The Heartbleed Bug or “Why you shouldn’t reuse passwords”

The Heartbleed Bug was discovered last week. It is a vulnerability in OpenSSL, the library that powers the HTTPS services of most major websites today. The bug is quite adequately explained by this XKCD comic.

This brings to light the importance of not reusing passwords. Even if your password is practically impossible to guess and mathematically improbable to crack, it’s still useless if you use it for multiple websites, because it only takes one website leaking your password through a vulnerability like this to compromise every account where you reused it. So don’t, or at least enable two-factor authentication.

Hack

Facebook released Hack last week, a new language based on PHP that requires the use of their virtual machine, HipHop (aka HHVM). But it’s important to remember that Hack is not PHP. While it understands PHP in much the same way that C++ understands C, it isn’t always possible to migrate from the default interpreter to HHVM since they have chosen not to support all of PHP’s features, for better or worse.

There have been a lot of mixed sentiments on the internet over the new language, though the biggest concern appears to be that the naming choice will make it difficult to find anything actually related to the language. Imagine searching for “hack language” or “hack facebook” for example.

Personally I think the release of an independent version of PHP could be positive for the community, regardless of the name. PHP has always been quite careful about backwards compatibility and stability while leaving performance, consistency and, in a sense, security by the wayside. Hack has already introduced a lot of cool features (really just stuff that you would normally expect from a modern language) that PHP will probably never see, type annotations and collections being my favourites so far. And HHVM has already made significant improvements to the performance of PHP.

I hope that Hack can become a platform for language features and changes that the core PHP language might not be ready for. Since Facebook uses PHP as a base for their new language they might be able to get a lot of traction from developers shifting their code bases to Hack, and maybe this shift can cause PHP to transform into something that not only gets the job done but also something that doesn’t allow “clever” code, inconsistent behaviour and other general headaches.

On the success of Flappy Bird

Apparently there’s a new mobile game called “Flappy Bird” which has taken over the mobile gaming market. I had honestly not heard of this game before I read that it’s being taken down by its creator for being too successful (what?).

IGN put up a review explaining the game concept, which is so ridiculously basic it’s almost embarrassing. The fact that this game is so immensely successful only goes to prove what people like David Heinemeier Hansson have been saying for a very long time: “underdo your competition”.

By removing as many features as possible you’re also making your product easier and more accessible to use by lessening the learning curve. This means that you can essentially expand your market by making your app smaller.

Flappy Bird might be an extreme example of “less is more”, but it has also accomplished something that many app developers can only dream of.

Setting up two-factor authentication everywhere

I’m studying computer security this term, and it has a way of making you very paranoid about security matters; recent articles like this and this really don’t help either. Therefore I’ve decided to set up two-factor authentication everywhere possible to protect myself, to some degree, from the uselessness of passwords.

Two-factor authentication essentially means that you use two authentication factors to log in instead of only one. An authentication factor is one of three things: something you know, something you have or something you are. A password is a good example of the first, while a card or cellphone is in the second category.

What this means is that for someone to hijack one of my accounts they will not only need to know my password but also need my cellphone to generate a temporary one-time code to log in. My phone can also be remotely tracked and locked down in case it’s stolen, and through backed-up recovery keys I will still be able to access my accounts.

It might sound complex and difficult, but it really isn’t, and the major security gain is a worthwhile tradeoff. To enable two-factor authentication you merely have to download an app (like Google Authenticator or Authy), use it to scan a QR code for the account you want secured, and then you’re done. The next time you log in on a new computer you open the app, get a code to type in and you’re logged in as usual.

There’s a fairly comprehensive list of services which support two-factor here.

My thoughts on Vagrant

Vagrant enables a developer to isolate their project to a dedicated virtual machine while still coding in the same environment they use for other projects. You can essentially edit your project files in Windows and access the result through Windows while everything is running on Linux without having to do any of the tedious work of setting up and installing a virtual machine.

The cool thing about Vagrant is how the configuration file for the project can be redistributed with the rest of the code base to give other developers access to an exact replica of the original development environment.

The really cool thing about Vagrant is how ridiculously easy it is: they have a guide for setting up a first project which takes about 30 minutes to complete and goes over all the aspects of setting everything up.

The major thing that bothers me is that it’s somewhat slow; a virtual machine has a huge overhead compared to running directly on the host machine. It also takes about fifteen minutes to set up a Vagrant box the first time, which is actually negligible compared to the many hours it would take to do it manually but still feels like a long time.

Provisioning could also have been made simpler, but there are a lot of alternatives and even more examples for setting up any imaginable environment so it isn’t really a problem per se.

Mostly Harmless

I found these unexpectedly profound quotes while reading through “Mostly Harmless” by the late Douglas Adams. It’s almost as if he was an engineer in some earlier life.

“The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when the thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.”

And just a few pages later there’s another similar gem.

“The thing he realised about the windows was this: because they had been converted into openable windows after they had first been designed to be impregnable, they were, in fact, much less secure than if they had been designed as openable windows in the first place.”

I simply had to share these since I suspect most engineers probably don’t read The Hitchhiker’s Guide to the Universe.

Good interview questions

There are a tremendous number of posts about shitty interview questions, especially for programmers. What there aren’t so many of are posts about the good questions to ask, so here’s one of my favorites.

What did you learn this week?

The question is really good because it gives you instant feedback on whether or not the candidate is interested in programming. A programmer with a genuine interest is bound to try to learn new things all the time and will have no problem answering this question, while someone who is less motivated and less interested will have a much harder time coming up with a meaningful answer.

The question also gives insight into what the candidate is interested in and at what level they’re trying to challenge themselves. It also opens up some more or less obvious follow-ups, such as “Why did you learn this instead of that?”, “How has learning this affected your workflow?”, “What do you want to learn next week?” and so on.