Is Security Research Always Useful?

Anyone involved in the computer industry likely spends some amount of time reading about the latest security issues in books such as Security for Web Developers. Administrators and developers probably spend more time than most, but no one can possibly read all the security research available today. There are so many researchers looking for so many bugs in so many places and in so many different ways that even someone with the time and inclination to read every security article produced couldn’t keep up. You’d need to be the speediest reader on the planet (and then some) to even think about scratching the surface. So you have to ask which of that research is actually useful and which exists mainly to get someone’s name on a piece of paper.

Some of the attacks require physical access to the system. In some cases, you must actually take the system apart to reach the components involved. Unless you or your organization is in the habit of letting perfect strangers handle your systems, let alone disassemble them, you have to wonder whether the issue is worth worrying about, and why someone would take the time to document an attack that’s nearly impossible to see, much less carry out, in a real-world environment. In most cases, the moment you see that an attack requires physical access to the device, you can stop reading. The exception is hardware that routinely leaves your control: laptops, phones, and devices installed in the field or in public spaces, where a stranger with a screwdriver is a realistic threat and the research does apply.

You also find attacks that require special equipment. The article “How encryption keys could be stolen by your lunch” discusses one such attack and even shows a picture of the equipment you would have to build. The researchers tucked it into a piece of pita bread, which adds a fanciful twist to something that is already odd and pretty much unworkable, given that you must be within 50 cm (19.6 in) of the target device, and that assumes perfect RF conditions. Interesting delivery mechanism aside, you have to ask why anyone would go to that trouble when social engineering and a wealth of other attacks require no special equipment, succeed far more often, and work from a much longer distance.

Another example of decidedly strange security research appears in the article “When the good guys are wielding the lasers.” I have to admit it’s interesting in a James Bond sort of way, but we’re talking about lasers mounted on drones. This attack at least has the advantage of distance (1 km, or 0.6 mi). However, you have to wonder how the laser got a line of sight to the target, a printer in this case. If a device is critical enough that someone isolates it from the Internet, it’s also quite likely that the device won’t be sitting in front of a window where someone can reach it with a laser.

A few research pieces are more reasonable in that they discuss outlandish hacks that could follow an initial break-in. The hack discussed in “Design flaw in Intel chips opens door to rootkits” is one of these. You can’t use it until you have broken into the system some other way, but once you have, the consequences are serious. Even so, most hackers won’t bother: by that point they already have everything they need, and for anything short of a long-term, hard-to-detect foothold the hack is overkill.

The articles that help most inject a shot of reality into the decidedly conspiracy-oriented world of security. For example, “Evil conspiracy? Nope, everyday cyber insecurity” discusses a series of events that everyone initially thought pointed to a major cyber attack. It turns out that the events occurred at the same time by coincidence. The author thoughtfully points out some of the reasons the conspiracy theories looked out of place from the outset anyway.

It also helps to know where security problems really come from. For example, the articles “In the security world, the good guys aren’t always good” and “5 reasons why newer hires are the company’s biggest data security risk” point out the sources you really do need to consider when creating a security plan. These are the sorts of articles that should attract your attention because they describe a security issue you really should think about. Likewise, reading articles such as “Software developers aren’t implementing encryption correctly” and “4 fatal problems with PKI” helps you understand why your security measures may not always work as well as anticipated.

The point is that a lot of the information out there doesn’t help you make your system any more secure. It may be interesting if you have the time to read it, but the tactics aren’t practical, and an attacker with a cheaper option will take the cheaper option. Critical thinking is your best asset when building your security knowledge. Let me know your take on security research at John@JohnMuellerBooks.com.

 

Source Code Placement

I always recommend that you download the source code for my books. The Verifying Your Hand Typed Code post discusses some of the issues that readers encounter when typing code by hand. However, I also understand that many people learn best when they type the code by hand, and that’s the point of getting my books—to learn something really interesting (see my principles for creating book source code in the Handling Source Code in Books post). Even if you do need to type the source code in order to learn, having the downloadable source code handy will help you locate errors in your code with greater ease. I won’t usually have time to debug your hand-typed code for you.

Depending on your platform, you might encounter a situation where the IDE chooses an unfortunate place to put the source code you want to save. For example, on a Windows system it might choose the C:\Program Files folder (or a subdirectory) to store the file. Windows protects that folder: a normal user account can read it but not write to it, so the IDE will stubbornly refuse to save the files there. Don’t work around this by running the IDE as administrator; that hands every bug in your code, and every extension the IDE loads, full control of the machine. Choose a folder you own instead. Likewise, some IDEs have a problem with folder names that contain spaces. For example, your C:\Users\<Your Name>\My Documents folder might seem like the perfect place to store your source code files, but the spaces in the path will cause problems for the IDE, and it will claim that it can’t find the file even if it manages to save the file successfully.

My recommendation for fixing these, and other source code placement problems, is to create a folder that you can access and have full rights to work with to store your source code. My books usually make a recommendation for the source code file path, but you can use any path you want. The point is to create a path that’s:

  • Easy to access
  • Allows full rights
  • Lacks spaces in any of the path name elements

As long as you follow these rules, you likely won’t experience problems with your choice of source code location. If you do experience source code placement problems when working with my books, please be sure to let me know at John@JohnMuellerBooks.com.
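The three rules above are easy to check mechanically, and the check worth automating is the one people usually guess at: whether you actually have write rights. The script below is an added example written for this post, not code from any of the books, and the candidate paths it reports on are made up. It probes writability by really creating a file rather than trusting permission bits, because on Windows os.access() ignores ACLs and would happily approve a folder such as C:\Program Files that the IDE cannot save into.

```python
import tempfile
from pathlib import Path


def path_problems(folder):
    """Return the reasons `folder` breaks the three placement rules (empty list = fine).

    Writability is probed by actually creating a file, because permission bits
    alone can mislead: on Windows, os.access() ignores ACLs, so it would approve
    C:\\Program Files even though a normal account cannot write there.
    """
    p = Path(folder).expanduser()
    problems = []

    # Easy to access: in practice, an absolute path the IDE can always resolve
    if not p.is_absolute():
        problems.append("path is relative; use an absolute path so the IDE can always find it")

    # No spaces in any element of the path
    for part in p.parts:
        if any(ch.isspace() for ch in part):
            problems.append("path element %r contains whitespace" % part)

    # Full rights, proven by a real write rather than a permission lookup
    if not p.exists():
        problems.append("folder does not exist yet; create it before pointing the IDE at it")
    elif not p.is_dir():
        problems.append("path exists but is not a directory")
    else:
        try:
            with tempfile.NamedTemporaryFile(dir=str(p), prefix=".write_probe_", delete=True):
                pass
        except OSError as exc:
            problems.append("cannot create files here (%s)" % (exc.strerror or exc))
    return problems


def scratch_folder():
    """Create a fresh, writable, space-free folder to show what a passing candidate looks like."""
    return tempfile.mkdtemp(prefix="src_")


if __name__ == "__main__":
    # Hypothetical candidates: a scratch folder that passes, a "My Documents"-style
    # path that fails on spaces, and a bare relative name
    good = scratch_folder()
    for candidate in (good, str(Path(good) / "My Documents"), "source"):
        print(candidate)
        for line in path_problems(candidate) or ["ok"]:
            print("  -", line)
```

Run it with the folder you intend to use; an empty report means the IDE has no excuse for refusing the save. The write probe is the only part that needs to touch the disk, and it removes its own file.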

 

Security = Scrutiny

There is a myth among administrators and developers that it’s possible to keep a machine free of viruses, adware, Trojans, and other forms of malware simply by disconnecting it from the Internet. I’m showing my age (yet again), but machines were being infected with all sorts of malware long before the Internet became any sort of connectivity solution for any system. At one time, floppy disks were the culprit, but all sorts of other avenues of attack present themselves. To dismiss things like malicious USB drives that take over systems, even systems not connected to the Internet, is akin to closing your eyes and hoping an opponent doesn’t choose to hit you while you’re not looking. After all, it wouldn’t be fair. But whoever said that life was fair, or that anyone involved in security plays by the rules? If you want to keep your systems free of malware, you need to stay alert and scrutinize them continually.

Let’s look at this issue another way. If you refused to do anything about the burglar rummaging around on the first floor while you listened in your bedroom on the second floor, the police would think you’re pretty odd. More importantly, you’d have a really hard time getting any sort of sympathy or empathy from them. After all, if you just let a burglar take your things while you blithely refuse to acknowledge the burglar’s presence, whose fault is that? (Getting bonked on the back of the head while you are looking is another story.) That’s why you need to monitor your systems, even if they aren’t connected to the Internet. Someone wants to ruin your day and they’re not playing around. Hackers are dead serious about grabbing every bit of usable data on your system and using it to make your life truly terrible. Your misery makes them sublimely happy. Really, take my word for it.

The reason I’m discussing this issue is that I’m still seeing stories like “Chinese hacker group among first to target networks isolated from Internet.” So, what about all those networks that were hacked before the Internet became a connectivity solution? Hackers have been taking networks down for a long time, and it doesn’t take an Internet connection to do it. The story is an interesting one because the technique used demonstrates that hackers don’t have to be particularly good at their profession to break into many networks. It’s also alarming because some of the networks targeted belonged to contractors for the US military.

There is no tool, software, connection method, or secret incantation that can protect your system from determined hackers. I’ve said this in everything I’ve written about security. Yes, you can use a number of tools to make it more difficult to get through and to dissuade someone who isn’t all that determined. Unfortunately, no matter how high you build the walls of your server fortress, the hacker can always go just a bit further to climb them. Headlines such as “Advanced Attackers go Undetected for a Median of 229 Days; Only One-Third of Organizations Identify Breaches on Their Own” tell me that most organizations could do more to scrutinize their networks. Everything I read from informed security sources says that you can’t trust anyone or anything when you’re responsible for security, yet organizations continue to ignore the burglar on the first floor.

There is the question of whether it’s possible to detect and handle every threat. The answer is that it isn’t. Truly gifted hackers will blindside you and cause terrifying damage to your systems every time. Monitoring can mitigate the damage and help you recover more quickly, and the fact is that it’s definitely possible to do better. Let me know your thoughts about security at John@JohnMuellerBooks.com.
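Scrutiny on an isolated machine has to come from the machine itself, since there is no network sensor to watch it. The simplest form is a file-integrity baseline: hash everything once, store the result somewhere the machine cannot overwrite, and diff against a fresh scan on a schedule. The script below is an added example written for this post, not code from the books or from any product; the file tree it builds and the USB-style tampering it simulates are constructed for illustration only.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(root):
    """Map every regular file under root (as a relative POSIX path) to its hash, size and mode."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # directories and symlinks carry no content to hash
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": file_digest(path),
            "size": st.st_size,
            "mode": st.st_mode,
        }
    return baseline


def save_baseline(baseline, out_file):
    # sort_keys gives a stable file, so the baseline itself can be diffed or signed
    with open(out_file, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(in_file):
    with open(in_file) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return (added, removed, changed) relative paths between two scans."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return added, removed, changed


def demo():
    """Build a constructed tree, baseline it, simulate a thumb-drive tamper, and diff.

    Everything here is made up for illustration; nothing touches a real system.
    """
    root = Path(tempfile.mkdtemp(prefix="airgap_"))
    (root / "bin").mkdir()
    (root / "docs").mkdir()
    (root / "bin" / "tool").write_bytes(b"\x7fELF original program bytes")
    (root / "docs" / "readme.txt").write_text("keep this machine offline\n")

    # In real use the baseline goes to read-only or off-host media, not the scanned disk
    baseline_file = root.parent / (root.name + ".baseline.json")
    save_baseline(take_baseline(root), baseline_file)

    # Later: someone with a thumb drive drops a launcher, patches the tool, deletes a note
    (root / "autorun.inf").write_text("[autorun]\nopen=tool.exe\n")
    with open(root / "bin" / "tool", "ab") as fh:
        fh.write(b" plus injected payload")
    (root / "docs" / "readme.txt").unlink()

    return compare(load_baseline(baseline_file), take_baseline(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
```

Two caveats a practitioner should keep in mind. First, an intruder with administrative rights can rewrite a baseline stored on the same disk, so keep the reference copy on read-only media or on a separate host and compare against that. Second, a rootkit that sits below the operating system, which is exactly what the Intel design flaw discussed above enables, can feed the scanner clean bytes, so a host-based check like this one is a floor for scrutiny, not a ceiling.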

 

Programming Your Way

I’ve been working with Python for a while now. In fact, I’ve worked on three books on the topic: Beginning Programming with Python For Dummies, Professional IronPython, and Python for Data Science for Dummies. Of the languages I’ve used, Python actually comes the closest to meeting most of the programming needs I have (and a lot of other developers agree). It’s not a perfect language—no language can quite fulfill that role because of all the complexities of creating applications and the needs developers have. However, if any language comes close, it’s Python.

There are a number of reasons why I believe Python is a great language, but the issue I’d like to discuss today is the fact that you can actually use four completely different programming styles with Python. Care to guess what they are? In order to find out for sure, you’ll need to read Embracing the Four Python Programming Styles. Before I encountered Python, I never dreamed that a language could be quite so flexible. In fact, the single word description of Python is flexible.

Realistically, every language has potential issues and Python has them as well. For example, Python can run slowly, so I probably wouldn’t choose it to perform low-level tasks on a specific system. It also lacks the User Interface (UI) functionality offered by other languages. Yes, there are a huge number of add-on libraries you can use, but nothing quite matches the drag-and-drop UI design tools provided by languages such as C#.

However, negative points aside, there aren’t any other languages that I know of that allow you so much flexibility in programming your way. You have four different styles to choose from. In fact, you can mix and match styles as needed within a single application. The ability to mix and match styles means that you can program in the way that feels most comfortable to you and that’s a huge advantage. Let me know what you think about Python’s ability to work with different programming styles at John@JohnMuellerBooks.com.
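To make the mix-and-match claim concrete, the example below solves one small security task, counting failed logins per source address in sshd-style log lines, four times over. This is an added example written for this post, not code from the New Relic article or the books; it assumes the four styles the article covers are imperative, functional, procedural and object-oriented, and the log lines are constructed, not taken from a real host. The last version deliberately reuses a helper from the procedural version, which is the mixing the post describes.

```python
import re
from collections import Counter

# Constructed sample lines in sshd's format (no real host behind them)
LOG_LINES = [
    "Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Accepted password for alice from 198.51.100.4 port 40022 ssh2",
    "Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "Failed password for bob from 198.51.100.9 port 40100 ssh2",
]
FAILED_RE = re.compile(r"Failed password for .*? from (\S+) port")


# 1. Imperative: spell out every step and mutate a dict as you go
def failed_logins_imperative(lines):
    counts = {}
    for line in lines:
        match = FAILED_RE.search(line)
        if match:
            ip = match.group(1)
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# 2. Functional: no mutable state, compose map/filter and a Counter
def failed_logins_functional(lines):
    matches = filter(None, map(FAILED_RE.search, lines))
    return dict(Counter(match.group(1) for match in matches))


# 3. Procedural: small reusable procedures with data passed in and out
def source_ip_of_failure(line):
    match = FAILED_RE.search(line)
    return match.group(1) if match else None


def tally(items):
    counts = {}
    for item in items:
        if item is not None:
            counts[item] = counts.get(item, 0) + 1
    return counts


def failed_logins_procedural(lines):
    return tally(source_ip_of_failure(line) for line in lines)


# 4. Object-oriented: state and behaviour together, so the tally survives across batches
class FailedLoginTracker:
    def __init__(self, threshold=2):
        self.counts = Counter()
        self.threshold = threshold

    def feed(self, lines):
        for line in lines:
            ip = source_ip_of_failure(line)  # mixing styles: reuse the procedural helper
            if ip:
                self.counts[ip] += 1
        return self

    def suspicious(self):
        """Addresses that have reached the failure threshold, sorted for stable output."""
        return sorted(ip for ip, n in self.counts.items() if n >= self.threshold)


if __name__ == "__main__":
    print(failed_logins_imperative(LOG_LINES))
    print(failed_logins_functional(LOG_LINES))
    print(failed_logins_procedural(LOG_LINES))
    print(FailedLoginTracker().feed(LOG_LINES).suspicious())
```

All three functions return the same dictionary, and the tracker is the version you would actually keep if the lines arrive in batches, since it can accumulate across calls. Which style reads best depends on the surrounding code, which is the point.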

 

Using My Coding Books Effectively

A lot of people ask me how to use my books to learn a coding technique quickly. I recently wrote two articles for New Relic that help explain the techniques for choosing a technical book and the best way to get precisely the book you want. These articles are important to you, the reader, because I want to be sure that you’ll always like the books you purchase, no matter who wrote them. More importantly, these articles help you get a good start with my coding books because you start with a book that contains something you really do need.

Of course, there is more to the process than simply getting the right book. When you already have some experience with the language and techniques for using it, you can simply look up the appropriate example in the book and use it as a learning aid. However, the vast majority of the people asking this question have absolutely no experience with the language or the techniques for using it. Some people have never written an application or worked with code at all. In this case, there really aren’t any shortcuts. Learning something really does mean spending the time to take the small steps required to obtain the skills required. Someday, there may be a technology that will simply pour the knowledge into your head, but that technology doesn’t exist today.

Even reading a book cover-to-cover won’t guarantee success. My own experience tells me that I need to use multiple strategies to ensure I actually understand a new programming technique, and I’ve been doing this for a long time (well over 30 years). Just reading my books won’t make you a coder; you must work harder than that. Here is a quick overview of some techniques that I use when I need to discover a new way of working with code or to learn an entirely new technology (the articles provide more detail):

  • Read the text carefully.
  • Work through the examples in the book.
  • Download the code examples and run them in the IDE.
  • Write the code examples by hand and execute them.
  • Work through the examples line-by-line using the debugger (see Debugging as An Educational Tool).
  • Talk to the author of the book about specific examples.
  • Modify the examples to obtain different effects or to expand them in specific ways.
  • Use the coding technique in an existing application.
  • Talk to other developers about the coding technique.
  • Research different versions of the coding technique online.
  • View a video of someone using the technique to perform specific tasks.

There are other methods you can use to work with my books, but this list represents the most common techniques I use. Yes, it’s a relatively long list, and they all require some amount of effort on my part to perform. It isn’t possible to learn a new technique without putting in the time required to learn it. In an age of instant gratification, knowledge still requires time to obtain. The wisdom to use the knowledge appropriately takes even longer. I truly wish there were an easier way to help you get the knowledge you need, but there simply isn’t.

Of course, I’m always here to help you with my books. When you have a book-specific question, I want to hear about it because I want you to have the best possible experience using my books. In addition, unless you tell me that something isn’t working for you, I’ll never know, and I won’t be able to discuss solutions for the issue in a blog post or an e-mail.

What methods do you use to make the knowledge you obtain from books work better? The question of how people learn takes up a considerable part of my time, so this is an important question for my future books and making them better. Let me know your thoughts about the question at John@JohnMuellerBooks.com. The same e-mail address also works for your book-specific questions.

 

Understanding the Continuing Need for C++

I maintain statistics on all my books, including C++ All-In-One for Dummies, 3rd Edition. These statistics are based on reader e-mail and other sources of input that I get. I even take the comments on Amazon.com into account. One of the most common C++ questions I get (not the most common, but it’s up there) is why someone would want to use the language in the first place. It’s true, C++ isn’t the language to use if you’re creating a database application. However, it is the language to use if you’re writing low-level code that has to run fast. C++ also sees use in a vast number of libraries because library code has to be fast. For example, check out the Python libraries at some point and you’ll find C++ staring back at you. In fact, part of the Python documentation discusses how to use C++ to create extensions.

I decided to look through some of my past notes to see if there was some succinct discussion of just why C++ is a useful language for the average developer to know. That’s when I ran across an InfoWorld article entitled, “Stroustrup: Why the 35-year-old C++ still dominates ‘real’ dev.” Given that the guy being interviewed is Bjarne Stroustrup, the inventor of C++, it’s a great source of information. The interview is revealing because it’s obvious that Bjarne is taking a measured view of C++ and not simply telling everyone to use it for every occasion (quite the contrary, in fact).

The bottom line in C++ development is speed. Along with speed, you also get flexibility and great access to the hardware. As with anything, you pay a price for getting these features. In the case of C++, you’ll experience increased development time, greater complexity, and more difficulty in locating bugs. Some people are taking a new route to C++ speed though and that’s to write their code in one language and move it to C++ from there. For example, some Python developers are now cross-compiling their code into C++ to gain a speed advantage. You can read about it in the InfoWorld article entitled, “Python-to-C++ compiler promises speedier execution.”

A lot of readers close a message to me by asking whether there is a single language they can learn to do everything well. Unfortunately, there isn’t any such language, and given the nature of computer languages, I doubt there ever will be. Every language has a niche for which it’s indispensable. The smart developer has a toolbox full of languages suited for every job the developer intends to tackle.

Do you find that you really don’t understand how the languages in my books can help you? Let me know your book-specific language questions at John@JohnMuellerBooks.com. It’s always my goal that you understand how the material you’ve learned while reading one of my books will eventually help you in the long run. After all, what’s the point of reading a book that doesn’t help you in some material way? Thanks, as always, for your staunch support of my writing efforts!

 

Central Clearing House for Book Contacts

A reader wrote to me the other day with an idea for creating a central place where any reader could contact any author with book-related questions. It would be a social media type idea along the lines of Facebook, Twitter, or LinkedIn, but with a book focus. The way this idea works is that a reader could leave a question on the central site and then the author would receive a notification through e-mail about the question. The question and its answer would remain public. That way, other readers with the same question would see the answer and not have to ask the author about it again.

This blog fulfills the reader’s idea to a certain extent. When I receive e-mails from readers, I determine whether the question has enough interest to affect a large number of readers. When the question is better answered publicly, I put an answer up here rather than answer it privately. Of course, there are times when a reader question needs and deserves a private answer. Using the blog approach does make it easier for me to handle some questions discreetly, but nothing would keep me from including an e-mail address for that purpose in the book. The problem with this blog is that readers need to know to look here for answers. Even though I publish the URL for this blog in all of my books, readers still manage to miss it somehow, and I get queries in e-mail about the availability of such a central knowledge store.

Wrox provides a centralized location for readers to exchange information of the sort the reader mentioned, but it’s not as well known as the social media sites, and I didn’t think to include the URL for it in my book (the publisher does include it as part of the Introduction). My experiences with Professional IronPython, Professional Windows 7 Development Guide, and C# Design and Development tell me that the concept is good, but reader participation is often poor. I actually get a lot more input on my blog.

I like the idea this reader has because it provides a social media type approach to a pressing need authors have to service reader requests for information. The problems are figuring out how to present the idea publicly, implement the idea in software, and then to make the site popular enough that it actually does what it’s supposed to do.

Of course, I’m always looking for input from you on making things work in a way that’s easy for you. What do you think about this concept? Is it possible to create such a site and have it become a success? Would you even frequent such a site? Let me know your thoughts on the matter at John@JohnMuellerBooks.com.

 

Where is Python 3?

A number of readers have been sending me e-mail about Beginning Programming with Python For Dummies and why I chose to use Python 3.3 instead of one of the Python 2.x versions. In general, I believe in using the most up-to-date version of a language product available because that’s the future of programming for that language. So, it wasn’t too surprising to me that I noted in a recent InfoWorld article that Fedora 22 will have Python 3 installed by default. I’ve started noticing that Python 3 will be the default with other products and in other environments too. Choosing Python 3.3 for this particular book looks like a really good choice because anyone reading it will be equipped to work with the latest version as it becomes adopted in a wider range of environments.

I do talk about standard Python in Professional IronPython. Of course, this book is targeted toward IronPython users, not Python users, but talking about standard Python and how you can use both libraries and utilities from it seemed like a good idea when I wrote the book. You need to remember that a solid version of Python 3 wasn’t available at the time I wrote this book and that Python 2 was really popular at the time. If there are readers of this book who would like me to create a series of posts that discuss using Python 3 libraries and tools with IronPython (assuming it’s possible), you need to let me know at John@JohnMuellerBooks.com. I try to accommodate reader needs whenever I can, as long as there is an interest in my doing so. At this point, I haven’t had a single reader request for such support, which is why I’m making a direct request for your input.

This leaves my current book project, Python for Data Science for Dummies. It turns out that the Data Science community is heavily involved with Python 2. My coauthor, Luca, and I have discussed the issue in depth and have decided to use Python 2 for this particular book. The limitation is that the libraries used for Data Science haven’t been moved to Python 3 completely, and most of the Data Science community still works in Python 2. If it later turns out that things change, I can certainly post some updates for the book here so that it remains as current as possible.

Python is an exception to the rule when it comes to languages. There are currently two viable versions of the language, so I can understand that some readers are completely confused. I encourage you to contact me with your thoughts, ideas, and concerns regarding the use of specific Python versions in my books. I want you to feel comfortable with the decisions that I made in putting the books together. More importantly, your input helps me decide on content for future books, articles, and blog posts. Unless I know what you need, it’s really hard to write good content, so please keep those e-mails coming!

 

Getting Python to Go Faster

No one likes a slow application. So, it doesn’t surprise me that readers of Professional IronPython and Beginning Programming with Python For Dummies have asked me to provide them with some tips for making their applications faster. I imagine that I’ll eventually start receiving the same request from Python for Data Science for Dummies readers as well. With this in mind, I’ve written an article for New Relic entitled “6 Python Performance Tips” that will help you create significantly faster applications.

Python is a great language because you can use it in so many ways to meet so many different needs. It runs well on most platforms. It wouldn’t surprise me to find that Python eventually replaces a lot of the other languages that are currently in use. The medical and scientific communities have certainly taken a strong notice of Python and now I’m using it to work through Data Science problems. In short, Python really is a cool language as long as you do the right things to make it fast.

Obviously, my article only has six top tips and you should expect to see some additional tips uploaded to my blog from time-to-time. I also want to hear about your tips. Make sure you write me about them at John@JohnMuellerBooks.com. Be sure to tell me which version of Python you’re using and the environment in which you’re using it when you write. Don’t limit your tips to those related to speed either. I really want to hear about your security and reliability tips too.

As with all my books, I provide great support for all of my Python books. I really do want you to have a great learning experience and that means having a great environment in which to learn. Please don’t write me about your personal coding project, but I definitely want to hear about any book-specific problems you have.

 

NumPy and SciPy Update

As books age, some of the resources used to create them get abandoned or simply don’t work right. Such is the case with Professional IronPython. There has been an ongoing conversation about NumPy and SciPy support for the product. In fact, you’ll find the first signs of trouble in my NumPy and SciPy Support in IronPython 2.7 post, followed by an update in NumPy and SciPy Support in IronPython 2.7 – An Update. At the time I uploaded those posts, Enthought was still engaged in producing a NumPy and SciPy library for IronPython. Recently, a reader notified me that the support is no longer available from Enthought—a problem that I’ve since verified.

Of course, my posts alerted you to issues with the Enthought library, and things have only gotten worse from what I understand. As a result, I can’t recommend that you download and try the Enthought library any longer, unless you’re running an older version of IronPython and just happen to find a compatible version. There is a version on the SciPy site. However, when you review the FAQ on that site, you see this information related to .NET installations:

Does NumPy/SciPy work with IronPython (.NET)?

Some users have reported success in using NumPy with Ironclad on 32-bit Windows. The current status of Ironclad support for SciPy is unknown, but there are several complicating factors (namely the Fortran compiler situation on Windows) that make it less feasible than NumPy.

So, the chances of the SciPy installation working are relatively small. There are some additional sites you could try, but given that I haven’t actually tried them myself, I can’t guarantee success. Please contact the site owners if you have questions about their software. With this caveat in mind, you can try these locations:

If someone has actually tried these extensions and used them successfully, I’d really like to hear from them. It would be nice to have a working solution for the book. In the meantime, there is a message thread at https://mail.python.org/pipermail/ironpython-users/2014-May/017067.html that could provide helpful information about the situation. Anyone with book-specific questions should feel free to contact me at John@JohnMuellerBooks.com.