Nov 30
Apparently assertions work (reddit thread). embedded.com notes that “assertions find at least twice the number of bugs identified by static analyzers”.
Why, WHY are we surprised to find this? The very first lesson of CS 101 that handles modularisation opens with the sentence “Check input parameters”. The second paragraph says “check return values”. The very first lesson of programming security is “check all user inputs”. WHY are we surprised that these practices actually work?
Moreover, why are we not using them? These simple techniques provide effective protection against many SQL injection attacks, XSS flaws, buffer overflows and logic bugs; yet we are too lazy (or too obsessed with “the performance impact”) to use them.
Software Engineering will remain a joke rather than a profession until we start taking evidence-based decisions. Parameter checks and peer review have been demonstrated to offer among the best returns compared to their costs, but they are seldom the favoured tools in a developer’s toolkit. Instead we like to proclaim the latest anecdotally-supported technology or approach.
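As an added illustration of the two lessons above (this is example code written for this page, not code from the post or from any of the articles it links), the following C functions apply "check input parameters" and "check return values" to the buffer-overflow case the post mentions. The helper names `copy_bounded` and `parse_user_record`, the 16-byte field size and the sample records are all constructed for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from the post: copy a NUL-terminated source
 * string into a buffer of capacity dst_cap. Returns 0 on success and -1
 * when a parameter is invalid or the string (plus terminator) does not fit. */
int copy_bounded(char *dst, size_t dst_cap, const char *src)
{
    /* Lesson one: check input parameters before touching any memory. */
    if (dst == NULL || src == NULL || dst_cap == 0)
        return -1;

    /* Measure the source without ever reading more than dst_cap bytes. */
    size_t src_len = 0;
    while (src_len < dst_cap && src[src_len] != '\0')
        src_len++;
    if (src_len >= dst_cap)        /* no room left for the terminator */
        return -1;

    memcpy(dst, src, src_len + 1); /* src[src_len] is the NUL byte */

    /* Postcondition assertion: the copy is terminated inside the buffer.
     * Cheap checks like this are what catch logic bugs during testing. */
    assert(src_len < dst_cap && dst[src_len] == '\0');
    return 0;
}

/* Parse a "user=<name>" record into a fixed 16-byte field. Returns 1 when
 * the record is accepted and 0 otherwise. Lesson two: the result of every
 * call that can fail is checked rather than ignored. */
int parse_user_record(const char *record, char out[16])
{
    if (record == NULL || out == NULL)
        return 0;
    if (strncmp(record, "user=", 5) != 0)
        return 0;
    if (copy_bounded(out, 16, record + 5) != 0) {
        /* An over-long name is rejected instead of silently overflowing out. */
        out[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    char field[16];
    /* Constructed sample inputs: well-formed, over-long, and malformed. */
    const char *samples[] = {
        "user=alice",
        "user=this_name_is_far_too_long_for_the_field",
        "name=bob",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = parse_user_record(samples[i], field);
        printf("%-48s -> %s\n", samples[i], ok ? field : "rejected");
    }
    return 0;
}
```

The over-long record is the interesting case: without the parameter check in `copy_bounded` it would overrun the 16-byte field, and without the return-value check in `parse_user_record` a caller would happily use whatever landed in it.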
Jan 19
Some time back I wrote OpenID: the bad and the ugly which was mostly just a redirect to Stefan Brands’ “The problem(s) with OpenID”. Numerous conversations later I am still finding that most Internet users - even developers who understand web security - just don’t grok OpenID security.
And finally I know why: “you” and “your account” have boundary issues.
When I say “an attacker can target a web site and access your account” these people hear “an attacker can target a web site that I use, attack me, phish my details, steal my OpenID and access my account”. Because that’s the most common mode of attack against password-based authentication on the web.
But it’s not how you attack OpenID. There is no “you” in many OpenID attacks. There is just the attacker and your account … make that your ex-account.
Sep 16
While browsing Reddit I came across what looked like a promising article: A Programmer’s Communication Skills. Turns out to be not so interesting, merely taking a swipe at the popular notion that “communication skills” are important for programmers. I’m all for debate, but perhaps one should understand the (un)subtle distinction between “communication” and “presentation/seminar” before taking such swipes.
Good communication skill means the ability to convey ideas succinctly, to receive and understand ideas, and to seek clarification when you don’t understand. It’s important when presenting a talk in an auditorium, gathering requirements from a customer, explaining to a subordinate how to implement a module, explaining the project status to your boss, writing a user manual, and documenting your source code (especially if you believe that code is self-documenting).
But I still haven’t got to the real reason that communication skills are important for programmers … you see, when we write a program we use a programming language. That language is the medium through which we communicate our intentions to the computer and with other developers.
If you can’t describe to me how you are going to implement something, I don’t trust that you can describe it to a computer (which has far less capability to work out what you’re trying to say).
Aug 24
In the last few days I’ve read a few articles on the programming reddit that have dealt with technology hype.
In the article XML Backlash? Brennan Spies looks at the achievements of XML, and how its position may be under threat from newcomers like JSON and Google’s protocol buffers. Nothing new there - I’ve been warning of the shortcomings in XML for years - before it became a popular pastime.
May 09
I’ve written before about bad stats, but a video currently getting a lot of attention on the web is an excellent example of bad research. Which doll is the nice doll purports to show racial self-hatred in black children.
The video is a version of Kenneth and Mamie Clark’s doll experiments. Anyone who has studied research methodology should immediately pick up some of the problems with this video:
- The sample size and selection. The MSNBC article covers 4 children, all black, with no evidence given of their background. The sample could easily be biased, and there is no control group.
- Children are known to have a tendency to please authority figures, which is why interviews with children are problematic. Often a child will give the answer they believe will please the interviewer or audience. If a child perceives the interviewer as feeling racially inferior (if black) or superior (if white), or notices cues that the interviewer is expecting a particular answer (often too subtle for adults to notice) he/she will respond accordingly.
- At least one of the children may have been displaying gender bias, perceiving the white doll as female and the black doll as male (the genders - if they were gendered - were not clear in the video). Most cultures display a gender bias that perceives women as more attractive than men.
- According to anthropological research many societies showed a preference for light skinned women (in particular) even before contact with the West (see for example Fair Women, Dark Men). While this may be “colour prejudice” it is not a self-perception of racial inferiority.
- The order of questions biases the research. The children are asked to indicate the “pretty” and “nice” dolls first; they may choose the white doll for any of the reasons above. When asked to indicate the “ugly” or “bad” dolls they are logically forced to indicate the black doll.
As it happens the Clarks’ original research was criticised as being unfalsifiable, but bad research like this just keeps popping up whenever someone wants to “prove” a point.
Bad Research ultimately hurts everyone. In the short term it is effective at persuading most people (often to their detriment), but in the long term it hurts the credibility of those who use it. It’s a lose-lose situation. Friends don’t let friends do Bad Research.
For my next trick I won’t be looking at climate change research …