Sunday, June 26, 2011

#DevTO - You don't just write code

#DevTO started out with @kevinkvs and @jonezy thinking about the need to have a regular meet up for developers in Toronto to share and learn from each other. I first heard of this idea on Twitter from Chris and was immediately intrigued and offered to help out. @clickflickca also joined in later on the fun and brings his experience organizing and running other events around Toronto.

A big part of our jobs involves learning; from yourself and others around you. The challenges you encounter are as wide as the job titles. The other big part of the job, is showing off how you solved that problem and what you have learned.

Some of us are lucky to have a team of awesome developers that you work with every day to learn from, bounce ideas off and show off the end result. Some of us might not have that daily. How to convince your boss that the database needs optimization? How can you reduce your build time in half? Need to know about common pitfalls building mobile sites? Got some IE6 horror stories and the scars to prove them? This is where #DevTO comes in.

No matter what technologies you have used, are currently using or are thinking of learning #DevTO is for you. The broader the audience the better. This event is not just limited to developers. Kevin co-founder and Community Cobra Commander of #DevTO said it best:

If you are liking the sound of this so far then make sure you RSVP to our second event tomorrow night:

Thursday, June 16, 2011

All developers are not created equal - hence not interchangeable

Earlier yesterday I came across this article on the New York Times: Thieves Found Citigroup Site an Easy Entry. At first I thought, "Man, another big site had their customer data compromised", but as I continued reading this incident is a little bit different; especially the nature of the attack that was described in the article. The marketing and PR departments for these brands - and in this case Citigroup - need to be a little more careful about the kind of technical information that gets released when shit hits the fan.
Think of it as a mansion with a high-tech security system — but the front door wasn’t locked tight.
After reading through the article and the retarded nature of the attack you can't think of it as a mansion with a high tech security system; not even close. Some context on this attack:

In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers.Once inside, they leapfrogged between the accounts of different Citi customers by inserting vari-ous account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
So, all these thieves needed to do is basically log in with their own or even someone else's Citigroup account and lo and behold this account number was present in the address bar after login. Changing it gave them access to someone else's account. A little script to repeat this for thousands of accounts and scrape the details.

This process was described by "security experts" as "especially ingenious". Really?!? This is the oldest trick in the book; i.e. mess around with the URL until you get somewhere. These "security experts" should get fired if this kind of attack was surprising.

The "what can we do, we got hacked" wagon got extremely popular in recent years, especially this year, but this Citigroup incident is different. There is no excuse for being on the "we are retards, we got hacked" wagon. When your "high-tech security system" is composed of changing account numbers in URLs, then what else can someone find if they look harder?

How does one get to this position? I think at the root of the problem is the thinking that people working in technology are interchangeable cogs in a giant machine. When you are building the pyramids, yes you can get 40,000 slaves and have them drag giant slabs of rock into place and stack them with virtually no way for an error to occur. And yes you can get another 40,000 slaves and replace the first 40,000 and they will still drag and stack the rocks as good as the previous 40,000 did. That mentality works when the tasks at hand are fairly simple and mechanical such as building the pyramids, or the production line at Ford. It is absolutely not valid in technology, yet there are many executives, project managers, and software architects today that think its possible.

The other part of the problem has to do with measuring expertise. The above assumption that developers, architects, designers, etc. are interchangeable also leads to the flawed assumption that a developer with 10 years of experience can replace any other developer with 10 years of experience as well. It is easy to get to that assumption when you think of these tasks as mechanical such as building the pyramids, or putting the wheels on a car. 10 years of experience developing doesn't have the same weight it did 30 years ago. Most developers today got into while they are teenagers, and hence by the time they graduate university they already have 10 years of experience developing stuff. Also, there are more technologies today that are available to the average developer to experiment with and try out, than there was 30 years ago. Hence why building technology systems  and development in general is a combination of science and art. The Sistine Chapel would have looked different if Leonardo da Vinci painted it instead even if he got the same directions from the Pope. The Pyramids would have looked the same regardless where the 40,000 slaves came from.

So for an online application that has to do with people's credit card accounts to fail at this level doesn't give me the warm fuzzy feeling that I should be getting when I read "Citi has implemented enhanced procedures to prevent a recurrence of this type of event." - if I were a customer.

Where else did you not do the due diligence you owe your customers? What other skeletons are in the closet? The New York Article should have started out like this:
Think of it as a tent with a zipper — but the zipper wasn’t closed.