JavaScript, Open Source

Firebug 1.0 beta

Not enough good things can be said about this. Joe Hewitt has released a public beta of Firebug 1.0 and announced that it will continue to be open source. Any donations he gets are well deserved. Firebug is amazing, and 1.0 just blows me away. It is an invaluable part of a web developer’s toolkit.

The network monitoring is a nice enough addition, because who doesn’t want to know more about how long files/pages take to download? But it goes one step further.

Firebug network monitor with image thumbnail

Hover over one of the lines to get not just the fully qualified URL for the request, but if the request is for an image, Firebug also displays any images requested, scaling them to thumbnails if necessary. A small touch that really makes a difference.

JavaScript debugging is better than ever. Conditional breakpoints (“break only if the variable has this value”), profiling… very nice indeed. HTML and CSS inspection and manipulation, Firebug Lite for using a Firebug console in browsers other than Firefox… heaven.

I’m still putting it through its paces, but already the new version saved me a lot of time today during a big bug stomping session. Go get Firebug now.

Blogging, IDM

Burton Group Enterprise Licensing

Scott Mark points to Burton Group’s new Identity Blog, and he’s right: it’s quite good (in the American, not the English sense of the phrase). Subscribed.

He goes on to praise their enterprise licensing. I agree. When my employer first took advantage of this licensing and gave us all accounts, I had two reactions. First, I was put off because the email from Burton announcing my account came out of the blue and I assumed it was spam. Bad form. Second, I wondered why the hell I would even want access in the first place. I had no idea who Burton Group were, and my impression of large analyst firms had been very negatively colored by experience with Forrester and Gartner (“writing” reports in PowerPoint? WTF?), neither of which I had direct access to but that seemed to have led to some sadly uninformed decisions.

I ignored the service completely until earlier this year, when I felt suddenly compelled to learn everything I could about digital identity and read everything I could get from Burton Group. (If you ever explore identity management, you need to read a lot, because none of it makes sense until you’ve read it all.)

Now I read almost everything they publish. Why? Eric Sink makes a distinction between developer and programmer that I find useful. A programmer specializes in writing code, but a developer gets involved in many ways in developing software. I am not just a code monkey. As much as I love writing code, not only would focusing on that to the exclusion of all else be bad for my career, it would be boring. Instead I find myself contributing in a number of ways to any project I touch. I need and want to understand the business behind what we’re doing, the big picture behind the technology I work with, the industry trends that are informing decisions being made at the top. Burton Group’s papers generally drill down into a reasonable level of detail, so I don’t feel like I’m just getting the highlights.

The benefit to my employer should be obvious.

So to whoever set up this access: thank you.

It’s also good to see Burton Group doing more blogging. The CEO has a blog on the site, which is interesting enough, but until the Identity Blog, that was it. You have to dig on your own to find their analysts’ blogs (e.g. Mike Gotta’s), which are hosted elsewhere. Too bad. Despite the strength of the white papers and the research behind them, I’m still probably influenced more on a day to day basis by analysts’ blogs.

This is where, without adequate transition, I point to RedMonk, whose work I follow a bit too closely for my own good.

Java, Programming, Ruby

Polyglot

I’ve spent my life immersed in language. By the time I graduated from high school, I’d studied at least a dozen: French, Spanish, Italian, Esperanto, Russian, Mandarin, Irish Gaelic, German, Latin… French is the only one I learned very well, but still I developed a profound appreciation for how study of one language can enrich my understanding of others, including and especially my native tongue, English. In college, as a French major with a linguistics emphasis, I of course studied even more languages. Frequently I found myself better able to express or understand certain ideas in languages other than English.

My father was a programmer and often expressed his conviction that there is a connection between languages used for programming and those for human communication, asserting that they occupy the same area of the brain. I have no idea whether that’s true, but it sounds reasonable and I’d believe it. He, too, had occasion to learn new languages for his work, although the only ones I ever knew about were C, C++, Ada, and possibly COBOL. I think it no accident that the first programming language in which I felt truly at home was Perl, which is strongly influenced by linguistics and ideas about human language and expressiveness (see, for example, Allison Randal’s “On Topic“).

It should come as no surprise that now, as a working programmer, I believe the study of multiple programming languages to be not only extremely valuable, but essential. And maybe it’s close-minded of me, but it surprises and disappoints me when other programmers do not feel the same. I work on a team of Java programmers, and with one exception I am the only one who is even remotely interested in things outside the Java world. This is crippling. That sounds like an exaggeration, but I believe it to be true. A monoculture is limiting and dangerous. It doesn’t matter whether you’re working with .NET, Java, Ruby, or whatever. Working under the assumption that a single tool can be an effective one-size-fits-all tool is a serious mistake. It limits your thinking, it limits your creativity, it limits your ability to solve problems.

Here’s some advice I recently gave someone who was looking to hire a .NET web developer:

I’m not suggesting that you hire someone who isn’t strong in .NET. If you don’t currently have strong .NET skills, then obviously that’s a very important consideration. Neither am I suggesting that you look only at developers with experience in .NET and something else. I’m suggesting that a candidate who has experience with .NET and another platform may — may — turn out to be a stronger candidate because s/he can critically assess what .NET has to offer rather than blindly follow the One True Microsoft Way.

I work with Java programmers. That’s what they are: Java programmers who happen to be working on web apps. Except for maybe something like Scheme covered in an intro computer science course, they don’t have experience with anything but Java. And it hurts us. Because when they look at a problem, all they see is Java. When I suggest a way of doing things that isn’t a canonical approach in the Java world, I get strange, uncomprehending looks. And we end up with overarchitected, overcomplicated application designs that solve problems we don’t have — or that fail to solve the ones we do have.

Example. A complicated call stack for a form submission that retrieves search results. POST form, push criteria to the call stack, redirect to a GET to the results display page, pull criteria off the stack. Okay, the call stack isn’t complicated, but the code behind it was. The programmer who designed this spent a long time working this out and unsuccessfully trying to address problems like dealing with multiple windows. Solution? Submit the form with GET in the first place. Dead obvious to a web developer, not so much to a Java programmer who’s not used to the web. But maybe that’s not fair since it’s a domain problem.

Example. A former coworker insisted that the text output of a certain COBOL program could never be parsed and made into something more meaningful. Why? Because he was exclusively a Java programmer, and Java’s a pain in the ass for text manipulation. Well, I work with languages like Perl and Ruby, steeped in a history of text manipulation. I munge text for breakfast. I looked at the problem and figured it would take about half an hour with a few regular expressions. Java didn’t even have regular expressions in the core API until four years ago, so this way of approaching a problem still doesn’t occur to most Java programmers.
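The kind of text munging described above, as an added Ruby example that is not code from the post: a constructed fixed-width report in the style a batch COBOL program prints, parsed with three regular expressions and reconciled against its own trailer totals. The report layout, field names and values are all assumptions made up for the example.

```ruby
# Constructed sample: a fixed-width batch report (header, column headings,
# detail lines, trailer). Real COBOL output varies; this layout is invented.
REPORT = <<~TXT
  ACCT SUMMARY REPORT                         RUN DATE 2006/11/30   PAGE   1
  ACCOUNT     NAME                  BALANCE      STATUS
  ----------  --------------------  -----------  ------
  0001234567  SMITH, JOHN              1,234.56  ACTIVE
  0007654321  DOE, JANE                  -98.10  CLOSED
  0009999999  O'BRIEN, PAT            12,000.00  ACTIVE
  ----------  --------------------  -----------  ------
  TOTAL RECORDS:        3           13,136.46
TXT

# One regex per line type is all the "parser" needs.
HEADER_RE = %r{RUN DATE (\d{4}/\d{2}/\d{2})\s+PAGE\s+(\d+)}
DETAIL_RE = /^(\d{10})\s+(.+?)\s{2,}(-?[\d,]+\.\d{2})\s+(ACTIVE|CLOSED)\s*$/
TOTAL_RE  = /^TOTAL RECORDS:\s+(\d+)\s+(-?[\d,]+\.\d{2})/

# Money as integer cents, avoiding float rounding: "1,234.56" -> 123456
def to_cents(str)
  sign = str.start_with?('-') ? -1 : 1
  whole, frac = str.delete('-,').split('.')
  sign * (whole.to_i * 100 + frac.to_i)
end

def parse_report(text)
  run_date = nil
  records  = []
  total    = nil
  text.each_line do |line|
    if (m = HEADER_RE.match(line))
      run_date = m[1]
    elsif (m = DETAIL_RE.match(line))
      records << { account: m[1], name: m[2].strip,
                   balance_cents: to_cents(m[3]), status: m[4] }
    elsif (m = TOTAL_RE.match(line))
      total = { count: m[1].to_i, balance_cents: to_cents(m[2]) }
    end
  end
  # Reconcile parsed detail lines against the trailer the program printed;
  # a mismatch means a line was dropped or mis-parsed (e.g. a layout change).
  raise 'missing trailer line' unless total
  sum = records.sum { |r| r[:balance_cents] }
  unless records.size == total[:count] && sum == total[:balance_cents]
    raise "trailer mismatch: #{records.size} rows / #{sum} cents vs #{total}"
  end
  { run_date: run_date, records: records, total: total }
end

if __FILE__ == $PROGRAM_NAME
  parse_report(REPORT)[:records].each { |r| puts r.inspect }
end
```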

Example. I find myself cleaning up a lot of clunky JavaScript code, written by people who treat it as “Java Lite” and who don’t understand JavaScript’s object model, which is quite different from Java’s. Different, not worse — and certainly not the One True Java Way.

I’m not writing this to rag on Java programmers, it’s just that they happen to be the source of my daily frustrations.

All this said, it’s quite possible to have an excellent web developer who knows only Java, or .NET, or ColdFusion, or PHP, or whatever. Regardless of whether they’ve worked in a diversity of languages or have been steeped in a monoculture, I think it’s worth asking what the strengths and weaknesses of their chosen platform are, because it’s a strong indication of how carefully and how creatively they’re thinking about the problems before them.

This is part of why I worry about what to suggest instead of Java EE, or rather what we can introduce to Java EE to be more productive. Part of my growth as a developer has been learning that not everyone has an easy time learning another language. I have always had an easy time learning languages, whatever the sort. I love to learn a new language, to stretch my mind and see what it has to teach me. This is far from universal. But I have to keep reminding myself of that, especially when I have trouble understanding why so few people are interested in extending the Java platform with non-Java languages.

More on that another day.

JavaScript, Programming

Google Maps Mobile

Google Maps is cool, sure, but last night I saw Google Maps Mobile. That is impressive.

PHP

date_sunrise and date_sunset

Now I’m starting to get irritated. I was reviewing the syntax of PHP date functions and discovered date_sunrise and date_sunset, which do just what you expect: return the time of sunrise and sunset for a given date and location. Except that you probably didn’t expect them to be in the language core.

As time goes on, I’m becoming more curmudgeonly about decisions like this.

Java, PHP, Programming, Ruby

If not Java EE, then…?

A prediction: if a couple years from now I am still mired in a Java monoculture, I will strangle someone. Probably myself.

As I have explained before, and with some apology for the double negative to which I am about to subject you, I do not believe that Java can never be viable for web application development, or that it is a bad language. I simply assert that it is an exceedingly poor choice for the web applications that I work on. Because it’s past 1 a.m. and my son will be waking me up in less than five hours, and maybe because despite my curmudgeonly nature I am reasonably polite after all, I will spare my employer the (mild) embarrassment of an all-out rant. Suffice it to say that working among the Convinced as I do, I am very much in the minority in my belief that Java EE — really, a Java monoculture — is the number one culprit for the project I’m working on being so very, very late. It isn’t the only problem we have, but it’s a big one.

The question I’m left with is this: what do I propose as an alternative?

.NET is out. We’d need lots of new hardware and be locked with a single, closed-source vendor. Please do not bring up Mono.

Cold Fusion? Same single-vendor problem, and I remain unconvinced.

There are Python frameworks like Django and TurboGears. I like them. They’re just not compelling enough for me to suggest using them.

Tcl? Sorry, private joke.

To my mind, it comes down to PHP (using any of a number of frameworks) or Ruby on Rails.

We would stand to benefit more from both Ruby and Rails, but I am concerned about deployment scenarios. Large-scale Rails deployments are possible, but it’s still a new enough platform that people are still working out the kinks for how to do it well. To be honest, we’d just be talking about a medium-size deployment, but the same concerns apply. Could we do it? Yes. I have faith in our system administrators and our developers. I would just feel really guilty about going to them every 3-6 months with a new way of setting up the servers to deploy Rails apps. I admit that I haven’t been following that scene for a while, but it does seem every time I poke my head in that there’s something significantly different.

On the other hand, I’m satisfied that we know how to work well with PHP, at least from a sysadmin perspective. On the development side we would certainly move a lot faster than we do with Java. As PHP becomes more Java-like, you’d think that a transition from Java would be easy. That’s the whole point, right? PHP has a low barrier to entry. On the other hand, its similarities to Java (at least in the object model) may make the transition harder, as I’ve found that Java programmers are somehow blinded to or misunderstand significant platform differences — e.g. PHP’s share-nothing architecture. We would also struggle with maintaining a large PHP codebase, much as we struggle maintaining Java code in reasonable order.

But honestly? In my gut, I hesitate to propose PHP because of the language itself. It doesn’t feel that much better to write PHP code than Java code — sometimes it’s worse, especially some of PHP 5’s Java-inspired syntax. Mostly, though, I think it’s the lack of closures and blocks, language features that I’ve come to expect and rely on. Peter Williams brings up the same point about PHP.

I first learned blocks and closures about two years ago and now find programming without them mildly painful. I think that Mark Jason Dominus got it right when he said

in another thirty years people will laugh at anyone who tries to invent a language without closures, just as they’ll laugh now at anyone who tries to invent a language without recursion.

There are just so many common classes of problem that are simply and cleanly solved by closures that not having them seems like a crime.

I think I’m holding out for JRuby on Rails.

Java

Jini

The Java Posse have posted a delightful three-part interview with Van Simmons of the ComputeCycles Project: one (#82), two (#84) and three (#86). This is an excellent introduction to Jini. I’ve been excited about Jini since it was first announced, but it kinda fell off the radar for a while and I haven’t pursued it. I might grumble about working with Java (okay I do more than grumble!), but to my mind Jini rescues it from the dustbin. I just haven’t had need for it at work, which is no excuse, and I spend as little of my free time as possible working with Java. That might change. The whole area of distributed computing intrigues me deeply. That and concurrency; it’s about time I read Java Concurrency in Practice, which is just collecting dust on my shelf.

Also of note, a presentation about Jini by Daniel Steinberg, “Beyond the Choir.”

JavaScript, Security

JavaScript malware

I had lunch with Gary and Matt the other day. After politely reminding me that I hadn’t blogged at all lately (it seems del.icio.us doesn’t count), they listened to me blather on about what’s been occupying my thoughts and time lately, especially 1) JavaScript malware, and 2) dynamic languages in the JVM and CLR. Thanks, guys. Once I get started on a topic I can be hard to shut up, so I appreciate your patience. Here’s that blog post you asked for.

So. JavaScript malware? Three presentations at Black Hat caught my attention.

  1. Jeremiah Grossman and T.C. Niedzialkowski on Intranet hacking with JavaScript malware.
  2. Billy Hoffman’s “Analysis of Web Application Worms and Viruses” (PDF slides). Shortly before Black Hat, SPI Dynamics (where Hoffman works) released a paper and proof of concept code on “Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript Malware.”
  3. Tom Ptacek and Dave Goldsmith, “Do Enterprise Management Applications Dream of Electric Sheep?” If enterprise agents don’t make you nervous yet, they will.

The first two talks explore different aspects of what Grossman is calling JavaScript malware. The upshot is that cross-site scripting is much, much worse than we had ever thought — “the new buffer overflow” — and opens the door to internal network scanning, JavaScript worms and viruses, and all sorts of other excitement.

This is bad enough, but taken as a backdrop to the Matasano presentation on attacks behind the firewall — ridiculously insecure enterprise management agents — it’s terrifying enough to send me whimpering into a corner.

Subsequent work has made it even worse. JavaScript is everywhere, and its environmental restrictions vary. PDF, QuickTime, MP3 (!), Flash, RSS feeds… dang. The outlook is not good. From a recent email exchange in which I responded to an assertion that PDFs don’t yet have the ability to transmit worms/viruses:

Because PDFs can run JavaScript, whether they can themselves transmit worms/viruses isn’t terribly important. PDFs can make web services calls over HTTP & HTTPS, they can connect to databases, they can retrieve and play backdoored media files like Quicktime and Flash (QT can run JavaScript, btw), they can cause a web browser to launch and make arbitrary HTTP requests. With JavaScript (in the browser, at least), I can scan an internal network, probing and fingerprinting network devices (or intranet sites), and use them as a launching pad for a more devious attack. Is that printer vulnerable? Quite possibly. Does that router have a web interface? Ooh, that’s interesting. Does that intranet portal have XSS vulnerabilities that can help me transmit a JavaScript worm? Quite probably.

The usual network admin concern with perimeter security is insufficient. The likelihood of running across cross-site scripting over the course of a day of surfing is pretty high; cross-site request forgeries are likely everywhere. They can blast undetected right through your network perimeter and tackle all the fun stuff on the inside. Even trusted web sites are not safe, and the consequences are getting worse every day. Remember: script kiddies are not the danger anymore. The real threat is well-trained and funded crime syndicates motivated by scads of cash.

I’m barely scratching the surface but wanted to give you at least some idea of what’s been banging around in my head. Read Jeremiah Grossman, RSnake, pdp (architect) to start if you’re interested in studying up.

Site

Akismet

One of the reasons I didn’t enable comments on this blog for so long was that I didn’t want to deal with comment spam. I’m happy to say that so far, Akismet has done quite well and blocked all comment spam.

Dang, I suppose I just threw down the gauntlet, didn’t I?

Personal

Another scene from my life with Kiara

Me: Good answer!

K: Yeah, I’d totally make a good dad. I can build stuff and make up bullshit on the fly.

Me: We don’t call it bullshit.

K: Oh yeah. Wisdom.
