Wednesday, August 28, 2013

Spam has moved to copy/paste and URL hashes

One of my responsibilities is to create an email newsletter for some friends of mine. In order to do that I scour the Internet using Google Alerts, RSS feeds and other nefarious means like that. The job consists of opening each page, copy-pasting the URL and the title, then finding the most effective way to express the content of the page, which is often one of the first paragraphs. And what do I get when doing that? A sort of weird marketing spam that is as annoying as it is (in my view) pointless.

Here is what happens: first you go to a page using a normal URL, let's say you googled it. Once it loads you look at the address bar and see what is called a hash (the fragment after the # sign) added to the URL, probably used to tag your page view so that, if you paste that URL anywhere, the visits it brings can be attributed to you as the sharer. Example: NewScientist. Mouse over the link to see the actual URL, then click on it to see what actually happens. I have tracked this to the AddThis scripts, when configured with the parameter data_track_addressbar:true. So in case you wondered whether the site you are visiting chose to add that ugly hash there: yes, it did!

Another thing that happens: you select a paragraph of a page, you copy it, you paste it in your email, only to see stuff added to the text, like "See more - some URL". Check it out at Astro Bob's. Try copying something from the blog and pasting it into Notepad. The crappy string at the end is added by ShareThis, usually by its WordPress plugin, which hooks the browser's copy event and rewrites what goes into the clipboard. This time it was their fault, as they added that crap to the plugin. All Astro Bob has to do [hint! hint!] is disable the feature.

Now all that remains is to understand why. According to marketing reports, more than 80% of the information shared on the Net is shared via copy and paste. So they want people to be able to control what happens with the information they publish, and that is a reasonable goal, but this is not the solution. Instead, what users will do is either get annoyed with the spam they have to clear from URLs and pasted text or, and this should concern the site owners, not copy from them at all. And if you thought having your information disseminated on the Internet without your knowledge and/or consent was bad, wait until nobody cares about it at all.
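Since both tricks are plain client-side JavaScript, they can be undone with plain client-side JavaScript. What follows is an added example of mine, not code from the post and not AddThis or ShareThis code. It goes a little beyond the post: the reader side (clean a URL, clean pasted text, and a guard that keeps the copy hijack from running at all) plus, in comments, the site-owner switches. The hash shapes (#.Uxxxxxxxxxx from AddThis, #sthash.Xxxxxxxx.dpuf from ShareThis), the "See more at:" footer wording and the option names are assumptions from what these plugins emitted at the time; check them against a live page before relying on the patterns.

```javascript
// Added example (not from the original post, not AddThis/ShareThis code).
// Assumed, labelled: the fragment shapes, the footer wording and the
// vendor option names below are what I recall the plugins emitting
// around 2013; verify against a live page before relying on them.

// Share-tracking fragments to drop. Anything else after '#' (a real in-page
// anchor such as #comments) is left alone.
const TRACKING_HASH = /^#(\.[A-Za-z0-9_-]{10,}|sthash\.[A-Za-z0-9]+\.[a-z]+)$/;

// Return the URL without a share-tracking fragment; ordinary anchors survive.
function stripTrackingHash(url) {
  const i = url.indexOf('#');
  if (i === -1) return url;
  return TRACKING_HASH.test(url.slice(i)) ? url.slice(0, i) : url;
}

// Footer the copy hijack appends: "See more at: <url>" or "Read more: <url>",
// on its own line(s) at the very end of the pasted text.
const COPY_FOOTER = /(\s*\n)+\s*(see more at|read more)\s*:?\s*https?:\/\/\S+\s*$/i;

// Return pasted text with the injected footer removed.
function stripCopyFooter(text) {
  return text.replace(COPY_FOOTER, '');
}

// Browser side: keep the plugin's copy handler from ever running.
// A capture-phase listener on window fires before anything registered on
// document or body, and stopImmediatePropagation() halts the event there.
// The browser's default copy still happens because preventDefault() is
// never called, so what you selected is exactly what lands in the clipboard.
// For the address bar, put the clean URL back as soon as the hash shows up.
// `win` is passed in (instead of using the global) so it can be faked in tests.
function installReaderGuards(win) {
  win.addEventListener('copy', (e) => e.stopImmediatePropagation(), true);
  const fixUrl = () => {
    const loc = win.location;
    if (TRACKING_HASH.test(loc.hash)) {
      win.history.replaceState(null, '', loc.pathname + loc.search);
    }
  };
  win.addEventListener('hashchange', fixUrl);
  fixUrl();
}

// Site-owner side (assumed option names; check the vendor docs):
//   AddThis:   var addthis_config = { data_track_addressbar: false };
//   ShareThis: stLight.options({ publisher: '...', doNotHash: true,
//                                doNotCopy: true, hashAddressBar: false });

// Only wire the guards up when actually running in a browser.
if (typeof window !== 'undefined') installReaderGuards(window);
```

Dropping the guards into a user script (Greasemonkey and friends) gives you the same effect on every site; the two strip functions are for cleaning up a URL or a paragraph after the fact, for instance in a newsletter-building script.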

Sunday, August 25, 2013

Re-boot

I wrote a bunch of posts regarding my past employment, but said nothing about the new one. In fact, I was a bit superstitious, didn't want to jinx what was going to happen. Now it shall all be revealed! Well, long story short, I will be relocating to Italy (re-boot, get it?) and working at the European Commission's Joint Research Centre in Ispra. That's it, cheers!

Just kidding. How does one get to, first, have the opportunity in the first place and, second, actually decide to go? For the first point I would have to say pure blind luck. I happen to have a LinkedIn profile that shows a lot of experience in the field of Microsoft .NET, so they called me, since they needed someone like that, and I turned out not to be a complete wacko (only a partial one) at the interview. The second point is actually the most complicated. Most Romanian developers with my level of experience are rooted, so to speak. Married, many with children and obligations, relatives and social circles, they often find it too hard or completely impossible to relocate to another country. Luckily for me, I have no children, I don't have any social circles to talk about, I will probably talk to and visit my relatives just as much from Italy as from Bucharest and I have one of the most understanding wives one could want. She stays behind, at least temporarily, to mind the fort, continue her own career and take care of the dog, while I go on to the adventure of my lifetime.

I may be exaggerating, but I will check out several experiences that I have never had before:
  • living alone - I know it sounds strange, but in 36 years I have never lived alone. I was either living with my parents, with my business partner or with a girlfriend or wife
  • living in another country - I have worked in Italy before, a few disparate weeks, but never lived in another country for long enough to understand the local culture and experience the way locals see the world
  • living in a small town - Ispra is a 5000-people enclave, so it's not even a small town, more of a village
  • working for the European Commission or some other governmental organization like that - I am afraid of the bureaucracy, frankly, I hope there is some sort of separation between devs and that sort of thing
  • working with actual new technologies - I knew that some people inflate their resumes in order to get jobs they don't really deserve, but I never imagined that most companies would misrepresent themselves to appear more attractive as a workplace. I've heard a lot about the great new project I would be working on, only to be relegated to some legacy crap that no manager wants to rewrite even when it's bankrupting their company. Oh, I really hope the JRC people didn't bullshit me about an ASP.Net MVC 4.5 web site with Web APIs, AngularJS and Google Maps.
  • staying separated from my wife, but not being mad at each other - not that I have ever stayed separated from her while being angry, but still. Our relationship started as a long distance one, since we were living in different cities, and only after a year we moved in together. I am curious as to how this reversal will affect us. I believe it will strengthen our bond, but there are alternative scenarios.
  • working and living in a truly multicultural environment - the place will have Italian, French, German, Swiss, Romanian and who knows how many other types of people. I will have the opportunity to relearn all the European languages, express myself in them, learn about other cultures from the horse's mouth, so to speak.

All in all, this is the gist of it. You can see that I am excited enough (setting the stage for future disappointment). My plane leaves Bucharest next Friday, on the , while actual work begins on the . Hopefully this will generate a deluge of technical blog posts that will compensate for the drought of the last two years.

ASP.NET MVC 4 Recipes, by John Ciliberti

When I first opened ASP.NET MVC 4 Recipes, by John Ciliberti, I was amazed. It seemed to transcend the reference book and go into a sort of interactive path thing. You know interactive books, where you read the book and at certain points you get to choose what the characters do by going to read one page or another? This is what Recipes seemed to be. You get to a point where the author tells you which chapters to read and in which order, based on your role in the organization. That is and will remain a wonderful concept and I would like to see more books steal it for themselves. However, the actual content of the book did not feel as great as its presentation, I am afraid to say. This is not to say it is a bad book, only that I expected a lot more from it after reading its "mission statement". The book is Microsoft centric, obviously, but it says very clearly that it will solve problems with Microsoft products as a rule. For example it favours KnockoutJS as a JavaScript framework. But that's not really annoying.

I think what bothered me most was that the content was all over the place. There are chapters that deal with specific problems: the problem is described, then the solution is provided. Very nice. But then there are some problems that are vague and general with a very specific solution, lending a lot of lines to some issues and moving past others in a hurry. Of course, I would have liked all of the problems to have their own book and that was impossible, but the compromise here did not feel that great; I thought some of the problems were not really something someone would have more than once, and sometimes never, so using the book as a reference helps only so much. Some examples of problems to be solved: "You would like to begin working with ASP.NET MVC Framework, but you do not understand the MVC pattern and why it is beneficial." Why would you start reading an ASP.Net MVC book if you don't even understand the MVC pattern? You would google something first. Or: "You have started using the new .NET asynchronous programming pattern and love its relative simplicity compared to other programming models. However, you would like to have a better understanding of the code generated by the compiler so that you can improve the designs of your asynchronous methods." So you jump from not knowing what MVC is to wanting to read IL. Maybe I am just mean, but it soon turned into a very hard to read book, jumping from one issue to another like that, from level to level. Not to mention some "loaded" problems that have a description several lines long in the form of "you have found that your company strategy sucks, because of 1, 2 and 3, and you want 4, 5 and 6 because 7, 8 and 9". It doesn't sound like my problem at all :)

Bottom line: I have not started working with ASP.Net MVC yet, nor do I believe that my first job with it would be as an architect, so I will have an opinion on how it works in real life in a few months, probably. The book seems useful now, but it is not the ASP.Net MVC start-to-end tutorial that I wanted when I started reading it, and maybe that is why I had such a critical eye for it.

Thursday, August 22, 2013

Bradley Manning gets 35 years in prison, Snowden is on the run, journalists get harassed and you are under surveillance for reading this article

In a recent news article I read that Bradley Manning has received a 35-year prison sentence. I can't even begin to understand how to feel about this. On one hand, he was a member of an organisation that specifically prohibited what he has done. On the other hand, the same organisation was swearing to anyone with ears that it doesn't do what Manning revealed it did. The multiple levels of "law" that are apparent both in this case and in the Edward Snowden case are sure to make even jurists scratch their heads. In cases where some guy is arrested based on a secret law, incarcerated and pretty much tortured in a secret prison, then sentenced by a secret court, it all seems like an alternate reality. We've had people close their web businesses, then declare they can't discuss why they did it because it would be illegal. Please feel free to read the links above, although that may well put you in a special category for US surveillance, for all I know. (OK, let's not be mean!)

The thing with Manning, though, is that he was a mere private, a kid. By the accounts revealed in court, he was the product of an alcoholic mother and had gender identity issues as well. He revealed some information (I will be discussing that in a moment), then he was pretty much caught and incarcerated. Do pay attention to the last paragraphs of the Ars Technica article on his sentencing:
During one period of his pretrial incarceration, Manning's clothing was confiscated every night, and he was then forced to stand for inspection by guards while naked. He was also prevented from sleeping between 5am and 8pm and not allowed to have sheets on his bed.
Then they sentence the guy to 35 years in prison; maybe he can get out in 8 if he "behaves well". This is the story of a screwed up kid with a conscience who now gets even more screwed up. Of course, there is the possibility that he gets out of prison, writes a book, sells the movie rights and becomes a rich hero of the masses...

Then there is the extent of the information he leaked, information that was then published by another entity, Wikileaks, which at least in theory should have refrained from publishing any material that exposed specific people to harm. Wikileaks continues to do well, just like the news outlets that published information like this from Manning and Snowden (arguably harassed by governments, but still in business), which for me makes no sense, since that should mean the publishing of those articles is legal. So the only illegal thing these guys did was give information that is legal to publish to publishing entities. It is hard to see this as anything other than punishing people for telling on you. I see it like a bad teacher beating children who told on him to their parents: bureaucratic institutions flexing their muscles when confronted with even the idea of oversight. Can anyone explain to me how this is different?

Now, obviously the upbringing and psychology of the guy leaking government information shouldn't even be on the table here. What we should be discussing is what is reported in those leaks and what the effect on the people (and the government serving them) is. However, that is way over my head. I can read reports of torture of an American private by Americans and be flabbergasted, I can feel disgust when watching the video of a helicopter pilot shooting dead a dozen people kilometres away because he thinks he sees an RPG, when they are actually reporters with a camera, but there are a lot of documents that were leaked, from foreign diplomacy and espionage on allies to reports of wrongdoings by army and intelligence entities. I can't claim to know enough about this stuff to make a statement, but as far as I can see, nobody really appears to know enough about this. It seems like the little government oversight we expect as people was missing to begin with. And that is what worries me. Stop making examples out of people who come forward with untoward things because you can't adapt to the reality of the people who hired you!

Monday, August 19, 2013

LSD: My Problem Child, by Albert Hofmann

This is the second book about LSD that I have read, after The Center of the Cyclone: An Autobiography of Inner Space, by John C. Lilly, and it is also the autobiography of a scientist, but unlike Lilly, who seemed to have gone bonkers while writing his book, Hofmann maintains a scientific attitude about the whole thing, objective when needed, subjective in the more personal chapters that he clearly delimits from the others. LSD: My Problem Child is the story of the invention of the drug, straight from its inventor, Albert Hofmann, then a chemist at the pharma company Sandoz. In a nutshell I loved the book, the style, the author's integrity and the fine ironies that he slips in from time to time. As you can see in the link above, the book is already free online, so there is no real reason not to read it.

Hofmann explains in the book how, while researching the chemical properties of ergot and attempting to potentiate substances already discovered to have positive medical effects, he created lysergic acid diethylamide. The substance had no visible effects on the test animals, so he went on testing other substances. It took five years for Hofmann to return to LSD in order to further understand its function. Usually a very thorough chemist, he touched some of the substance, and only then was the effect understood. This simple anecdote hints at how many interesting chemicals might have gone unnoticed, even after someone created them.

The method by which chemists work to find useful chemicals in nature is also very interesting. They take a plant, let's say, that has a specific effect that is testable via animal experiments. They isolate the active substance that produces that effect. Then they attempt to recreate the substance synthetically. After doing that, they test all kinds of related substances that they create via simple chemical operations from the original substance. This often leads to more powerful drugs or even completely new effects. Quoting from the book: "Of the approximately 20,000 new substances that are produced annually in the pharmaceutical-chemical research laboratories of the world, the overwhelming majority are modification products of proportionally few types of active compounds. The discovery of a really new type of active substance - new with regard to chemical structure and pharmacological effect - is a rare stroke of luck."

It took another five to ten years for LSD to reach the mainstream. Until then psychologists and psychiatrists were using it to reach their patients more effectively, and LSD was considered a wonder drug. Sandoz was extremely happy with Hofmann's discovery. But then it became a subject of abuse. A counterculture of recreational LSD use led to an institutional backlash that made the drug illegal, even though it was not addictive, not toxic and one could not overdose accidentally. However, it was essential to take it in a controlled environment, with someone to act as a guide and safety net. Many people did not do this and hurt themselves or others, or had psychotic breaks. Getting someone out of an LSD trip was simple: either guide them with calm words or (the technical solution) give them a calming agent like chlorpromazine, which immediately cuts off the "high".

How come the black market is filled with toxic, addictive, nasty drugs, but someone considers LSD to be a problem? Anyway, I am quoting again from the book, a little bit that talked about experiments on primates, but one that I took to be a fine ironic jab at society's reaction to the drug: "A caged community of chimpanzees reacts very sensitively if a member of the tribe has received LSD. Even though no changes appear in this single animal, the whole cage gets in an uproar because the LSD chimpanzee no longer observes the laws of its finely coordinated hierarchic tribal order."

What I liked very much about the book was how thoroughly and objectively Hofmann researched LSD and other psychedelics (he also identified and isolated psilocybin, another psychoactive substance, present in the "magic mushrooms" used by native Americans in religious rituals). Not once did he preach the recreational use of the drugs, and he deplored the misuse of these kinds of substances, but he also kept a strong position that they do no harm and can have amazing effects when used for medical purposes and in the correct way. Far from being a "druggie" book, this is one of those autobiographies that you can't put down until you finish reading it. I recommend it wholeheartedly.

Wednesday, August 14, 2013

Double Dexter, by Jeff Lindsay

The sixth book in the Dexter series is not really better than the others. I would have thought that five rehearsals would have resulted in a slightly better book, but instead it seems as if Jeff Lindsay is slowly losing, book after book, the inspiration he started with. In Double Dexter, the police are impossibly incompetent and this time even Dexter falls into the same category. It takes him chapters to do what he was supposed to do, and a lot later than even an average reader would see it coming. The opponent is inconsistent and not really a challenge, if it weren't for Dexter's apparent drastic drop in IQ.

If you have not read any of the books so far and maybe just watched the CBS series, be warned that they are completely different beasts. The show writing is clearly better and the plots are divergent to the point of being different stories altogether, but with the same character. Not that this eighth and final season is great writing anymore, but that's a different subject altogether.

Bottom line: Having read Double Dexter, I cannot say that I hated it, I really like the character, but I think Lindsay is bored with Dexter. Maybe he should just invent someone else and start writing better books.

Sunday, August 11, 2013

AngularJS, by Brad Green, Shyam Seshadri

I have been hearing about the AngularJS library for a few months now, with people often praising it as the new paradigm of web development. It is basically a JavaScript MVC framework that makes heavy use of markup in order to declare the desired behaviour. Invented at Google by Miško Hevery, it uses cacheable templates, data binding and dependency injection to combine the various components that are otherwise independent and testable. It also comes with its own testing framework (unit and end-to-end) and a way to describe unit tests Jasmine (BDD) style.

So I started reading about this new framework in the book intuitively called AngularJS, written by Brad Green and Shyam Seshadri. They start with an anecdote, discussing how they were working on a web application at Google. They had already written 17000 lines of code in about 6 months and it was almost finished, albeit with great frustration related to development speed and testability. This guy, Miško Hevery, tells everyone that by using a framework that he wrote in his spare time (you gotta love devs!) they could rewrite the whole application in two weeks. He was wrong: they did it in three weeks, and at the end the whole thing had only 1500 lines of code and was fully testable. This was a great beginning for the book, as it starts with a promise and then (sorry, couldn't help the pun - you will see what I mean if you read the book or know AngularJS already) it describes how to achieve your goals. The book itself is not large, about 160 PDF pages, and can be used as both a primer and a reference. It describes the basic concepts of AngularJS and how they can be put to work, with some small app examples at the end. Of course, you have a link to where to download all their code samples.

What do I think about the book? It was pretty good. It shows the authors' preference for Linux setups, but it is not annoying. Each chapter is clear and to the point. The framework itself, though, is original enough that after a few chapters it is almost impossible to understand everything without tinkering with the code yourself. Unfortunately I didn't have the time and disposition to do that, so just because I've read the book doesn't mean I know how to work with Angular, but I am confident that when I actually start working with it, it will all come together in my mind. Also, as I was saying, the book can easily be used as a reference. It is not a complete overview, not every AngularJS feature and gotcha can be found in its pages, but it's good enough.

What do I think about the framework? It seems pretty spectacular. My only experience with JavaScript MVC frameworks is from a short brush with BackboneJS. At one time I thought I would be working with it a lot and was boasting here that interesting posts would appear. Alas, it was not to be. Sorry about that, maybe better luck with Angular. Backbone was pretty interesting, but it had a horrendous way of working with data models and it was very easy to break something and not realize where the breakage came from. There seems to be a lot more thought put into Angular. An interesting point is that the writers advertise TDD as a way of actually working and claim they do so themselves. I have seen many people try and give up, but I have hopes for JavaScript. You don't need to compile things, you don't need complicated servers or time consuming deployment steps: just change stuff and run the tests and/or refresh a page. I like the fact that the creators of AngularJS put this much work into making everything testable.

So go ahead: read the book and try the framework!

Update 24 Aug 2013: I've started reading dev blogs again and I've stumbled upon a 70 minute video by Dan Wahlin presenting AngularJS. His explanations seemed a lot more down to Earth than those in the book so I felt that his video really complements rather well what is written there. Here it is:

Wednesday, August 07, 2013

On borders

I was watching this spy movie where a general was talking about "turning" all kinds of nationalities to their cause. And it got me thinking: what is the real difference between them? Nationalities, I mean. When guys like Snowden or Manning spill out secrets to the press, what are they betraying, and to whom? When a spy sells the secrets of his country to other spies, from another country, what is really at stake?

The problem, as I see it, is borders. I've seen borders in my life. I may leave my city block and move towards the poorer ones. There is a border there, not physical, but social. The same applies when I leave town and go into the country. You never know exactly when the city ends and the country begins, but the border exists. I've also crossed borders between countries. I spent a lot more time and money, of course, in order to do that - one has to have the proper papers and documents and IDs - but nowhere have I seen a smaller difference between the people on one side and the other than at national borders. Of course, one country may be a lot richer overall than the other; see Mexico and the US as a brutal example, but everywhere I went I saw people from one side infiltrating, working on or visiting the other side. When you take those people into account, the border blurs.

Is Snowden more of an American than he is a conscientious member of the human race? He says no. Is a British spy selling secrets to the Russians more British than he is a spy? I would bet no. At least he doesn't feel that way, for sure. Who is the owner of the secrets spilled? The country, one says... What does that mean? The land? The buildings? The people? Are the people really so different as to need those secrets? Are the borders between nations really necessary?

I really didn't mean to make this a long post. My point, as always rather unclear, is that I am more alike to software developers in Russia and the US than I am to a lot of my countrymen. The nationality of a person doesn't really matter except to the people that manage that nationality. They are the ones that put those borders there in the first place and they are the ones that consider they have ownership of a country's secrets. Normal people usually don't give a damn. Am I very different from a Muslim terrorist? Yes I am, but that difference has been nurtured and created by these border managers. I do have to wonder: if those borders weren't there, would the terrorist still exist?

What is the modern purpose of borders anymore? I have no idea, frankly. Why can't I just move around wherever I want, speak the language I like, settle where I have space and work and, maybe, protect the secrets of the people that employ me, rather than of those that are employed by me - like a government? What would happen if borders were suddenly abolished, everywhere? I just don't know. It seems to me a lot of noise about nothing.

Sunday, August 04, 2013

Old Man's War, by John Scalzi

Old Man's War is the first book in a space opera series that spans five books (at least at the moment). People recommend it highly and I do have to admit that it is well written, with an easy-going style that reads well. John Scalzi is not trying to create the perfect world, with details that always make sense and with crushing emotional depth, though. The book is something that you can finish in a day or two, with no sleep lost over what the characters are going to do next. For a while it did remind me of the excellent, if repetitive, Seafort Saga, by David Feintuch, but while that series felt dated because it was inspired by the British navy and was written in 1994, Old Man's War was written in 2005 and had no real reason to feel dated, but it did. If you haven't read the Seafort Saga, especially Fisherman's Hope, the fourth book, I would recommend it over this.

What is Old Man's War about? Well, in the future, old people from Earth join the army when they are close to death because the CDF, or Colonial Defence Force, has the technology to rejuvenate them in exchange for a limited conscription. I won't spoil the exact method for you, but let's just say that it has a lot of logical problems that are compounded by the concept of the Ghost Brigades. So you have this main character, a funny old fart who joins at 75. One can assume that in the future 75-year-olds are still humorous and reasonably mentally and physically fit, as opposed to now, but even so, Scalzi was 36 when he wrote the book. What made him feel like he could pull off a character twice his age, with all the wisdom and particularities one gathers at that age? In my opinion he rather failed, as John (why do people use John for their leads in books and scripts? Is the name really that common in the US? I have to admit that Lost ruined that name for me. Every time I hear about a guy named John I hear the phony people in Lost intone it with grave meaning while saying absolutely nothing important. Arrgghh! Anyway...) comes off closer to the writer's age (and having the same name, too). I might even have an issue with the title, since John is an old man for a third of this first book and then he's young and fit.

The rest of the book is about how he intelligently and valiantly rises from the rank of corporal (which he earned in training in an equally smart way) to captain in a few months and has a series of unlikely events happening to him (and here I am not making a pun of their explanation of "skipping", either). He makes connections to some people, which the writer attempts to infuse with meaning, but somehow fails, as when some died I didn't feel anything. Scalzi gets it right towards the end of the book, but then the book ends, and ends in a less satisfactory manner than I would have expected.

To summarize: I will probably read the next books to see what happens. However, it does seem a bit too light, too rational (in writing style), to make an impact. I do feel that John Scalzi has a lot of potential as a writer, but that somehow he misses the emotional component necessary for a book to "click" with the reader. On the other hand, I've seen a lot of rather failed first books that only led to the writer blossoming in the following publications. I do hope that's the case here. The fact that Paramount Pictures optioned the book in 2011 only shows it is rather shallow, as the really deep ones never make it to film. This doesn't mean I didn't have fun reading it, but most of the time I waited for something to happen. I felt that everything was a setup for something grand. When the book ended I was a bit shocked, as I thought I was in the middle of the story at least and still waiting for that big thing to occur. It's not a hard sci-fi book, it's not a personally jarring one and it is not a military-heavy story. The obvious bias towards the human hero makes it all feel surreal.

Friday, August 02, 2013

The creepy experience of installing Windows 8.1 (when you are paranoid about security)

Update 1 June 2014: Somewhere in the blog post I recommended Truecrypt. Strange events happened today when suddenly, in the wake of a crowdfunded security audit, the Truecrypt page changed to recommend switching to something else, mainly Microsoft's BitLocker, published a version that only decrypts and does not allow creating encrypted disks and basically went "poof!". It is noteworthy that the developers of the encryption tool were and have always been anonymous. Strange indeed. Read more here.

Update 24 Aug 2013: Just forget what I said about having a secure and anonymous Windows 8 computer. Read this link here: LEAKED: German Government Warns Key Entities Not To Use Windows 8 – Links The NSA.

I wanted to see how Windows 8 looked and felt, as I didn't really see or try it beyond looking from afar at those obnoxious icon things they called tiles. Also, as a prerequisite that I added myself, I wanted to be as anonymous as possible, using new emails that have no connection with my previous names or nicknames and hiding as much as possible about my identity. So far, I can only describe the experience as creepy.

But let's start with the beginning, as they say. I plugged a Windows 8.1 Preview bootable USB stick into a laptop and started the machine, after previously making sure it could only boot from USB devices. On a black screen a little fish appeared, a strange little creature that blew air bubbles, then a funny looking 'waiting' logo that looked like beads trying to catch each other in a circle. It entered a pretty standard interface that allowed me to upgrade or install a new version of Windows. I took the latter, as I wanted a clean, anonymous install. I reconfigured the partitions, formatted them, but, to my surprise, a warning appeared informing me I could not install Windows on the newly created partitions, as the computer could not boot from them. This was all related to the settings in BIOS that allowed only USB devices to boot. It was an unexpected surprise, both pleasant (they thought about the drive not being bootable) and unpleasant (I had to restart the laptop, add the hard drive to the boot list and start over).

Starting over, I had to immediately connect my computer to the Internet. It was not mandatory, but I didn't really have an easy alternative. As a warning, connecting the machine to the Internet gives away your location (especially if it's your broadband IP, which is contractually linked to your name and address) and probably pins it to that location. In truth what I should have done is use some sort of anonymous Internet source, like via GPRS from a disposable card. The best option that I can think of is to create a TOR router and use it exclusively with this machine. Now, using a cellular Internet source is not a grand idea, either, as to use it they need to triangulate your position anyway, but we're already getting into more details than needed. After all, this is all a test for now and the blog entry is mostly about Windows 8.

Choosing a colour theme was a bit annoying. That colour theme defined at least the background colour of my desktop. I had a lot of colours to choose from, but they were all overly bright. The best one (which was my favourite anyway) was chosen by default, which forced me to choose another. The only other option that was remotely acceptable was grey, but a bright version of grey. I wanted black, but there was no option for that.

Choosing a username was the real creeper. The username was actually an email. I chose to create a new Windows account, but this would not actually create a new email, just use the email provided by you to associate it with Microsoft. I had to give them my email, my password, my phone number, a security question, my alternate email. I refused to enter my phone number, but they forced it anyway, as they needed two ways of recovering my password and I didn't want to enter an alternate email, so I entered a bogus phone number. The password was the funniest part. I entered a password, one that would be safe from cracking, only to be met with an alert "Your password cannot have more than 16 characters". Are they trying to make passwords easy to crack? Apparently (with emphasis on that word) they don't, as they suggest or require all the other "standard" solutions for a safe password: upper and lowercase letters, digits, special characters. As a famous Xkcd comic shows, that's just stupid.

Just another detour towards personal security and anonymity: giving them an email as the account name normally means you already had that email. I entered a bogus one, but eventually I would have to create it. Any access to that email will be logged somewhere. The email that you use (and by extension the Microsoft account) should be accessed only from this machine and only when the network is secured (via TOR or other mechanisms), otherwise connecting you with the laptop and finding you will be trivial. Obviously the phone number should not be real, nor the alternate email. Also, there were the options that you could Customize. Even if I left all the options as suggested, there were a lot of them set to true by default that did things like: send files to Microsoft in case of crash, remember searches and location in order to optimize Bing searches, send to Microsoft browsing history in order to preload pages in Internet Explorer, etc. Spooky, indeed.

After all this, the screen turned grey (obviously) and a large text appeared slowly: "Hi". Then a long pause, then the text was replaced just as slowly by "We are setting things up for you" or something to that effect. During the "set up" stage, the background cycles the hue from colour to colour. This was by far the creepiest part of the setup. Perhaps I've seen too many horror movies, or perhaps the Windows startup designer has, but I half expected a screeching sound and something jumping from the screen, or maybe a quiet voice coming from a big red eye calling me Dave or something.

To summarize the security bit (in which I am not an expert, mind you): the setup was creepy enough, but after being prepared a plan should be clearer. The most fragile part of the anonymising process is the Internet, actually. No matter how you do it, it identifies you and your location rather directly. There is something called TOR to save you, but to be certain your software always uses it for Internet access, a true external hardware router should be set up (there are several solutions; the one that I like best - without actually trying it - is the Raspberry Pi version). Even so, anything you do from Windows 8 will likely be associated with the Microsoft account, so the first thing you do after setup is use some sort of encryption on your drive (TrueCrypt sounds like it has both the required features and spirit), then make sure you only use this laptop for things that have nothing to do with your real life. You don't send yourself emails, you don't visit your own blog, you don't look up restaurants near your location, talk to friends who know who you are on the messenger, or anything that has to do with your real life.

All that pretty much sounds like having a dedicated laptop for a completely different part of your life; a bit schizoid. But consider what that means: there is almost no one on this planet that cannot be traced or located on the Internet. The technology is more and more connected and there are numerous ways to circumvent the meagre security measures that are put in place for most software. Even TOR is not perfectly safe and besides, it only proxies TCP packets, so it's not a full replacement. So: human nature, the connected nature of operating systems and software these days, numerous vulnerabilities that can be exploited by both evil hackers and governments, they all conspire to make you visible on the Internet. You are not "safe" on the Internet because it provides you with anonymity, but because no one cares enough to get to you.
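A concrete shape for the "external hardware router" from the summary above, as an added example that is not from the post: a Raspberry Pi with an upstream interface and a LAN interface facing the laptop (eth0/wlan0, the LAN address 192.168.42.1 and the port numbers are assumptions) redirects every TCP connection and every DNS query into Tor and drops everything else, which closes the gap left by Tor carrying only TCP.

```shell
#!/bin/sh
# Added example (not from the blog post): a transparent Tor gateway so the
# Windows laptop cannot reach the Internet except through Tor. Interface
# names, the LAN address and the port numbers are assumptions; the torrc
# options (TransPort, DNSPort, VirtualAddrNetworkIPv4, AutomapHostsOnResolve)
# are real Tor settings.
LAN_IF="${LAN_IF:-wlan0}"           # interface the laptop is plugged into
LAN_IP="${LAN_IP:-192.168.42.1}"    # the Pi's address on that interface
TRANS_PORT=9040                     # Tor's transparent TCP listener
DNS_PORT=5353                       # Tor's DNS listener

# Tor side: listen for redirected TCP and DNS only on the LAN address.
tor_gateway_torrc() {
    ip="$1"
    printf '%s\n' \
        "VirtualAddrNetworkIPv4 10.192.0.0/10" \
        "AutomapHostsOnResolve 1" \
        "TransPort ${ip}:${TRANS_PORT}" \
        "DNSPort ${ip}:${DNS_PORT}"
}

# Firewall side: print the iptables commands for a given LAN interface.
# TCP SYNs and DNS are redirected into Tor; anything Tor cannot carry
# (other UDP, ICMP) is dropped instead of being routed out in the clear.
tor_gateway_rules() {
    lan="$1"
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A PREROUTING -i $lan -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A INPUT -i $lan -p udp --dport $DNS_PORT -j ACCEPT
iptables -A INPUT -i $lan -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A FORWARD -i $lan -j DROP
EOF
}

# Apply on the Pi (needs root): append the torrc lines once, then restart
# tor; plain forwarding is switched off so only the REDIRECT paths remain.
apply_tor_gateway() {
    tor_gateway_torrc "$LAN_IP" >> /etc/tor/torrc
    sysctl -w net.ipv4.ip_forward=0 >/dev/null
    tor_gateway_rules "$LAN_IF" | sh
}

if [ "${1:-}" = "--apply" ]; then
    apply_tor_gateway
else
    tor_gateway_torrc "$LAN_IP"     # without --apply, only show what would be set
    tor_gateway_rules "$LAN_IF"
fi
```

Run without arguments to review the configuration; with `--apply` it writes the torrc lines and installs the rules on the gateway.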

Thursday, August 01, 2013

ASP.NET MVC 4 and the Web API: Building a REST Service from Start to Finish, by Jamie Kurtz

ASP.NET MVC 4 and the Web API, by Jamie Kurtz, is one of the new breed of technical books that read like a blog entry, albeit a very long one. The book is merely 100 pages long, but to the point, with links to code on GitHub and references to other resources for details that are not the subject of the book. The principles behind the architecture are discussed, explained, the machine setup is described, the configuration, then bam! all the pieces fit together. Even if I don't agree fully with some of Kurtz's recommendations, I have to admit this is probably a very very useful book.

What is it about? It describes how to create a REST web API, complete with authentication, authorization, logging and unit testing. It discusses ORM (with OData), DI, source control, the basics of REST and MVC, and all other tools required. But what I believe to be the strength of the approach in the book is the clear separation of modules. One can easily find fault with one of the pieces recommended by the author and just as easily replace only that component, leaving the others as is.

The structure of the book is as follows:
  • Chapter 1 - A quick introduction of ASP.NET MVC 4 as a platform for REST services, via the Web API.
  • Chapter 2 - The basics of REST services. There are very subtle points described there, including the correct HTTP codes and headers in the response and discoverability. It also points to prerequisites of your API in order to be called REST, like the REST Maturity Model.
  • Chapter 3 - Modelling of an API. This includes the way URLs are formed, the conventions in use and how the API should look to the client.
  • Chapter 4 - The scaffolding of your Visual Studio project, the logging configuration, the folder structure, the API DTOs.
  • Chapter 5 - Putting components together: configuring Ninject, designing your classes with DI and testability in mind.
  • Chapter 6 - Security: really simple implementation with a lot of power provided by the default Microsoft Membership Providers.
  • Chapter 7 - Actually building the API, making some smoke tests, seeing it all work.

The complete source of the project described in the book can be found on GitHub.

My personal opinion of the setup is that, while all seems to fit together, some technologies are a bit over the top. Ninject, which I have personal experience with, is very good but very slow. The ASP.NET Membership scheme is very verbose. While I wouldn't really care about it as implemented in the book, I still cringe at the table names and zillions of columns. Also, I am slightly opposed to ORMs, mostly because they attempt to mould you into a specific frame of thinking, that of CRUD, making any optimization or deviation from the plan rather difficult. I've had the experience of working on a project that had all of its database access in stored procedures. To find what accessed a table and a column was a breeze, without knowing anything about the underlying implementation. But even so, as I was saying above, the fact that the author separates concerns so beautifully makes any component replaceable.

I highly recommend this book, especially now, when the world moves toward HTML and JavaScript interfaces built on web APIs.