Websites are Hard to Build

"It's just a small site, how hard can it be?"
"I thought you could do it for me as a favour. It's not a complicated site."
"This would take me an afternoon, but I don't have time, can you do it for me?"
Have you ever heard these comments before? Have you heard ones that are similar? I've been hearing them a lot in the last few weeks and it's starting to get to me.
I have just had a chat with a mate who is also suffering this pain, and that conversation is what inspired me to write this, the first random rant in a while.
OpenDNS is Wicked
Over the last couple of weeks the DNS timeouts and lags I've been experiencing at home have made the web experience a little dire. My ISP is actually pretty darned good, but for some reason they seem to have glitches with their DNS servers every now and then.
.NET-fu: Signing an Unsigned Assembly (without Delay Signing)
The code-base that I am currently working with consists of a large set of binaries that are all signed. The savvy .NET devs out there will know that any assembly that's used/referenced by a signed assembly must also be signed.
This is an issue when dealing with third-party libraries that are not signed. Sometimes you'll be lucky enough to be dealing with a vendor that is happy to provide a set of signed assemblies, other times you won't. If your scenario fits the latter (as a recent one did for my colleagues and me), you need to sign the assemblies yourself. Here's how.
Microsoft want to Annoy you, Cancel or Allow?
Before I even started using Vista, I hated UAC. I read about it all over the place, and laughed at the stupidity involved in asking users to constantly "cancel or allow" every action they wanted to take. As soon as I was forced to use Vista for work (both on my work laptop and on site with the client) I turned off UAC on both installations.
How to be an Idiot
I've just done something stupid. I attempted to install a new plugin for WordPress without verifying the contents of the package. The result? I lost most of the file system under this website. From what I can see in the script, it also attempted to do various other nasty things such as deleting files from outside the web root, and emailing certain files to other websites. It's a good job I have file permissions set up so that the web server can't access the file system outside of its root. I'm lucky it didn't attempt to trash the database too!
I've requested a partial restore of content from our web host so that I don't have to go through the pain of adding all the content again. Hopefully it'll be back up soon.
I'm not happy, but I only have myself to blame. Whatever you do, unless you're grabbing from the official WordPress plugin repo, make sure you check out the contents of the plugin before you attempt to install it!
Biosham ™
I can fully understand the desire a developer has to protect their creation from being copied illegally. I can understand why some steps would be taken to mitigate the risk of losing money due to piracy. What I can't understand is why some companies go so far with their anti-piracy measures that it starts to have an impact on the honourable, paying customers.
I have bitched in the past about how activation is a pain in the neck. But that example is nothing like what 2K Games have recently inflicted on the buyers of their latest creation, Bioshock. Rather than throw a few links to a bzillion blog and forum posts that have covered it already, let me just give you the short version:
- Bioshock comes with SecuROM.
- It requires online activation before it can be played.
- It can only be activated twice.
On the surface this might not sound so bad, but when you think about it a little deeper it becomes obvious why this is such a pain in the arse.
Digg is Being Used Against Itself
Over the last day or so, stacks of people have been hammering digg as a revolt against their recent actions. For those of you who don't know, HD-DVD encryption was cracked recently and the master key which allows all movies to be ripped has been released across the web. Digg, in their infinite wisdom, decided to kill off the original blog post (and apparently banned one or two users? - unconfirmed), resulting in an avalanche of posts preaching "free speech" and "fuck you Digg". Digg is now being dugg big time, and as a tool it's being used as a weapon against itself.
This is quite an interesting issue. Digg are obviously in a position where they have to remove anything that may be considered an infringement of copyright, otherwise they could be subject to hefty lawsuits which could result in the site being closed (have a read of this for a bit more information), but by the same token it almost goes against their whole business idea - sharing information that people want to have shared in a democratic fashion.
At the end of the day, the encryption key is just a bunch of numbers, and most people have a problem with the idea that a bunch of numbers can be patented/copyrighted. I have to say that I agree with them. A number is a number, it exists in so many forms, and can have so many meanings. Trying to prevent people from posting these numbers is a waste of time. There are some smart people out there using some pretty funny and clever ways to post the number without actually stating that the number is the encryption key - which is perfectly legal.
Regardless of the politics, the cat is out of the bag. And from this point on, the 'Net community will no doubt be pushing to spread this number as far and as wide as possible.
What are your thoughts on this?
Edit: Kaz just sent me this awesome link. I wonder if they'd have the power to rip the shirt off your back?!
Edit 2: So, the masses have been heard! Digg has changed its tune and will no longer be attempting to stop said key being shared. Hats off to them for taking a stance. The thing is, whether they try to stop it or not, the encryption key will not be removed from the web - it's out there, and people won't let it be brushed under the carpet.
Edit 3: Couldn't resist posting this, it's bloody awesome (I'm talking about the pic).
DVD Cracker Nails Apple’s iPod Code
You gotta hand it to this guy, he says that he "doesn't like closed systems", which is pretty darned obvious.
The man, Jon Lech Johansen, who years ago cracked the DVD encryption known as CSS, and released (with two other unknowns) the software that could be used to decrypt DVDs (called DeCSS), has taken his code-breaking career to a new level - he's nailed Apple iPod's ecosystem (or so he claims) by breaking their FairPlay DRM software.
I have no reason to find his claims outrageous, since he's quite clearly experienced in this area (he was 15 when he cracked CSS after all), so it looks like Apple have got themselves an issue to deal with. It'll be interesting to see if they take steps to stop him and his new DoubleTwist venture from taking off, or releasing any information/software pertaining to the crack.
Check out this SMH article for a bit more info.
Google Code Search
The Search Kings have come up with another rippin' tool which allows you to crawl through source code for examples and whatnot. The Google Code Search is quite a cool utility - but it doesn't come without its issues. I found an interesting link worthy of reading which talks about a few amusing results returned from this facility, which I reckon lots of people should check out and be aware of.
So this begs the question: Is this going to be a tool which allows hackers to get access to bugs in software a heck of a lot quicker? I believe so. Is that a bad thing? No, I don't think so. In fact, it'll teach developers (the hard way) that they need to be aware of security issues well before they release the code - which can only be a good thing as it should have a positive effect on the software.
As a small side note, there can also be some embarrassing snippets revealed which will make the big names cringe. So, maybe this will also teach developers to be a little more professional!
Learning Code Security
As a regular reader of Scott Gu's blog (see blogroll) I often find nuggets of information that are handy for the work that I do, but I also often end up with a few questions.
The latest one that fired up a bit of thought was his post on guarding against SQL injection attacks. The information posted is very handy, and is something that I would assume most web developers already know, but it made me wonder how many devs out there are actually aware of these kinds of issues while they're building their applications.
I started hacking code together from a young age, and I've written my fair share of code that I hope to God never made it onto the web.
I'd like to think that over the time that I've spent reading, writing and working I've gained a pretty good coverage of the code security issues that are faced when building all kinds of applications - though I'm sure I have a stack more to learn! One thing struck me though, and that was that almost none of this stuff was covered during my course of formal study at University.
I transferred to different Unis during my time as a student, and out of the 3 that I went to, none of them had any form of code security as part of the core syllabus. Sure, there were special subjects that you could take which focussed on things such as this, including SQL injection, buffer overflows, etc, but you actually had to choose the subject out of a stack of others to get a good amount of exposure to the principles.
As time goes by, it becomes harder and harder for the developer to get themselves into trouble when writing code due to the nature of the languages and the support that you get via the accompanying frameworks - but we do manage to find new and startling ways of creating holes in our software that the malicious and crafty can exploit.
So I do think that learning at least the basics of code security (particularly in web-based environments) is something that every developer should do. Sure, if you're using C# you might not have to worry about buffer overflows. If you're not using an SQL back-end, you won't have to worry about SQL injection. Regardless of the application and language, there are always different ways in which you can slip up. Coverage should be mandatory in courses at any formal education centre so that budding developers are aware of those issues before they hit the streets. To me, this is as obvious as having English and Maths as mandatory subjects during school if you're going to work as a coder!