Is Security Research Always Useful?

Anyone involved in the computer industry likely spends some amount of time reading about the latest security issues in books such as Security for Web Developers. Administrators and developers probably spend more time than many people, but no one can possibly read all the security research available today. There are so many researchers looking for so many bugs in so many places and in so many different ways that even if someone had the time and inclination to read every security article produced, it would be impossible. You’d need to be the speediest reader on the planet (and then some) to even think about scratching the surface. So, you must contemplate whether all that research is actually useful or simply a method for some people to get their name on a piece of paper.

Some of the attacks require physical access to the system. In some cases, you must actually take the system apart to access components in order to perform the security trick. Unless you or your organization is in the habit of allowing perfect strangers physical access to your systems, which might include taking them apart, you must wonder whether the security issue is even worth worrying about. You need to ask why someone would take the time to document a security issue that’s nearly impossible to see, much less perform in a real world environment. More importantly, the moment you see that a security issue requires physical access to the device, you can probably stop reading.

You also find attacks that require special equipment to perform. The article How encryption keys could be stolen by your lunch discusses one such attack. In fact, the article contains a picture of the special equipment that you must build to perpetrate the attack. It places said equipment into a piece of pita bread, which adds a fanciful twist to something that is already quite odd and pretty much unworkable given that you must be within 50 cm (19.6 in) of the device you want to attack (assuming that the RF transmission conditions are perfect). Except for the interesting attack vector (using a piece of pita bread), you really have to question why anyone would ever perpetrate this attack given that social engineering and a wealth of other attacks require no special equipment, are highly successful, and work from a much longer distance.

Another example of incredibly weird security research is found in the article, When the good guys are wielding the lasers. I have to admit it’s interesting in a James Bond sort of way, but we’re talking about lasers mounted on drones. This attack at least has the advantage of distance (1 km or 0.6 mi). However, you have to wonder just how the laser was able to get a line of sight with the attack object, a printer in this case. If a device is critical enough that someone separates it from the Internet, it’s also quite likely that the device won’t be sitting in front of a window where someone can use a laser to access it.

A few research pieces become more reasonable by discussing outlandish sorts of hacks that could potentially happen after an initial break-in. The hack discussed in Design flaw in Intel chips opens door to rootkits is one of these sorts of hacks. You can’t perpetrate the hack until after breaking into the system some other way, but the break-in has serious consequences once it occurs. Even so, most hackers won’t take the time because they already have everything needed—the hack is overkill.

The articles that help most provide a shot of reality into the decidedly conspiracy-oriented world of security. For example, Evil conspiracy? Nope, everyday cyber insecurity, discusses a series of events that everyone initially thought pointed to a major cyber attack. It turns out that the events occurred at the same time by coincidence. The article author thoughtfully points out some of the reasons that the conspiracy theories seemed a bit out of place at the outset anyway.

It also helps to know the true sources of potential security issues. For example, the articles In the security world, the good guys aren’t always good and 5 reasons why newer hires are the company’s biggest data security risk point out the sources you really do need to consider when creating a security plan. These are the sorts of articles that should attract your attention because they describe a security issue that you really should think about. Likewise, reading articles such as Software developers aren’t implementing encryption correctly and 4 fatal problems with PKI helps you understand why your security measures may not always work as well as anticipated.

The point is that you encounter a lot of information out there that doesn’t help you make your system any more secure. It may be interesting if you have the time to read it, but the tactics truly aren’t practical and no hacker is going to use them. Critical thinking skills are your best asset when building your security knowledge. Let me know about your take on security research at John@JohnMuellerBooks.com.

Web Security, A Lot More Complicated Than It Seems

I recently finished writing Security for Web Developers. During the months that I worked on the book, I became aware of a serious problem in the reporting, handling, and supposed fixes for the problem of web security—everyone seems intent on making things fast and easy. Depending on the source, you also see a fair amount of finger pointing at play. Sources put the blame on just one or two entities in most cases. Unfortunately, the picture is far more complex than simply applying a bandage to one or two potential security problem sources. I started understanding the problem when I wrote HTML5 Programming with JavaScript for Dummies and CSS3 for Dummies, but it wasn’t until I wrote this book that I began to understand the true enormity of the problem. It isn’t just one or two or three sources—it’s all the sources combined. In this latest book I explore a lot of different sources of security problems and provide advice on how to overcome these issues to some extent.

  • Users
  • Application Developers
  • Third Party Library, API, and Microservice Providers
  • Administrators and Other IT Staff
  • Product Distributors
  • Data Service Providers

Many other groups appear in the book as well. The more I dug, the more I found that just fixing one problem or educating one group wouldn’t solve anything. Hackers look for easy ways to gain access to applications and the current system provides them with plenty of opportunities. The current strategy of responding to just one potential threat will continue to fail simply because the hacker will move on to another threat. Unless an organization is willing to take a holistic approach to security, hackers will continue to enjoy overwhelming success without a whole lot of work. In writing Security for Web Developers, I attempted to provide a broader view of the security picture so that development teams that include all of the stakeholders involved in an application effort can finally work together to resolve the security issues in their individual areas of expertise (including users who are susceptible to too many kinds of attack to mention).

A reader recently asked me whether the strategies in my book will prevent attacks, which is a loaded question and one that is hard to answer. My view of security is that a determined hacker will always gain entrance to your system, so you must remain vigilant at all times. If someone wants your data, they’ll gain access, but if you’re equally vigilant, you can keep the damage to a minimum. For that matter, you might be able to prevent any real damage. However, you need to realize that no security measure you take is going to succeed all the time.

What my book does is help make your system less appealing. In other words, if a hacker is just looking for a system to invade and not specifically your system, then making your system less appealing will see the hacker move to other systems. Like anyone else, a hacker seeks to minimize effort and maximize gain. Making your system less appealing by employing a holistic security approach will increase the effort the hacker must employ and make it less likely that the hacker will continue probing.

Unless you really want to see your organization’s name join the victim list in the trade press, you really do need to employ security across an organization, which means vetting software fully, educating users, having appropriate policies in place, reviewing software before placing it in production, and so on. Using just one or two measures simply won’t work. Let me know if you have questions regarding my upcoming book at John@JohnMuellerBooks.com.

Getting Python to Go Faster

No one likes a slow application. So, it doesn’t surprise me that readers of Professional IronPython and Beginning Programming with Python For Dummies have asked me to provide them with some tips for making their applications faster. I imagine that I’ll eventually start receiving the same request from Python for Data Science for Dummies readers as well. With this in mind, I’ve written an article for New Relic entitled 6 Python Performance Tips that will help you create significantly faster applications.

Python is a great language because you can use it in so many ways to meet so many different needs. It runs well on most platforms. It wouldn’t surprise me to find that Python eventually replaces a lot of the other languages that are currently in use. The medical and scientific communities have certainly taken a strong notice of Python and now I’m using it to work through Data Science problems. In short, Python really is a cool language as long as you do the right things to make it fast.

Obviously, my article only has six top tips and you should expect to see some additional tips uploaded to my blog from time to time. I also want to hear about your tips. Make sure you write me about them at John@JohnMuellerBooks.com. Be sure to tell me which version of Python you’re using and the environment in which you’re using it when you write. Don’t limit your tips to those related to speed either. I really want to hear about your security and reliability tips too.

As with all my books, I provide great support for all of my Python books. I really do want you to have a great learning experience and that means having a great environment in which to learn. Please don’t write me about your personal coding project, but I definitely want to hear about any book-specific problems you have.

Scoring Your JavaScript Library

Choosing a library for your Web application can be difficult. Both HTML5 Programming with JavaScript for Dummies and CSS3 for Dummies emphasize the need to choose libraries with care. There are all sorts of considerations, such as whether the library enjoys popular support and has a good upgrade policy. You also need to know whether the library is secure and performs all the tasks you require of it in the manner you want them performed. These books do a great job of helping you understand the requirements for choosing a library.

At the time I wrote these books, jQuery was the most popular library available. In fact, both books emphasize use of jQuery for programming needs. It turns out that jQuery is still the most popular library around, and for good reason: the producers of jQuery have done just about everything right, so developers continue to support them. If you need general interface and low level programming support, jQuery and jQuery UI are good places to start. What it really comes down to is reducing costs and getting work done faster. Money drives everything on the Internet, including your next project.

Two libraries simply can’t meet every need. Developers often use a wide variety of libraries to get the job done. Choosing the right library can be difficult. There are literally hundreds of them, all purporting to do the job faster, better, and for less money (when money is directly involved in the equation). Choosing the wrong library can incur huge penalties. That’s why a site such as Libscore is so important. You can use Libscore to find the top:

  • JavaScript Library
  • Script
  • Site Using JavaScript

The last option is the most important because it tells you what the top sites are and which libraries they use to achieve their goals. By viewing the site and seeing how it uses a library, you can make intelligent decisions for your own site. Exploring Libscore doesn’t take long, but can net you huge gains in productivity that translate into reduced costs and fewer errors.

I receive more than a few e-mails each week about JavaScript, HTML5, and CSS3. Readers really do want to know my opinion about this library or that. Unfortunately, my ability to test every library out there is limited. In fact, let’s be practical—even if I were to attempt to perform the task full time, I still wouldn’t have time as an individual to test all the options. So, using a site such as Libscore is the best option that I can offer you. I’d love to hear your opinions about Libscore or any other site offering the same functionality at John@JohnMuellerBooks.com. If you send me information about another library scoring site, please make sure it actually works with JavaScript or another viable Web technology.

Python Used for Common User Interface Needs

My upcoming book, Beginning Programming with Python For Dummies, describes how to start working with Python. You discover how to perform all the basics and I even provide a few real world examples. However, once you’re done with the book, you might ask how Python can be used for real world programming of the sort that you need to do. One of the most common tasks is creating a user interface. Just about every application out there requires a user interface and it has become popular to make user interfaces touchable. Fortunately, Python developers have access to a huge number of libraries to make seemingly hard tasks simple. In fact, that’s one of the advantages of using Python—the immense number of really practical and useful libraries at your disposal. It’s possible to find a library for just about any need.

One of the more interesting libraries available for Python is Kivy. This library makes it possible to create multitouch applications without having to do all the heavy lifting yourself. The interesting thing about using Kivy for this task is that it helps you avoid some of the problems with other sorts of multitouch application environments, such as using a combination of HTML5, CSS3, and JavaScript (where a less than compatible browser can ruin your chances of making the application work properly). This is a native code library that works on the Linux, Windows, OS X, Android and iOS platforms, so you have a good chance of finding precisely the support you need in a package that will perform well on the chosen platforms. Like all Python applications, the application you create on the Mac will work just fine on Windows too.

Of course, there are tons of libraries for Python, so why did I choose to talk about this particular library? It turns out that Kivy is proactive about obtaining as much developer support as possible, to the point of running contests (yes, that’s more than one of them) to see what sorts of things people can do with Kivy. I’ll admit it, I was bedazzled looking at all the eye candy on this site. What I thought was a five minute scan of the example applications turned out to be more than an hour of perusing what’s possible with Kivy and Python. All you need to do to try one of the applications out is to click its link, download the code, and start running it. Nothing could be easier (or time consuming as it turns out). Soon, you’ll find your days consumed by checking out Kivy applications too.

Fortunately, Kivy is also free. All you need to do is download the copy for your platform and install it. So, you get this great library that you can use for your business applications and it doesn’t cost you a dime. What I’d most like to hear about is whether someone is using Kivy in a large scale business application and how it’s performing for them. Speed is always an issue with Python, despite all the other amazing features it provides, so finding libraries that use every bit of speed Python has to offer is essential.

I take a lot of time looking for various tools, libraries, applications, and other resources for readers to use with my books. I’m not looking for anything cheesy, crippled, or difficult to use—I want well written, popular, and preferably free resources I can share. If you have a resource that specifically meets the needs of my readers, please let me know about it at John@JohnMuellerBooks.com.

Examining the Calculator in Windows 7 (Part 2)

A while back, over two years ago in fact, I uploaded a post entitled, “Examining the Calculator in Windows 7.” Since that time, a number of people have asked about the other features that the new calculator includes. Yes, there are these rather significant problems that Microsoft has introduced, but there are some good things about the new calculator as well.

The good thing appears on the View menu. When you click this menu, you see options at the bottom of the list that provide access to the special features as shown here.

The View menu includes options for unit conversion, date conversion, and worksheets.
The Windows 7 Calculator View Menu

The Unit Conversion and Date Conversion options are the most useful. However, the worksheets can prove helpful when you need them. Of the new features, I personally use Unit Conversion the most and many people likely will. After all, it’s not often you need to figure out a new mortgage, vehicle lease amount, or the fuel economy of your vehicle (and if you do such work for a living, you’ll have something better than the Windows Calculator to use). To see what this option provides, click Unit Conversion. You see a new interface like the one shown here:

The Unit Conversion display makes it possible to convert from one unit of measure to another.
Calculator Unit Conversion Display

You start using this feature by selecting the type of unit you want to convert. As you can see from this list, the kinds of conversions you can perform are extensive:

Select a conversion type to determine what options are offered in the From and To fields.
The Calculator Supports a Healthy List of Conversion Types

The option you select determines the content of the From and To fields. For example, if you want to convert from kilometers to miles, you select the Length option. After you select the type of unit, type a value in the From field and select the From field unit of measure. Select the To field unit of measure last. Here is what happens when you convert 15 kilometers to miles:

The output shows that converting 15 kilometers to miles equals 9.32056788356001 miles.
Converting Kilometers to Miles

I’ve found use for most of the entries in the types list at one time or another. Every one of them works quite well and you’ll be happy they’re available when you need them. The Date Calculation option can be similarly useful if you work with dates relatively often, as I do. However, I can’t see many people needing to figure out the number of days between two dates on a regular basis. Even so, this feature is probably used more often than any of the worksheets.

The ability to perform conversions of various kinds and to access the worksheets that Windows 7 Calculator provides isn’t enough to change my opinion. The implementation of the Calculator is extremely flawed and I stick by my review in the first posting. However, you do have the right to know there are some positives, which is the point of this post. Let me know your thoughts about Calculator now that you have a better view of it at John@JohnMuellerBooks.com.

Review of Essential Algorithms

Working in computer science means knowing how to work with computer languages, but it also means knowing how to use math to obtain the results you want. Some math is relatively straightforward, but some becomes so complicated that you really do need some type of process or procedure for working with it. Essential Algorithms by Rod Stephens, “defines steps for performing a task in a certain way.” The first chapter begins by defining what an algorithm is and moves on from there to show you how they can help improve your ability to write complex applications.

The examples are written in a pseudocode that the author explains in Chapter 1. In fact, the explanation is accompanied by some examples of how to turn the pseudocode into an actual programming language. I’m almost positive some readers will take exception to the use of pseudocode because it doesn’t relate the example in their specific programming language, which would make implementation of the code as easy as possible for the reader. In this case, the use of pseudocode is impossible to avoid because the book would be far less useful without it.

This text could easily be used in a college. Each chapter ends with exercises that help the reader understand the concepts better (or at least determine whether any of the material actually sunk in). The answers to the examples appear in an appendix at the end of the book. However, in a college setting it might be possible to create a student version of the book without the appendix and a teacher version that includes the answers. The author also uses many of the same examples that I used when I was a student in college, but with an emphasis on diagrams to pictorially show how the examples work. The addition of graphics makes the examples considerably easier to understand.

The early chapters discuss specific kinds of algorithms that are used in every programming language that exists. For example, the author tackles the topic of randomizing data and ensuring that the randomizing process is fair. Of course, getting truly random data on a computer is impossible, but it’s possible to create random sequences of such complexity that the average human would never notice they aren’t random. This book discusses the topic at a length that I wish the text I had used in college would have provided.

Don’t get the idea that Essential Algorithms is light on the computer science aspects of using algorithms. For example, you’ll find coverage of all the basic structures used by most languages: linked lists, arrays, stacks, and queues. I could have wished for coverage of dequeues because many languages modify dequeues to create stacks and queues. Understanding how this essential structure works would have been great.

There are separate chapters for sorting and searching. These two tasks are performed so often by applications that an in depth knowledge really is a necessity for any computer scientist. All the common sorts are covered in sufficient detail that the reader should understand them with relative ease: insertion, selection, bubble, heap, quick, and merge. In addition, you find the counting and bucket sorts (two types of sorts that are completely missing from my college text—I took the time to check). The list of searches is likewise complete: linear, binary, and interpolation.

The opening chapters are finished with chapters on hash tables and recursion. I thought the chapter on hash tables was a bit light and their use as dictionaries in languages such as Python is only mentioned in passing. The chapter on recursion was far better done. I found the material on the various kinds of curves: Koch, Hilbert, and Sierpinski, exceptional.

The middle of the book (starting with Chapter 10) is taken up with trees, networks, and strings. There should be enough material here for anyone who really wants to learn the information. The author seems to hit his stride in these chapters—they’re both interesting and well written.

The end of the book starts with cryptography in Chapter 16. It’s the part of the book that just about anyone will find helpful and it’s also the part that separates this book from being a mere college text and more of a reference book. The chapter on complexity theory is exceptionally nice. Even if you’re already an expert in other areas of this book, it’s likely that you’ll find some new ideas in this part of the book—enough ideas to make it well worth the purchase price.

Overall, Essential Algorithms is the text I wish I had when studying the topic in college and it’ll make a fine addition to my bookshelf. I’ll likely use it as a reference book when trying to understand how various programming languages are implementing a practical need, such as determining how to work with structures such as stacks. I don’t delve deeply into security issues very often, but I’m sure that material will see use as well. There are some holes in the book, but I wouldn’t consider them deal killers and could provide great fodder for the author in the form of articles and blog posts. This is a great book and one that you need on your shelf.

What to Check When You Review My New Blog Setup

A number of people have written to ask specifically what to check when they look at the new blog setup. Here are the issues I’m most concerned about now as I get the configuration done:

  • Does the blog size well when you use your device? I’m especially concerned about how the blog looks in smartphones and tablets, but it has to look great on a PC too.
  • Is the text easy to read?
  • Does the blog size well when you make the text smaller or larger to meet your specific viewing needs?
  • Are the features working well? For example, when you perform a search or click on a tag to view related articles, are you seeing what you expected?
  • Do the colors work well for you? I’m especially interested in hearing about the highlighting on features like the calendar.
  • Are you seeing anything you didn’t think you’d see?

I’m also interested in your opinion about the new software. How does it improve on the experience you had with the old software? What do you miss about the old software? Does the blog seem to work faster or slower? Anything you can tell me about the content, appearance, or performance of the new software would be helpful. This is the best time for me to make required tweaks. Please be sure to contact me with your concerns at John@JohnMuellerBooks.com.

Blog Questions

A number of people have written with questions about the blog update. A lot of these questions will be answered later. Please keep the questions coming because they help me ensure that the new blog will meet your needs.

The one pressing question is about things people have noticed are missing. There are two items that won’t move to the new blog: subscriptions and comments. The comments are pretty much gone unless people want to make them all over again. However, the subscriptions will be easy enough to make again. I’ll post instructions for you after the blog is completely changed over. Please don’t create a new subscription until after I post instructions for you.

I’m adding the tags back in as I move the posts. That’s one of the reasons that the move is taking so long. The tags have to be added by hand (as do the graphics). As of today I’ve moved 293 posts, so there are only 376 more to go!

Thank you again for your patience. This move really shouldn’t have been so hard, but that’s how things go sometimes.

UPDATE 6/24

There are other problems that you’ll notice with the posts that I’ve moved. The most noticeable is that the source code in my posts isn’t moving correctly. Actually, it appears pretty much unusable. The information is there, but you’re going to have to look hard to use it. I’m looking into WordPress compatible source code add-ins to make the source code look nicer. If someone has experience in this area, please contact me at John@JohnMuellerBooks.com. I’d prefer to see an example of the add-in output if you have one to provide.

Another issue has been tables. I think that all of the tables are currently usable, but please let me know if you spot something that doesn’t look quite right and I’ll do my best to fix it.

Blog is Moving!

Hi Everyone,

Never in my life did I imagine that moving my blog to the new software would take so long or come with so many hurdles. However, the time has come to make the move. Please be patient over the next few days as I continue to move posts from one location to the other. Eventually, you’ll find the new software running on the current blog URL and will be able to access it just as you always have. In the meantime, if you truly can’t wait to play with the new software, you can check it out at: http://blog.johnmuellerbooks.com/.

So yes, to answer all your queries, I am aware that the old blog is going away because it’s finding a new home. Please hold your questions for now. The new site setup requires tweaking, but the information you find on it is content complete. After the move, I’ll be uploading posts asking for your input on the new setup. For now, please do test the new software with your cellphone, tablet, and PC. It should run well on any device you choose. The new software is also more accessible and should be considerably easier to read.

Thank you again for all your support. This blog wouldn’t exist without you!

John