Software design – separation of concern

Still, the separation of concerns is as relevant as it always was. Consider this website design thing. You still have to separate the concerns between the user management and the website content management. These are totally different concerns. And they have different priorities too.

When you manage the content in your application you basically do not care about users at all. You care only to know whether the requester has the right to see (or modify, whatever) this particular content. So you need some kind of identifier as an input to the authorization management, which is another concern. You really do not need any details of the user that is usually kept by the user management.

While you are in the user management, creation, registration, modification, verification etc. require full knowledge of the user details. So you need to have different data on users here.

What happens is that you really need to have two different concepts of users: one for your user management subsystem and one for your website content management subsystem. And those have little in common. Plus, the website content management requires user information that, besides being useful, can be retrieved quickly and adds minimal overhead. On top of that, user information in both must be kept in sync.

Finally, one comes to realize that database views were invented precisely for this particular problem. So we can have the same user data underneath but present two different views of that same data to the two subsystems of our web application.…
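A sketch of the two-views idea, added here as an example and not taken from the original post: user management owns the full `users` table, while the content side reads only a narrow view. It uses Python with SQLite; the table, view, role names and the `verified` flag are assumptions. On a server database the content subsystem's account would be granted SELECT on the view only.

```python
import sqlite3

# Assumed schema: names and roles are illustrative, not from the post.
SCHEMA = """
CREATE TABLE users (            -- owned by the user management subsystem
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL,
    full_name TEXT,
    verified INTEGER NOT NULL DEFAULT 0,
    role TEXT NOT NULL DEFAULT 'reader'
);
CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, min_role TEXT NOT NULL);
-- The only user data the content subsystem reads: an identifier and a role.
CREATE VIEW content_principals AS
    SELECT id AS principal_id, role FROM users WHERE verified = 1;
"""
ROLE_RANK = {"reader": 0, "editor": 1, "admin": 2}

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def register_user(conn, user_id, email, password_hash, full_name, role="reader"):
    """User management side: works on the full record."""
    conn.execute(
        "INSERT INTO users (id, email, password_hash, full_name, role)"
        " VALUES (?, ?, ?, ?, ?)",
        (user_id, email, password_hash, full_name, role))

def verify_user(conn, user_id):
    conn.execute("UPDATE users SET verified = 1 WHERE id = ?", (user_id,))

def may_view(conn, principal_id, content_id):
    """Content side: the decision is made from the view alone."""
    row = conn.execute(
        "SELECT p.role, c.min_role FROM content_principals p, content c"
        " WHERE p.principal_id = ? AND c.id = ?",
        (principal_id, content_id)).fetchone()
    return row is not None and ROLE_RANK[row[0]] >= ROLE_RANK[row[1]]

def view_columns(conn):
    """Columns the content subsystem can see at all."""
    return [r[1] for r in conn.execute("PRAGMA table_info(content_principals)")]
```

Because the view is computed from the same rows, a change made by user management (verification, a role change) is visible to the content side immediately, with no copy to keep in sync.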


Web security 0.1

I had this silly idea to quickly throw together a website for myself to list my motorbikes. Well, not “mine” per se, I do own only one, but the ones I have ridden over the years and have an opinion about. Since I like to do things “my way”, I searched for a rapid development framework instead of heading over to a motorcycle website. Silly me. But that’s beside the point.

I looked at the CakePHP framework and it appears a solid piece of engineering I could be happy with. The only problem is that I have been trying to get the user registration and login set up for the better part of two months now (I have a day job too).

There are plugins for doing user management and complete login and registration libraries but all that I looked at share one thing in common (and with CakePHP itself, too): they are written with a frightening disregard for security. Every single one of them. So much for Open Source and crowd-sourcing. I would not use any of them to manage my website. Period.

So, I embarked on a quest to write my own plugin for CakePHP that would demonstrate what you can do with user session security if you really put your mind to it. I have a first draft running now, very simple actions only, but it works. So I am confident that once I get my head around the concept of plugins in CakePHP I will be able to provide a plugin with far better security for user sessions.

Some points that come to mind when thinking what has to be done vs. what is usually done:

  1. The user identifier is usually predictable, often allowing for a user listing. It is either an auto-increment in the database, or a UUID. Neither is unpredictable. A random 64-bit value will be far better, even when the random generator is not all that great.
  2. The user name is the primary identification. This is, in my personal opinion, passé. The user ID is the e-mail address.
  3. The confirmation links (registration, password change) are silly MD5 hashes of the current time. I think, again, a 64-128 bit random value will be so much better.
  4. Some send out a new password to the user in an e-mail instead of a random token. That is simply not to be done.
  5. The “remember me” cookie is usually implemented by sending a user name and a password hash to the user browser in a cookie. That is plain silly too. This, again, has to be a random token stored in your database and given to the user.

That’s what I come up with just off…
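One way to implement the random tokens from points 3 to 5, as an added example that is not part of the original post or of any CakePHP plugin. It is Python with SQLite; the table layout, the purpose names and the choice to store only a SHA-256 digest of each token (so a leaked table does not yield usable links or cookies) are assumptions of this sketch.

```python
import hashlib
import secrets
import sqlite3
import time

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tokens (digest TEXT PRIMARY KEY, user_id INTEGER NOT NULL,"
        " purpose TEXT NOT NULL, expires REAL NOT NULL)")
    return conn

def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()

def issue_token(conn, user_id, purpose, ttl_seconds, now=None):
    """Return a fresh 128-bit random token; only its digest is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)  # 16 bytes = 128 bits from the OS CSPRNG
    conn.execute("INSERT INTO tokens VALUES (?, ?, ?, ?)",
                 (_digest(token), user_id, purpose, now + ttl_seconds))
    return token

def redeem_token(conn, token, purpose, now=None):
    """Return the user id for a valid token and consume it, else None."""
    now = time.time() if now is None else now
    try:
        digest = _digest(token)
    except UnicodeEncodeError:  # not something we could have issued
        return None
    row = conn.execute(
        "SELECT user_id, expires FROM tokens WHERE digest = ? AND purpose = ?",
        (digest, purpose)).fetchone()
    if row is None:
        return None
    conn.execute("DELETE FROM tokens WHERE digest = ?", (digest,))  # single use
    user_id, expires = row
    return user_id if now < expires else None

def remember_me_login(conn, cookie_value, ttl_seconds=30 * 86400, now=None):
    """Validate a remember-me cookie and rotate it: (user_id, new_cookie)."""
    user_id = redeem_token(conn, cookie_value, "remember", now)
    if user_id is None:
        return None, None
    return user_id, issue_token(conn, user_id, "remember", ttl_seconds, now)
```

The cookie and the e-mailed link carry nothing derived from the password or the clock, and each value works once: a confirmation link is consumed on use, and a remember-me cookie is replaced on every login it performs.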


Advice from IMF: Eurozone must tie closer together

The managing director of the International Monetary Fund Christine Lagarde has figured it all out for us. Her advice is to integrate the Eurozone economies closer together. And introduce more central control over the monetary and economic side of things.

Yeah, right. If we wanted to make sure that the next economic problem anywhere in the EU takes the whole of it down, we would heed her advice. Oh, absolutely, the tightly integrated economies are a clear winner when it comes to sinking quickly.

But I hope the people at the top realize that they are not outside the EU, they are inside it, and it is not in their best interest to build a Titanic out of the EU countries. The strength of the German economy and its resilience to all sorts of political and economic crises lies in its loose integration and the freedom of every land to develop its own strengths. And that’s a good principle to apply to the whole of the EU as well.

Sure, the development and this silly economic growth are not as fast as they would be in a tightly controlled and integrated economy but the advantages of a diversified locally directed economy were clearly seen during the last crisis when Germans could so rightly say “He who laughs last, laughs best.”…


Social Engineering

Dark Reading asked a rhetorical question recently: “When Will End Users Stop Being Fooled By Online Scams?” Well, you probably guessed the answer right away and it is “never”. I do not think it is possible to train the whole population of the planet in the intricacies of security. So the social engineering attacks in all of their variety are here to stay.

From this point of view, the “training” you get early in life matters, I think, quite a lot. I would hazard a guess that people who tried various social engineering tactics on their environment when they were kids are less gullible as a result. So we should not be so hard on our kids when we catch them lying and trying to trick others. Yes, they should know it is not acceptable. But they also should know how it is all done and kind of come to expect this trickery so they can distinguish social engineering attempts directed at them more easily. So, do not punish them so hard, better teach them how to do it in a harmless way.…


Blog separation

I am wondering whether it would be best to have two blogs, one for posts in English and another for posts in Russian. The setup seems to be simple enough, so I will just try it out. If I do not like it after a while I will merge things back to where they were.

So, head over to domtigra.wordpress.com for the posts in Russian or stay at tigrino.wordpress.com for English.…


CakePHP: bind hasMany as hasOne

This is totally brilliant. I came across this marvel somewhere and adapted it to my application. See, if you have a hasMany relation, you end up with (1) an extra query and (2) a lot of data. I have a case where I just need the last (time of creation) row. So I basically want to bind that model in a hasOne relation where the one row is determined by an expression selecting a single row.…


Orwell’s rules in security

I came across the “six rules of English language” set forth by George Orwell in his essay “Politics and the English Language” in one of the posts on Jordan Bortz’s Software Architecture Blog. They are:

  1. Never use a metaphor, simile, or other figure of speech which you are used to seeing in print.
  2. Never use a long word where a short one will do.
  3. If it is possible to cut a word out, always cut it out.
  4. Never use the passive where you can use the active.
  5. Never use a foreign phrase, a scientific word, or a jargon word if you can think of an everyday English equivalent.
  6. Break any of these rules sooner than say anything outright barbarous.

These rules are absolutely essential for good system or application security. All too often we have the situation where the real target is to provide an insecure system and it is obfuscated by the use of this “political language”. To turn the words of Orwell to our subject, the great enemy of software security is insincerity. When there is a gap between one’s real and one’s declared aims, one does not get proper security.…


A miserable failure of Agile

That is really something we come across almost every single day – the initiatives and ideas that seemed so good backfire and destroy all they were supposed to improve. One of those things is Agile in software development.

The idea originally was fairly trivial but seemed to have potential to work. The idea was to be able to split the software development into smaller chunks so that even an idiot would be able to write that small piece of code. Then, a company would not need to hire experienced software developers but could settle for inexperienced, inadequately trained and simply stupid developers, often without an engineering degree. That would allow paying less for the same amount of software produced.

The result? A catastrophic loss of productivity ensues. Yes, it is cheap to get the software developers and make them scrum masters but what then? They are not capable of developing the software anyway. And you drove away all real masters of design already. The amount of time required to write and rewrite all the code and tests shoots through the roof. The productivity falls through the floor. Costs … you guessed it.

Software design (as many other engineering disciplines) remains an art to this day. Yes, you can apply agile principles in some dark corners of software development but far from everywhere. And that is something managers still have to understand.…


The Japanese work etiquette

Sometimes the Japanese may behave strangely in our eyes. I do not mind in the slightest. It is all right, they behave in a totally appropriate manner. You would not mind yourself doing the same thing if you were them. You see, Japanese are a superior race, brought about by Gods to lead the world to total order and prosperity. If you think I am joking, think twice. We are not supposed to be on the same level, if I were to describe it in simple terms, I would say that you and me are the cattle and they are the farm owners. Do not let their friendliness and apparent spinelessness mislead you. They can and will slaughter cattle whenever the need arises.

What does one do then? Well, you have to become totally indispensable to some of them. Those will protect you and use you. This part is really no different from any other company. The difference is that you cannot complain – you are equal, so your complaints are only mildly annoying to everyone and may be embarrassing to your protector, nothing else. You cannot object to them using and abusing your work – wouldn’t you find such objections from Roman Empire slaves ridiculous? Keep this frame of mind. They can do whatever they want, you are limited in options. You have the freedom to quit, of course. But as long as you stay you have to follow the game. Invent new and interesting ways to become useful. Invent new works, new templates, new objectives, new obstacles, new projects. Invent ways for your protector to look brilliant in the eyes of peers when he uses and abuses your work. As long as you do that, you will be fine. And if you help your protectors, you can ask for many things in return, as a favor, just do not try to be equal.…
