So, Delft has a Fringe Festival

This weekend’s vacation achievement unlocked: we learned how to use the shower-sauna! Electric showers, with all their fancy buttons and symbols, are interesting, but the ones in this flat didn’t seem very useful at first. However, after a bit of study yesterday, we are happy to report that we figured out how to make the water hot, something one might expect to be somewhat self-explanatory (sadly, no), and how to make the jets of steam rising from the floor act like more than intermittent volcanic exhalations. We are rather proud of ourselves. Of course, we’re mainly showering with cold simply because it’s so incredibly warm here.

It’s been unbelievably balmy, and today it was nearly 80 degrees. It’s a little different to experience that kind of warmth in humidity, but the sea breezes kept coming, and there are plenty of trees in this green and pleasant land, so we were mostly fine. After the slightly terrifying day we had in Amsterdam – with several trains and miles of walking and seeing so much artwork and architecture and riding in a cyclecab through insane traffic, littered with bikes and cars and buses at rush hour on a Friday – today we kept it simple and tooled around Delft. We visited Nieuwe Kerk, Oude Kerk, and people-watched, enjoying the vibrant outdoor weekend life of this busy little town.

Netherlands 2018 275

Delft’s “Marktplaats” is in the center of its medieval downtown, loosely bracketed by the oldest church in the town, on one end the “new” church, and opposite that their city hall. The market square hosts two weekly markets, the first on Thursday, with a huge flower market, the second on Saturday, with a vast antique/flea market. At both, fruit, veg, candy, clothes, household goods and sundries can be purchased. After a leisurely breakfast we began our day with Nieuwe Kerk.

Nieuwe Kerk has two viewing galleries open to the public (there are a few other doors which are locked, on the long climb up to the top). So, of course, despite the rather warm day, D. had to climb them. This resulted in some fabulous photos … but, as D. said when T. texted him to ask how it was going, “Terrifying. Coming down now.” The ledge is about 2 feet wide and the railing comes up to about 10 inches below D’s waist. Fiddling with multiple cameras (yes, multiple: a Canon 80D, a Canon M3, 4 lenses, plus the cell phone because it does panoramas so well), in the breeze, at the top of one of the tallest churches in The Netherlands is a bit fraught, particularly when there are other visitors who want to get past. Was it worth it, to get a picture of the flat we’re staying in? Perhaps. We’re staying in the pair of windows with the sheer curtains drawn, right in the middle of the photo below.

Netherlands 2018 343

There are apparently 377 stairs to get to the very top, with about half of those being as nice and spacious as those pictured below. The rest are narrower. Passing your fellow tourists going in either direction is also not something one wants to go through again.

Netherlands 2018 355

The view is, of course, wonderful. Here’s the town hall, just across the town square from Nieuwe Kerk.

Netherlands 2018 340

And, after visiting Nieuwe Kerk, we went to visit Oude Kerk. Thankfully, there doesn’t seem to be a publicly accessible gallery, so D. had to be content with photographing other things.

Netherlands 2018 339

Tomorrow may involve riding a canal boat, going to several museums, and hopefully a return to the fabulous Stadsbakkerij de Diamanten Ring for more tasty treats (and, perhaps, to contemplate the mural telling us that William of Orange’s assassin slept here the night before he shot William). We shall see.

Netherlands 2018 360

Our friend L leaves the day after tomorrow and our friend Thing-1 shows up that evening. We shall endeavor to take plenty of photos, of course (we’re up to 449 photos and a half dozen or so videos, since arriving late Wednesday night … so, 3 days of being tourists). After Thing-1 leaves we’ll make a point to spend time away from Delft (Gemert, with friend S and Wannepeerven & Gierthoorn with D & fam) because the Delft Fringe Festival begins, and it’s already lively enough, being so close to the pedestrian center in the marktplaats!

-D & T

Market Day Is Wild, in Delft!

No lengthy post today, as we’ve been wandering and enjoying the (rainy) day, only making it back to the flat after 11 p.m. We must say, though: Delft market has ALL of the things! D. picked up 1kg of licorice – half of it salty, half sweet, all of it black. We picked up cheese. Oh, the cheese. We also had to visit the guy with the portable, gas-powered, player organ. Click through from the photo below to a video of said organ.

Delft 1

-D & T

The Joys of Arriving

In case you didn’t know, we’re off to The Netherlands for a vacation and to visit friends (some of whom live here, some of whom are visiting from Scotland). We are staying just off the main square in Delft, so we get to enjoy the tolling of the bell of Nieuwe Kerk at all hours of the evening (it’s just after 2 a.m. here and we’ve just heard it toll a single bong… and we heard it toll 12 bongs at 1:00 a.m…. so we’re not sure what’s up with it).

Netherlands 2018 18

We shall see how much we get up to tomorrow. It could be that we visit a few local museums and stay pretty close to the flat, as we’re sure we’ll need naps. All in all, though, travel this time wasn’t as bad as it could have been. We actually managed to get a few hours of napping in, and schlepping our luggage from plane to train to cobblestone streets wasn’t as awful as it could have been. It’s sunny (we don’t have enough hot-weather clothes, but there are stores) and humid.

We will be painting pottery at the Delft factory store, though. It may not be in the morning, but it’ll happen in the next couple of days, for certain.

-D & T

Little Bobby Tables

Every now and again I explain to people what “SQL Injection” is. I generally do this by writing a bit of an SQL string for them, using a string which can be manipulated (one which is vulnerable to this particular exploit, down at the database level of the application). And I then show them this XKCD comic:

So, for example, I’d define the following as an example of a vulnerable stored procedure (SQL Server T-SQL). It builds the INSERT as a string, pasting the caller’s value between two apostrophes, and then hands the finished text to exec:

create procedure SaveStudent
	@StudentName	nvarchar(256)
as

declare @sql nvarchar(max)

-- the defect: @StudentName becomes part of the statement text rather than a bound parameter
set @sql = 'insert into Students ( StudentName ) values ( '
set @sql = @sql + '''' + @StudentName + ''' )'
exec(@sql)

go

I would then put in the example name from the XKCD comic above to demonstrate just what ends up happening. Let’s say you were to call that stored procedure, passing in Little Bobby Tables’ name as the variable (the doubled apostrophe is simply how T-SQL writes one apostrophe inside a literal, so the value the procedure receives is Robert'); DROP TABLE Students;-- exactly as in the comic):

exec SaveStudent 'Robert''); DROP TABLE Students;--'

The stored procedure would then build, and execute as one batch, the following:

insert into Students ( StudentName ) values ( 'Robert'); DROP TABLE Students;--' )

So … why is this a problem? One salient point is that the apostrophe is the character SQL uses to enclose strings, and Bobby’s name contains one. That apostrophe closes the literal the procedure opened, the parenthesis closes the VALUES list, and the semicolon terminates the INSERT: so far a perfectly valid statement, and Robert is added to the table. What follows is a second valid statement, DROP TABLE Students;, and the double dash (SQL’s comment marker) hides the procedure’s own trailing apostrophe and parenthesis, so there is no syntax error and, quite possibly, no error of any kind: the batch runs cleanly, the table is gone, and the application may never notice. It all runs in the procedure’s privileged context, too (the procedure has been “blessed” by being deployed, so it is trusted to run), and the database has no way to tell which parts of the text the developer wrote and which parts Bobby did. That is the vulnerability in a sentence: data and code arrived in the same string.

All of this is the lead-up to the punchline, which is this company, apparently registered in the UK (or, something used for testing, I suspect, as this is the beta for UK Government’s Companies House): ; DROP TABLE "COMPANIES";-- LTD. This, passed into the above sample procedure, will yield the following SQL string:

insert into Students ( StudentName ) values ( '; DROP TABLE "COMPANIES";-- LTD' )

Now, this one is inert against the procedure above, and against any code that wraps the value in single quotes: the name contains no apostrophe, so it never escapes the literal, and the whole thing, semicolon, double dash and all, is stored as one odd-looking name. What it does carry is a pair of double quotes, and in databases that accept double-quoted string literals (MySQL and SQLite do) code that quotes values with double quotes instead will see its literal closed mid-name and throw a syntax error. Either way it makes a decent probe value: fed through a UI that is supposed to be parameterising or escaping its inputs, it should round-trip unchanged without complaint; fed to code that splices the text straight into a statement, it either stays put or fails loudly. I can see this value being used both to test the UI (put it in and see whether anything behind it complains) and to test the database code directly, for scenarios which do not use a user interface, such as loading in data from another application or a programmatic interface.

This technique is not just dangerous because it allows things to be broken; it is routinely used to exfiltrate data such as usernames and passwords, credit cards, or whatever other juicy details are in the database. If an adversary can work out which poor programming technique was used, and how errors are presented on the web page, then they can deliberately cause errors whose messages carry data that should remain secret, or they can simply replace the query that is supposed to do something legitimate (pull back a list of toasters, for example) with one that returns the sensitive data right onto the web page, typically by tacking a UNION SELECT onto the original query so the stolen rows come back in the toaster listing. Even a page that shows neither errors nor query results leaks, a bit at a time, if the attacker can make it respond differently (or more slowly) depending on a condition of their choosing.

In any event, once you understand this humor as a programmer, your programming fundamentally changes, as there are only a handful of bad programming techniques which allow for this kind of vulnerability (all of them variations on building SQL text out of untrusted strings instead of binding values as parameters), so you quickly eradicate those techniques from your practice (and hopefully go back and clean things up in older code). The fact that a huge number of websites are vulnerable to this tells you something (bad) about the competency of people who write and test code. I will not rant here about the many programmers who think about databases as being simply dumping grounds for data, rather than fully-functional programming environments.
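Two ways to write SaveStudent so that Bobby’s name is stored rather than executed, shown here as an added example (this is not code from the original post): a plain parameterised INSERT, which is all the original ever needed, and the sp_executesql pattern for the cases where dynamic SQL is genuinely required. Everything in it is assumed for the demo: a scratch SQL Server 2012+ database (THROW needs 2012 or later), the Students table definition, the second table name Alumni and the whitelist that checks it.

```sql
-- Added example: hardened versions of SaveStudent (assumed SQL Server 2012+
-- for THROW; table, procedure and whitelist names are made up for the demo).
create table Students
(
    StudentId   int identity(1,1) primary key,
    StudentName nvarchar(256) not null
);
go

-- Fix 1: there was never a reason for dynamic SQL here. With a plain INSERT
-- the engine compiles the statement once and treats @StudentName purely as
-- data, whatever characters it contains.
create procedure SaveStudent_Fixed
    @StudentName nvarchar(256)
as
    insert into Students ( StudentName ) values ( @StudentName );
go

-- Fix 2: when the statement text genuinely has to vary (here, an assumed
-- choice of target table), only the identifier is spliced in, after a
-- whitelist check and QUOTENAME; the value travels as an sp_executesql
-- parameter and is never part of the text.
create procedure SaveStudent_Dynamic
    @StudentName nvarchar(256),
    @TableName   sysname
as
    declare @sql nvarchar(max);

    if @TableName not in ( N'Students', N'Alumni' )   -- Alumni is hypothetical
        throw 50000, N'SaveStudent_Dynamic: unexpected table name', 1;

    set @sql = N'insert into ' + quotename(@TableName)
             + N' ( StudentName ) values ( @name );';

    exec sp_executesql @sql, N'@name nvarchar(256)', @name = @StudentName;
go

-- Bobby's name from the comic, plus the Companies House name, through both
-- procedures. Each is stored literally; Students is not dropped.
exec SaveStudent_Fixed   N'Robert''); DROP TABLE Students;--';
exec SaveStudent_Dynamic N'Robert''); DROP TABLE Students;--', N'Students';
exec SaveStudent_Fixed   N'; DROP TABLE "COMPANIES";-- LTD';

select StudentId, StudentName from Students;
```

Run the whole script in a scratch database. All three calls succeed, the final SELECT returns the three names exactly as typed, and Students is still there: to a bound parameter the apostrophe, parenthesis, semicolon and double dash are data, not syntax. Doubling apostrophes by hand would also defeat this particular payload, but binding is the fix, because it does not depend on remembering every character that is special in every context.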

-D

A little National Poetry Month

You, neighbor god, if sometimes in the night

You, neighbor god, if sometimes in the night
I rouse you with loud knocking, I do so
only because I seldom hear you breathe
and know: you are alone.
And should you need a drink, no one is there
to reach it to you, groping in the dark.
Always I hearken. Give but a small sign.
I am quite near.

Between us there is but a narrow wall,
and by sheer chance; for it would take
merely a call from your lips or from mine
to break it down,
and that without a sound.

The wall is builded of your images.

They stand before you hiding you like names.
And when the light within me blazes high
that in my inmost soul I know you by,
the radiance is squandered on their frames.

And then my senses, which too soon grow lame,
exiled from you, must go their homeless ways.

— Rainer Maria Rilke, Poems from the Book of Hours

Some Jobs are Better than Others

Every now and again I remember a horrible job I’m happy to have left. It’s far rarer that I reflect upon a job I’m happy to have turned down. Let’s do so now.

Hanford 1

The picture above was taken from a parking lot on the Hanford Nuclear Reservation. I was there to basically have a tour of the site, finish up the paperwork, and meet the programming team I was to lead. Some of the contract terms didn’t line up as promised, so I backed out. As news about Hanford has trickled out over the past year or so I’ve found myself very happy it fell through. This is particularly true reading this article about plutonium contamination drifting over the region.

“…site was ringed by 8-foot-tall piles of radioactive debris with little to prevent dust from blowing off.”

-D

Jazz Hands, Buttons & Irony

2013 Benicia 005

A chilly, damp, late winter morning, and already the doves are creating their mindless racket atop the neighbor’s house. The fake owls do absolutely nothing to convince the doves of their ferocity, so they’re nesting next to it. Doves in chorus sound a great deal like chickens volubly remarking upon the laying of an egg, so you know there’s all sorts of raucous nonsense going on. Whoever likened the cooing of doves to something pure and mild clearly never lived anywhere near them. Typical.

Fremont 98

Inasmuch as the time change has thrown us completely – when will someone take seriously the idea to do away with such indignities!! – it is, at least, a sign that this winter of diseases is crawling to a close. If you’ve been one of those who have ridden the coughing carousel, unable to dismount, you have our empathy. Fortunately, after the January/February illness phase, we’ve been healthier, if exhausted. Not so much from dreich, gray skies and the eternal fogbank in which our house sits, but because of … enforced levity. Who knew smiling could be so tiresome? Oh, yes – our comedy show is coming up this weekend, and in this household, we are heartily sick of a.) lines concluding with “fa-la-la-la,” b.) Gilbert and Sullivan, c.) songs ending with “jazz hands” d.) songs containing tubas, e.) kazoos. And did we mention fa-la-las?!

On one hand, we frequently remind ourselves that our director’s insistence that we MEMORIZE such gems is staving off the encroachments of Alzheimer’s. On the other hand, should one keep singing songs with fa-la-las, dementia is practically assured…

Pleasant Hill 170

All snark aside, T has had her six month meeting with her doctor regarding her autoimmune, and after numerous blood tests and kidney tests, appears to be as well as medical science can make her just now. Though the grinding grey exhaustion continues, and the medication only ameliorates some of the symptoms, because it is so toxic, we’ve decided to keep it at as minimal a dose as possible. This means that the excessive collagen buildups, which produce thick harpy fingernail/claws, continue – but the autoimmune continues to attack the nailbeds, soooo… the nails fall off. Neat, huh? The breakdown of skin also affects hair follicles, so while hair grows quickly, it also fills the brush and dusts the shoulders in a continual silent fall.

…one never imagines oneself as particularly vain until one is female and facing massive hair loss. And then, one discovers, oh, suddenly, painfully, that one is VERY VAIN INDEED.

Life is just full of opportunities to learn one’s limits, is it not? Wouldn’t it have been fun to learn about this limit, oh, never?! But, alas.

Button Clips 1

One of T’s more random hobbies has been to take interesting old buttons and, adding them to various clips or jump beads or other findings, make some sort of hair jewelry or brooch or whatnot. It’s something mentally freeing to do whilst listening to podcasts, and has been a convenient means of creating small, handmade gifts for small people… and herself. Knowing T’s predilection for hair jewelry, for her birthday this year, her parents presented her with, among other things, a lovely set of bejeweled combs from Macy’s… the day after she’d hacked five inches from her hair and given up on doing more than wearing a headband.

O. Henry’s “The Gift of the Magi,” came to mind, both awful and amusing at the same time. T. quietly rewrapped the combs and returned them, not having the heart to mention it to her parents.

Hair comes, and hair goes, and seasons, ever-changing. Fa-la-la-la.

Knowing When NOT to Work Hard

Last night I dreamed that I was called upon to give a lecture and I was unprepared. Apparently, though, I have some lectures that I give often enough that I’m able to pull one up on the fly, and my dreaming mind knows that I can always give the standard one I give to junior developers at some point: Be Intelligently Lazy.

Twenty-three years ago, I was working a full-time job doing data entry for a payroll processing company. This involved opening mailed-in timecards, “coding” them (sorting them into piles, basically), and entering their data into a Peoplesoft payroll system, with data entry done on Windows 3.1. After a couple months of doing this, I realized that I was typing the same thing over and over (each district manager had a markup rate, a name, a zip code, a phone number … and the fields probably went right in that order, actually), and it was incredibly boring and stupid, particularly when there was Windows Macro Recorder.

I set about assigning the 12 function keys to my 12 area managers’ information, typing in the information and tabbing through the entry fields as quickly as I could. When I was done and I’d written down which manager was on which key, I could type in the person’s name and their hours worked and then press F5, say, to key in the rest and press “submit” to send the timecard into the database.

My manager noticed this (well, I was probably excited and told her about it) and asked me to do the same thing for the other entry clerks in the group. A few days after completing that, the database administrator came to visit us, to ask what on earth we were doing, because the data used to trickle in all day long and now only came in before lunch (yes: I had cut the data entry time from 8 hours down to 3, for the entire group). When my manager told him what I had done, that was the end of my days as a data entry clerk: I was assigned to work in IT, working on macros in Excel or something.

So, yes: I became a programmer because I was intelligently lazy. That is part of what makes a good programmer: knowing when something can be automated. To be a truly effective programmer, though, takes a whole lot more experience in figuring out automation and figuring out when to automate and – more importantly – when not to automate. This is actually the real point of the lecture.

Your average junior to mid-level programmer will spend a ton of time automating things which could be done via brute-force. This is the classic trap of spending more time building automation than it would have taken to do it by hand. Building the skills to be able to estimate this takes a whole career, honestly. Knowing that you need to do this, though, is something that you can give to one another: simply print out the comic below and show people how to read it.

For example, I read this chart and know that every time I visit someone with multiple monitors, I need to tell them how to use the Windows+Shift+Arrow shortcut. Why? Because your average person with multiple monitors will generally spend about 5 seconds 1) restoring an application window, 2) dragging it over to the other monitor, 3) maximizing the window … and they’ll do that at least 5 times per day. When you read those values into the comic above (5/day on the top axis, 5 seconds on the left axis) you get 12 hours spent in that activity over 5 years. In other words: every person I teach this trick will save 12 hours of labor over 5 years. That starts to be some real savings for the whole company, it takes me nearly no time at all, and it makes people really happy to learn as well!

This can also be useful for deciding whether to do projects, and help in deciding the importance of those projects (for example, if one person in your organization spends a day a month doing something that could be automated, that’s 8 weeks of savings over 5 years if you can automate it). That’s a whole other discussion, though it’s the same skill: so, maybe learn that skill, because making those kinds of decisions is important in moving into decision-making roles.

The other thing I tell junior developers in this talk is usually to get over the idea that there’s a perfect tool for things; the perfect tool is the one that gets the job done, and it may be that it’s clunky and kludgy but that doesn’t matter. I give the example here of how I use Excel to load data (I use Excel formulas to build SQL strings), or how I use Excel formulas to write C# code (I wrote some VBA code behind Excel & wrote some SQL code to feed data into Excel, which I’ve used to generate literally hundreds of thousands of lines of repetitive C# code), or how I use Excel formulas to write repetitive HTML (like, oh, a bunch of emails with different names & hyperlinks to their downloads). Even more important is the example of figuring out when to brute-force something (“Only 200 photos to crop? We’ll just use a photo editor rather than programming it. 40,000 photos to crop? Let’s write some Python and use cv2 to find the faces for us, so we can crop automatically.”)

There are plenty of examples to give, and plenty of tools that I use on a regular basis… but it basically comes down to using the same old set of tools because I know how to use them and because I’m efficient in using them. Yes, it would likely be faster for me to learn how to use RegEx … that is, if I knew RegEx way better than I do, I could be even more efficient than I am in Excel … but we come back to that chart and decide that it wouldn’t save me more than it would cost me. Likewise, if it’s only a few things & they can be hammered out using something simple, just spend the 20 minutes doing that rather than wasting more than that on building a tool for it.

Applying this kind of thinking to your own coding practice and knowledge acquisition is when you reach mastery: when you can look at a tool or language, determine how long it would take to master, determine how much time it would save you in the tasks you regularly perform, and decide whether or not to invest in learning it. That calculation is something which truly proficient programmers make on an intuitive basis, and which contributes to them sticking to the same things that have worked previously. If you’re conscious and intentional about it, though, it will lead you to some better decisions than, “oh, this is showing up on Hacker News, I should learn it!” That’s not to say that you shouldn’t learn new things (I’m dabbling in Python and convolutional neural networks these days), but that you should be aware that there’s a trade-off and it’s perfectly logical to decide not to learn the cool new tool / language.

So. That’s my usual talk on how to be intelligently lazy.

-D