Blunder Dome Sighting  

Hangout for experimental confirmation and demonstration of software, computing, and networking. The exercises don't always work out. The professor is a bumbler and the laboratory assistant is a skanky dufus.




2004-09-01

 

Security is a Programming Problem?

ACM Queue: Why is it we can't seem to produce secure, high-quality code? This article in ACM Queue managed to be slash-dotted. I can see why. Author Marcus Ranum claims that security is a programming problem. I beg to differ. Bugs and security vulnerabilities are not the same thing.

It seems to be part of the magical thinking around computer-based systems that if we could just get the software right, problems with security would vanish. I have no objection to getting the software right (or way better, at least). But seeing elimination of bugs as the silver bullet of security strikes me as near-delusional. It's also the hard way of getting to improved security. Think of all the bugs and related defects that don't create openings for exploits. And consider that serious problems like spam, while exacerbated by exploits, don't depend on hidden defects by which programs fail to meet the measurable requirements set for them.

It is not about programming. It is often about system engineering, operations management, and business practice.

It is a mystery for me what value is found in scapegoating programming. The marvel of it all is that software developers (want to) believe it too. Why? What is it we want so badly to be distracted from that we buy into this?
 

Ending the Madness: Deja Triple Vu

I gave up on the nice new XHTML-strict templates that Blogger has been providing as an easy way to look nice and be sharp. I couldn't stand the way the sidebar and the body column fought for the available width and squeezed one or the other to the bottom of a very long page. There may be a way around that, but I knew it would work if I committed the small sacrilege of reverting to HTML 4.01 with a modest use of tables. This is strictly a case of what works now, and I remind the markup bigots that deprecated is not the same as forbidden; practice will determine when anything I'm using here truly disappears from browser support.

Also, I hate rigid pages, and the new template had the page controlled down to the pixel. Since many of the pretty-pretties were accomplished by wedging rounded-corner images over there, and tucking a box under here, I couldn't see myself figuring out how to get around the massive nesting of styles to make it do what I wanted. Although Douglas Bowman's Rounders are very appealing. I learned that wasn't simple enough for all I want to do.

The simplified look inaugurated with this post is borrowed from the old-standby Orcmid's Lair and Numbering Peano layouts. I can dress it up more later. For now, I have the content laid out the way I want with images and screen shots inserted the way I want them. My one regret is that the user can't control body flow and line width by adjusting the browser when there are wide images on the page. That I am willing to figure out. I'll even take advice on how to accomplish that.

Making this change also means that we'll be seeing double some more. It was already that way, just not so noticeable amid the glitz.

2004-08-31

 

Your%20Message%20Here

Your%20Link%20Here. There was a slip-streamed change to the BlogThis! functions such that URLs and titles became character-set guarded via URL-encoding. Even spaces in titles show up as '%20' codes. The strange part is that having this material outside of URL encodings is just plain wrong. These are not markup-recognized. It was surprising how long it stayed that way.

I see from the Blogger Status page that this problem was noticed and the earlier BlogThis! was restored. I also welcome the expanded provision of status and a history of events, changes, and fixes.

There's a lesson here about the slip-streaming of releases or, as the Blogger folk like to say, pushing features. I don't let Microsoft do that, and they only push out invitations to pull for the most part. (For the odd case of XPSP2, I managed to do the full download and burn a CD-ROM. I will do a full rebuild with XPSP2 and not struggle with dropping it in as an update. And I won't be doing automatic updates, thank you very much.)

Recent Blogger updates have all come as surprises, sometimes annoyingly destabilizing surprises. That provides a great lesson for both the appeal of the Web as a distribution mechanism and the importance of stability in the change-management of service interfaces published on the web.

The situation with web interfaces is particularly daunting. The way we normally see what works on the web is to turn it on and see what happens. It is the ultimate extension of the code-and-fix mentality. The resulting cost of randomizing users is way too high, especially if there is something much more involved than delivery of static content.

The active web requires a different approach to change-introduction and controls. I was already thinking about how to stamp out surprises as I was increasing my own ability to activate incident-response procedures in the face of some misadventure with my web sites. I have already resolved to never willingly break a link to a page that I have ever published, so I religiously leave tombstones for anything that I finally have to move. I'm now looking at what it takes to make other changes in ways that minimize disruptions to users, even though I may never know if there was anyone who might be impacted.

The Blogger feature-pushing practice, and its propensity to surprise some portion of a large population, is a useful lesson. It has me be far more attentive to how easily I can make careless alterations that disrupt my blog sites. Out of those experiences I am raising the level of transparency and accountability for operation of the site. It might not matter that much here, with a small population of visitors. Even so, I expect the practices I learn to be of immeasurable value.

What I find the most daunting is the realization that others may have unacceptable experiences visiting my sites, and I won't be aware of it. Unless someone happens to mention it, or show it to me, I might never know. I don't run every browser, with every combination of plug-ins and security settings, combined with firewalls, intranet proxies, and whatever else there is that can alter the end-user experience. And I didn't mention accessibility yet. As much as I resist it, I suspect that dealing with accessibility and failure modes that preserve accessibility is going to be what matters. Now there's a worthy challenge.

I see two lessons of my youth that apply to the deployment of software. Although I was hardly keen to wrestle or play football in high-school, I always remembered that before try-outs we were first taught how to fall and to avoid injury. When I started skiing, I remember that the first lessons were about how to get up after falling and then how to fall safely, even as a way to avoid danger. My physical-education teachers and ski instructors might be surprised to see where I now apply those lessons. They certainly do apply: When our software creations break, and they will, how do we minimize the impact and how will we be prepared to make repairs and amends?
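The '%20' symptom in this post is an encoding-context mix-up: percent-encoding belongs to the URL that carries a title and link, while text placed in markup needs HTML escaping. The sketch below is an added example, not Blogger's code (which the post does not show); the function names, the `t`/`u` parameter names and the example.* hosts are all assumptions made for illustration.

```javascript
// Added example; every name, parameter and URL here is constructed for illustration.

// URL context: percent-encode each value when building the query string.
function buildPostUrl(base, title, link) {
  return base + "?t=" + encodeURIComponent(title) + "&u=" + encodeURIComponent(link);
}

// Split the query string WITHOUT decoding, to model the faulty path.
function rawParams(url) {
  const out = {};
  for (const pair of url.split("?")[1].split("&")) {
    const i = pair.indexOf("=");
    out[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return out;
}

// HTML context: escape only the characters that are significant in markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Faulty: the still-percent-encoded values go straight into markup,
// so the reader sees "Your%20Message%20Here".
function renderEncoded(url) {
  const p = rawParams(url);
  return '<a href="' + p.u + '">' + p.t + "</a>";
}

// Corrected: decode once on receipt, then encode for the output context.
function renderDecoded(url) {
  const p = rawParams(url);
  const title = decodeURIComponent(p.t);
  const link = new URL(decodeURIComponent(p.u)); // throws on a malformed URL
  if (link.protocol !== "http:" && link.protocol !== "https:") {
    throw new Error("unsupported link scheme: " + link.protocol);
  }
  return '<a href="' + escapeHtml(link.href) + '">' + escapeHtml(title) + "</a>";
}

const sample = buildPostUrl("https://blog.example/post", "Your Message Here",
                            "https://site.example/a page?x=1&y=2");
console.log(renderEncoded(sample));
console.log(renderDecoded(sample));
```

Decoding exactly once and escaping at the point of output also keeps a title containing `<` or `&` from being interpreted as markup.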
 

Just Ducky, Simply Ducky. And You?

Well, it seems there is more slip-streaming at Blogger (they call it pushing out changes, I call it pooping in the punch-bowl) and I will have to figure out what this mucking up of my HTML is all about. (See the previous post.) Meanwhile, there are some other oddities, but the main point is solved. All blogs are operating and now there is just the ordinary noise to deal with. Time for breakfast. Later.
 

All Clear: End of Test #1

All Clear: End of Test

Any entries since the last "Caution: Feed Testing" announcement were part of the test activities. Consult the Site Status page for further information.

 
Oh my, that was painful. I now have much pent-up blogging to catch up on -- there are so many drafts here that they have scrolled off the bottom of my Blogger list.

The delays were mine. I was compulsive about manually confirming rapid incident-response and lock-down processes before I would post anything more to my blogs. I'm now satisfied that if there's another bad-upload failure, I can respond quickly.

There's more to do. The critical path I followed (if you can believe that) is one that has all sites up and operating. I now need to de-stress, collect my thoughts, and update my notes, etc.

And we do seem to be on the air here. Heh.


updated 2004-08-31T20:55Z

I don't know what is happening. I was ranting to Anderbill about how Blogger messed up my posting. When we looked at the HTML in our browsers, I saw that I must have misplaced a <br /> element. That is what broke the element that made the nice green color and other features.
 
I just now came back into Blogger prepared to eat humble crow [?!] and fess up.  I thought that Blogger must have messed up because there were other weird things happening and I figured wrecking this page must be more of the same.  That's the leap I took.  And I needed to confess that I think I was the one who blew the colors in the first post.
 
Well, it is weirder than that.  When I came back in to correct the presentation of this particular note, all of the HTML was working just fine, and the preview is just great!
 
Now I don't know what to say.  I'm happy to have the blog working, and I am miffed that there are ways Blogger rewrites my carefully-tuned HTML that makes FrontPage look like an extremely well-crafted HTML editor.  This is so weird.
 
I am going to stop now, cross my fingers, and post this.  I have now lost the urge to do a guest appearance on causticTech.  Maybe next time.
 

template created 2004-06-17-20:01 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 10-04-30 22:33 $
$$Revision: 21 $