Author: preston.lee

  • Network De-Perimeterization: The Jericho Forum

    The presenters from the Jericho Forum at DEFCON 14 this year did an acceptable job of highlighting the principle that border firewalls are much less beneficial than they used to be for security purposes. WiFi, VPNs, MANETs and the like produce constantly changing IT environments that it is not realistically plausible for IT to completely control. Our new challenge is to accept that hostile things may exist on the network, and to solidify the security of individual services regardless of the high-priced blue-colored networking hardware connecting it all. Their DEFCON session was unfortunately unclear on the specifics of how one accomplishes this, but I nevertheless agree with many of their core principles.

    This Decade’s Security Challenge (good .pdf slides)
    De-perimeterization is the way to go for network security
    De-perimeterization: Jericho Forum misses the mark

  • Encryption: Use it, lest ye be thieved.

    Each time I go to DEFCON, sniff a network or see an ad for an infosec product, I’m harshly reawakened to the general public’s detachment from security concerns. With a virus scanner, firewall and pop-up blocker running, most users seem comforted enough to go about daily business with a satisfactory feeling of a “secure” experience.

    A large gap in this frame of thought is what we’re trying to secure. The most valuable thing on your computer, the stuff you want to secure if nothing else, is your personal data/information, NOT the machine itself. Most white-collar folk, in a worst-case scenario, could cough up the bones to cope with a stolen or broken machine, or re-install the OS after a bad virus attack. The data on that machine, however, may be priceless memories, confidential trade secrets, or other information which you’d highly prefer to remain private and well backed up. Speaking as a resident of Arizona (the new U.S. capital for identity theft, per capita): we must recognize that the Bad Guys on the tubes do not have the primary intent to annoy us. They’re trying to make money. Compromising your system is merely a means for collecting sellable usage habits, relaying \/i@gr@ ads, stealing/selling your identity, etc. We simply need to recognize that we protect system assets largely to protect our information.

    In that vein, one of the most commonplace no-nos is sending sensitive information over ordinary email. We’ve all done it, and most will continue. Emails can pass through systems that are maintained by people you don’t know and most certainly don’t trust, so don’t be a bonehead: encrypt your email, especially if it’s sensitive material. (If your email client is a horrible bitch-goddess that makes encryption a pain to deal with, please poke the vendor with a sharp stick until they make it trivial.) Mail.app and Keychain Access.app (OS X) make it ridiculously simple to manage and use X.509 public/private keys, which you can obtain for free from Thawte. Keep in mind that S/MIME protects the body and attachments only; the Subject line and the addressing headers still travel in the clear, so keep the secret out of the subject. If you use Mail.app, you’re out of excuses.

    Should your machine be stolen, sold, repaired, or otherwise leave your possession, how do you know you’re not handing over the keys to the kingdom to a complete stranger? You can wipe the drive, but that isn’t convenient if the machine will be returned to you. A simple way is to use TrueCrypt for Windows, encrypted .dmg files for OS X, or to encrypt your entire freaking home directory with FileVault (OS X).

    OS X users have no excuse not to encrypt everything. Linux and Windows users may have more difficulty, but easy wins are still possible. Encrypt your email. Encrypt your backups. Encrypt your calendar. Encrypt your address book. Encrypt your financials. Encrypt your music. Encrypt your photos. Encrypt your life.

    Encrypt everything.
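    For the Linux and Windows users who don’t get FileVault handed to them, here is an added example (mine, not from the original post): a passphrase-protected, authenticated container for a backup file using only the JDK. The file key is derived with PBKDF2-HMAC-SHA256 from a per-file random salt, the contents are sealed with AES-256-GCM under a fresh random nonce, and the format marker is fed in as associated data so a tampered header fails to decrypt just like a tampered body. BackupCrypt, the BKUP1 marker and the BACKUP_PASSPHRASE variable are names I made up for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: passphrase-protected AES-256-GCM container for a backup file (hypothetical format "BKUP1"). */
public final class BackupCrypt {
    private static final int SALT_LEN = 16;
    private static final int NONCE_LEN = 12;              // 96-bit nonce, the size GCM is specified for
    private static final int TAG_BITS = 128;
    private static final int PBKDF2_ITERATIONS = 600_000; // slows offline guessing of the passphrase
    private static final byte[] MAGIC = "BKUP1".getBytes(StandardCharsets.US_ASCII);
    private static final SecureRandom RNG = new SecureRandom();

    private static SecretKey deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        KeySpec spec = new PBEKeySpec(passphrase, salt, PBKDF2_ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Output layout: MAGIC || salt || nonce || ciphertext+tag. Salt and nonce are fresh per call. */
    public static byte[] encrypt(byte[] plaintext, char[] passphrase) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(MAGIC); // header is authenticated too: a tampered marker fails to decrypt
        byte[] ct = c.doFinal(plaintext);

        byte[] out = new byte[MAGIC.length + SALT_LEN + NONCE_LEN + ct.length];
        int p = 0;
        System.arraycopy(MAGIC, 0, out, p, MAGIC.length); p += MAGIC.length;
        System.arraycopy(salt, 0, out, p, SALT_LEN);      p += SALT_LEN;
        System.arraycopy(nonce, 0, out, p, NONCE_LEN);    p += NONCE_LEN;
        System.arraycopy(ct, 0, out, p, ct.length);
        return out;
    }

    /** Throws AEADBadTagException (a GeneralSecurityException) on a wrong passphrase or any modified byte. */
    public static byte[] decrypt(byte[] blob, char[] passphrase) throws GeneralSecurityException {
        int hdr = MAGIC.length + SALT_LEN + NONCE_LEN;
        if (blob.length < hdr + TAG_BITS / 8 || !Arrays.equals(Arrays.copyOf(blob, MAGIC.length), MAGIC)) {
            throw new GeneralSecurityException("not a BKUP1 container");
        }
        byte[] salt = Arrays.copyOfRange(blob, MAGIC.length, MAGIC.length + SALT_LEN);
        byte[] nonce = Arrays.copyOfRange(blob, MAGIC.length + SALT_LEN, hdr);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(MAGIC);
        return c.doFinal(Arrays.copyOfRange(blob, hdr, blob.length));
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length != 3 || !(args[0].equals("enc") || args[0].equals("dec"))) {
            System.err.println("usage: BackupCrypt enc|dec <in> <out>   (passphrase read from BACKUP_PASSPHRASE)");
            System.exit(2);
        }
        String env = System.getenv("BACKUP_PASSPHRASE");
        if (env == null || env.isEmpty()) {
            throw new IllegalStateException("BACKUP_PASSPHRASE not set");
        }
        char[] pass = env.toCharArray();
        byte[] in = Files.readAllBytes(Paths.get(args[1]));
        byte[] out = args[0].equals("enc") ? encrypt(in, pass) : decrypt(in, pass);
        Files.write(Paths.get(args[2]), out);
        Arrays.fill(pass, '\0'); // don't leave the passphrase lying around in the heap longer than needed
    }
}
```

    Run as java BackupCrypt enc photos.tar photos.tar.enc with BACKUP_PASSPHRASE set; dec reverses it. Decryption fails loudly on a wrong passphrase or any modified byte, which is the reason to use an authenticated mode rather than bare CBC: someone who can write to your backup disk must not be able to alter what you later restore without you noticing. The example reads the whole file into memory, so stream large archives in chunks instead, and prefer System.console().readPassword() over an environment variable, which is visible to anything else running as you.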

  • Singletons Cause Cancer

    It’s been said before. I’ll say it again. The singleton pattern sucks. From a pragmatic point of view, it has two primary drawbacks: reuse and testability.

    Reuse

    A public static getInstance() method is, by definition, statically bound at compile time. Since you can’t override static methods, reusing singleton code via inheritance means you’ll need to create a new getInstance2() method. No matter how creative you get with this method name, you have to accept that users of your code will periodically call the parent type’s public getInstance() method instead of your spiffy new getInstance2(). Working off an interface largely becomes a moot point, since the developer must know the exact type of singleton they want at compile time in order to invoke the correct getInstance() method.

    How do you configure a singleton without passing a parameter to getInstance(), which would not be consistent with the intentions of the pattern? Since the instance is constructed internally using a non-publicly-accessible constructor, there isn’t a convenient way of introducing configuration information before it’s created, unless the singleton is aware of a configuration source at compile time, which means yet more static binding. This makes the code very inflexible: developers intending to reuse it are at the mercy of your pre-chosen configuration mechanism, which may not be appropriate for their circumstances, or even for unit testing.

    Testability

    Unit tests generally require control over the lifecycle of the class under test to fully validate proper state transitions and contractual validity. Since you, the master of the known universe, are writing the software, you’ll certainly write negative scenarios into your unit tests to assert proper failure handling. If intentionally introducing a negative test leaves the singleton in an irrecoverable state, how do you throw it out and start the next case with a fresh one? You can’t. What if your test case is creating a tricky concurrency scenario emulating multiple systems within the sandbox of a single JVM? You can’t (trivially). What happens when you discover you need multiple instances of the singleton within your application? You can’t. Time to refactor.

    Additionally, unit testing of code that uses static singleton dependencies has a high potential for awkwardness due to the inability to swap out implementations for mock objects. Under the principle of designing for testability, quality and maintainability, hackishness is not a quality to aspire to.
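    To make the testability argument concrete, an added example (mine, not from the original post) in Java: an audit log reachable only through a static getInstance(), a payment service that depends on it, and the same service rewritten to receive an Audit interface so a test can hand it a recording fake, or a failing one for the negative case. All class names are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

/** Added example: the same dependency as a static singleton and as an injected interface. */
public class SingletonVsInjection {

    /** The contract production code should depend on. */
    public interface Audit {
        void record(String event);
    }

    /** Real implementation: appends one line per event to a file. */
    public static final class FileAudit implements Audit {
        private final String mDestination;

        public FileAudit(String destination) {
            mDestination = Objects.requireNonNull(destination);
        }

        public void record(String event) {
            try {
                Files.write(Paths.get(mDestination), (event + "\n").getBytes(StandardCharsets.UTF_8),
                        StandardOpenOption.CREATE, StandardOpenOption.APPEND);
            } catch (IOException e) {
                throw new IllegalStateException("audit write failed", e);
            }
        }
    }

    // The form the post argues against: one instance per JVM, configured at first use from a
    // source chosen here. Callers get no say, and tests get no override.
    public static final class AuditLog {
        private static AuditLog sInstance;
        private final Audit mSink;

        private AuditLog() {
            mSink = new FileAudit(System.getProperty("audit.dest", "/var/log/audit.log"));
        }

        public static synchronized AuditLog getInstance() {
            if (sInstance == null) {
                sInstance = new AuditLog();
            }
            return sInstance;
        }

        public void record(String event) {
            mSink.record(event);
        }
    }

    // Written against the singleton: every test writes to the real destination, and the first
    // getInstance() call in the JVM fixes that destination for every later test.
    public static final class PaymentServiceV1 {
        public long charge(String account, long cents) {
            AuditLog.getInstance().record("charge " + cents + " " + account);
            return cents;
        }
    }

    // Refactored: depend on the interface and receive the instance. Production still creates
    // exactly one FileAudit at startup; that is a wiring decision, not a property of the class.
    public static final class PaymentServiceV2 {
        private final Audit mAudit;

        public PaymentServiceV2(Audit audit) {
            mAudit = Objects.requireNonNull(audit);
        }

        public long charge(String account, long cents) {
            mAudit.record("charge " + cents + " " + account);
            return cents;
        }
    }

    /** Test double: constructed fresh per test case and inspected afterwards. */
    public static final class RecordingAudit implements Audit {
        public final List<String> events = new ArrayList<String>();

        public void record(String event) {
            events.add(event);
        }
    }

    /** Test double for the negative scenario: the audit sink is down. V1 has no way to get this in. */
    public static final class FailingAudit implements Audit {
        public void record(String event) {
            throw new IllegalStateException("audit sink unavailable");
        }
    }

    public static void main(String[] args) {
        RecordingAudit audit = new RecordingAudit();
        new PaymentServiceV2(audit).charge("acct-42", 1500);
        System.out.println("recorded: " + audit.events);

        try {
            new PaymentServiceV2(new FailingAudit()).charge("acct-42", 1500);
        } catch (IllegalStateException e) {
            System.out.println("charge refused when audit is unavailable: " + e.getMessage());
        }
    }
}
```

    PaymentServiceV1 cannot be tested without the real log destination, and nothing can make getInstance() hand back RecordingAudit or FailingAudit. PaymentServiceV2 gets a fresh double per test case, so proving that a charge is refused when auditing fails (the fail-closed behaviour you want from a security-relevant log) is just one more Audit implementation.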

    Conclusion

    Singletons can be hazardous to your health, seriously jeopardize your family’s safety, and have been classified as ‘terrorist patterns’ by the U.S. government. The fact that an application only needs one instance of something does not mean the object should be designed that way, and there aren’t very many scenarios where singletons are appropriate. Do as the Jedi do and use them with consideration and responsibility.

  • Back From Baja

    We’ve just returned from our getaway to Baja and California. Brief, self-explanatory electrocolorogram highlights here.

  • On Brooks

    I’ve written this same basic argument for small teams three or four times now, so to comply with the Don’t Repeat Yourself (DRY) principle I thought I’d post it. In short, this argument repeats Brooks’ Mythical Man-Month concept 🙂 , and asserts that you must restructure the communications dynamics of a team when it changes in size, regardless of whether or not your project is late.

    To paraphrase one of the points made in Frederick Brooks’ The Mythical Man-Month, complexity in a system scales with the number of interfaces. Applied to a team of N people treated as a communications system, the worst case is when everybody talks to everybody else. Each of the N people then has a channel to the other N-1, and because every channel is shared by the two people on its ends, the total number of channels is N(N-1)/2. So the problem with large horizontal teams is that as N increases, the communications overhead just to keep operating grows quadratically, with the square of the team size rather than in step with it.

    As a member of a 5 person team, keeping open, frequent communication with 4 others is no big deal. Even with 5(5-1)/2 = 10 different relationship combinations, all 5 people can keep current with the other 4.

    If this team grows to 15 people, however, communicating is not as simple. In the worst case, not only do you have to communicate with 14 other peers, there are now 15(15-1)/2 = 105 total relationships between people, each with their own dynamics and influences. The team is only 3x bigger, but now has 10.5x the number of interpersonal relationships. And the majority of the information going across those channels may be irrelevant to your job, but if it’s relevant to the team as a whole, you’ll be sucked into meetings and email threads spending time and mental cycles just on overhead of keeping the collective ship floating in the right direction.

    Now, this is all worst-case abstract theory, but does highlight the scaling problems of communication in teams of fluctuating size. As your team scales, you need to reevaluate communication culture to keep operating overhead low and excessive communication to a minimum.

  • Avoiding if(DEBUG_ON)

    Consider the following Java code..

    public class Counter {

    	private final static boolean DEBUG_ON = false;

    	protected int mCount = 0;

    	public int getCount() {
    		return mCount;
    	}

    	public void increment() {
    		if (DEBUG_ON) {
    			System.out.println("about to increment! count=" + getCount());
    		}
    		mCount++;
    	}
    }
    

    Some people use “debug” or “test” flags because they can provide a fast way of troubleshooting situations that would otherwise be inconvenient to debug. If increment() was recursive, for example, it may be convenient to simply keep an eye on stdout rather than set breakpoints and have to step through it. (Note: see an earlier post on conditional breakpoints to avoid this entirely.)

    While the extra DEBUG_ON code is fairly harmless (DEBUG_ON is a compile-time constant, so javac drops the dead branch entirely and there is no runtime cost), it’s nevertheless code that doesn’t belong in production: sooner or later somebody flips the flag or copies the pattern with a non-constant one, and even when it stays off it distracts the reader from the meaningful, real code you’re trying to express.

    An alternative solution? Simple. Subclass it. Try this instead..

    public class Counter {

    	protected int mCount = 0;

    	public int getCount() {
    		return mCount;
    	}

    	public void increment() {
    		mCount++;
    	}

    }

    public class TestCounter extends Counter {

    	@Override
    	public void increment() {
    		System.out.println("about to increment! count=" + getCount());
    		super.increment();
    	}
    }
    

    Now you can leave your print statements intact, and just use TestCounter as a drop-in replacement for Counter in your unit tests. Alternatively, you could use one of many design patterns to aggregate or compose the Counter rather than extend it, or use dynamic proxies or aspects if you’re looking to intercept calls that cut across many classes.
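    The dynamic-proxy route mentioned above, as an added example (mine, not from the original post): a single tracing wrapper that works for any interface, so Counter itself carries no debug code and the test decides where the trace goes. Counter as an interface, SimpleCounter and the traced() helper are my assumptions; the post’s Counter is a plain class.

```java
import java.io.PrintStream;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;

/** Added example: trace calls to any interface with a JDK dynamic proxy instead of a debug flag. */
public class TracingProxy {

    // Hypothetical: the post's Counter as an interface, so callers depend on the contract, not the class.
    public interface Counter {
        int getCount();
        void increment();
    }

    public static final class SimpleCounter implements Counter {
        private int mCount = 0;

        public int getCount() {
            return mCount;
        }

        public void increment() {
            mCount++;
        }
    }

    /**
     * Wraps any implementation of iface so every call made through the proxy is written to out
     * before it runs. The wrapped class stays free of debug code.
     */
    @SuppressWarnings("unchecked")
    public static <T> T traced(final T target, Class<T> iface, final PrintStream out) {
        InvocationHandler handler = new InvocationHandler() {
            public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
                out.println("about to call " + method.getName()
                        + (args == null ? "()" : Arrays.toString(args)));
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    // Unwrap so the caller sees the real exception, not the reflection wrapper.
                    throw e.getCause();
                }
            }
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, handler);
    }

    public static void main(String[] args) {
        Counter production = new SimpleCounter();                    // what the application uses
        Counter debug = traced(production, Counter.class, System.err); // what the test uses
        debug.increment();
        debug.increment();
        System.out.println("count=" + debug.getCount());
    }
}
```

    One caveat this shares with the subclassing approach: the proxy only sees calls made through the interface reference, so if increment() calls getCount() on itself internally, that inner call is not traced. The InvocationTargetException handling matters too; without it, an exception thrown by the real method reaches the caller wrapped in a reflection exception, which changes exactly the failure behaviour the test was trying to observe.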

  • Zen And The Art of Software Design

    Japanese Tea Garden
    As you sit on a bench with a hot cup of jasmine tea in the middle of the Japanese Tea Garden in San Francisco’s Golden Gate Park, you can’t help but be overwhelmed by the tranquil beauty of the garden that surrounds you from every direction. It’s a great way to spend an afternoon. I arrived at the garden expecting a wonderfully uncomplicated demonstration of Zen-like simplicity in design after seeing some very provocative pictures of Japanese Zen gardens online. In this respect, I left disappointed.

    The garden is brilliantly beautiful, but its beauty is achieved by bombardment with the exotic rather than by elegant simplicity. In the attached photo, for example, the frame almost bursts at the borders with colors and plants. Very pretty, but is all that really necessary? Does each plant in the photo really serve a purpose that would go unfulfilled in its absence? Would the garden be any less beautiful with half as many plants? The tree from the Six Feet Under opening sequence is plenty inspiring on its own, even though it’s the only thing in the frame.

    I liken the garden’s design to the conception of many software systems, particularly many F/OSS projects. Doing less, well, often seems to go undervalued in an attempt to appeal to a wider audience and satisfy all the I-would-use-it-only-ifs presented by the potential userbase. Take this screenshot from easytag, for example. Does this look easy to you? To me this looks like an ugly, unusable piece of shit. Granted, the software appears powerful in that it allows you to customize your process to a very fine level of detail, but wait.. isn’t this software supposed to be easy to use?

    To me this functionality is an example of the speculative generality code smell, combined with a very developer-oriented project culture that equates more features with better software. The vast majority of the important cases being catered for here could probably be handled without allowing for every permutation of tags that is mathematically possible (at least in the user interface).

    Less: It’s the new more.

  • E-Prime For Software Engineers

    I recently restarted reading Quantum Psychology by Robert Anton Wilson. (Not the easiest read. If you put it down for too long you may have to start over.) The most practical thing I’ve gotten from it thus far is the usefulness of E-Prime. You may already use it and not realize it.

    To attempt to summarize E-Prime with a single example, consider the following two statements..

    1. Alice’s code is broken.
    2. When I ran the unit tests this morning, all the code last checked in by Alice (according to the logs) failed to pass. Thus, I think her code is broken.

    While the first statement is concise, I’d much rather prefer the second because it conveys information about the observer in addition to the observation.

    • The means of measuring brokenness are specified (“the unit tests”). The reader otherwise does not know how the conclusion of brokenness is being determined. Without this information, how is Alice supposed to go about reproducing the issue?
    • A timeframe of failure is specified (“this morning”). Alice may have made the same observation and made fixes shortly after the unit tests were run. The code may have indeed been broken, but only appeared so at the time it was measured.
    • The observation is attributed to the observer (“[w]hen I ran”, “I think”), rather than claiming an intrinsic state of brokenness about the code.
    • The scope of the brokenness is described (“all the code last checked in by Alice”). All of Alice’s code probably isn’t broken.
    • It acknowledges that the observation is limited by the means of measurement (“Thus, I think..”). When judged by another means, the code may appear fine.

    In short, E-Prime acknowledges that our capabilities or understanding seem to be limited by our instruments of perception (be they eyes, ears, unit tests or ammeters). Take a looksy at some other examples.

  • Java Development w/The Eclipse IDE: Five Underused Features

    Conditional Breakpoints

    Have you ever wanted to suspend execution only under a certain circumstance while debugging, such as every hundredth loop iteration? You can. Set your breakpoint, right-click it, select “Properties”, check “Enable Condition” and enter a condition in normal Java code that will be evaluated every time the breakpoint is hit to determine whether or not to suspend the JVM.

    Remote Debugging

    Sometimes things work on everybody’s box.. except Bob’s. You’ve watched him produce the issue and have tried to reproduce it on your development machine, but it just ain’t happenin’ for anybody but him. It’s time for a remote debugging session. Start up the JVM on Bob’s box like so..

    java -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,suspend=n,server=y \
        -jar YourApplication.jar

    One warning before you do: JDWP has no authentication. Anyone who can reach that port can load classes and invoke methods inside Bob’s JVM, which amounts to remote code execution as Bob. On JDK 8 and earlier, address=8000 listens on every interface; JDK 9 and later default to loopback, and address=127.0.0.1:8000 makes that explicit. Keep the debug port on loopback and reach it through an SSH tunnel (or at the very least firewall it to your own address), and take the flags back out when the session is over.

    Within Eclipse IDE on your development machine, select Run -> Debug… and create a new “Remote Java Application” configuration. Select the project that contains the source code, enter the hostname (or IP address) of Bob’s box and the port his JVM is listening on (8000 in this case). Click the “Debug” button to close the dialog and your “Debug” view should now show a new session, connected to Bob’s JVM, with the threads of your application just as if you were debugging it locally. You can set breakpoints and use all the other features described in this article, or impress your mom by starting another instance of your application locally and stepping through both Bob’s and your own JVM instance simultaneously, side-by-side!

    Dynamic Variable & Code Replacement

    If you’re debugging a tricky piece of SQL in a servlet that isn’t working right, it’s tempting to abide by the typical write, compile, deploy, run, debug, repeat cycle every time you need to tweak the String. This is tedious and time consuming. Instead, set a breakpoint someplace after the String is defined but before it is used. When you hit it, right-click the variable in the “Variables” view and select “Change Value…”. You can figure it out from there. (Note: This doesn’t seem to work for “final” variables, and so-so with statically declared things.)

    If you modify and save a class while you have a debugging connection established, Eclipse will try its best to update the code on the remote JVM without having to restart it. This doesn’t always work (especially if there are stack frames using the changed code), but you’ll be notified if the remote JVM could not be updated. This is especially useful when testing a complex algorithm in a situation that is a pain in the arse to set up.

    Custom Code Templates

    Typing “fore” and invoking autocomplete in a block of Java code offers a “foreach” code template that you can fill in using the TAB key. These are customizable, and you can even add your own. For example, I prefix all generated local variable and Iterator declarations with the “final” keyword, and have added my own custom templates for inserting my most frequently used Java 5 annotations. Go to Window -> Preferences… -> Java -> Editor -> Templates and have some fun.

    Refactoring Actions

    All of the refactoring features of Eclipse IDE are worth learning. I can’t think of one that isn’t. Once you have a method defined and used, there isn’t much reason to manually modify the declaration. “Move”, “Change Method Signature…”, “Pull Up…”, “Push Down…” etc. give you the basic, commonly used tools, and actions such as “Extract Interface…”, “Use Supertype Where Possible…” etc. provide support for larger jobs. Understanding what all these do helps relieve some of the pain felt when refactoring heavily used, public APIs, and helps keep you focused on the bigger picture by taking care of the details.

  • If A Unit Test Fails In The Woods, Does It Make A Sound?

    No, it doesn’t. Unit tests that execute a large amount of code but fail to make assertions along the way give you a false sense of confidence in the code. They pass when they should fail. These problems, formally known as type II errors (false negatives), are a huge liability for a development team because the tests are believed to be verifying the intended behavior of the software, but are really doing nothing in a really lengthy way.

    For a new person maintaining the code under test, the problems worsen. The new maintainer will not understand what the code is supposed to be doing: what it’s currently written to do, or what is implied by the possibly out-dated and incomplete unit tests? Good luck finding API documentation if the unit tests suck, and have fun with those future API changes when you must attend to the “unit tests” that need to be updated so they can continue to add no value to the project, just as they were originally written. No thanks.

    Unit tests exist to prove that software is behaving as intended, not simply to “mock” user actions. This means being particular about the states of things during a process, and doing mean negative testing by passing nil into that function that clearly requires a non-nil value. The rule of thumb is this: if, for whatever reason, you cannot write, fix, or otherwise finish work for a correct and complete unit test, assert false. You have not proven the software works correctly, so it doesn’t work. Period.
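    An added example (mine, not from the original post) of the difference, using JUnit 4: a small Account class whose withdraw() guard is exactly the kind of check a silent test lets disappear, one test that executes everything and proves nothing, the same scenario with the state asserted at each step, two negative tests, and the rule of thumb applied to unfinished work. Account and the test names are hypothetical.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;

import org.junit.Test;

/** Added example: a test that makes no sound beside tests that do. Requires JUnit 4 on the classpath. */
public class AccountTest {

    /** Code under test: a balance that must never go negative and never accept a null memo. */
    public static final class Account {
        private long mCents;

        public long balance() {
            return mCents;
        }

        public void deposit(long cents, String memo) {
            if (memo == null) {
                throw new IllegalArgumentException("memo required");
            }
            if (cents <= 0) {
                throw new IllegalArgumentException("deposit must be positive");
            }
            mCents += cents;
        }

        public void withdraw(long cents) {
            if (cents <= 0 || cents > mCents) {
                throw new IllegalStateException("insufficient funds");
            }
            mCents -= cents;
        }
    }

    // The test that "makes no sound": plenty of code executed, nothing checked.
    // Delete the cents > mCents guard from withdraw() and this still passes.
    @Test
    public void silentWalkThrough() {
        Account a = new Account();
        a.deposit(1000, "pay");
        a.withdraw(300);
        a.withdraw(300);
    }

    // The same scenario with the state checked at every step.
    @Test
    public void depositsAndWithdrawalsChangeBalance() {
        Account a = new Account();
        assertEquals(0, a.balance());
        a.deposit(1000, "pay");
        assertEquals(1000, a.balance());
        a.withdraw(300);
        assertEquals(700, a.balance());
    }

    // Negative test: the contract says null is refused, so prove it.
    @Test(expected = IllegalArgumentException.class)
    public void nullMemoIsRejected() {
        new Account().deposit(100, null);
    }

    // Negative test that also checks the failed operation left the state intact.
    @Test
    public void overdraftIsRefusedAndBalanceUnchanged() {
        Account a = new Account();
        a.deposit(100, "pay");
        try {
            a.withdraw(500);
            fail("overdraft should have thrown");
        } catch (IllegalStateException expected) {
            assertEquals(100, a.balance());
        }
    }

    // Unfinished work, handled by the post's rule of thumb: a red test is honest, a green stub lies.
    @Test
    public void interestAccrual() {
        fail("interest accrual not yet specified; do not trust this until the assertions exist");
    }
}
```

    Remove the cents > mCents check from withdraw() and silentWalkThrough() stays green while overdraftIsRefusedAndBalanceUnchanged() fails, which is the sound a test is supposed to make. The last test is deliberately red so it keeps nagging until somebody writes the real assertions, rather than sitting green and counting as coverage.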