The Changelog: Software Development, Open Source - The six dumbest ideas in computer security (News)
Episode Date: July 15, 2024
Marcus J. Ranum's 2005 post on dumb ideas in computer security still holds up, Barry Jones argues why story points are useless, Posting is an HTTP client as a TUI, Varnish creator Poul-Henning Kamp (phk) reflects on ten years of working on the HTTP cache & es-toolkit is a major upgrade to Lodash.
Transcript
What up nerds?
I'm Jared and this is Changelog News for the week of Monday, July 15th, 2024.
Are you struggling to ship?
Do you want to hear about others struggling even more?
I got you!
Kien is a video game for the Game Boy Advance that started development in 2002.
It has finally been released.
After 22 years, it now holds the record as the longest development journey in history.
Sounds like the Duke Nukem Forever devs can finally sleep at night.
I'm looking for some alien toilet to park my bricks. Who's first?
Okay, let's get into the news.
The six dumbest ideas in computer security.
Can it still count as news if it was written in 2005?
Let's check the conclusion and see if this one's still relevant.
Quote, computer security is a field that has fallen far too deeply in love with the whiz-bang of the week and has forsaken common sense. End quote.
Well, I think we have our answer.
Here's the six things with very brief explainers.
Dumb idea number one, default permit,
which is giving permission and asking for forgiveness.
Dumb idea number two, enumerating badness,
which is where you list out all the known bads and think you got it all covered.
Dumb idea number three, penetrate and patch.
This is where folks continually use new code to fix old holes.
Dumb idea number four, hacking is cool, which is penetration testing.
Dumb idea number five, educating users, which is a fool's errand.
And dumb idea number six, action is better than inaction, which is where you end up doing dumb things.
Follow the link in your chapter data and newsletter for full explainers,
plus a couple of predictions that have aged like milk.
This one is my favorite.
Quote, my prediction is that the hacking is cool dumb idea will be a dead idea in the next 10 years.
I'd like to fantasize that it will be replaced with its opposite idea.
Good engineering is cool.
But so far, there is no sign that's likely to happen.
Story points are pointless.
Measure queues.
I knew I was going to like this piece by Barry Jones before I even clicked the link.
Setting that confirmation bias aside for a moment, here's the hook.
Quote, their creator has disavowed them.
People cannot agree on what a story point even represents.
The measure is different for every team that uses it.
They sow confusion, create conflict, unreliable timelines, are easily gamed, demotivate, and degrade the performance of your team.
For everyone involved, this is a waste of time. Let's deep dive into why story points are so broken and how to avoid dealing with them ever again. End quote.
This is a detailed piece with a lot of strong arguments against story points, but it doesn't stop there. Barry also makes the argument for measuring queues instead.
Quote, measured queues address short-term and long-term estimation issues, handle scope changes naturally, and provide a much more valuable exercise to larger teams while removing uncertainty from the team's initial plans. Measured queues also provide a leading indicator of problems 20 times faster than velocity or cycle time related metrics, end quote.
If this sounds at all familiar to you, it might be echoes of our conversation with Lucas F. Costa called Product Development Structures as Systems. We touched on much of the same issues. That's worth a listen, or re-listen, if this topic interests you.
A powerful HTTP client that lives in your terminal.
Posting is an HTTP client not unlike Postman and Insomnia. As a TUI application, it can be used over SSH and enables efficient keyboard-centric workflows. Your requests are stored locally in simple YAML files, meaning they're easy to read and version control. End quote.
This looks excellent.
It's built with Textual,
which we've talked about on the show a couple of times,
and that means you can install it with pipx.
Check your chapter image to see what it looks like,
and give it a try.
Link in the newsletter.
It's now time for sponsored news.
Instant branching for Postgres.
We create branches in our code all the time, but what if we could branch our database just as easily? Thanks to Neon, that's actually a thing. Branch your data with a single click or API call and their copy-on-write technology makes it happen instantaneously and cost effectively. This is great for dev, but also for easily rolling out preview environments with up-to-date copies of your production data. Don't take my word for it, try branching in your project by following the link in your chapter data and newsletter.
And thank you to Neon for sponsoring Changelog News.
ES Toolkit is a major upgrade to Lodash.
ES Toolkit is a state-of-the-art, high-performance JavaScript utility library
with a small bundle size and strong type annotations.
End quote.
Thanks to built-in tree-shaking support, ES Toolkit bundles down 97% further than Lodash.
It also has built-in TypeScript support,
if you're into that kind of thing.
I don't even know what this is.
This sort of thing ain't my bag, baby.
Boasts 100% test coverage
and achieves 2-3x better performance
in modern JavaScript environments.
This looks like a no-brainer swap-out
if you're still using Lodash,
or God forbid, underscore,
for your utility function needs.
Going fast, slowly.
Varnish creator Poul-Henning Kamp,
or PHK for short,
reflects on 10 years of working on the HTTP cache
and the accumulated 150,000 lines of code in the repository.
Quote, Varnish has been in existence for 10 years,
so that's 15,000 lines per year.
200 workdays a year makes that 75 lines a day.
7.5 hours of work per day gives 10 lines per hour.
Even though I have written the vast majority of the source code, Varnish is far from a one-person project. I have no way to estimate the average number of full-time persons over the last 10 years, so let's pick the worst case and say that only two persons were full-time. It follows that there is no way the average output of those two persons exceeded five lines per hour measured over the 10 years history of the project. Does that number seem low or high to you? End quote.
It surprised me at first, but I knew very little about the project and nothing of its makers prior to this post. Then I read this, quote, I was 40 years old when in his Varnish post.
Perfection is attained not when there is nothing more to add, but when there is nothing more to remove.
Have a great week, leave us a 5-star review if you dig our work, and I'll talk to you again real soon.
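Editor's added example for the "default permit" and "enumerating badness" items in the dumb-ideas segment above. This code is not from the episode, from Ranum's post, or from any project mentioned on the page. It contrasts a filename sanitiser that strips the one traversal pattern it knows about (default permit plus enumerated badness) with a default-deny allowlist, and shows that several constructed attacker inputs sail through the first and are rejected by the second. The sample inputs, the allowlist regex, the base directory `/srv/files` and the function names are all assumptions made for the illustration.

```python
import posixpath
import re
from typing import Dict, Optional, Tuple

# Constructed attacker inputs for this example (not taken from the post).
SAMPLE_INPUTS = [
    "report.pdf",             # the only benign one
    "../etc/passwd",          # the single case the denylist was written for
    "..\\windows\\win.ini",   # backslash variant, traversal on Windows
    "....//etc/passwd",       # collapses to ../ after one strip pass
    "%2e%2e/etc/passwd",      # URL-encoded, decoded later by something else
    "report.pdf\x00.txt",     # NUL truncation in C-backed file APIs
]


def denylist_sanitize(name: str) -> str:
    """Dumb ideas #1 and #2 together: strip the bad thing we know about, permit the rest.

    Returns the 'cleaned' name. Anything the list does not enumerate is allowed,
    and stripping itself creates the ....// bypass.
    """
    cleaned = name.replace("../", "")
    if cleaned.startswith("/"):
        raise ValueError("absolute path rejected")
    return cleaned


# Default deny: describe the one shape that is acceptable and reject everything else.
# Assumed policy: a plain file name, letters/digits/_/- with an optional short extension.
ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}(\.[A-Za-z0-9]{1,8})?")


def allowlist_sanitize(name: str) -> str:
    """Return the name unchanged if it matches the allowlist, else reject.

    fullmatch is used deliberately: a '$' anchor would still match before a trailing newline.
    """
    if ALLOWED.fullmatch(name) is None:
        raise ValueError(f"rejected: {name!r}")
    return name


def escapes_base(base: str, name: str) -> bool:
    """Second default-deny check on the resolved location, independent of string filtering.

    Only POSIX semantics are modelled here; backslashes are ordinary characters to posixpath.
    """
    root = base.rstrip("/") + "/"
    full = posixpath.normpath(posixpath.join(root, name))
    return not full.startswith(root)


def audit(inputs) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each input to (denylist result, allowlist result); None means rejected."""
    results = {}
    for raw in inputs:
        try:
            deny = denylist_sanitize(raw)
        except ValueError:
            deny = None
        try:
            allow = allowlist_sanitize(raw)
        except ValueError:
            allow = None
        results[raw] = (deny, allow)
    return results


if __name__ == "__main__":
    for raw, (deny, allow) in audit(SAMPLE_INPUTS).items():
        print(f"{raw!r:28} denylist -> {deny!r:24} allowlist -> {allow!r}")
    # The resolved-path check catches what the denylist let through for the POSIX cases.
    print(escapes_base("/srv/files", denylist_sanitize("....//etc/passwd")))
```

Running the block shows the denylist passing five of the six inputs while the allowlist passes only `report.pdf`. The point is not the regex but the direction of the decision: an allowlist fails closed when the attacker finds an encoding you did not think of, a denylist fails open. The resolved-path check is a second default-deny control in case the allowlist is ever loosened.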