Nerderati

You're probably not nerdy enough.

New Design, New Engine

As some of you may have noticed, I recently changed the design of Nerderati.

While I quite liked the last design — Charcoal — I wanted something lighter, and that put more emphasis on the content. Moreover, I had made the decision to switch from Habari, to WordPress.

Habari is a fantastic blogging engine. Its design and architecture are particularly well done, and are how WordPress should have been done in the first place. Their community is both active and knowledgeable, having put out three minor releases since I started Nerderati last year, as well as releasing a great deal of plugins.

So why the hell would I switch to WordPress, of all things?

I realized that I was eternally tinkering with Habari: a plugin incompatibility here, an issue with the media browser there, and a sprinkling of minor missing features. While every problem I had experienced was minor and should be expected of relatively new (pre-1.0) software, they were additional psychological barriers between me and posting new articles.

Then, I had an epiphany: I was looking at my blog from the perspective of a Developer, instead of a User. WordPress’ internals might not sit well with me on a technical front, but who cares? I’m not developing for it. I’m not designing for it. I sure as hell don’t have the time to be continually tinkering with a blog engine (and I have no interest whatsoever in blog engines, not just WordPress). I have no doubt that Habari will one day compete toe-to-toe with WordPress feature-wise, but that’s not today.

So I decided to apply my normal work philosophy, and use the best available tool for the job at hand. And as soon as I stopped thinking of it from a developer point of view, the choice was obvious.

I just have to make sure to never look at the source code of this damned thing.

The PHP 5.3 Y-Combinator

One trick that seems to be all the rage these days is to show off fancy results from functional languages in their imperative counterparts. Now, I love functional languages; OCaml/Haskell/Erlang give me a programmer hard-on that imperative languages can only dream of. In that vein, I present to you a very clever implementation of the y-combinator in PHP 5.3 that Nate Abele came up with a few nights ago while we were discussing fixed-point combinators over instant messenger:

(see the original Twitter post)

Sexy, right?

If you’re keen on fooling around with the gist, your first challenge is to implement a memoized version of the above y-combinator. Your second (which will take you significantly longer) is to come up with a valid reason to actually use this in production code.
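An added example, written here in Python rather than PHP and not a copy of Nate Abele's gist (the embedded tweet no longer shows it): a fixed-point combinator for a strict language, the memoized variant the first challenge asks for, and a call counter that shows what memoization buys. PHP 5.3 and Python are both call-by-value, so the textbook Y = λf.(λx.f (x x)) (λx.f (x x)) loops forever at definition time; the self-application has to be wrapped in a closure (the Z form). In PHP 5.3 that closure would need a `use ($x)` clause, which is the only real difference. The names Y, Y_memo, fib_step, fact_step, counting and compare are this example's own.

```python
# Added example, not code from the original post or from Nate Abele's gist.

def Y(f):
    """Strict-language fixed-point (Z) combinator: returns g with g == f(g).

    f receives 'rec', the function it should call for recursive steps, and
    returns the body. The inner lambda delays x(x) until an argument arrives,
    which is what keeps this from recursing forever before the first call.
    """
    return (lambda x: f(lambda *args: x(x)(*args)))(
        lambda x: f(lambda *args: x(x)(*args))
    )


def Y_memo(f):
    """Like Y, but every recursive call made through 'rec' is cached.

    The cache sits between f and its recursion hook, so f is untouched:
    the same step function works with Y and with Y_memo.
    """
    cache = {}

    def memoising(rec):
        def cached_rec(*args):
            if args not in cache:          # args is a tuple, hence hashable
                cache[args] = rec(*args)
            return cache[args]
        return f(cached_rec)

    return Y(memoising)


def fact_step(rec):
    """One step of factorial, written against an abstract recursion hook."""
    return lambda n: 1 if n < 2 else n * rec(n - 1)


def fib_step(rec):
    """One step of Fibonacci; naive double recursion, exponential without memo."""
    return lambda n: n if n < 2 else rec(n - 1) + rec(n - 2)


def counting(step):
    """Wrap a step function so the number of body executions can be observed."""
    calls = [0]

    def counted_step(rec):
        body = step(rec)

        def wrapped(*args):
            calls[0] += 1
            return body(*args)
        return wrapped

    return counted_step, calls


def compare(n):
    """fib(n) through Y and through Y_memo: (value, naive_calls, memo_calls)."""
    naive_step, naive_calls = counting(fib_step)
    memo_step, memo_calls = counting(fib_step)
    value = Y(naive_step)(n)
    assert Y_memo(memo_step)(n) == value
    return value, naive_calls[0], memo_calls[0]


if __name__ == "__main__":
    print("10! =", Y(fact_step)(10))
    value, naive, memo = compare(20)
    print("fib(20) = %d; body ran %d times without memo, %d with" % (value, naive, memo))
```

Without the cache the body runs 2*fib(n+1)-1 times (21891 for n = 20); with it, once per distinct argument (21 for n = 20). The second challenge stands.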

Hello, World

When a programmer takes his/her first steps in a new language, the first example program he/she codes (or skips over) is usually the prototypical “Hello, world”, or a variant thereof. I thought I might run through a few of the classical “Hello, world” examples from programming languages that I find interesting.

This first example is from Factor, an example of a concatenative (as opposed to applicative) language:

I’m trying to find more reasons to toy with Factor, simply because it is such a huge departure from the programming languages I’ve used in the past. Some of the interesting features:

  • A postfix syntax
  • Stack-based
  • Classes can be predicate and union based

The next is from Haskell, my favourite functional programming language:

My favourite Turing-complete joke language, LOLCODE:

As a crazy side note, it appears that the Turing completeness of LOLCODE was in part proven by using it to write a Brainfuck interpreter (Brainfuck itself having already been proven Turing complete). That’s fairly mind-blowing to me, especially considering that Brainfuck is pretty much as incomprehensible as it gets (by design), and LOLCODE syntax is based on the captions of funny cat pictures.

Fortran, which is still heavily used in high performance computing, benchmarking and scientific analysis (e.g. computational physics) due to its extremely stable and robust floating point arithmetic and floating point exception handling. I still wouldn’t touch it with a ten-foot pole these days, however.

Got any favourite languages that aren’t “mainstream”? Let me know in the comments.

The Meritocracy of Open Source

In democracies, power is held by the citizens. The problem with this (at least in terms of open source software) is that, by and large, people are dumb.

The root of the problem lies in the fact that many people approach code in a selfish, rather than utilitarian, manner. Of course, this is a non-issue when you are writing code that will never be released to the public. But for those of us that do work on and contribute to open source codebases, utilitarianism is a smart (and thankfully prominent) modus operandi. If the core developers of some popular web frameworks started adding classes and methods to their respective codebases to properly parse Flickr LOLCODE, I’m sure a few concerned voices would be heard.

Plato seems to have addressed this issue in his famous Socratic dialogue The Republic, suggesting that the ideal form of government was one formed of philosopher-kings. If we disregard the pompous title of ‘philosopher-king’, Plato’s idealized form of government is quite similar to how most open source projects are managed. Core members are not elected by the community. Rather, they are appointed to their position based on their qualifications, and are tasked with governing in such a manner that will yield the greatest good for the greatest number of people. This resembles most open source organizational methods quite well [1].

As such, I’ve come to this conclusion: Open Source is not a Democracy. It’s a Meritocracy. There are no political parties, campaigns or lies and promises. Instead, a person is judged entirely by the code that they write, and the relative usefulness of the latter to the community at large. No one is ‘elected’ into an open source team. You get invited, usually (and hopefully) on the basis of your individual merit and perceived dedication to the project.

And the crazy part? This actually works. Open source produces some fantastic software. Much of the internet and the web runs on open source stacks, and those numbers don’t seem to be dropping anytime soon. Add to that the incredible advances that have been made in the last decade in open source desktop and so-called ‘enterprise’ software, and the above conclusion is undeniable.

Is a Meritocracy the best philosophy under which we should write code? Perhaps not. But I can’t think of anything better.

If it ain’t broke, don’t fix it.

[1] The only exception that I know of is FreeBSD, where they hold elections for the core team every two years. This (surprisingly) seems to work extremely well for them.

Hacking Hotel Wifi With an SQL Injection

After attending & speaking at CakeFest 2009 in Berlin, Germany, I decided to take a week off and explore the city. Since the hotel that I had been lodged in for the conference had free Wifi, I assumed that this was the norm in mid-range to high-end hotels in and around Berlin. And, as you may have noticed from the title of this post, it seems as if I was mistaken.

Crazy prices

There’s no way in hell I was going to pay 69€ for the five days that I was staying at that hotel. So, like any good freeloader, I first checked the other available networks that I could connect to.

The Intrigue

After a bit of recon on signal strength with iStumbler, I tried to connect to the only other moderately strong network that wouldn’t make me stab my own eyes out.

Available networks

It turned out to be another managed Wifi from the hotel across the street, but these guys offered a ‘Free’ connection in addition to their ‘Business’ connection (which was about as crazily priced as the one I was trying to desperately avoid paying), the difference being some bullshit options like not actively blocking VPN ports and prioritized traffic. Oh well, free is still better than nothing. Plus, I thought, I could always just tunnel whatever ports & services I needed.

The Turn

Of course, that would have been too easy. To actually use their free Wifi, you needed to input your room number, as well as the name of the person who registered the room in the first place. It seems that this particular establishment didn’t like the idea of letting people not actually staying at the hotel use its ‘free’ wifi.

After trying a few random room numbers and gibberish names to verify that data validation was actually being performed on the server side, I figured I had nothing to lose by trying a few standard SQL injections to see if I could bypass the whole process.

Typical SQL injection attempt

At first blush I thought that this error message meant that my attempts were in vain, since the application seemed to be escaping my input and had determined that no relative of Bobby Tables was currently in room 228.

The Revelation

However, I know how developers can sometimes be lazy, and this laziness sometimes manifests itself in slightly incorrect error messages. So I tried a different room number.

Another SQL injection attempt

And lo and behold, success!

Success!

Granted internet access

I wasn’t going to be downloading torrents with a 200 MB/50 MB daily transfer limit, but it was good enough to check emails and do the occasional git pull on some projects.

It Shouldn’t Be This Easy

Sometimes I wonder how any web developer worth his salt can overlook such a simple SQL injection vulnerability, especially one that is both well documented and easy to protect against. Worse, I’m pretty sure that this application was developed for multiple hotel locations, which means this brain-dead attack vector exists in all of those spots.

Now, I only tried this attack on the ‘Free’ wifi, but you can see all the trouble that could be caused by performing this same process on the ‘Business’ wifi option, which would have billed the room occupant at the end of his stay. I wouldn’t like to be the desk clerk when that person checked out of the hotel.

With tools like SQL Inject Me available at the click of a button, it’s never been easier to test (and hack) forms for a variety of simple injection vulnerabilities. Couple that with any half-decent developer who can figure out a few details about the internal structure of your application, and you’re just asking for trouble by concatenating user input into your queries instead of binding it as parameters.
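As an added example (not the hotel portal's code, which the post only shows as screenshots), here is the shape of the bug against an in-memory SQLite table, with the parameterized version beside it. The guest table, the names in it and the exact query are assumptions; the post establishes only that the form took a room number and the registered name, and that a stock injection string got through. The example also shows why the same bug produces odd error messages: a legitimate name containing an apostrophe breaks the concatenated query outright.

```python
# Added example, not code from the original post or from the hotel's portal.
import sqlite3

# Constructed sample data: a few rooms and the name each is registered under.
GUESTS = [
    ("101", "Anna Schmidt"),
    ("228", "Tomas Weber"),
    ("305", "Siobhan O'Brien"),
]


def make_db():
    """In-memory SQLite database standing in for the portal's guest list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guests (room TEXT NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO guests VALUES (?, ?)", GUESTS)
    return conn


def vulnerable_check(conn, room, name):
    """The kind of check the post defeats: user input pasted into the SQL text.

    Whatever the guest types becomes SQL syntax, so a quote closes the string
    literal and the rest of the input is parsed as part of the WHERE clause.
    """
    sql = ("SELECT COUNT(*) FROM guests "
           "WHERE room = '" + room + "' AND name = '" + name + "'")
    return conn.execute(sql).fetchone()[0] > 0


def safe_check(conn, room, name):
    """Parameterized version: the SQL text is fixed, the driver binds values."""
    sql = "SELECT COUNT(*) FROM guests WHERE room = ? AND name = ?"
    return conn.execute(sql, (room, name)).fetchone()[0] > 0


# Two classic bypass strings for the name field. AND binds tighter than OR,
# so the injected clause makes the WHERE true for every row, whichever room
# number was typed. The second also comments out the trailing quote that the
# application appends after the name.
PAYLOADS = ["' OR '1'='1", "x' OR 1=1 --"]


def attempt(check, room, name):
    """Return 'granted', 'denied' or 'sql error' for one login attempt."""
    try:
        return "granted" if check(make_db(), room, name) else "denied"
    except sqlite3.OperationalError:
        # A quote in a real name breaks the concatenated query; this is where
        # a lazy handler turns a syntax error into a misleading message.
        return "sql error"


def run_demo():
    """Run a real guest, a guest with an apostrophe, a wrong name and the
    payloads (against an empty room) through both checks."""
    results = {}
    for label, check in (("vulnerable", vulnerable_check), ("safe", safe_check)):
        results[label] = {
            "real guest": attempt(check, "228", "Tomas Weber"),
            "apostrophe": attempt(check, "305", "Siobhan O'Brien"),
            "wrong name": attempt(check, "228", "Nobody"),
        }
        for payload in PAYLOADS:
            results[label][payload] = attempt(check, "999", payload)
    return results


if __name__ == "__main__":
    for label, outcomes in run_demo().items():
        print(label)
        for what, result in outcomes.items():
            print("  %-16r -> %s" % (what, result))
```

The vulnerable check grants access on both payloads for a room nobody is in and throws a syntax error on a genuine "O'Brien"; the parameterized one denies the payloads and accepts the apostrophe, because bound values never reach the SQL parser. Escaping by hand is the approach that keeps going wrong; binding parameters removes the problem instead of chasing it.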

But at least I didn’t have to pay for wifi.