calculus or pottery.
  • Dear debugger, I wish you could introspect my feelings and put a breakpoint on my heart break.
  • A slew of computer bugs are caused by assumptions made by the programmer.
  • You know things are bad when you get error code 0000.
  • Bugs grow organically.
  • Is it possible to make spaghetti code out of Object Oriented Programmmmmming?
  • Rule of thumb: use immutable objects as keys to hash maps, otherwise get to know your debugger.

Team Leadership

  • The best ideas are free.
  • No matter what, you will never be less busy.
  • Let’s be honest, anywhere from 10-30% of a resume is a stretch.
  • So as not to forget anything, remember nothing.
  • When you give someone else time, you waste your own.
  • Don’t give any answer, give the right question.
  • If you have a one trick pony, ride it until it is ready to be put to pasture.
  • Problems are meant to be solved only if they can’t be ignored.
  • The one best possible thing you can do to make any situation better is to not make it worse.
  • One can lead by asking questions, just as well as giving orders.
  • If you build it, they will come. But if you make it too complex or change it too often, then they will leave.
  • The secret ingredient is to believe there is a secret ingredient.
  • I don’t express myself best when speaking, but when reflecting.
  • Praying may not change the world, but it can change your perspective, which is helpful to change your world.
  • Folks usually want the what first, but I think that the why and the how are more important than the what.

Product Placement

  • Facebook announced a major investment by the CIA. It was reported that the US Gov will push for Facebook Connect as a National ID program.
  • PayPal just sucks. I can transfer money to former Soviet Bloc countries faster than I can between PayPal and my bank.
  • Spam is like a staple in Hawaii. So it comes as no surprise that Mahalo is one of the most spam ridden sites online.
  • My suggestion to cable companies: give away basic cable to every American with on demand features. Add value outside the cable box.
  • Which will provide better value/info for businesses, yelp or foursquare?
  • The current Apple Appstore approval time is rand() * Months.
  • McDs should make a tofu McMuffin.
  • A sign at a Palo Alto church: redeem your soul, there is an app for that.
  • Purple Cow Thinking: don’t be boring, safe is risky, design rules now, very good is bad.

Quote

  • If there is a limit, you should, you must test it. – Seth Godin/Purple Cow
  • Vision without execution is hallucination – Thomas Edison
  • Success is not the key to happiness. Happiness is the key to success. If you love what you are doing, you will be successful. – Herman Cain

Mar 30 2010

Top 25 Most Dangerous Programming Errors

I’ve always been interested in understanding common programming errors so that I can easily recognize and diagnose problems, hopefully without spending hours staring at my breakpoints in my debugger. Previously, I’ve written on Common Groovy Errors and Top Worse Java Errors.

The US Department of Homeland Security, under the Common Weakness Enumeration initiative, put out the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors. Most of the errors listed are web application security programming errors.

  • Failure to Preserve Web Page Structure (‘Cross-site Scripting’)
  • Improper Sanitization of Special Elements used in an SQL Command (‘SQL Injection’)
  • Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  • Cross-Site Request Forgery (CSRF)
  • Improper Access Control (Authorization)
  • Reliance on Untrusted Inputs in a Security Decision
  • Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • Unrestricted Upload of File with Dangerous Type
  • Improper Sanitization of Special Elements used in an OS Command (‘OS Command Injection’)
  • Missing Encryption of Sensitive Data
  • Use of Hard-coded Credentials
  • Buffer Access with Incorrect Length Value
  • Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’)
  • Improper Validation of Array Index
  • Improper Check for Unusual or Exceptional Conditions
  • Information Exposure Through an Error Message
  • Integer Overflow or Wraparound
  • Incorrect Calculation of Buffer Size
  • Missing Authentication for Critical Function
  • Download of Code Without Integrity Check
  • Incorrect Permission Assignment for Critical Resource
  • Allocation of Resources Without Limits or Throttling
  • URL Redirection to Untrusted Site (‘Open Redirect’)
  • Use of a Broken or Risky Cryptographic Algorithm
  • Race Condition
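Several entries on that list come down to a check that looks right but is done on the wrong representation of the input. Path traversal is a good one to recognize on sight, so here is an added example (not from the CWE/SANS list or from this post) that puts two common weak checks beside a hardened one. The base directory /srv/uploads is a constructed value and does not need to exist on disk.

```python
import os

# Constructed example: a hypothetical upload directory. It does not need to
# exist on disk; os.path.realpath normalises non-existent paths lexically.
BASE_DIR = "/srv/uploads"


def naive_prefix_check(base_dir, user_path):
    """Weak form 1: join and compare string prefixes without normalising.
    Returns the joined path if it merely *looks* inside base_dir, else None.
    A '..' segment survives this check untouched."""
    joined = os.path.join(base_dir, user_path)
    return joined if joined.startswith(base_dir) else None


def normpath_prefix_check(base_dir, user_path):
    """Weak form 2: normalise first, then compare string prefixes.
    This removes '..' segments, but a sibling directory whose name merely
    starts with base_dir (e.g. /srv/uploads-secret) still passes."""
    candidate = os.path.normpath(os.path.join(base_dir, user_path))
    return candidate if candidate.startswith(base_dir) else None


def contained_path(base_dir, user_path):
    """Hardened form: resolve both sides (symlinks included) and compare
    whole path components, so a shared string prefix is not enough."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and three that should be refused.
    for p in ["photos/cat.jpg", "../../etc/passwd",
              "../uploads-secret/key", "/etc/passwd"]:
        print(f"{p!r:24} naive={naive_prefix_check(BASE_DIR, p)!r}")
        print(f"{'':24} normpath={normpath_prefix_check(BASE_DIR, p)!r}")
        print(f"{'':24} contained={contained_path(BASE_DIR, p)!r}")
```

The detail worth remembering is in the third function: comparing with os.path.commonpath after realpath compares path components, not characters, which is what closes the sibling-directory hole that the normpath variant leaves open. Note also that os.path.join discards the base when the user supplies an absolute path, so the absolute case is rejected by the component comparison rather than by the join.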

Mar 8 2010

Facebook, Zuckerberg, and Plain Text Passwords

Speaking about the public allegations that Mark Zuckerberg, alleged founder of Facebook, hacked into the Harvard email accounts of rivals and school journalists, Kevin Rose said that the allegations don’t even sound technically possible. The way the allegations are described, Mark Zuckerberg used the passwords of Facebook users he wanted to track on other systems. Since many online users tend to have only one or two different usernames and/or passwords, if you have the password for one online service you might guess the login password to another service for that same user. Clear text passwords are a real security concern. On This Week in Tech #238, Kevin said, “It doesn’t make sense, I don’t see it happening. … Nobody really stores passwords in plain text anymore, I can’t imagine Facebook would have done that.” I’m a fan of Kevin’s Diggnation podcast but I have to call him on this social media bullshit on technical grounds. It might be that his social graph is clouding his judgment. The sad truth is that even today, some large companies have been called out for storing passwords in clear text. In fact, a long time sponsor of Diggnation, Go Daddy, was recently accused of storing passwords in plain, clear, simple to read text. Surely he must have known or heard of the Go Daddy privacy mishap. His explanation that no one really uses clear text passwords anymore is very naive; it sounds like the advice given at the many tech conferences that Kevin is known to attend. I very much doubt that some “copy and paste” programmer in some college dorm room in 2004 would develop a website with 2010 best practices and user experience.

I would hope that Facebook does not employ practices such as these now, but I sure don’t trust them with my account and do the bare minimum on Facebook that is required to keep up with friends. An anonymous Facebook developer in an interview stated that any Facebook developer can impersonate any user and all data is unencrypted, so any developer can possibly run SQL queries to look up your data.

You have to think about it: for a social networking site, why can’t you befriend its founder, Mark Zuckerberg, like on other sites? I mean, Tom is in my top eight on MySpace. Don’t trust the 800 pound gorilla as far as you can throw it, especially if it is riding the elephant in the room.