Version Control and Plumbing

Version control is essential for any software development (see #1 on the seminal Joel Test), but I can understand why those who come to coding from other fields may not understand how vital it is. I've worked with many brilliant people -- including scientists, engineers, and astronomers -- who started writing software not because they wanted to be professional developers, but because they had some tools on hand and a problem to solve. It reminds me of how I approach home repairs. The washing machine is broken? The dishwasher won't drain? I've got a toolbox, I'll take care of this! Sometimes this works. Other times, I call my neighbor and apologize for making a simple problem ten times worse with my amateur efforts while asking him to please fit me into his work schedule.

Why can my neighbor fix things around the house that regularly defeat me? He happens to be a professional plumber. He has a truck full of specialized tools and parts. But that's not why he succeeds where I fail. My neighbor could give me his entire stock of tools and parts, and I'd still end up swearing at some leaky faucet or stopped drain. No, the reason his jobs succeed where mine fail is that, unlike me, he knows what to do -- and what not to do -- with all of those tools and pipes and fittings. He knows the names of all the bits and pieces, knows what each of them is supposed to do, understands why they are one way instead of another.

Having the tools without the understanding will eventually lead to wasted time, effort, and money, in plumbing or software. (And in many other areas of life, come to think of it.) Sure, you can write software without version control; you might even be able to successfully collaborate with someone by copying files back and forth. But sooner or later, not following best practices will burn you. At best, you'll waste days chasing down some bug or issue introduced because your collaborator accidentally changed something you didn't catch; at worst, you may be forced to abandon the work entirely.

My neighbor has thousands of dollars in tools and inventory, and has spent years in training and apprenticeships before starting his own successful business. Thankfully, unlike plumbing, both the tools and the knowledge needed to build software are free and readily obtainable; they cost only time.

If you want to build software well, either for work or just as a hobby, you must understand version control. Git is one of the most widely used systems, and The Git Parable by Tom Preston-Werner is the best description I've yet seen of how -- and more importantly, why -- it works. I highly recommend it.

Gone Fishin'

I'd hoped to begin 2015 with a stack of writing and information ready to post. I had plans for articles on enterprise security, BYOD, how I've set up my Raspberry Pi as a headless file server, and recommendations for apps and workflow improvements. Instead, I've been dealing with a death in the family, multiple illnesses that my young children have brought home from school, harsh winter weather, and now a major house renovation.

But spring is here, bringing with it both brighter weather and better health. Of course, as I sat down to finally get back to doing some writing, I was reminded that security problems wait for no one, and warmer weather doesn't have any impact on IT headaches.

As an IT professional, I get a regular stream of friends, family, co-workers, and acquaintances all asking the same thing -- what computer should I buy? I go through the usual questions: what are you planning to do with the machine? Does portability matter to you? What about future upgrades? Do you need to run specific applications? Are you planning to use it for games? Do you have specific hardware you need to use? Until recently, the answers usually led to either a recommendation for some sort of Mac, or, for those who needed/wanted Windows or were on a more constrained budget, a Lenovo machine. Unfortunately, that has to change.

I've been a fan of the ThinkPad line for decades; I used one all through college, and supported them in multiple IT jobs after graduation. I like the design. I like how easy it is to pull the drives and shell swap -- important in an enterprise setting. I like how the cases have drains to minimize damage from liquid spills. I love the TrackPoint.

Unfortunately, after the Superfish fiasco, I can no longer recommend any products from Lenovo, even if the ThinkPad line itself is not impacted. Superfish did not merely inject ads: it installed its own root certificate, with the same private key on every affected machine, so anyone who extracted that key could impersonate any HTTPS site to those users. The way the company handled the disclosure was also lacking. Lenovo's CTO initially dismissed the very real security issue as nothing more than "theoretical concerns", and the company initially defended the SSL-breaking and ad-injecting software as something that would "help customers potentially discover interesting products while shopping". Margins for PC manufacturers are razor thin, but inclusion of undisclosed adware that also creates an enormous security hole is at best incompetent, and at worst outright malicious. (And to add insult to injury, Superfish apparently didn't even do much for Lenovo.)

You can test whether your machine has been compromised by Superfish at https://filippo.io/Badfish/; if you have it on your system, Lenovo has provided a Superfish removal tool on their Web site. Whatever you use, check afterwards that the Superfish root certificate is also gone from the Windows certificate store and from Firefox's separate store; uninstalling the application by itself did not remove it. The good news is that the technical part of the damage is simple to correct; the damage to Lenovo's reputation and user trust will be much more difficult.

findstring

I have this little library of scripts and configuration files for my Unix environment that I've carried with me across different systems, employers, and jobs. I've had versions of .bashrc, .vimrc, and various utility scripts for years; many have been with me since college. Some have been modified or replaced as my needs or the tools I use change, but they are always first things I copy over whenever I get a new login.

One of these essential tools is a simple bash script called "findstring"; it returns the names of any files in a selected path that contain a given search term. I originally used it when working on some cross-platform C++, using it to find out what files used a given function or where a certain class was defined. Use of the script is simple:

findstring search [path]

where "search" is the string you're looking for, and the (optional) path is where to begin the search; if not specified, it defaults to the current directory. The entire script is below -- let me know if it's useful to you, or if you have suggestions for improvement.

#!/bin/bash
# Usage: findstring search [path]
# Prints the names of files under path that contain the string "search"
# (case insensitive). If path is omitted, the current directory is used.

if [ $# -lt 1 ]; then
    echo "Usage: findstring search [path]" >&2
    exit 1
fi

# Quote "$2": with an unquoted, empty $2 the test collapses to "[ -z ]",
# which is always true, and a path containing spaces would split into
# several words.
if [ -z "$2" ]
then
    searchPath="."
else
    searchPath="$2"
fi

# -l prints only the file name; "--" keeps a search term that begins with
# "-" from being parsed as a grep option. "{} +" hands find's results to
# grep in batches instead of forking one grep per file.
find "$searchPath" -type f -exec grep -i -l -- "$1" '{}' +

Autocorrect in OS X Mavericks

My wife finally replaced her aging MacBook Pro a few weeks ago, and has been making the shift from using Snow Leopard (10.6) to the most recent version of OS X, Mavericks (10.9). One feature that she's been getting used to is autocorrection -- the way OS X will attempt to fix spelling mistakes and typos as you enter text. I find the feature quite useful, but Hanna hates it.

If, like her, you want to turn off autocorrect in Mavericks, you can do so by:

  1. Open System Preferences, and click on the "Keyboard" icon.
  2. On the Text tab, uncheck "Correct spelling automatically".

Note that some programs such as Microsoft Office and Mozilla Firefox don't use the system-wide text entry, and you may have to change spelling and grammar settings for those applications individually.

TLS, SSL flaw in iOS, OS X

From Ars Technica:

For the time being, people using Macs should avoid using public networks, a step that can thwart many criminal eavesdroppers but will do little to prevent surveillance by the National Security Agency and other state-sponsored spies. Because the Google Chrome and Mozilla Firefox browsers appear to be unaffected by the flaw, people should also consider using those browsers when possible, although they shouldn't be considered a panacea.

The flaw, according to researchers, causes most iOS and Mac applications to skip a crucial verification check that's supposed to happen when many transport layer security (TLS) and secure sockets layer (SSL) connections are being negotiated. Specifically, affected apps fail to check that the ephemeral public key presented by servers offering Diffie Hellman-supported encryption is actually signed by the site's private key. Attackers with the ability to monitor the connection between the end-user and the server can exploit this failure to completely decrypt and manipulate the traffic by presenting the app with a counterfeit key.

An attacker "can basically set up a connection and pretend to be Google.com," Matt Green, a Johns Hopkins University professor specializing in encryption, told Ars. The attacker "can basically say: 'Hey I'm Google, here's my signature. And since nobody is actually going to check the signature, [the attacker] just puts nonsense in there."

Keep an eye out for updates to OS X, and patch your iOS devices as soon as possible.
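
The skipped check the Ars piece describes is the SecureTransport bug that became widely known as "goto fail" (CVE-2014-1266): a duplicated, unconditional goto in the function that verifies the signed ServerKeyExchange. The program below is an added example, written for this page; it is not Apple's code and not code from the original post. It reconstructs only the control-flow shape of the flaw: a toy hash and a toy signature check stand in for SHA-1 and the real public-key verify, the error codes are the example's own, the sample handshake bytes are constructed, and the "signature" scheme has no cryptographic meaning.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes in SecureTransport's naming style; the values are this example's own. */
enum { errSecSuccess = 0, errSecBadSignature = -1, errSecHashFailure = -2 };

/* Tiny FNV-style mixer standing in for the real SHA-1 update call. */
static int toy_hash_update(uint32_t *h, const uint8_t *data, size_t len)
{
    if (data == NULL && len > 0)
        return errSecHashFailure;
    for (size_t i = 0; i < len; i++)
        *h = (*h ^ data[i]) * 16777619u;
    return errSecSuccess;
}

/* Stand-in for the raw public-key verify: the "signature" is accepted when it
 * equals the digest mixed with the peer's key tag. No real cryptography here;
 * only the control flow around this call matters for the bug. */
static int toy_raw_verify(uint32_t peer_key, uint32_t digest, uint32_t signature)
{
    return signature == (digest ^ peer_key) ? errSecSuccess : errSecBadSignature;
}

/* Toy signer, used only to produce a genuine signature for the demonstration. */
static uint32_t toy_sign(uint32_t peer_key, const uint8_t *cr, size_t cr_len,
                         const uint8_t *sr, size_t sr_len,
                         const uint8_t *params, size_t sp_len)
{
    uint32_t h = 2166136261u;
    toy_hash_update(&h, cr, cr_len);
    toy_hash_update(&h, sr, sr_len);
    toy_hash_update(&h, params, sp_len);
    return h ^ peer_key;
}

/* Shape of the vulnerable function: one duplicated, unconditional "goto fail;".
 * Returns errSecSuccess for ANY signature as long as the hashing steps succeed. */
int verify_server_key_exchange_buggy(uint32_t peer_key,
                                     const uint8_t *client_random, size_t cr_len,
                                     const uint8_t *server_random, size_t sr_len,
                                     const uint8_t *signed_params, size_t sp_len,
                                     uint32_t signature)
{
    int err;
    uint32_t h = 2166136261u;

    if ((err = toy_hash_update(&h, client_random, cr_len)) != 0)
        goto fail;
    if ((err = toy_hash_update(&h, server_random, sr_len)) != 0)
        goto fail;
    if ((err = toy_hash_update(&h, signed_params, sp_len)) != 0)
        goto fail;
        goto fail;  /* BUG: not governed by the if above, so always taken with err == 0 */
    err = toy_raw_verify(peer_key, h, signature);  /* dead code: never executed */

fail:
    return err;
}

/* Corrected version: braces make every goto conditional, so the only way to
 * reach "fail" with err == errSecSuccess is through a successful verify. */
int verify_server_key_exchange_fixed(uint32_t peer_key,
                                     const uint8_t *client_random, size_t cr_len,
                                     const uint8_t *server_random, size_t sr_len,
                                     const uint8_t *signed_params, size_t sp_len,
                                     uint32_t signature)
{
    int err;
    uint32_t h = 2166136261u;

    if ((err = toy_hash_update(&h, client_random, cr_len)) != 0) {
        goto fail;
    }
    if ((err = toy_hash_update(&h, server_random, sr_len)) != 0) {
        goto fail;
    }
    if ((err = toy_hash_update(&h, signed_params, sp_len)) != 0) {
        goto fail;
    }
    err = toy_raw_verify(peer_key, h, signature);

fail:
    return err;
}

/* Constructed sample handshake values for the demonstration (not captured traffic). */
static const uint32_t kPeerKey = 0x5EC0FFEEu;
static const uint8_t kClientRandom[4] = {0x11, 0x22, 0x33, 0x44};
static const uint8_t kServerRandom[4] = {0xAA, 0xBB, 0xCC, 0xDD};
static const uint8_t kSignedParams[6] = {0x03, 0x00, 0x17, 0x41, 0x04, 0x99};
#define DEMO_INPUT kClientRandom, sizeof kClientRandom, kServerRandom, \
                   sizeof kServerRandom, kSignedParams, sizeof kSignedParams

int demo_fixed_genuine(void)      /* errSecSuccess */
{ return verify_server_key_exchange_fixed(kPeerKey, DEMO_INPUT, toy_sign(kPeerKey, DEMO_INPUT)); }
int demo_fixed_forged(void)       /* errSecBadSignature: one flipped bit is rejected */
{ return verify_server_key_exchange_fixed(kPeerKey, DEMO_INPUT, toy_sign(kPeerKey, DEMO_INPUT) ^ 1u); }
int demo_buggy_forged(void)       /* errSecSuccess: the same forgery is accepted */
{ return verify_server_key_exchange_buggy(kPeerKey, DEMO_INPUT, toy_sign(kPeerKey, DEMO_INPUT) ^ 1u); }
int demo_buggy_hash_failure(void) /* errSecHashFailure: the error paths themselves still work */
{ return verify_server_key_exchange_buggy(kPeerKey, NULL, 4, kServerRandom, 4, kSignedParams, 6, 0u); }

int main(void)
{
    printf("fixed, genuine signature : %d\n", demo_fixed_genuine());
    printf("fixed, forged signature  : %d\n", demo_fixed_forged());
    printf("buggy, forged signature  : %d\n", demo_buggy_forged());
    printf("buggy, hash failure      : %d\n", demo_buggy_hash_failure());
    return 0;
}
```

Note that every error path in the buggy version still behaves correctly, which is why the bug survived ordinary testing: only the success path is wrong, and it is wrong for every signature. The verify call left dangling after the second goto is the kind of unreachable code that a compiler warning such as clang's -Wunreachable-code, or a test that deliberately presents a bad signature, would have caught.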

The Day We Fight Back

Since Edward Snowden revealed to the world the breadth and depth of the NSA's surveillance, much has been written. The EFF, Bruce Schneier, Glenn Greenwald, and Ars Technica have all covered this extensively, as have many others. Some of the best include (and this is by no means a complete list):

But just documenting the extent of the abuses and pointing out the many flaws and dangers contained in this type of mass surveillance isn't enough; we need to demand changes. To that end, I urge you to join The Day We Fight Back. Call your government representatives, and demand they hold the NSA accountable and exercise real, meaningful oversight.

https://thedaywefightback.org