The Wrong Level of Abstraction

June 11, 2009

In Why Isn't My Encryption.. Encrypting? we learned that your encryption is only as good as your understanding of the encryption code. And that the best encryption of all is no encryption, because you kept everything on the server, away from the prying eyes of the client.

In The Bathroom Wall of Code we learned the potential danger of copy-pasting code from the internet, and the continued importance of regular peer review for every line of code that enters your codebase, from whatever source.

I didn't anticipate this series becoming a trilogy, but apparently it has, because Thomas Ptacek of Matasano Security wrote a long blog entry about it. A blog entry masquerading as an overly dramatic college screenplay, but still. These guys, unlike us, are real security experts, so it's worth reading.

But you don't have to read that screenplay, because I'm going to reveal the twist in the final act right here.

  1. The root problem wasn't failing to understand the encryption.
  2. The root problem wasn't copy and pasting code from the internet.
  3. The root problem wasn't failing to peer review the code.

Mr. Ptacek is absolutely right. The root problem was that we were working at the wrong layer of abstraction.

Rather than construct code from the low-level cryptography primitives provided in .NET, we should have used a library to handle our encryption needs. I'm reminded of a common Stack Overflow joke:

Q: How do I write this in JavaScript?

A: You don't. You use JQuery.

You can save a tremendous amount of time and effort by using the browser-independent framework that JQuery has spent untold man-hours testing, debugging, and proving in the field. While there's nothing wrong with writing JavaScript, why not speed your development time by writing to the library instead? As I've always said, don't reinvent the wheel, unless you plan on learning more about wheels.

Abstractions are important. You could view most of computer programming history as slowly, painfully clawing our way up the evolutionary tree of abstraction -- from assembly language, to C, to Java, to JavaScript, all the way up to JQuery, where the air starts to get pretty darn thin. We've already layered an operating system, web browser, and interpreted scripting language on top of each other to get to this point. It's a testament to the power of abstraction that any of it works at all.

Getting back to specifics: how can you stop programmers from working at the wrong layer of abstraction? One solution would be to disallow the .NET encryption primitives entirely. This is akin to Steve Gibson's holy crusade against raw socket programming in Windows XP. That's one way to do it, I suppose. But putting roadblocks in front of programmers is tantamount to a challenge; why not offer them more attractive alternatives, instead?

Hiding the low-level encryption primitives feels like a temporary solution. That said, I'd strongly recommend marking some of the older encryption methods as deprecated, so programmers who do stumble down some dusty old code path at least have some warning sign that they're using an algorithm with a lot of known vulnerabilities. I'm envisioning a Clippy that pops up with something like:

"Hey! It looks like you're using a method of encryption that's widely regarded as insecure by security experts! Would you like to see alternatives?"

One of those alternatives would be a full-blown library, perhaps something like Bouncy Castle, or Keyczar, or cryptlib. What could be easier than an EncryptStringForBrowser() method which has security and tamper-resistance built in, that's part of a proven, domain-expert-tested set of code that thousands if not millions of developers already rely on?
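Here is what such a method looks like one level up from the raw primitives, as an added example in Go that is not from the post or from any of the libraries it names: the standard library's authenticated AES-GCM interface does the mode, IV and MAC work, so the caller passes a string in and gets a token out, and a token altered in transit is rejected rather than decrypted to garbage. BrowserSealer and its method names are hypothetical; the token layout (nonce, ciphertext, tag, URL-safe base64) is this example's own choice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// BrowserSealer: hypothetical high-level API; callers never see modes, IVs or MACs.
type BrowserSealer struct{ aead cipher.AEAD }

func NewBrowserSealer(key []byte) (*BrowserSealer, error) {
	block, err := aes.NewCipher(key) // raw primitive; key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // AES-GCM: confidentiality plus integrity tag
	if err != nil {
		return nil, err
	}
	return &BrowserSealer{aead: aead}, nil
}

// EncryptStringForBrowser: fresh random nonce, ciphertext, 16-byte tag, URL-safe base64.
func (s *BrowserSealer) EncryptStringForBrowser(plaintext string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := s.aead.Seal(nonce, nonce, []byte(plaintext), nil) // nonce || ct || tag
	return base64.URLEncoding.EncodeToString(sealed), nil
}

// DecryptStringFromBrowser: any altered bit fails the tag check; no garbage is returned.
func (s *BrowserSealer) DecryptStringFromBrowser(token string) (string, error) {
	raw, err := base64.URLEncoding.DecodeString(token)
	n := s.aead.NonceSize()
	if err != nil || len(raw) < n+s.aead.Overhead() {
		return "", errors.New("malformed token")
	}
	pt, err := s.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return "", err // tampered, truncated or wrong key
	}
	return string(pt), nil
}
```

The key still has to come from somewhere sensible (a secret store, not the source tree); the library only removes the mode, IV and MAC mistakes, not the key management ones.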

Using encryption libraries doesn't mean that crucial encryption mistakes will magically disappear overnight. But these libraries, because they force developers to work at a higher level of abstraction, do make it harder to misuse cryptography. And perhaps more importantly, usability improvements to the library can be better handled by the specialists who created the library, rather than the generalists working on the .NET framework itself.

So the next time you set out to write code -- not just encryption code, any code -- ask yourself: am I working at the right level of abstraction?

Posted by Jeff Atwood
171 Comments

I must say I agree with you on some 12 points of yours, but the diary thing was a bit troublesome. Of course, the reason why some web space is given to you is undefined,

abercrombie and fitch on August 28, 2009 1:10 PM

Imagine doing some low key list building in the store…maybe by having a free prize draw.

general electric servisi on September 5, 2009 8:06 AM

I must say I agree with you on some 10 points of yours, but the diary thing was a bit troublesome.

kadın olmak on September 6, 2009 4:17 AM

Using a JS library is not analogous to using a C library.

komik oyunlar on September 19, 2009 9:15 AM

When we can, use a decent pre-existing library. When we can't, write our own library and use that - most problems aren't unique.

sevgiliye hediye on October 1, 2009 1:47 PM

On the downside, probability states that on average only half the keys need to be tried. The above calculations I used are based on that fact. In fact, probability states that half the time you try to crack an encryption you will find the key BEFORE hitting the halfway mark.

iç giyim on October 7, 2009 4:31 AM

Great post and draw. Thank you for sharing.

wow power leveling on October 21, 2009 7:07 AM

This is a great article. Something which would be useful when trying to explain to my clients why their gallery is costing them a fortune. Optimise your images before you upload them! Nobody wants to see a 3000px x 3000px image. Brilliant, Thanks for the info!

okey oyna on October 22, 2009 4:24 AM

Why don't you stop writing this stupid blog until your stock price recovers. Your shareholders don't want you wasting time on this when you should be spending every minute getting the price up.

okey oyna on October 22, 2009 4:28 AM

You really think Jonathan writes this himself? He has to have a "communication manager" handling this writing. Or it is dictated.

okey oyna on October 22, 2009 4:29 AM

Thanks for your information, I have read it, very good!

ed hardy clothing on October 22, 2009 9:23 AM

Hi,

really good article

have a nice day

Chris

okey oyna on October 22, 2009 11:26 AM

Very cool! Congrats on the pairing.

street lamps on October 24, 2009 2:51 AM

thank you

pasta tarifleri on October 26, 2009 7:24 AM

The Wrong Level of Abstraction
Very good article. Thanks very much.

valves manufacturer on November 3, 2009 5:20 AM

The root problem wasn't failing to understand the encryption.
The root problem wasn't copy and pasting code from the internet.
The root problem wasn't failing to peer review the code.
These three questions are very difficult for me. Thanks.

ball valves on November 3, 2009 5:22 AM

Very good. You can save a tremendous amount of time and effort by using the browser-independent framework that JQuery has spent untold man-hours testing, debugging, and proving in the field.

butterfly valves on November 4, 2009 6:24 AM

thank you

bursa avukat on November 5, 2009 3:03 AM

Yes storage space is cheap. They have dedicated computers attempting to crack the information, and as time progresses they are more and more successful at getting historic information.

mini gps on November 7, 2009 2:35 AM

The longer the data needs to remain private, the longer it should take to decrypt the data. The time taken to decrypt given the CORRECT key is directly related to the time taken to crack the encryption with ANY key.

böcek dinleme cihazları on November 7, 2009 2:41 AM

Very useful information here. Thank you.

dinleme cihazı böcek on November 7, 2009 2:44 AM

Thank you. We welcome everyone.

adulteviniz.com on November 7, 2009 7:11 AM

These are probably also the same sorts of people who claim migration among programming languages and platforms is trivial. They simply do not have a professional level of experience invested in a given ecosystem.

casus telefon on November 7, 2009 10:30 AM

Great information, useful post, thanks a lot.

casus kamera on November 7, 2009 10:52 AM

Yes. When we can, use a decent pre-existing library. When we can't, write our own library and use that - most problems aren't unique.

casus bilgisayar on November 7, 2009 10:58 AM

Very informative post. I just wanted to say thanks.

verici tespit cihazları on November 7, 2009 11:04 AM

Thanks, great information.

plyometric training on November 8, 2009 2:21 AM

One of the best blogs I have ever seen. Thanks.

verici tespit cihazı on November 8, 2009 7:54 AM

Very effective post. Thanks to the author for the post "The Wrong Level of Abstraction".

cep telefonu aksesuarı on November 8, 2009 7:59 AM

Hmm, I think current processor technology does not yet support testing as many as 4,000,000,000 keys per second.

casus telefonlar on November 9, 2009 5:57 AM

Yes, I think currently there is no PC in the world with that much of a super fast processor. Could be in the future.

casus telefonlar on November 9, 2009 6:03 AM

Very soon super fast processors are coming up in us. NASA have very fast super processors even now.

jammer on November 9, 2009 6:08 AM

Yes, it is really hard to believe that there are some computers on the market which can test very much more than 4,000,000,000 keys per second.

araç takip fiyat on November 9, 2009 7:54 AM

Hey casus telefonlar, please read this carefully: "Thinking Machines Corp., the four-year-old Cambridge company, yesterday said that it has developed the world's most powerful computer for complex scientific problems -- a machine more than 50 times as fast as the most powerful mainframes produced by International Business Machines."

mikor ses kayıt cihazları on November 10, 2009 4:27 AM

I wish I had one that fast. But I'm not gonna use it for hacking something, just for playing games :)

casus telefon on November 11, 2009 7:42 AM

Hey guys, you are doing alright, keep it on, very useful post.
Thanks

casus bilgisayar on November 11, 2009 7:47 AM

The driver (yes, "le pilote" in French ;-) that is missing

sikiş on November 12, 2009 1:41 AM

Thank you comment

porno on November 12, 2009 1:44 AM

doom passed through here

travesti on November 12, 2009 1:44 AM

thanks mate

porno filmler on November 12, 2009 1:45 AM

test 1 2 3 coming

zayıflama on November 12, 2009 1:46 AM

Yes, they have dedicated computers attempting to crack the information, and as time progresses they are more and more successful at getting historic information.

ücretsiz araç takip on November 14, 2009 6:54 AM

thanks for all

medyum on November 19, 2009 2:11 AM

It's going well and it would be great. Thanks for your patience.

thank you sir.

izle on November 22, 2009 5:19 AM

Very good, thanks. The best encryption of all is no encryption, because you kept everything on the server, away from the prying eyes of the client.

bayramören on November 23, 2009 8:26 AM

I <3 Clippit!
http://bdkowert.com/wp-content/uploads/2007/11/familyguyclippy.png

I got the most awesome reCaptcha ever:
lorena ©1969

Brandon on February 6, 2010 11:16 PM

And of course, filling in "lorena penis" worked.
If you don't know why "Lorena" is a perfect match, search for "Lorena Bobbitt".
If you don't know why "penis" worked instead of "©1969" search "recaptcha penis flood".

Brandon on February 6, 2010 11:16 PM

Well, I agree with the benefits of coding to a higher level of abstraction, but that is not without its own problems.
If I want to write some code, I can write it myself, or grab a library which makes it easier. However, I then need to get up to speed on the library I've chosen. If I have problems, is it in the code I've written, or in the library?
Let's say I use two components on my web site which depend on a common library - say, SWFObject - but they use different versions, so component A won't work with the version of SWFObject that component B uses. Then I find that SWFObject is 10k of JavaScript condensed into 7 lines, so it's a huge pile of work to debug it, and if I do fix it, what else will break?
As always it's a cost/benefit trade-off. It's OK once you get up the learning curve for the library, but maybe for what I need it would be quicker, and more maintainable, to write it myself.
I don't have a definitive answer, but I think the trade-off is worth considering!

Bruce Hatton on February 6, 2010 11:16 PM

Seems to me that as far as the encryption saga is concerned, the biggest lesson is that all the abstraction layers in the world won't help you if you genuinely don't know what you're doing.

Simon on February 6, 2010 11:16 PM

I think Taylor has hit the nail on the head with his “roll your own” comment.

Winston on February 6, 2010 11:16 PM

As programmers, we tend to think that the more we go down to the bits and octets, the more we go towards reality. But for regular people, the reality resides in the analog macro world, not in the numeric world of microchips.

telefon dinleme on February 6, 2010 11:16 PM

Hmm.. I completely agree that we should use standard libraries for this kind of stuff, but I am just adding that to write secure code, get a developer who knows the nuances of security. That is in a way another layer of abstraction, isn't it?

telefon dinle on February 6, 2010 11:16 PM

Real good information here in your page. Thanks for the great post and comments.

telefon dinleme on February 6, 2010 11:16 PM

The comments to this entry are closed.