Structure and Interpretation of Computer Programmers

You keep using that word. I do not think it means what you think it means.

Posted on 2008-12-02 by Graham Lee

In doing a little audience research for my spot at MacDev 2009, I’ve discovered that the word “security” to many developers has a particular meaning. It seems to be consistent with “hacker-proof”, and as it could take most of my hour to set the record straight in a presentation context, here instead is my diatribe in written form. Also in condensed form; another benefit of the blog is that I tend to want to wrap things up quickly as the hour approaches midnight.

Security has a much wider scope than keeping bad people out. A system (any system, assume I’m talking software but I could equally be discussing a business process or a building or something) also needs to ensure that the “good” people can use it, and it might need to respond predictably, or to demonstrate or prove that the data are unchanged aside from the known actions of the users. These are all aspects of security that don’t fit the usual forbiddance definition.

You may have noticed that these aspects can come into conflict, too. Imagine that with a new version of OS X, your iMac no longer merely takes a username and password to log a user in, but instead requires that an Apple-approved security guard – who, BTW, you’re paying for – verifies your identity in an hour-long process before permitting you use of the computer. In the first, “hacker-proof” sense of security, this is a better system, right? We’ve now set a much higher bar for the bad guys to leap before they can use the computer, so it’s More Secure™. Although, actually, it’s likely that for most users this behaviour would just get on one’s wick really quickly as they discover that checking Twitter becomes a slow, boring and expensive process. So in fact by over-investing in one aspect of security (the access control, also sometimes known as identification and authorisation) my solution reduces the availability of the computer, and therefore the security is actually counter-productive. Whether it’s worse than nothing at all is debatable, but it’s certainly a suboptimal solution.

And I haven’t even begun to consider the extra vulnerabilities that are inherent in this new, ludicrous access control mechanism. It certainly looks to be more rigorous on the face of things, but exactly how does that guard identify the users? Can I impersonate the guard? Can I bribe her? If she’s asleep or I attack her, can I use the system anyway? Come to that, if she’s asleep then can the user gain access? Can I subvert the approval process at Apple to get my own agent employed as one of the guards? What looked to be a fairly simple case of a straw-man overzealous security solution actually turns out to be a nightmare of potential vulnerabilities and reduced effectiveness.

Now I’ve clearly shown that having a heavyweight identification and authorisation process with a manned guard post is useless overkill as far as security goes. This would seem like a convincing argument for removing the passport control booths at airports and replacing them with a simple and cheap username-and-password entry system, wouldn’t it? Wouldn’t it?

What I hope that short discussion shows is that there is no such thing as a “most secure” applications; there are applications which are “secure enough” for the context in which they are used, and there are those which are not. But the same solution presented in different environments or for different uses will push the various trade-offs in desirable or undesirable directions, so that a system or process which is considered “secure” in one context could be entirely ineffective or unusable in another.

Posted in conference, metadev, rant, security, usability | Leave a comment

Free apps with macdev ticket

Posted on 2008-12-02 by Graham Lee

The Mac Developer network currently have a Special Offer running until christmas eve, get a free copy of Changes and Code Collector Pro with your ticket. Both are useful apps for any developer’s arsenal.

Posted in conference, macdevnet | Leave a comment

Some bloody genius

Posted on 2008-11-23 by Graham Lee

Link to the image, because I know it’s too wide for the Blogger template to display properly.

Posted in itunes | 1 Comment

More on MacDev

Posted on 2008-11-04 by Graham Lee

Today is the day I start preparing my talk for MacDev 2009. Over the coming weeks I’ll likely write some full posts on the things I decide not to cover in the talk (it’s only an hour, after all), and perhaps some teasers on things I will be covering (though the latter are more likely to be tweeted).

I’m already getting excited about the conference, not only because it’ll be great to talk to so many fellow Mac developers but due to the wealth of other sessions which are going to be given. All of them look really interesting though I’m particularly looking forward to Bill Dudney’s Core Animation talk and Drew McCormack’s session on performance techniques. I’m also going to see if I can get the time to come early to the user interface pre-conference workshop run by Mike Lee; talking to everyone else at that workshop and learning from Mike should both be great ways to catch up on the latest thoughts on UI design.

By the way, if you’re planning on going to the conference (and you may have guessed that I recommend doing so), register early because the tickets are currently a ton cheaper. Can’t argue with that :-).

Posted in conference, macdevnet, metadev, security, Talk, usability | Leave a comment

I’m sorry, I haven’t a Clu

Posted on 2008-11-04 by Graham Lee

One of my many “repeat-until-funny” jokes, anyway here is what I have to say on Mr. Cluley’s blog regarding iPh0wn.

Posted in whatevs | Leave a comment

Solaris iPhone Edition

Posted on 2008-10-30 by Graham Lee

Apple’s one new feature in Snow Leopard is support for Exchange, which if not squarely an Enterprise lure is certainly bait for medium businesses. But here we hit Apple’s perennial problem; they want to sell more into businesses (because that’s where at least 2/3 of all PC money is to be made) but they want to design their systems for home users. When a system is designed to cover every possible potential use for a computer we end up with Windows, which is the kind of “few things to all people” solution that Apple are – rightly – keen to avoid. But as Tim Cook’s “state of the Mac” segment in the recent laptop event showed, one of Apple’s biggest growth areas is education which is organised along enterprisey lines.

Their solution thus far has been a partial one; we get Mac OS X which is basically a consumer OS, and then we get Mac OS X server which is the same OS with a few configuration changes and extra apps to support being used as a workgroup server. This is less distinct than the changes between Mac OS X and iPhone OS X, but the principle is the same; the same technology is used in different ways, so we get different interfaces to it. Note that these aren’t really very divergent products – a UNIX expert could set up an Open Directory Master on a standard Mac OS X box were they so inclined. We get the Mac Pro and the XServe as nods to the existence of more powerful hardware than the iMac. While Apple do have a network of business development managers, enterprise sales people, sales engineers and so on who can support larger customers, their capabilities and freedom are restricted by working on a consumer product in a consumer organisation.

Assuming that Apple aren’t going to retreat and consolidate all of their effort on the consumer/prosumer, the logical plan seems to be “the same only more so”; carry on the scheme of applying a common technology base to multiple markets, but with the product interfaces and configurations being specific to the role in which they’ll be used. Empower those enterprise sales, support and development teams to make the changes required in both the shared technology base and the domain-specific parts in order to advance their own cause. Allow them to do so in such a way that the consumer focus of the standard products is not diluted. To do all this, what Apple would need is to clearly delineate their Core OS, Consumer OS and Server OS engineering groups, while adding staff, expertise and intellectual property to their Server OS, Server Hardware and Enterprise Support groups.

The bit about “adding staff, expertise and intellectual property to their Server OS, Server Hardware and Enterprise Support groups” can be easily achieved by using the Blue Peter principle. Here’s one I prepared earlier. And no, I’m not going mad. Sun have plenty of experience in supporting larger customers and what marketing people like to call vertical markets, and have some good technology: hardware, operating systems software, enterprise services and applications. Their only problem is that they can’t make any money on it. On the other hand with Apple it seems that the money is there to be made, and the problem is stepping up to that plate without compromising the consumer products. Consolidating Mac OS X [+ Server] and Solaris 10 would not be trivial but is not beyond the realms of fantasy. NeXTSTEP ran on SPARC hardware, and as we know that Mac OS X runs on PPC, two different Intel architectures and ARM it’s likely that the effort to port Mac OS X to SPARC would not be great. But perhaps more useful in the short term is that OpenStep ran on Solaris before, and could do again. Even though Sun have switched Solaris to a SYSV-derived platform, due to Apple’s recent push for standardisation with Leopard the two OS are likely more source-code compatible than NeXTSTEP and SunOS 4 ever were. Getting Cocoa up on Solaris would mean that application portability (for the sorts of apps that server admins will want – including Apple’s own server admin tools, not for OmniDazzle) becomes viable while the combined company (Snapple?) concentrate on integrating the core tech. They could even get Jonathan Schwartz to do the coding.

Another factor in this proposition is that JAVA is cheap. Apple currently have about $20B in cash and Sun’s shares are worth $3.6B, but taking into account that Sun have lost 98% of their dot-com-boom value without slowing their R&D projects, the value for money when you want them for their tech, smarts and goodwill rather than their user base is astounding.

Oh, and speaking of JAVA, what about Java? Java currently represents Sun’s main income due to the licensing scheme, but Apple’s investment in the platform has declined over time from the Rhapsody days of “everything is Java”; currently the available Java on Mac OS X lags behind Sun’s version and isn’t ppc64 compatible. The WebObjects team (and hence the Apple store and iTunes) have a heavy Java investment, while other teams have dropped Java (Cocoa) and still others eschew it completely. The iPhone has a very busy developer ecosystem – and absolutely no Java. Where the hypothetical Snapple would leave Java is entirely open, but the option of packaging up the combined company’s Java assets and re-selling them would seem unnecessary, unless you thought that even $3.6B was too much to pay.

Posted in AAPL, Business, Java, msft, nextstep, openstep, solaris, sunw | Leave a comment

All you never wanted to know about temporary files and were too ambivalent to ask

Posted on 2008-10-19 by Graham Lee

In the beginning, there was mktemp. And it was good.

Actually, that’s a load of rubbish, it wasn’t good at all. By separating the “give me the name of a temporary file” and “open the file” stages, there’s a chance for an attacker to create the temporary file with the name you’ve chosen between the stages, or create a symlink with the same name.

Next there came mkstemp. And that was better. But not by much. mkstemp opens the file for you as well as choosing a name, so the file was guaranteed to not exist beofre you tried to use it, and will definitely have the ownership and permissions you want.

There is yet another step which the über-paranoid application could take in order to ensure that no other process can see its temporary files, and that is to unlink the file as soon as you get it back. Unfortunately there’s no “mkstempr” function (and it might get confused with the equally non-existent mkstemp_r), so this is still a two-stage operation. Unlinking a file which you have open removes it from the directory listing, but doesn’t change the fact that you have it open; it’s now exclusively yours.

Posted in security, UNIX | Leave a comment

It was asked for: the “features” post

Posted on 2008-10-15 by Graham Lee

Someone anonymous once said:
I’m intrigued by your feature comment. Please publish said blog post!
Where said comment was:
The fact that I have stopped using the word ‘feature’ in many contexts is an entire blog post and a few therapy sessions in itself.
So here, for your delectation, is that entire blog post.

When you’re trying to decide what software people want, and indeed how to tell them that they want whatever software they’re going to get instead, that’s marketing (mainly – it’s partly sales, and there’s yet another tangential post on why I occasionally deliberately conflate marketing and sales). Marketing works in terms of features, which for the purposes of marketing means “properties or qualities of the software which we think might make people interested in that software”.

When you’re trying to decide what software to build, or trying to build the software, more specific terms are used. Initially people split requirements into two distinct groups, functional (what the system is capable of) and non-functional (how the system goes about its capabilities), but a more precise organisation is often needed. For instance, a requirement of system security might result in both functional and non-functional aspects of the system being specified.

Of course, some or all of the capabilities are also features, in fact it’s generally true that the set of all features, the set of all known requirements and the set of things the customer wants are intersecting subsets of the set of all possible qualities of a software system. Companies without an intersection between any two of these sets tend to go out of business very quickly. But the sets rarely perfectly overlap.

For instance, it’s a feature of Windows 7 that it’s named differently from Windows Vista, because Microsoft’s marketing requires that customers believe that they’ve put Vista behind them. However, it’s also a feature of Windows 7 that it not be very distinct from Vista, because marketing require that application compatibility doesn’t get broken. Hence we have the interesting situation that Windows 7 is also Windows 6.1. And if Microsoft think they’re being innovative in that version numbering policy, they should try looking up the history of SunOS/Solaris version numbers. BTW, indeed I haven’t switched my SUNW tag to JAVA, because I already use the java tag to mean the Java language and the Java platform. Marketing people can be funny sometimes.

Another example, less confusing though more contradictory, is Apple’s Snow Leopard collateral. The fact that marketing are telling us there are no new features in Snow Leopard means that “no features” is something they believe we might want to buy, which in turn makes it a feature… confused?

So anyway, I try to avoid using the word “feature” when I’m talking about software, because I’m usually instead talking about a capability or property of a software system, and not about marketing that software system. For instance, in Properties about a year on I described properties as a capability of the Objective-C 2.0 language, which indeed they are. It happens that properties is also a feature of the language (don’t believe that programming languages have marketing departments? What else do Apple’s tech evangelists do, if it isn’t marketing?), but in the case of that post I was talking about what can be done with properties, how properties can be used, and not how they can switch developers to Leopard from Tiger or .NET.

And in other news, it seems that badly-parked tech company founder Mercs are back in fashion.

Posted in AAPL, Business, msft, rant, sunw | Leave a comment

The view(s) from the hotel

Posted on 2008-10-05 by Graham Lee

Which two buildings are across the street from my current location?

and

anyone might think it had been deliberately chosen for comedy purposes…

Posted in personal, pictures | Leave a comment

Properties about a year on

Posted on 2008-10-04 by Graham Lee

Leopard has now been out for nearly a year, which means that (publicly) we’ve had Objective-C 2.0 for the same amount of time. At the release many developers were champing at the bit to talk about the new language capabilities[], including properties. There were arguments on both sides of the divide, and even a little bit of discussion. But now that we’ve been using these things for a while, and because I’m ~~bored~~ ~~awake~~ ~~grouchy~~ ~~vocal~~ opinionated, let’s have a look back at what they’ve given us.

There is a broken abstraction in traditional Objective-C, which is the accessor-method-as-property-declaration. Essentially an object can give you two things; work (i.e. it can do stuff) and state information (i.e. it can say stuff about itself and let you change it). In traditional object-oriented languages, because ‘saying’ and ‘changing’ are verbs which can be ‘done’, the two have both been expressed using the same method (heh) as the expression of work. This is not the case in much object-oriented design, for instance in UML a class always has separate “attributes” and “operations”.

Properties fix up this abstraction by giving us orthogonal ways to express the two concepts. Work is done in methods; state is got/changed in properties. Now it may be that the state information is actually backed by a method (although it may bang on the ivar directly; more below), but we don’t need to know that any more than we need to know in the interface that a property is synthesized or dynamic. All we do need to know is that it is there for us to use, and has certain attributes such as being read-only.

The “on more below” bit is that discussions of KVC-like mechanisms – such as KVC :-) – often involve someone pointing out that they break encapsulation, because it’s possible to access an @private ivar with no accessors by retrieving it by key. That’s really thinking about the design of a class in terms of the way it’s executed rather than its interface contract with the developer, because the @private ought to tell the developer not to touch that particular ivar. Properties neither help nor hinder breakage from the execution side, but from the design side they do provide a stronger distinction between “properties I’m telling you about in the interface” and “things you shouldn’t touch”. Now we can all get back to using the class’s interface to observe how to use it, and that C struct bit at the top to observe how to extend it, as nature intended. It’s both a blessing and a curse that Objective-C allows things to appear in source files which don’t make it into the executable code, but that doesn’t stop such information being useful to the developer in the same way that code comments can be read but not executed.

One of the popular complaints about ObjC properties is the syntax for referring to them in methods (OK, or indeed in functions), where it is argued that myObject.someProperty = 4; doesn’t readily tell you whether myObject is an ObjC object, a C struct or a C union. That seems to be at worst a straw man argument to me, and at best a hypothetical issue; in well-designed software it will be rare to mix code at various levels of abstraction except in limited circumstances such as adapter classes. Besides, if the code has been written such that it can be inspected or reviewed (i.e. to some agreed style and standard) and the reviewer is paying attention then it will be easy to distinguish use of the various types. At some conceptual level the C . and Objective-C . operator are doing the same thing anyway; they’re both saying “this attribute of that thing”.

[]The fact that I have stopped using the word ‘feature’ in many contexts is an entire blog post and a few therapy sessions in itself.

Posted in cocoa, objc, ooa/d | 4 Comments