All posts by Tor Håkon Haugen

Security Through Stupidity

Security through obscurity is a well-known term in the computer industry, but what if the security is not even obscured? Security through obscurity implies that some efforts were made to hide something, anything. But this does not always seem to be the case – because if it were, the people responsible would not just be ignorant, but also stupid; hence the term “security through stupidity.”

Maybe I am being a bit harsh; but let us look at a few examples.

The information was there all along

In 2021, a journalist for the St. Louis Post-Dispatch discovered teachers’ social security numbers on the state of Missouri’s website. The sensitive information was not directly visible on the webpage, but it was there if you right-clicked and selected “view source” in your browser.

The state alleged that this journalist had “hacked” the website to gain access to this information. Let me repeat that: the state of Missouri leaked social security numbers on its website and threatened the person who found out and reported the vulnerability.

The stupidity here is not only the government’s lack of security, but also how it chose to react.

Ask and you shall receive

Ever wondered what would happen if you replaced your user id in the address bar with someone else’s? Maybe you would find some personal information, or maybe you would find a lawsuit.

A Norwegian developer found himself in such a situation. He wanted to make a mobile app where you could find the owner of a vehicle using the license plate. This is not secret information by the way; you can get it by sending a text message to the Norwegian department of motor vehicles.

This developer wanted a more seamless interaction, however, and he found a solution. When logged into the department of motor vehicles, he would see his own car details. No surprise there. However, by changing the address in the browser he could find the owner of other cars as well. He decided to use this to generate his own database of vehicle information, scraping it through the publicly reachable APIs.

The department of motor vehicles was not amused when he told them he had found a solution to his problem, and they presented him with a lawsuit. Now the most astonishing part, from my point of view, is that he lost the first trial, which tells you a lot about the legal system and its understanding of technology. Luckily, the verdict was later overturned, and once again we are allowed to change the address bar in the browser.

Ordering off-menu

This may be my favorite. Probably because I used it with immense success in the past. It is also a variant of the “ask and you shall receive” listed above. It boils down to a simple “let’s trust the user’s input.”

In my case, I discovered that I could get my hands on the license key for any combination of Volvo car and DVD containing map updates for the satnav. The website handling license requests worked like this: you entered your car’s VIN (vehicle identification number), and a list of previously bought maps for this vehicle would show up. Select one, enter your email address, and a license key would arrive in your inbox along with a “thank you, and have a nice day.”

Now, what do you think happened if you replaced one of the available maps with a map you did not legally own? Bingo, you got mail: “Thank you, and have a nice day.” And just how do you change this, you ask? Well, the developer tools in Chrome, Edge or Firefox would do fine. The server never checked that the map you submitted was one of the maps it had itself listed for your VIN.
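Both stories above, “ask and you shall receive” (swapping an id in the address bar) and “ordering off-menu” (editing the option list a form offers), come down to the same missing server-side check. The following is an added example, not code from the post or from any of the sites it describes: a request handler that trusts client-supplied fields beside one that re-derives every decision from the authenticated user and the server’s own records. All names, the `Request` fields, the sample VINs and the map ids are assumptions constructed for the example.

```python
"""Added example (not from the post): server-side authorization for two
patterns the post describes, changing an id in the URL and editing a form's
option list. All data below is constructed sample data; the function and
field names are assumptions."""

from dataclasses import dataclass

# Constructed sample data: who owns which vehicle, and which map products each
# VIN has licences for. A real service would read these from its database.
VEHICLE_OWNER = {
    "VIN-0001": "alice",
    "VIN-0002": "bob",
}
PURCHASED_MAPS = {
    "VIN-0001": {"EU-2022"},
    "VIN-0002": {"EU-2022", "NA-2022"},
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested resource."""


@dataclass
class Request:
    user: str         # identity established by the session, never by the form
    path_vin: str     # the VIN taken from the URL (client-editable)
    form_map_id: str  # the map the client claims it selected (client-editable)


def issue_key(vin, map_id):
    """Stand-in for whatever mints a licence key; deterministic for the test."""
    return f"KEY-{vin}-{map_id}"


def vulnerable_handler(req):
    """Trusts the browser: whichever VIN appears in the URL and whatever option
    the form submits are accepted as-is. This is the behaviour the post describes."""
    return issue_key(req.path_vin, req.form_map_id)


def hardened_handler(req):
    """Every decision is re-derived on the server from the authenticated user
    and the server's own records, never from client-editable fields."""
    # Object-level authorization: the VIN in the URL must belong to the caller.
    if VEHICLE_OWNER.get(req.path_vin) != req.user:
        raise Forbidden("vehicle is not owned by the requesting user")
    # Entitlement check: the selected map must be one the server knows was bought
    # for this VIN, regardless of what the HTML form was edited to contain.
    if req.form_map_id not in PURCHASED_MAPS.get(req.path_vin, set()):
        raise Forbidden("map not licensed for this vehicle")
    return issue_key(req.path_vin, req.form_map_id)


def try_handler(handler, req):
    """Return the key the handler issues, or None if it refused."""
    try:
        return handler(req)
    except Forbidden:
        return None


if __name__ == "__main__":
    honest = Request(user="alice", path_vin="VIN-0001", form_map_id="EU-2022")
    off_menu = Request(user="alice", path_vin="VIN-0001", form_map_id="NA-2022")
    other_car = Request(user="alice", path_vin="VIN-0002", form_map_id="NA-2022")
    for req in (honest, off_menu, other_car):
        print(req.path_vin, req.form_map_id,
              "vulnerable:", try_handler(vulnerable_handler, req),
              "hardened:", try_handler(hardened_handler, req))
```

The point of the hardened version is that the list of maps shown in the browser is a convenience for the user, not an authorization decision; the same lookup that populated the list is run again when the request comes back, and the VIN in the URL is checked against the session’s user rather than taken at face value.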

Conclusion

If you want to hide or protect information, at least give it some effort. More importantly, if someone gives you a heads-up that you may be leaking secrets, thank them for sharing, fix it, and move on. Do not sue or threaten to sue them. And lastly, if you do not understand technology, do not pretend you know technology. It is that simple.

My Year in Books

And by “My Year in Books” I obviously mean 2022, the year we just left behind.

Three of the books I read in 2022: The Storyteller by Dave Grohl, Project Hail Mary by Andy Weir and Becoming by Michelle Obama.

In 2022 I started the year with a goal to read 36 books; I ended up reading 31. There are several reasons why I didn’t reach my goal, but the main one is that I simply didn’t read enough.

This year my goal will be (at least) 40 books. I selected that goal because a) based on last year’s reading habit, it is ambitious but still realistic, and b) I may or may not turn 40 this year.

To be able to reach this goal I have realized that I must read more fiction in between the “heavy stuff” of self-help, biographies, technical books and what not. Some books are just easier to digest than others. Barack Obama’s brick, A Promised Land, is not one of them, and that’s why I still haven’t finished it. Sorry Barack, but I preferred your wife’s writing.

Back to fiction, the best book I read last year: Project Hail Mary. I cannot stress how good this book was. It is a book I want to read again, and again. It is just so darn good.

I can also recommend “The Storyteller” by Dave Grohl, the Foo Fighter himself. I’m currently reading (among other books) “Born to Run” by Bruce Springsteen. So far Dave Grohl has been more captivating in his storytelling, but I’ve just started “running”, maybe it will change once I get a bit further into the book.

To see the whole list of books I read, you can roam around in my Goodreads profile.

On Writing a Meeting Agenda

I have attended more meetings without a clear agenda, or no agenda at all – except for a vague subject line – than I can count. Writing a good meeting agenda can be the difference between a productive conversation bringing you closer to your goals and a waste of time.

Sadly, a good agenda is no guarantee of a productive meeting. It all depends on the participants. You can write a clearly defined agenda, right down to what the outcome should be: decide on X or Y, and still people could show up unprepared. But now it is clear who is not doing their part, who is not paying attention.

By writing a good agenda, you have done your part to maximise the success of any meeting.

Write a good title

The subject line should be short and to the point. The tighter the group of participants, the shorter it can be. If you invite in people from other parts of the organization, or external people, it may have to convey some more information. In any case, the title needs to be self-explanatory to the group attending.

State the expected outcome

Write down what the outcome of the meeting should be. Is it a decision? Is it another meeting? In other words: what do you want to achieve? Since this is the most important part of a meeting, I would suggest keeping this at the top of the agenda.

Ask for input in advance

Be clear on the input needed to make decisions. A meeting is not the time to look up information that could have been prepared in advance. Make sure to tag the person(s) responsible for doing this, otherwise it will not happen. Again, this may not be a guarantee that they do their part, but it is on them, not you. If someone has not done their job, make them aware of it. Make them learn to respect you and the meeting culture you want to build.

Be succinct and to the point

You are not writing a novel, so keep the content brief and use bullet points if possible. Nobody wants to read more than necessary. You should attach any related reading material as separate documents. If you are to discuss an incident, the deviation report should be an attachment.

As with asking for input, tag people if they need to familiarize themselves with the attached documents beforehand.

Invite the right people

Invite the right people and make sure they stay on board. I have been in meetings that have been forwarded to a bunch of people who have no clue about what is going on, while the person you really wanted – the one you needed – has dropped out. Do not allow this to happen. Be strict. Cancel if necessary. Do not waste time if the right people are not present.


There you have it: my five tips to a better meeting. Now, make sure to take notes. Who attended, what did you discuss, who should follow up on what. This is valuable information, especially if you are to have a follow-up meeting.

Even if you are “just” a participant: take notes. It will make you a better human being.

Muscle memory is amazing

This is something every gamer will recognize. And although I am not a gamer, I still feel it deserves to be said: muscle memory is amazing. Put in enough repetitions, and your body will remember them for life.

Even though I wrote that I am not a gamer – because I do not spend much time playing games – it was during gameplay (ironically enough) that this thought was born, and therefore this writing.

As part of my battle with (a possible) long-term depression – which I just call life – I try to notice and appreciate the smaller things in life, so take this writing for what it is: observational. And as far as things to admire and appreciate go, muscle memory is certainly on the list.

Muscle memory kicks in

It was probably an act of distraction (from something, obviously) that led me to open up Steam and notice an update to Kerbal Space Program (KSP) being downloaded. And I thought: “Now that is a name I haven’t heard in a long time.” And true enough, my last gameplay was March 2021.

So, I started the game. Entered the hangar, found a saved spacecraft which still had a valid design (updates sometimes add or remove modules, rendering a saved spacecraft useless), and brought it to the launchpad. Amazingly, I was still able to get this thing into orbit – on the second try, having forgotten to enable SAS (Stability Assist) at first launch. Whoops.

But on the second launch I knew which key to press to enable SAS. I knew which key set full throttle and how to engage the various stages. And after a successful rendezvous with a space station (which I had left there almost two years prior), I also knew how to enable RCS and do the finer manoeuvres to dock.

And it is not only in gameplay. I use muscle memory for passwords and PIN codes, when writing, using the VIM editor or even driving a car. The clutch/gearbox; foot/hand coordination. It is all there, ready to be used when the environment is correct. And I think that last part is key: The environment has to be set up correctly. Once it is, muscle memory takes over. It is simply amazing.

A quick side note: after getting a new keyboard, I found the number of typos going up. The keyboard is just a tad too sluggish, so sometimes I miss a key. And working with a keyboard (for me) is all muscle memory.

What do you want to achieve?

What do you want to achieve? This is probably the most important question you can ask someone who comes to you with a request. People (usually) know what they want, but that does not mean they know what they actually need. [1]

Let me try to put this into context: I work as an operations manager for a mid-sized IT company, which means people come to me asking for resources. And by people, I mean developers, and by resources, I mean anything from a new server to a firewall opening.

It is in this context that I have learned to ask the question: what do you want to achieve?

Most of the time, what they want is also what they need. But occasionally, what they ask for just makes no sense, like: “can you create a subdomain pointing to a specific path on the webserver?” [2] Even if they do ask for something sensible, they still might not know what they really need.

In this example, what they wanted was to display a specific landing page depending on the subdomain that was used. The solution, if you wonder, is to have a piece of code that checks the Host header of the incoming HTTP request (which carries the subdomain the browser asked for) rather than trying to make DNS into something it is not.
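As an added illustration (not code from the post or from the author’s company) of what that “piece of code” looks like: all subdomains resolve to the same server in DNS, and the application picks the landing page from the Host header. The hostnames, page paths and function names are assumptions constructed for the example. The one caveat a practitioner wants here is that the Host header is client-supplied, so the code maps only expected hosts and falls back to a default rather than reflecting whatever value arrives.

```python
"""Added example (not from the post): choosing a landing page from the Host
header of the incoming HTTP request instead of trying to encode a path in DNS.
Hostnames, page paths and names below are assumptions."""

# Assumed mapping from the exact host the browser asked for to the page to
# serve. Unknown hosts are deliberately not mapped: the Host header comes from
# the client, so only values you expect should influence behaviour.
LANDING_PAGES = {
    "example.com": "/pages/home.html",
    "www.example.com": "/pages/home.html",
    "promo.example.com": "/pages/promo.html",
    "partners.example.com": "/pages/partners.html",
}
DEFAULT_PAGE = "/pages/home.html"

# Constructed page bodies so the app runs without a filesystem.
PAGE_BODIES = {
    "/pages/home.html": "<h1>Home</h1>",
    "/pages/promo.html": "<h1>Promo landing page</h1>",
    "/pages/partners.html": "<h1>Partner portal</h1>",
}


def normalize_host(raw_host):
    """Lower-case the host and strip an optional port, e.g.
    'Promo.Example.com:8443' -> 'promo.example.com'.
    Returns None for empty or malformed values."""
    if not raw_host:
        return None
    host = raw_host.strip().lower()
    # IPv6 literals look like [::1]:8080; keep the bracketed address only.
    if host.startswith("["):
        end = host.find("]")
        return None if end == -1 else host[: end + 1]
    host = host.split(":", 1)[0]
    return host or None


def landing_page_for(raw_host):
    """Pick the page for the given Host header value. An unexpected or missing
    host gets DEFAULT_PAGE; it is never echoed into a redirect or a link."""
    host = normalize_host(raw_host)
    if host is None:
        return DEFAULT_PAGE
    return LANDING_PAGES.get(host, DEFAULT_PAGE)


def app(environ, start_response):
    """Minimal WSGI application: WSGI exposes the Host header as HTTP_HOST."""
    page = landing_page_for(environ.get("HTTP_HOST"))
    body = PAGE_BODIES[page].encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Add entries like "127.0.0.1 promo.example.com" to /etc/hosts to try it locally.
    with make_server("127.0.0.1", 8080, app) as server:
        print("Serving on http://127.0.0.1:8080/ (Host header selects the page)")
        server.serve_forever()
```

Run it and request the same port with different `Host` values; the server, not DNS, decides which page appears. Normalizing the port and case before the lookup matters because browsers send `Host: promo.example.com:8080` when a non-default port is used.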

It is not that developers are stupid; on the contrary, developers apply a great deal of logic to their thinking, leading to assumptions like: “If a domain name points to a website, it should also be able to point to a specific path of a website.”

The point is: if you ask someone what they want to achieve, you can potentially save yourself and others from wasting time doing the wrong things. And time is the most valuable resource we have.

It is such a simple question, yet so powerful: What do you want to achieve?

Notes

[1] A lot of people struggle with what they want in life – as do I – but in this context I am talking about when people ask for something specific.

[2] This is of course a made-up example (or is it?)