Software design – separation of concern

Still, the separation of concern is as relevant as it always was. Consider this website design thing. You still have to separate the concerns between the user management and the website content management. These are totally different concerns. And they have different priorities too.

When you manage the content in your application you basically do not care about users at all. You care only to know whether the requester has the right to see (or modify, whatever) this particular content. So you need some kind of identifier as an input to the authorization management, which is another concern. You really do not need any details of the user that is usually kept by the user management.

While you are in the user management, creation, registration, modification, verification etc. require full knowledge of the user details. So you need to have different data on users here.

What happens is that you really need to have two different concepts of users: one for your user management subsystem and one for your website content management subsystem. And those have little in common. Plus, the website content management needs user information that (besides being useful) can be retrieved quickly and adds minimal overhead. On top of that, user information in both must be kept in sync.

Finally, one comes to realize that database views were invented precisely for this particular problem. So we can have the same user data underneath but present two different views of that same data to the two subsystems of our web application.…


Web security 0.1

I had this silly idea to quickly throw together a website for myself to list my motorbikes. Well, not “mine” per se, I do own only one, but the ones I have ridden over the years and have an opinion about. Since I like to do things “my way”, I searched for a rapid development framework instead of heading over to a motorcycle website. Silly me. But that’s beside the point.

I looked at the CakePHP framework and it appears a solid piece of engineering I could be happy with. The only problem is that I have been trying to get the user registration and login set up for the better part of two months now (I have a day job too).

There are plugins for doing user management and complete login and registration libraries but all that I looked at share one thing in common (and with CakePHP itself, too): they are written with a frightening disregard for security. Every single one of them. So much for Open Source and crowd-sourcing. I would not use any of them to manage my website. Period.

So, I embarked on a quest to write my own plugin for CakePHP that would demonstrate what you can do with the user sessions security if you really put your mind to it. I have a first draft running now, very simple actions only but it works. So I am confident that once I get my head around the concept of plugins in CakePHP I will be able to provide a plugin with far better security for user sessions.

Some points that come to mind when thinking what has to be done vs. what is usually done:

  1. The user identifier is usually predictable, allowing often for a user listing. It is either an auto-increment in the database, or a UUID. Neither is unpredictable. A random 64-bit value will be far better, even when the random generator is not all that great.
  2. The user name is the primary identification. This is, in my personal opinion, passé. The user ID is the e-mail address.
  3. The confirmation links (registration, password change) are silly MD5 hashes of the current time. I think, again, a 64-128 bit random value will be so much better.
  4. Some send out a new password to the user in an e-mail instead of a random token. That is simply not to be done.
  5. The “remember me” cookie is usually implemented by sending a user name and a password hash to the user browser in a cookie. That is plain silly too. This, again, has to be a random token stored in your database and given to the user.
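
Points 1, 3 and 5 above in one place, as an added PHP example that is not part of the original post or of any CakePHP plugin: random 64-bit user IDs and 128-bit single-use tokens taken from the OS CSPRNG. The function names and the `$store` array (a stand-in for a database table) are assumptions for illustration, and storing only a hash of each token is an extra hardening step the post does not mention.

```php
<?php
declare(strict_types=1);

// Added example. $store stands in for a database table keyed by token hash.

/** Point 1: a random 64-bit user identifier instead of an auto-increment. */
function newUserId(): string
{
    return bin2hex(random_bytes(8));
}

/** Points 3 and 5: a random 128-bit token for a confirmation link
 *  ('confirm') or a "remember me" cookie ('remember'). */
function issueToken(array &$store, string $userId, string $purpose, int $ttl, int $now): string
{
    $token = bin2hex(random_bytes(16));      // from the OS CSPRNG, not md5(time())
    $store[hash('sha256', $token)] = [       // assumption: only the hash is stored
        'user_id' => $userId,
        'purpose' => $purpose,
        'expires' => $now + $ttl,
    ];
    return $token;                           // this value goes into the link or cookie
}

/** Returns the user id, or null when the token is unknown, expired,
 *  issued for another purpose, or already used. */
function redeemToken(array &$store, string $token, string $purpose, int $now): ?string
{
    $key = hash('sha256', $token);
    $row = $store[$key] ?? null;
    if ($row === null) {
        return null;
    }
    unset($store[$key]);                     // single use: a replayed token finds nothing
    if ($row['purpose'] !== $purpose || $row['expires'] < $now) {
        return null;
    }
    return $row['user_id'];
}

// Constructed sample run.
$store = [];
$now = 1700000000;
$uid = newUserId();
$link = issueToken($store, $uid, 'confirm', 3600, $now);
var_dump(redeemToken($store, $link, 'confirm', $now + 60) === $uid); // first use
var_dump(redeemToken($store, $link, 'confirm', $now + 61));          // replay
$cookie = issueToken($store, $uid, 'remember', 30 * 86400, $now);
var_dump(redeemToken($store, $cookie, 'confirm', $now));             // wrong purpose
```

For a “remember me” cookie, issue a fresh token on every successful redemption so that a copied cookie stops working after its first use.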

That’s what I come up with just off…


Social Engineering

Dark Reading asked a rhetorical question recently: “When Will End Users Stop Being Fooled By Online Scams?” Well, you probably guessed the answer right away and it is “never”. I do not think it is possible to train the whole population of the planet in the intricacies of security. So the social engineering attacks in all of their variety are here to stay.

From this point of view, the “training” you get early in life matters, I think, quite a lot. I would hazard a guess that people who tried various social engineering tactics on their environment when they were kids are less gullible as a result. So we should not be so hard on our kids when we catch them lying and trying to trick others. Yes, they should know it is not acceptable. But they also should know how it is all done and kind of come to expect this trickery so they can distinguish social engineering attempts directed at them more easily. So, do not punish them so hard, better teach them how to do it in a harmless way.…


Blog separation

I am wondering whether it would be best to have two blogs, one for posts in English and another for posts in Russian. The setup seems to be simple enough, so I will just try it out. If I do not like it after a while I will merge things back to where they were.

So, head over to domtigra.wordpress.com for the posts in Russian or stay at tigrino.wordpress.com for English.…


CakePHP: bind hasMany as hasOne

This is totally brilliant. I came across this marvel somewhere and adapted it to my application. See, if you have a hasMany relation, you end up with (1) an extra query and (2) a lot of data. I have a case where I just need the last (time of creation) row. So I basically want to bind that model in a hasOne relation where the one row is determined by an expression selecting a single row.…


Orwell’s rules in security

I came across the “six rules of English language” set forth by George Orwell in his essay “Politics and the English Language” in one of the posts on Jordan Bortz’s Software Architecture Blog. They are:

  1. Never use a metaphor, simile, or other figure of speech which you are used to seeing in print.
  2. Never use a long word where a short one will do.
  3. If it is possible to cut a word out, always cut it out.
  4. Never use the passive where you can use the active.
  5. Never use a foreign phrase, a scientific word, or a jargon word if you can think of an everyday English equivalent.
  6. Break any of these rules sooner than say anything outright barbarous.

These rules are absolutely essential for good system or application security. All too often we have the situation where the real target is to provide an insecure system and it is obfuscated by the use of this “political language”. To turn the words of Orwell to our subject, the great enemy of software security is insincerity. When there is a gap between one’s real and one’s declared aims, one does not get proper security.…


The Japanese work etiquette

Sometimes the Japanese may behave strangely in our eyes. I do not mind in the slightest. It is all right, they behave in a totally appropriate manner. You would not mind yourself doing the same thing if you were them. You see, Japanese are a superior race, brought about by Gods to lead the world to total order and prosperity. If you think I am joking, think twice. We are not supposed to be on the same level, if I were to describe it in simple terms, I would say that you and me are the cattle and they are the farm owners. Do not let their friendliness and apparent spinelessness mislead you. They can and will slaughter cattle whenever the need arises.

What does one do then? Well, you have to become totally indispensable to some of them. Those will protect you and use you. This part is really no different from any other company. The difference is that you cannot complain – you are equal, so your complaints are only mildly annoying to everyone and may be embarrassing to your protector, nothing else. You cannot object to them using and abusing your work – wouldn’t you find such objections from Roman Empire slaves ridiculous? Keep this frame of mind. They can do whatever they want, you are limited in options. You have the freedom to quit, of course. But as long as you stay you have to follow the game. Invent new and interesting ways to become useful. Invent new works, new templates, new objectives, new obstacles, new projects. Invent ways for your protector to look brilliant in the eyes of peers when he uses and abuses your work. As long as you do that, you will be fine. And if you help your protectors, you can ask for many things in return, as a favor, just do not try to be equal.…


Scroogled

I just came across this wonderful piece: Scroogled by Cory Doctorow

“The courts won’t let them indiscriminately Google you. But after you’re in the system, it becomes a selective search. All legal. And once they start Googling you, they always find something. All your data is fed into a big hopper that checks for ‘suspicious patterns,’ using deviation from statistical norms to nail you.”

and I think it is a must read for all of us. And that’s besides it being an entertaining read.…


The Factor of Money

I call this interesting thing “The Factor of Money”. What is it? It is one of the things quite wrong with the world from most people’s perspective. Although, to be fair, most of them do not realize it. And there is a minority who abuse the rest so it is quite ok for them. But let’s see.

A society is built on a number of factors that the society considers important. And whoever controls the decisive factor controls the society. If most of the world considers a single factor of utmost importance then whoever controls that factor controls the world.

Factors important, or crucial, for the people in the society may differ. One of the factors quite widespread nowadays is money. Notice how the USSR, the Soviet countries overall, were not into money before, like, the eighties. And those countries were quite apart from the other countries that were controlled by money. They were independent and powerful, they could not be easily subverted by money. Once they joined the throng in cherishing the money factor, they became a slave to the controllers of the money factor. Notice how quickly their deterioration happened.

Now watch this. China was always quite separate from the money world. They became strong on a basis totally different from money. Now they let the money in. What do you think will happen? Yes, let’s watch them being overtaken by the overlords of money. They stand no chance anymore whatever they may think about it.

The Factor of Money is the factor that leads to enslaving entire countries to the will of the Lords of Money. If you want your society or country to be independent, the first thing to do is to break away from The Money Factor.…
