Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask
 
PerlMonks  

(Ovid) Re: Programming Laws

by Ovid (Cardinal)
on Jan 24, 2002 at 21:41 UTC ( #141252=note: print w/ replies, xml ) Need Help??


in reply to Programming Laws

Ovid's Law of Security

Allowing a known security weakness into a program is automatically a security hole, regardless of whether or not it can be exploited.

Okay, so it's a bit wordy, but it's true. I've seen this too many times to think otherwise. I was bit by this a few months ago. I was told that I had to get a page up fast. I had to write a program to regularly grab financial data from some files that are sent to us via ftp. Then, this data is stored in a database and later served on a page.

The program that actually gets the data from the database was thrown together in a few hours. Since I was rushed, I was lazy (the bad lazy, not the good) and put the username and password for the database into the script. Hey, this is in the cgi-bin directory and no one will ever see it. Naturally, a couple of weeks later, someone had to move the site and misconfigured the server. Instead of running the script, it was being sent to the browser.

I knew it was a weakness and it's a trivial matter to move the username and password to a config file outside of the Web root. I whine and moan when I see anybody else do this, yet I was hoist on my own petard.

Ovid's Law of User Interfaces

No matter how well thought out the interface, if it confuses the user, it's a bug.

In tilly's homenode, he provides a link to the the Interface Hall of Shame for Lotus Notes. I have had the, um, pleasure of working with this piece of crud. One of the "features" of the program is in the email portion. To save space, copying any email to another folder does not copy the email. It creates an alias to the original email. Deleting either the original or the alias results in both being deleted. I can't even begin to tell you how many times I heard language that would make George Carlin blush when people discovered this "feature".

One of the curious side effects of this is that whenever I received email from a coworker, it would often be copied back to themselves. Thus, they could delete their "sent" mail safely, since they couldn't copy important sent email to another folder. Read the Hall of Shame link. It's hilarious. What's worse is the "defense" given by many of the Lotus Notes developers. Invariably they scream that the users needed to be trained. While admittedly, Bloatus Notes is much more than an email client and any company that uses it solely for that purpose is wasting their money, users shouldn't need to be sent to a training class for something as trivial as email!

Update: Just gotta add this. In case you're not entirely sure what Lotus Notes is, here is how the developers describe it:

  • a sophisticated non-relational database environment
  • document-based-development-platform-with-integrated-mail-features
  • an applications development environment for tools that facilitate the open exchange of information between geographically dispersed individuals
  • a workflow application
  • a workflow collaboration software [sic]
  • a distributed client/server development and deployment environment
  • a database-manager

Now, that clears things up, right? :)

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.


Comment on (Ovid) Re: Programming Laws
Re: (Ovid) Re: Programming Laws
by Hero Zzyzzx (Curate) on Jan 25, 2002 at 00:21 UTC

    Just to back up Ovid (like he needs it) developing for Notes/Domino is what pushed me into perl- "There HAS to be a better way. . ."

    I remember there was this 700 pixel HR tag that I wanted to change in Domino- I found where it was created in the nsf, changed the pixel width- AND THE WHOLE DATABASE CRASHED PERMANENTLY. It had to be restored from backup, and needless to say, further attempts were unsuccessful, and the HR never got changed.

    Gotta love having near-complete control of your web apps, without getting too into the muck, like perl affords you.

    -Any sufficiently advanced technology is
    indistinguishable from doubletalk.

      Holy cow! That is so not the way to alter images. You edit stuff by using the designer client or via one of the APIs. You got what you deserved mucking around in the raw NSF file.


      Fun Fun Fun in the Fluffy Chair

        HR tags weren't images, the last time I checked. . .

        -Any sufficiently advanced technology is
        indistinguishable from doubletalk.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://141252]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others making s'mores by the fire in the courtyard of the Monastery: (11)
As of 2014-09-22 15:04 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    How do you remember the number of days in each month?











    Results (198 votes), past polls