Building Software, Evil and Getting Things Done

Jeff Atwood  wrote a passionate blog entry about Craigslist and the demise of the Personals section (amongst others) now that Evil forces have taken over with the help of ever more sophisticated tools and creative solutions. Wouldn't you agree such is the natural result of the open approach used by Craigslist? Anyone can post an ad. If they had not taken this approach Craigslist would not have been so successful. Lowering the bar for getting your classifieds in meant getting more ads, because everybody could do it, without having to sign away their life. Just like tourist destinations attract pickpockets (and loose women?), open high-traffic websites attract spammers.

Craigslist was a great idea. A great idea that became more than just an idea, it actually got implemented. Maybe the implementation was not perfect by today's standards but it worked and has paid the bills for over thirteen years! A proper threat-modeling session in the early days would surely have brought these issues to light, and business-need would have overruled security/abuse. Unfortunately this business model might have seen its' longest days by now.

Nowadays such openness is no longer feasible. Spammers and crackers are abusing the system every which way they can for personal gain forcing our software solutions to be able to handle every known attack angle and mitigate the future ones as much as possible. Any programmer that takes himself seriously should invest in getting properly educated on the security aspects of programming. Not just because he should create solid code, but because sooner or later it will become a liability. Everybody with a little knack for logic and the ability to use google can cut and paste together a piece of software. Creativity and innovation flourishes! But... would you send your kids out on the road in an innovative car with no brakes? I think not!

When you make a living writing business software there is a constant struggle between getting things done, and getting them done right. Being able to get things done right generally means you already need to know how to do them right because there is no time to search the web all day for the perfect solution, that deadline is approaching fast. What's worse, you might not even be aware there is a problem with the chosen implementation. If you are a contractor, do you invest in your security education, or do you focus on getting up to speed on the latest fizz-buzzwords? If you are a wage-slave, does your company invest in your education, or are you merely a mindless implementer of business requirements? Do you invest in yourself?

Invest in yourself!

How do I invest in myself? Personally I still prefer a good book over online reading. The author of a book has put an effort into putting together a cohesive set of information to help you advance. When you randomly pull a single chapter out of a book you generally miss context or concepts. Browsing the web is like pulling a subtract of a chapter out of a giant book and all the other related information goes wasted on you. You get a quick answer to a specific detail to a problem, but never get to grasp the whole problem. When I do decide to stick with using the free online resources I make sure I do my research properly; Follow links, make sure I get the context. Granted, most bloggers/authors on the web put a lot of effort into their content, slowly weaving a never-ending book online, but that is not the same as having a book covering a specific topic. :) (Some day we might all go the way of the Kindle, but I prefer the feeling of a solid paper book.)

In the end we are all responsible for the solutions we produce, so next time you get to implement a great idea make sure you (know how to) do some threat-modeling first (online, book). That shortcut you were about to take might have changed the fate of the planet!

Does Universal Beautiful Code Exist?

A lot of debate is going on about "Beautiful Code". How can you measure the beauty of code? Is it "solid" code? Or perhaps easily readable for humans? An efficient algorithm, or a fast one? Terse sample code that shows a concept, or production code that is robust and fault tolerant? Perhaps a clever solution to a problem, or code that follows coding conventions and guidelines? Or should it be patterns based? What about curly-braces, indentation, comments, letter-casing (NO SHOUTING, IT'S RUDE!) or programming language? Should it exploit all features of the language it was written in, or only use some generic feature-set, libraries or framework commonly found in the language type (imperative, functional, .Net, C-Libraries)? What about cyclomatic complexity and other software metrics?

Most of those "beauty metrics" are purely gut-feeling based and enforcing metrics like a low cyclomatic complexity generally does not improve code beauty (good luck polishing a coal until it's a diamond). In my experience code often mirrors the authors' understanding of the problem and thought-process. No amount of computer assisted code analysis can improve that.

Beautiful code can come in the form of little one-liner gems, or huge elegant architectural diamonds that solve a real-world problem. You will generally find more little gems than big diamonds.

In the end nobody can win: Beauty is in the eye of the beholder!

I cannot put it better than David Hume:

Beauty in things exists merely in the mind which contemplates them.

Code beauty is determined by the observers' frame of reference; programming exposure (languages (C, C++, Java, Visual Basic, F#, Ruby, Lisp), Patterns, Algorithms, Operating Systems, formal training, experience (how many times has the beholder been burned by mistakes?), etc.), native language, organizational position (Junior Programmer vs. Senior Architect vs IT Director, they have different stakes in the code produced) and even aesthetical preferences.

Back to my original question: Does UNIVERSAL beautiful code exist?

Think about that for a minute, I'll wait... What do you think the Greys use as their programming language? Something based on hieroglyphs and flow-charts? What about my Ferengi friend Quark? Quantum languages like QCL or QFC?

Good luck getting consensus on that! :)

So, is there Beautiful Architecture?

Process Explorer for Windows Mobile

My iPAQ with Windows Mobile was acting sluggish, so I went hunting for a Task Manager/Process Explorer like utility for it and came across this little gem. Saved me some coding! In the end I  was unable to figure out what exactly caused the slugginesh because the problem went away, but next time it happens I will be prepared!

TaskMgr for WM* is a must-have for every Windows Mobile user, like a Swiss Army Knife my Leatherman (don't leave home without it)! All the basic tools a user needs to keep the system running smooth: Process manager, CPU usage, Application Manager, Service Manager, Device Manager (only WM2005 and above), Windows Manager, Notification Manager, IP Config utility, Ping utility, Net Stats utility, Registry Editor and a 'Run program' utility. Kudos to Dotfred!

<rant>I should not need a tool like TaskMgr to keep my system running smoothly. Windows CE is supposed to run a mobile phone, which can be a life-saving device... Last thing I need is a frozen (phrozen?) phone!</rant>

Monitor Your System Performance With Samurize

Have you ever wondered what is going on under the hood of your Windows system? Why is it so sluggish and slow (read: sloooooooooow)? Why is my harddisk continuously blinking? Or that CPU fan sounding like a jet engine? - As a software developer with a passion for code quality and performance I always strive to produce solid code and software algorithms, but you will not know how it actually behaves until you measure. Even though software the development environments of today come with an army of sophisticated tools to help you squeeze out the numbers during a test run they do not give you a general feel of how your system normally performs. Windows comes with perfmon, but configuration and interpretation of those graphs is a pain at best. Samurize to the rescue!!!

Samurize to the rescue!
Using Samurize and a little imagination you can build a very slick system status display that will make your friends turn green with envy! The configuration I use looks like this:
Once you have settled in on a base set of performance counters and how you would like them displayed, CPU-, Memory- and Disk-Usage histograms are a good place to start, it is easy to expand your configuration to include more items you want to monitor like SQL Server, Network traffic, etc. After creating and selecting your configuration you will want to set the display position to "docked" so the meters are always visible.

Here is a link to download the configuration I currently use.


I will explain how to interpret the different sections of this configuration in future posts.

Update: Replaced configuration file contents with a download link.