Category Archives: Essay

Security Through Stupidity

Security through obscurity is a well-known term in the computer industry, but what if the security is not even obscured? Security through obscurity implies that some efforts were made to hide something, anything. But this does not always seem to be the case – because if it were, the people responsible would not just be ignorant, but also stupid; hence the term “security through stupidity.”

Maybe I am being a bit harsh; but let us look at a few examples.

The information was there all along

In 2021, a journalist for the St. Louis Post-Dispatch discovered teachers’ social security numbers on the state of Missouri’s website. The sensitive information was not directly visible on the webpage, but it was there if you right-clicked and selected “view source” in your browser.

Allegedly, this journalist had “hacked” the website to gain access to this information. Let me repeat that: The state of Missouri leaked social security numbers on their website and threatened the person who found out and reported the vulnerability.

The stupidity here is not only the government’s lack of security, but also how they chose to react.
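A publisher can catch this class of leak before a page goes live by auditing the full source rather than the rendered view. The sketch below is an added example, not code from the incident or from any party named above; the sample page, its values and the location labels are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Nine digits, dashed or undashed, minus ranges that are never issued
# (area 000, 666 or 9xx; group 00; serial 0000).
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9)(\d{3})(-?)(?!00)(\d{2})\2(?!0000)(\d{4})(?!\d)")

class SourceAudit(HTMLParser):
    """Walks everything the server sends, not just what the browser renders."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []    # (location, masked value)
        self._raw_tag = None  # "script" or "style" while inside one

    def _scan(self, location, text):
        for match in SSN_RE.finditer(text or ""):
            self.findings.append((location, "***-**-" + match.group(4)))

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_tag = tag
        for name, value in attrs:  # hidden inputs, data-* attributes, ...
            self._scan(f"attribute {tag}[{name}]", value)

    def handle_endtag(self, tag):
        if tag == self._raw_tag:
            self._raw_tag = None

    def handle_data(self, data):
        self._scan(self._raw_tag or "visible text", data)

    def handle_comment(self, data):
        self._scan("comment", data)

def audit(html):
    """Return every SSN-shaped value in the page source with its location."""
    parser = SourceAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: nothing sensitive is rendered, yet three values ship.
SAMPLE_PAGE = """<html><body>
<input type="hidden" name="record" value="123-45-6789">
<script>var rows = [{"name": "Jane Example", "ssn": "234567890"}];</script>
<!-- debug dump: 321-54-1111 -->
<p>Questions? Call 555-0100 and quote reference 000-12-3456.</p>
</body></html>"""
```

Calling `audit(SAMPLE_PAGE)` reports the hidden input, the script data and the comment, and nothing from the visible paragraph.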

Ask and you shall receive

Ever wondered what would happen if you replaced your user id in the address bar with someone else’s? Maybe you would find some personal information, or maybe you would find a lawsuit.

A Norwegian developer found himself in such a situation. He wanted to make a mobile app where you could find the owner of a vehicle using the license plate. This is not secret information by the way; you can get it by sending a text message to the Norwegian department of motor vehicles.

This developer wanted a more seamless interaction, however, and he found a solution. When logged into the department of motor vehicles, he would see his own car details. No surprise there. However, by changing the address in the browser he could find the owner of other cars as well. He decided to use this to generate his own database of vehicle information, scraping the information using publicly available APIs.

The department of motor vehicles was not amused when he told them he had found a solution to his problem, and they presented him with a lawsuit. Now the most astonishing part, from my point of view, is that he lost the first trial, which tells you a lot about the legal system and its understanding of technology. Luckily, the verdict was later overturned and once again we are allowed to change the address bar in the browser.

Ordering off-menu

This may be my favorite. Probably because I used it with immense success in the past. It is also a variant of the “ask and you shall receive” listed above. It boils down to a simple “let’s trust the user’s input.”

In my case, I discovered that I could get my hands on the license key to any combination of Volvo car and a DVD containing map updates for the satnav. The website handling license requests worked like this: You entered your car’s VIN (vehicle identification number), and a list of previously bought maps for this vehicle would show up. Select one, enter your email address, and a license key would arrive in your inbox along with a “thank you, and have a nice day.”

Now, what do you think happened if you changed one of the available maps with a map you did not legally own? Bingo, you got mail: “Thank you, and have a nice day.” And just how do you change this, you ask? Well, the developer tools in Chrome, Edge or Firefox would do fine.
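The fix for both this case and the address-bar case in “Ask and you shall receive” is the same: the server re-checks every submitted identifier against its own records. The sketch below is an added example, not the site’s actual code; the VINs, map ids, key derivation and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the map DVDs each VIN has bought, as the server knows it.
PURCHASES = {
    "SAMPLEVIN00000001": {"EU-2012", "EU-2013"},
    "SAMPLEVIN00000002": {"NA-2013"},
}
DEMO_KEY = b"constructed-demo-secret"  # placeholder, not a real signing key


class NotEntitled(Exception):
    """The requested map is not among this vehicle's purchases."""


def issue_key(vin, map_id):
    """Stand-in for the real license generator (hypothetical)."""
    digest = hmac.new(DEMO_KEY, f"{vin}:{map_id}".encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def offered_maps(vin):
    """What the page lists for the user to choose from."""
    return sorted(PURCHASES.get(vin, ()))


def request_license_trusting(form):
    """Behaviour described in the essay: the submitted choice is taken as-is."""
    return issue_key(form["vin"], form["map_id"])


def request_license_checked(form):
    """Treat the form as a request and re-check it against server-side records."""
    vin = str(form.get("vin", "")).strip().upper()
    map_id = str(form.get("map_id", "")).strip()
    if map_id not in PURCHASES.get(vin, ()):
        raise NotEntitled(f"{map_id!r} was never purchased for this vehicle")
    return issue_key(vin, map_id)


# Constructed request: the map id was edited in the browser before submitting.
EDITED_FORM = {"vin": "SAMPLEVIN00000001", "map_id": "EU-2014"}
```

The list shown to the user is a convenience; only the lookup inside `request_license_checked` decides whether a key is issued.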

Conclusion

If you want to hide or protect information, at least give it some effort. More importantly, if you get a heads-up that you may be leaking secrets; thank them for sharing, fix it, and move on. Do not sue or threaten to sue them. And lastly, if you do not understand technology, do not pretend you know technology. It is that simple.

On Writing a Meeting Agenda

I have attended more meetings without a clear agenda, or with no agenda at all – except for a vague subject line – than I can count. Writing a good meeting agenda can be the difference between a productive conversation bringing you closer to your goals, or a waste of time.

Sadly, a good agenda is no guarantee of a productive meeting. It all depends on the participants. You can write a clearly defined agenda, right down to what the outcome should be: decide on X or Y, and still people could show up unprepared. But now it is clear who is not doing their part, who is not paying attention.

By writing a good agenda, you have done your part to maximise the success of any meeting.

Write a good title

The subject line should be short and to the point. The tighter the group of participants, the shorter it can be. If you invite in people from other parts of the organization, or external people, it may have to convey some more information. In any case, the title needs to be self-explanatory to the group attending.

State the expected outcome

Write down what the outcome of the meeting should be. Is it a decision? Is it another meeting? In other words: what do you want to achieve? Since this is the most important part of a meeting, I would suggest keeping this at the top of the agenda.

Ask for input in advance

Be clear on the input needed to make decisions. A meeting is not the time to look up information that could have been prepared in advance. Make sure to tag the person(s) responsible for doing this, otherwise it will not happen. Again, this may not be a guarantee that they do their part, but it is on them, not you. If someone has not done their job, make them aware of it. Make them learn to respect you and the meeting culture you want to build.

Be succinct and to the point

You are not writing a novel, so keep the content brief and use bullet points if possible. Nobody wants to read more than necessary. You should attach any related reading material as separate documents. If you are to discuss an incident, the deviation report should be an attachment.

As with asking for input, tag people if they need to familiarize themselves with the attached documents beforehand.

Invite the right people

Invite the right people and make sure they stay onboard. I have been in meetings that have been forwarded to a bunch of people who have no clue about what is going on, and the person you really wanted – that you needed – has dropped out. Do not allow this to happen. Be strict. Cancel if necessary. Do not waste time if the right people are not present.


There you have it: my five tips to a better meeting. Now, make sure to take notes. Who attended, what did you discuss, who should follow up on what. This is valuable information, especially if you are to have a follow-up meeting.

Even if you are “just” a participant: take notes. It will make you a better human being.

Muscle memory is amazing

This is something every gamer will recognize. And although I am not a gamer, I still feel it deserves to be said: Muscle memory is amazing. Put in enough repetitions, and your body will remember them for life.

Even though I wrote that I am not a gamer – because I do not spend much time playing games – it was during gameplay (ironically enough) that this thought was born, and therefore this writing.

As part of my battle with (a possible) long-term depression – which I just call life – I try to notice and appreciate the smaller things in life, so take this writing for what it is: observational. And as far as things to admire and appreciate go, muscle memory is certainly on the list.

Muscle memory kicks in

It was probably an act of distraction (from something, obviously) that led me to open Steam and notice an update to Kerbal Space Program (KSP) being downloaded. And I thought: “Now that is a name I haven’t heard in a long time.” And true enough, the last gameplay was March 2021.

So, I started the game. Entered the hangar, found a saved spacecraft which still had a valid design (updates sometimes add or remove modules, rendering a saved spacecraft useless), and brought it to the launchpad. Amazingly, I was still able to get this thing into orbit – on the second try, having forgotten to enable SAS (Stability Assist) at first launch. Whoops.

But on the second launch I knew which key to press to enable SAS. I knew which key to set full throttle and how to engage the various stages. And after a successful rendezvous with a space station (which I left there almost two years prior), I also knew how to enable RCS and do the finer manoeuvre to dock.

And it is not only in gameplay. I use muscle memory for passwords and PIN codes, when writing, using the VIM editor or even driving a car. The clutch/gearbox; foot/hand coordination. It is all there, ready to be used when the environment is correct. And I think that last part is key: The environment has to be set up correctly. Once it is, muscle memory takes over. It is simply amazing.

A quick side note: After getting a new keyboard, I found the number of typos going up. The keyboard is just a tad too sluggish, so sometimes I miss a key. And working with a keyboard (for me) is all muscle memory.

What do you want to achieve?

What do you want to achieve? This is probably the most important question you can ask someone who comes to you with a request. People (usually) know what they want, but that does not mean they know what they actually need. [1]

Let me try to put this into context; I work as an operation manager for a mid-sized IT company, which means people come to me asking for resources. And by people, I mean developers, and by resources, I mean anything from a new server to a firewall opening.

It is in this context that I have learned to ask the question: what do you want to achieve?

Most of the time, what they want is also what they need. But occasionally, what they ask for just makes no sense, like: “can you create a subdomain pointing to a specific path on the webserver?” [2] Even if they do ask for something sensible, they still might not know what they really need.

In this example, what they wanted was to display a specific landing page depending on the subdomain that was used. The solution, if you wonder, is to have a piece of code that checks the incoming HTTP request header rather than trying to make DNS into something it is not.
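One way to do that check, as an added example rather than code from the situation described: a small WSGI application that picks the landing page from the request’s Host header. The host names and paths are hypothetical, and because the header is supplied by the client it is normalized and matched against a fixed list, never used to build a path.

```python
import re

# Constructed mapping from host name to landing page (hypothetical names).
LANDING_PAGES = {
    "www.example.com": "/landing/default.html",
    "summer.example.com": "/landing/summer.html",
    "partners.example.com": "/landing/partners.html",
}
DEFAULT_PAGE = "/landing/default.html"
HOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?")


def normalize_host(raw):
    """Lower-case, drop the port and a trailing dot; None if malformed."""
    host = (raw or "").strip().lower()
    host = host.rsplit(":", 1)[0]   # "name:8080" -> "name"
    host = host.rstrip(".")         # "name." is the same host as "name"
    return host if HOST_RE.fullmatch(host) else None


def landing_page_for(raw_host):
    """Unknown or malformed hosts get the default page, never an error path."""
    return LANDING_PAGES.get(normalize_host(raw_host), DEFAULT_PAGE)


def app(environ, start_response):
    """WSGI entry point: one site, several names, page chosen per request."""
    page = landing_page_for(environ.get("HTTP_HOST"))
    body = f"serving {page}\n".encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]
```

DNS only needs to point every subdomain at the same server; the choice of page happens entirely in `landing_page_for`.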

It is not that developers are stupid, on the contrary, developers actually apply a great deal of logic to their thinking; leading to assumptions like: “If a domain name points to a website, it should also be able to point to a specific path of a website.”

The point is: if you ask someone what they want to achieve, you can potentially save yourself and others from wasting time doing the wrong things. And time is the most valuable resource we have.

It is such a simple question, yet so powerful: What do you want to achieve?

Notes

[1] A lot of people struggle with what they want in life – as do I – but in this context I am talking about when people ask for something specific.

[2] This is of course a made-up example (or is it?)

Writing Tips

Twice I have been fortunate enough to have one of my posts featured on Hacker News. Well, fortunate might be a strong word because the attention comes with a price.

The first post was a tongue-in-cheek essay about digital natives and boy did it get some attention. Mostly negative. HN is a lovely community, but reading those comments was not an enjoyable experience.

This brings me to my first tip: Humor can easily get lost in translation. I’m not saying you shouldn’t use it, but you should be aware that humor – especially irony and sarcasm – doesn’t translate well into writing.

In my second post, Writing is Hard, I wrote about what I find difficult about the writing process, and what I believe is the best way to solve it. This time the comments were far nicer, and I enjoyed reading them. There were different opinions, obviously, but the general tone was much better and the feedback more constructive – which I attribute to the fact that I wrote a more constructive essay as well.

I could say: Write more constructively, but I don’t think that is constructive advice. Instead, my second tip would be: Keep your promise to the reader. This applies even if you think nobody will read it; if you promise something in the title or the beginning of the text, follow up on that. In my first draft, the title of this essay was “Writing Tips”. So now I must either deliver on that or change the title.

This brings me to my third tip: Change your title accordingly. Sometimes the title is clear from the start, but usually the title is just a placeholder until you know what the text is about. Writing can be an evolving process; in some cases, you don’t know the text until after you have written it and done the first round of editing.

As mentioned, I find much joy in the HN community, and I’ve noticed that people often want evidence. This is a good thing; it means people are paying attention. So, if you claim something, make sure to back it up. This is not a hard rule; I just broke it myself claiming that people on HN want more evidence.

Speak the truth and be honest with your reader. I don’t mean that you shouldn’t write fictional stories or fairy tales, but if you try to sell something; be upfront about it.

English is not my first language, but I believe I can use that to my advantage by keeping it simple and making the text readable. I don’t try to impress with words I don’t understand, and neither should you.

Equally important, no matter how simple the words you use: Fix spelling and grammar. Our brain is incredible when it comes to filling in the gaps. One way to fix spelling is to read the text backwards, word for word. But I’m lazy and just copy the whole thing into Microsoft Word and let it advise me.

Still, weirdness can get through. In the original draft I managed to write “thong-in-cheek” instead of “tongue-in-cheek” – now that will certainly conjure up an image in your head. Both will pass the spellchecker; but one is not like the other.

Once you have written your piece; let it mellow for a while. I know it’s tempting to press the publish button, or in other ways release it to the world, but let it rest. As with tasty food, the flavors must get to know each other. I think this applies to words and sentences as well. If they taste sour when you get back to them after a few hours, or a few days, re-write or throw them out.

The written word doesn’t have an expiration date; it won’t go bad, but it won’t get any better either. Make sure your text is tasty before you serve it to other people.

I want to finish with this: We all make mistakes. It’s not the end of the world if you make a typo or two, as long as the text is readable, understandable and you get your point across.

To summarize:

  1. Be careful with humor, especially with irony and sarcasm
  2. Keep your promise to the reader
  3. Change your title (if necessary) once the text is ready
  4. Back up your claims with facts and references
  5. Speak the truth and be honest with your reader
  6. Keep the language simple, avoid using words you don’t fully understand
  7. Fix spelling and grammar
  8. Let your text mellow and re-read before you publish

So, there you have it: My writing tips. They may not be perfect, but I didn’t promise that either, so I believe I have delivered according to my own advice on this one. Now, what are you waiting for? Start writing.