When it's been a publicized vulnerability since at least 2003, but nobody's had the good sense to actually pay attention to it, you assholes.
Avi Rubin on the Christopher Soghoian fake-boarding-pass generator kerfuffle:
RUBIN: When we find a security vulnerability, we think about how to publish that information responsibly, and what information we may need to omit. When we find an exploit, the first thing we do is have a meeting about who to tell and how.

Avi, this is all well and good if you're talking about a brand new exploit that nobody's ever imagined before, or even if you combine a few old attacks in a new and unexpected way. But Christopher Soghoian only did one new thing: he implemented an attack which had only been described in theory, even though that attack was already easy enough for the average thirteen-year-old with a MySpace to pull off in practice. Now it's easy enough for the average kindergartner. You cannot possibly give a convincing argument that our nation's security is under appreciably greater risk from the grade-school age bracket than it was last week. Nor, I believe, can you give a convincing argument that terrorists who have the technical savvy to coordinate dozen-man attacks haven't figured out how to edit a webpage or hire someone who can.
No, this is a matter of practice getting better press than theory. I'm willing to believe that not a single one of the 535 members of the U.S. House and Senate was reading Crypto-Gram back in August 2003 and that none have happened across Schneier's article since. I'm less willing to believe that no member of Congress reads Slate magazine, which covered the same issue last year -- especially since Sen. Charles E. Schumer (D-NY) issued a press release about the loophole a mere six days after the Slate article came out. But theoretical attacks make people's eyes glaze over, especially people who can't be bothered to learn anything about the systems which make those attacks possible. If people have to do actual work to see that the emperor has no clothes, most of them will gladly continue to believe whatever the emperor wants them to think. Soghoian reduced the process to "push button => naked emperor," and now people are scared of something they should have already been clamouring about for the last three-plus years.
Keep this one in mind, all you academics out there. By and large, you don't care about whether your work ever gets implemented or not, as long as it works out on paper. But the Christopher Soghoian incident should stand out as a reminder and a warning: your work is only going to affect the rest of the world if someone puts it into practice. That someone might be you, or it might be somebody else's grad student; it's up to you to decide who's going to get the recognition.
Assuming, that is, it's the kind of recognition you want.
Tonight's steaming double shot of hatred gets flung into the twin gaping maws of the American National Standards Institute and the International Standards Organization. Pull up a chair, all of you -- I may be about to rant about a programming language, but it'll make sense even to the non-geeks in the house, I promise.
In my advisor's office the other day, $collaborator2 and I were going back and forth about this soft-query interface my advisor wants us to build. (This is what CHARUN has come back from Development Hell to provide. I talked about that a few entries ago, so I won't repeat myself.) One thing led to another, and when the dust settled, it was on me to write the backend (in C) and retool the frontend (in PHP and, now, Javascript via Sajax), while $collaborator2 did the middleware (based on SVM-light, which is also in C, which I would then write a SWIG PHP wrapper for).
Well, he emailed me tonight to say he'd finished the middleware portion to do what I wanted. I took a look at what he'd written, and was immediately suspicious: I'd asked for a function which returned a vector of weights in the form of a double[], and he had indeed written such a thing, but the parameters were (int argc, char* argv[]). Further, the elements in argv[] were mostly turning into file handles. "The hell?" I said to myself, dug through this rather baroque function, found the part that actually computed the weight vector, and rewrote that as a much smaller function. (Still not elegant, as this is C, but at least it was easier to read.)
I fired that off to him, and a few minutes later he came online to discuss what I'd written. During the course of the discussion, he admitted he'd simply yanked main() part and parcel from another part of SVM-light which did what I wanted (among other things), which I'd already suspected from the parameter names. DO NOT DO THIS, PEOPLE. IT MAKES CODE LOOK UGLY AND REUSES UNNECESSARY MATERIAL.
Now, don't get me wrong: $collaborator2 is a smart guy, and he understands the math behind this way better than I do. I would have a hard time doing this project without him, because among other things, I've never done a partial differential equation before. But it's really frustrating when people parcel out the work on a project and then I have to go back and micromanage them because they do something dumb and slipshod. I could have spent the same amount of time writing the code myself in the first place, you know?
Oh well. In happier news, tonight I discovered DOM-Drag and its offspring, dragsort, which are going to make the UI for this so very very pretty. Still don't like Javascript (though I like C less), but the fact that it has a good DOM API redeems it somewhat (ok, a lot) in my sight.
Also, availability of online library resources will be one of the deciding factors in my choice of institutions to do a postdoc with. A subscription to Safari would be ideal.
I really need to stop writing software in languages I hate. It would do wonders for my mood.
