Another Day, Another Java-In-The-Browser security hole

This one affects even fully patched, up to date browsers.
It works like so:

1. use any browser with java enabled
2. visit a page
3. owner of page can now execute arbitrary code on your computer

I love java, but, damn if it doesn't suck in the browser. This is just the latest, if you still have it enabled in your browser, now is the time to disable it. 

Do it now.

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

http://thenextweb.com/insider/2013/01/10/new-java-vulnerability-is-being-exploited-in-the-wild-disabling-java-is-currently-your-only-option/

Resume Visualization: What does your resume look like?

my resume, according to Tagxedo

I like to keep my resume up to date. Every time some new task comes along, I'll add that in there somewhere. Then if a new job comes up, I'll just edit out the old stuff, make a quick attempt at removing the irrelevant things, and mail it out. 

So what is my resume saying? 

Well on the advice of my wife I threw my resume into a word cloud generator. There are a few of them, but I picked tagxedo. 

So what does it say about me? Well not a whole lot about the technologies that I use, but a bunch about "management", "product", "design". I suppose that would be great if I were mostly focused on more management. Or if I were a product manager. But I'm probably not.

Now lets look at some of the jobs that I might be interested it.

I just took a stab in the dark: I like kindle, I like enterprise software, so I threw in the first job description from the kindle team that caught my eye. The result: a very different word cloud.

A Kindle SDE Job Description

Now I'm not saying you should lie on your resume: that will always come back to bite you very quickly. But your resume is basically just the sign on the front of a restaurant. I've done a bunch of things, and they'll all be reflected on my resume, but I am clearly spending much more time talking about things I've done that aren't relevant to the jobs I want than I should.

Because I'm in software and everybody needs them I get reasonably good responses when I apply for jobs, but I suspect now, that I'm getting this traction in-spite of my resume, not because of it.

Time to update.

Write your complicated, shared code once

write once, sorta runs everywhere

One of the deadly sins of software development is duplicating logic. I won't attempt a software engineering 101 class in a blog post: but you are more or less guaranteed to create bugs when you have logic doing the same thing implemented in two different places.


There was a time when this was easy: just don't cut and paste your code. Put everything in a library, then just use your library across projects. This time pretty much ended when we started using javascript to do Interesting Things on the web. When we started also doing interesting things on phones, it was long past.

Now we end up writing lots of code twice or more, because your server is probably written in java or .net, or php, or ruby and your phone is written in objective-c, or java, or something else.

Take a look at the fairly amazing diff-match-patch library used for keeping text documents in sync:

http://code.google.com/p/google-diff-match-patch/source/browse/#svn%2Ftrunk

Neil Fraser has written that library in python (both 2 and 3), java, javascript, c++, c#, lua, dart, and objective-c. While I have to admit a certain amount of awe for that guy's multilingual skills and the attention to detail necessary to get that stuff written in a way that all those implementations talk to each other correctly, I am not sure I want to spend that kind of time.

I also don't want to try to shoe-horn a project into a single common language. We tried that with Java once upon a time, we are currently trying it with javascript (in the form of node.js, and phonegap). These solutions always force you to accept some unacceptable compromise. Maybe phonegap and node.js works for your product. But chances are, someone else has something that is much better written in python and objective-c.

Write-once, run everywhere remains a non-starter in the general case.

What makes a whole lot more sense to me is to write only the code that must be shared once.

Figure out what your complicated, shared code is. If you are writing a shared text editor using diff-match-patch, it is that algorithm that is complicated, and must be shared across platforms.

Write _that_ in javascript.

Embed it in your code using a hidden WebView in IOS, Rhino in java, or maybe Ringo in Python.

There are a million embedded javascript solutions out there.

Then you are free to write the rest of your client and server independently of one another.

Slate (or How I Learned to Hate The Finder)

Sometimes I find myself tolerating something that sucks because I haven't really thought about how much better it could be. Moving, hiding, and window switching in Apple's Window manager is one of those things.

I didn't realize how much it sucked until I discovered Slate (Installer & Github site). It's a great little tool that allows you to bind hotkeys to window focus, move, or hide events.

It is a hyper-configurable (in fact it'll be mostly useless to you without a configuration file; but I'll point you at my configuration as a starting point) app for managing focus, size, and position of your windows with hotkeys.

A few examples that I've set up:

Command-Shift-B: bring my browser into focus.
Command-Shift-T: bring my terminal app into focus.
Command-Shift-Space: hide everything other than whatever window I have in focus.
Command-Shift-Delete: hide the current app.
It would be worth installing as just a replacement for command-tab as a window switcher, but you can do super-complicated things by chaining a bunch of operations together like so:

Command-Shift-=: hide everything except safari, eclipse, and iterm. Then move eclipse to the right side of the screen taking up 80% it. Then move iTerm to the other side and Safari to the bottom left. Finally, bring eclipse to the foreground.

Oh, and if you find yourself moving between laptop and monitor (or monitors) you can set up operations like that one to be triggered automatically when you plugin your monitor and get your apps into the right positions on all your monitors as soon as the OS detects them.

Here is my current configuration file:
http://code.google.com/p/geekery-blog-code/source/browse/trunk/src/main/scripts/slate.config

If you want to install it, just download it, and save it to ~/.slate with terminal or something.

And here are a few more resources I've found:

The Github Site: https://github.com/jigish/slate

Closure could be a bit more javascripty

My new years resolution for this year has been to take javascript more seriously. In that time, one of the things that has caught my attention (and affection) has been the closure compiler.

I do love closure, I do but as it is now, it can't really think of itself in a universe where one would write code that would _ever_ be executed uncompiled.

Until there is a (working) realtime compilation plugin for Eclipse, I'm going to need to run my JS uncompiled until I get it right, and then compile it.

Consider the following two types: ns.Type1 and ns.Type2.

var ns = {};
(function() {

 /** @constructor  */
  ns.Type1 = function() {
  };
  
})();

/** @constructor  */
ns.Type2 = function() {
};

/**
 * @param{ns.Type1} bar
 */
function foo(bar) {
}

/**
 * @param{ns.Type2} bar
 */
function baz(bar) {
}

They only differ in that ns.Type1 is created inside a closure. This lets you have actually private variables in javascript and generally allows for the sort of encapsulation that javascript should have had built into it. The second one, just defines everything out in the global namespace.

Everything works great for Type2. For Type1, you get a warning (and a failure) for attempting to reference the type in @param{ns.Type1} in your function at the bottom.

If you are always going to run your code compiled with ADVANCED_OPTIMIZATIONS, it really doesn't matter. You'll define your privates private with annotations and any illegal usage is going to fail compilation. Thats great. Except if you do your development and debugging in naked JS, you won't find these problems until you compile.

Is that a bug? Hard to tell: I suspect, given what I've read from the closure discussion groups, that this sort of thing was designed in.

And it gets worse, the further you go off the reservation. Consider Crockford would have us believe (and I am pretty sure he is right, at least I'm not sure he is wrong and he is smarter than me) that we would do well to define our functions for our Types in their constructor. Thats great, but in both cases there seems to be no way to tell the compiler that your Types expose various properties.

At any rate, I love closure. It makes for better javascript, but it could go a long ways towards making better javascript easier by simply adopting some of the best practices that have evolved over the years for making javascript safter without compilation. As an added benefit, these sort of things would make it much easier to make tools like jQuery compile with ADVANCED_OPTIMIZATIONS.

Your Binary Search Implementation Is Wrong

I've lost count of how many times I've written:

     public static int binarySearch(int[] a, int key) {
         int low = 0;
         int high = a.length - 1;

         while (low <= high) {
             int mid = (low + high) / 2;
             int midVal = a[mid];

             if (midVal < key)
                 low = mid + 1
             else if (midVal > key)
                 high = mid - 1;
             else
                 return mid; // key found
         }
         return -(low + 1);  // key not found.
     }

On someone else's whiteboard, usually as a warm up to something more complicated.

Turns out every time I wrote that I was wrong (along with most everyone else). Why? The bug is in this line:

int mid = (low + high) / 2;

Why? Our good friends at google research pointed this out few years ago. Good read it to find out what the bug is and then do it right next time someone asks you to whiteboard binary search (or most other divide and conquer algorithms).

http://googleresearch.blogspot.com/2006/06/extra-extra-read-all-about-it-nearly.html

Binary String Decryption Via Bottom Up DP

This question is primarily lifted from TopCoder, but has been extended slightly. It is, however, very similar to a question I've seen at Amazon as well and the pattern (bottom up dynamic programming) is highly useful for interviews and, occasionally, for real life problems.

Suppose you want to encrypt a string of digits in some radix (binary works well, but the astute reader will realize that this implementation will break down with any radix greater than 4) by traversing the string and for each digit, adding the sum of its adjacent digits.

So 111101 becomes 233201

Algebraically described, encrypted[i] = source[i - 1] + source[i] + source[i + 1]. Where the string is assumed to be padded with 0's before the start and after the end.

Or, setting i to i - 1 and rearranging: source[i] = encrypted[i - 1] - ( source[i - 1] + source[i - 2] ).

Since there is no encrypted value of -1, source[0] can be anything available within the specified radix, so we'll try to decrypt based on each possible value of source[0], eg: 0 - radix - 1 and check that each computed value of source[i] is valid for that radix.

so our recursive definition is

source[0] = {0,1 ... RADIX - 1}
source[1] = encrypted[0] - source[0]
source[i > 1] = encrypted[i - 1] - source[i - 1] - source[i - 2]

    public String[] decode(String in, int radix) {

        String[] mResults = new String[radix];

        for(int i = 0; i < radix; i++) {
            mResults[i] = decode(in, radix, i);
        }

        return mResults;
    }

    private String decode(String in, int radix, int startValue) {

        char[] mString = in.toCharArray(); //
        int[] mEncrypted = new int[mString.length]; //encrpted
        int[] mDecrypted = new int[mString.length];
        //int[] mP = new int[mString.length]; //original
        //bottom up dp
        for(int i = 0; i < mEncrypted.length; i++) {
            mEncrypted[i] = Integer.parseInt(String.valueOf(mString[i]));
        }

        int mPreviousPrevious = 0;
        int mPrevious = 0;
        for(int i = 0; i < mEncrypted.length; i++) {
            
            if(i == 0) {
                mDecrypted[i] = startValue;
            } else {
                mDecrypted[i] = mEncrypted[i - 1] - (mPrevious + mPreviousPrevious);
            }
            if((mDecrypted[i] < 0 || mDecrypted[i] >= radix)) {
                return "NONE";
            }
            mPreviousPrevious = mPrevious;
            mPrevious = mDecrypted[i];
        }
        //now check to see that the last one makes sense
        if( mEncrypted[ mEncrypted.length - 1 ] != mDecrypted[mEncrypted.length - 1] + mPreviousPrevious) {
            return "NONE";
        }

        return intArrayToString(mDecrypted);
    }

    private String intArrayToString(int[] intArray) {
        StringBuilder mBuilder = new StringBuilder();
        for(int i = 0; i < intArray.length; i++) {
            mBuilder.append(intArray[i]);
        }
        return mBuilder.toString();

    }

So, what is the quick and dirty for solving something like this in an interview:

For any function F(x) that can be define with constants and F(i) where i is always less than X:
1. Define the function. Eg: F(x) = input(x - 1) - (F(x - 1) + F(x - 2))
2. Cache the values of F(x) as you compute them (though only as many as you need, in this case our mPrevious, and mPreviousPrevious)
3. Define the base cases and either initialize the cache, or check for them in a loop (we checked for them so we didn't have to do additional logic to catch the cases where the array is one or two digits long.

The rest is just string manipulation which you should be able to do in your sleep.

When I find some more time, I'll do another one of these for calculating the Levenshtein Edit Distance for two strings. A classic!

By the way, I doubt this is secure encryption so please don't kick my ass if you happen to be a security aficionado.