A friend of mine recently told me about a conversation he had with a junior developer.

The developer was having trouble with a how a file was being read by Java. After being read by Java, the file was being parsed and used as in an HTTP post to  URL. My friend suggested he try changing the file encoding to see how it would be read.

The developer sent back his code and my friend struggled to find the changes. Finally he noticed that the developer had found a method named URLEncoder and tried to use that.

I shouldn’t need to tell you that this wasn’t the correct solution, but it highlights the need for curiosity in computer science. If  developer had a little curiosity to ask, “What’s file encoding?” Or to read the documentation for URLEncoder he would have quickly realized he wasn’t moving in the right direction.

Instead he decided to program by word association. Sometimes this strategy works, other times, it can land you in a lot of trouble.

As a programmer you should always be curious. You should always ask, “Does this actually work the way I think it does? Does it always do what I think it should do?” And always read any documentation you have available (It’s rare enough to find, you’ll eventually get excited when you do find it).

In summary, be this guy:

I heard a statement today that interested me greatly. I’ll quote it directly for accuracy:

“Our auditors accept screenshots for proof of our licensing use, but not spreadsheets because spreadsheets can be manipulated.”

Now that is an interesting proposal. Let’s examine it.

No security is 100%, it is only meant to raise the level of effort required to defeat above what an attacker is willing to contribute (I’m not going to discuss whether or not believable images can be created. If you’ve used the internet in the past decade, you already know that).

The assumption our un-named auditor is making is that editing an image and making it believable is too much effort for someone to put in. Perhaps they’re right. If an attacker’s options are to buy proprietary library for $50 a year or to spend time zooming in and out in photo shop, they might pay the money.

If their options are to spend a little time in photo shop instead of buying Microsoft Office for hundreds of dollars the attacker might be willing to put a little more time and effort into the project. Let’s not mention the fact that most Enterprise level software sells for thousands or tens of thousands per year. Suddenly the hourly rate might make it worth while.

My point is that the man in picture was never going to be eaten by a shark, there are no spider-mice, and auditors should be a little more careful.

And the water is all of the topics you’re expected to keep
track of and have ready on a moments notice when your boss or coworker asks you about them. There is no way you can actually keep track of all of these topics, some of them spill off and you need a refresher before you can talk about the intelligently.

Then, if you’re trying to learn, you’re brain does this.

Recently I encountered a file permissions issue. Long story short, I had a service that needed to run a .bat file, but because of a Windows quirk, it needed list access to the root of the drive the file was on. I called up my friends at our Information Security department and after getting transferred around a bit, I was informed that their policy was to not grant special access to the root of any
drive.

Rather, their preferred solution was to create a file share and grant the ID access to that, and then require the ID to reference the share through it’s UNC path name.

The computer scientist in me balked at the idea (thankfully I kept it all internal). “Are you kidding me? I’m not sure windows is smart enough to figure out the share is local, the service might wind up bouncing off of a switch or router somewhere to get to a drive on a machine it’s already on! Clearly this is not a good solution.” (It’s like typing “google” into Chrome’s awesome bar to pull up google.com and search for something).

I took some time to think about it and try to come up with a better solution (because there are better solutions out there) but then I stopped to think about it. This is a business, and the goal of every business is to make as much money as possible and spend as little as possible making it. Our information security department has a system they understand and are comfortable with and are providing a workable solution to allow my project to continue (round-a-bout as it may be). The argument, “We can’t do that! It’s….it’s…..bad!” Isn’t going to hold much water.

From a business perspective, there’s no noticable performance drain, no monetary reason not to use the solution that’s in place. It would also cost a significant number of hours to research a “better” solution and train the employees on how to implement and use it.

We computer scientists often think we are working on Platonic computer science. Computer science for computer science’s sake, make it as correct as possible just because it’s more correct. For better or worse, we don’t. We all want to get paid for what we do, and for that to happen, we need to be making the company money and not wasting more than we need to.

I’m not saying we’re going to stick with this solution, I discussed with my manager long enough to get some time to look into a more correct solution. But before you go after your business area for implementing a less correct or less technical solution, do some quick mental cost/benefit analysis of what you want to suggest and make sure it’s as good for the wallet as it is for correctness.