PHP is a /great/ first language…for a hacker

October 6th, 2008 12 comments

So I figured I’d jump on the blogger bandwagon in the debate on whether or not PHP is a good first language.

First, a little context.  PHP was the first language I did anything useful in.  I learned QBASIC in middle school, which I used to make some neat games.  Around 7th grade I taught myself PHP by hacking on phpBB installations.  I didn’t learn any other language until college, where I quickly picked up Java, C, and SML (in that order).  I agree that PHP is a horrible language to teach proper programming practices, but that’s not the point of it.

I’ve had the privilege of talking to Rasmus a number of times over the last few years, and while I didn’t get permission to reproduce his comments and so I won’t (I will say he has some funny stories about David Filo…), I can quote an article he wrote approx. 4 years ago on PHP:

PHP was never meant to win any beauty contests. … It was designed to solve a single problem: the Web problem.

It does this very well, as shown by its outstanding adoption rate.  The truth is that PHP is hacky, but it’s hacky in a logical way.  It was written by a programmer in that exact situation to help programmers have an easier time writing for the web, and it does its job.  If you need to throw a page together in 5 minutes, you can do that!  Which is exactly what budding programmers should be exposed to.

Think of it this way: why do people learn programming in the first place?  Nowadays, it’s either as a career path, in which case they probably aren’t destined to be hackers in any sense, or because they need to solve a problem and writing a program is the best way to do it.  What is going to turn a newbie on to programming faster: learning proper structure, or being able to pump out a solution to his/her problem in 5 minutes?  I would bet a lot it’s the latter.  That’s what hackers do: they pump out a solution to a problem quick and, quite possibly, dirty.

“But Brian, have you ever seen dirty code?” you ask.  Of course I have, and I despise it.  But I contend that proper style is something that can be learned after the fact.  The ability to pump out a prototype in 5 minutes can’t be learned as easily.  The ability to ignore all convention and generate an import script to move all of your data from A to B to get your site back up, or hack together a script to bulk rename files in a really wonky way, while trivial to do for most programmers, can be done much faster with a hacker mentality.

I am a hacker, but I have no problem following convention.  I don’t like to, since it slows down coding, but when I’m in a group of programmers, or working on code that needs to be maintained, I do recognize the point of doing so and follow it (to the letter, even).  Of course, I’m by no means the norm on anything, so take what I say with a grain of salt, but it seems to have worked well for me: I can follow convention, but at the same time I can adjust, I can change my style as the situation demands, and I can code up a storm when need be.

Antiantisocial Networks

September 5th, 2008 1 comment

Today TechCrunch reported on a paper describing a way to use Facebook for malicious means.  The paper describes a DDoS attack that can be done, leveraging the large number of users of an application to attack a victim site.

While this attack vector is legitimate, I see a number of things that make it inherently infeasible, and I don’t think it really warrants being called a “FaceBot” (implying similar power to a botnet).

In order to create an application, one obviously needs to create a Facebook account, though that can be done anonymously.  The real issue is that in order to execute such an attack, one would need to make an application that is incredibly popular.  The attacker would need to devote a large number of resources to keeping such a popular app up, which would all need to be done anonymously (though would need to be paid for in one way or another).

Let’s say an attacker has gone through all of this to make a popular application: why doesn’t he/she just use those resources for a direct attack?  One possible answer is that the Facebook DDoS would be hard to shut down, or better in some other way at executing the attack.  This is false because as soon as someone realizes that their traffic is coming from Facebook (whether by referrers, or FB trying to pull images for its cache, or some other mechanism), it can in most instances be stopped immediately, especially considering how most Facebook calls to other sites include the application’s API keys.  Even barring that, IP addresses and Facebook’s logging can be used to determine what application a user was in when they requested the victim’s site.

Additionally, DDoSs using this attack vector are relatively easy to mitigate.  If a hacker already has all of these resources dedicated to keeping an application up, why wouldn’t they just launch a TCP SYN flood or a similar lower-level attack, which are much more potent DoSs even if launched from a more limited IP range?
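To show how easily a victim can spot this traffic in its own logs, here is an added example (not from the original post) that groups Apache combined-format log lines by referrer host, flags the log when one domain dominates, and collects the application keys found in those referrers.  The log lines are constructed, and `fb_sig_api_key` is assumed here as the query parameter carrying the app’s API key.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [05/Sep/2008:10:00:01 -0700] "GET /index.html HTTP/1.1" 200 512 "http://apps.facebook.com/someapp/?fb_sig_api_key=abc123" "Mozilla/5.0"
10.0.0.2 - - [05/Sep/2008:10:00:02 -0700] "GET /big.jpg HTTP/1.1" 200 90000 "http://apps.facebook.com/someapp/?fb_sig_api_key=abc123" "Mozilla/5.0"
10.0.0.3 - - [05/Sep/2008:10:00:02 -0700] "GET /big.jpg HTTP/1.1" 200 90000 "http://apps.facebook.com/someapp/?fb_sig_api_key=abc123" "Mozilla/5.0"
10.0.0.4 - - [05/Sep/2008:10:00:03 -0700] "GET /about.html HTTP/1.1" 200 300 "http://www.example.org/" "Mozilla/5.0"
10.0.0.5 - - [05/Sep/2008:10:00:04 -0700] "GET / HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "request", status, bytes, "referrer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def in_domain(host, domain):
    """True for the domain itself and any of its subdomains."""
    return host == domain or host.endswith("." + domain)


def referrer_report(log_text, suspect_domain="facebook.com", threshold=0.5):
    """Count requests per referrer host and collect app keys seen in suspect referrers.

    The log is flagged when at least `threshold` of all requests carry a referrer
    under suspect_domain, the tell-tale that makes this traffic easy to identify.
    """
    hosts, api_keys, total = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at them
        total += 1
        ref = m.group("ref")
        host = (urlparse(ref).hostname or "(none)") if ref != "-" else "(none)"
        hosts[host] += 1
        if in_domain(host, suspect_domain):
            # fb_sig_api_key is an assumed parameter name for the app's API key.
            for key in parse_qs(urlparse(ref).query).get("fb_sig_api_key", []):
                api_keys[key] += 1
    suspect_hits = sum(n for h, n in hosts.items() if in_domain(h, suspect_domain))
    share = suspect_hits / total if total else 0.0
    return {"total": total, "share": share, "flagged": share >= threshold,
            "api_keys": dict(api_keys), "hosts": dict(hosts)}
```

Once flagged, the collected key identifies which application to report and which referrer to block at the edge.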

Let’s take a different route: suppose a hacker attacks one of Slide’s applications and somehow manages to break in and add an attack iframe.  This is a completely legitimate and anonymous way of attacking a site (though it begs the question of why the hacker didn’t just break into the target site in the first place, assuming both have similar levels of security).  While this is a legitimate issue, the same holds true for all websites.  Should someone hack into Yahoo! and figure out how to deploy a new home page (somewhere between almost-impossible and no-freaking-way on the difficulty scale), almost any site on the internet could easily be taken down.  I certainly hope top app developers take security as seriously as top website owners, but this is nothing special for Facebook.

On the topic of information theft, this is why Facebook requires you to explicitly permit an application to access your information.  The concept of an API implies this potential for theft…users are trusting applications to access their information and not keep it.  There is no way to prevent this for the same reason DRM doesn’t work: if people can view things they can store things.  While this is a legitimate concern, again it is nothing new, and not much can be done about it short of user education.

How Not to Satisfy Your Customers

August 8th, 2008 4 comments

So seeing as how my summer is just about over, I had a bunch of things to wrap up.  One of them was canceling my Comcast subscription.  I called them and set up the cancellation.  A few days later I got a call from a representative “confirming” that I really wanted to cancel.  I said yes, I was moving out of their service area, and they told me that they would note that on the account.

Then I flew to Whistler, Canada for Firefox+ Summit 2008, where the call charges are outrageous, so I didn’t answer my phone.  Here’s my call log from that trip (note that Whistler is in the same timezone as Mountain View):

  • Jul 31, 6:08 am – Comcast
  • Jul 31, 1:23 pm – Comcast
  • Aug 1, 10:45 am – Comcast
  • Aug 1, 1:53 pm – Comcast
  • Aug 2, 7:30 am – Comcast

Aug 4 I was back stateside so I could answer my phone.  Just like clockwork, at 7:21 am I got another call from Comcast.  This time I was a little more stern in my request to not be called again (though still polite, I can’t blame that particular phone rep for anything), and lo and behold, they actually stopped calling.

I’m going to assume the first rep forgot to mark my cancellation confirmed and ignore that, but what the hell is with this policy?  Not only do they call at ungodly hours (can’t they do timezone conversions there?), but they kept calling back every single day.  I told them I wanted to cancel, were they really that desperate to make sure I wanted to?

It’s been a pretty bad week for me and customer service…before I cancelled Comcast, I called XBox Live to cancel that.  I got a notice via email that my subscription (which I only took out for Eric to use this summer) was going to be automatically renewed, and to make sure that my payment info was up to date.  I searched through that site for a good 15 minutes…there is no mechanism or instruction on how to cancel your subscription.  I’m sure this was done for retention purposes, since a cancel option is usually pretty standard for a web interface, but I suppose it’s way too easy to allow people to cancel in less than 20 minutes.

So I hunted down a phone number and called them, got transferred around, and finally found someone who could cancel my account.  I had to guide the rep through the “customer retention” script, where he kept asking me if there was anybody I could transfer the account to or another XBox I could recover the account on, and I kept having to remind him that all of my friends had Live accounts, and I still owned an XBox.  They may as well have a machine play the script; they read each line regardless of context.  In fact, most big companies do that.

</rant>

f8 Keynote Goof

July 23rd, 2008 2 comments

During Ben’s talk at the f8 keynote they came to a slide where they discussed Academics, and listed a bunch of institutions that were either teaching courses on Facebook (*cough*98-096*cough*) or doing research.  I know that Carnegie Mellon is doing research on Facebook, and have yet to find anything on Central Michigan doing such research.  Looks like someone screwed up when making this slide…they image searched CMU and pulled the wrong logo…

FB Ecosystem - Without Carnegie Mellon!

Live From f8

July 23rd, 2008 No comments

I’m sitting here in a front-row seat for the f8 keynote.  I’ll be keeping this post updated as interesting things happen…so stay tuned!

1:29 pm: Waiting for the talk to start…great seat!  Music is good but a little loud :-P

1:35 pm: Music out, Zuck in.  That is an amazingly hi-res projector!

1:36 pm: FB has been learning how to work with developers, made some mistakes along the way.

1:39 pm: FB mission: “Give people the power to share and make the world more open and connected.”

1:42 pm: 24mil users at f8 ’07, 90mil users now.  f8 ’07 US/International ratio was 50/50, now more like 30/60

1:44 pm: Opening up translation tool for platforms, they can use FB’s users to translate apps.

1:45 pm: Over 400k developers, more than half outside the US.

1:48 pm: Top 5k bands have more fans on iLike than anywhere else (including MySpace Music).  Causes app has more users than Al Gore’s alliance campaign (the two have since merged).

1:49 pm: Over 30 different developers have been funded to develop FB apps.  Flixter got $6m and Zynga raised $29mil just this morning.

1:54 pm: Lessons learned: Need to work more closely with developers.  Need to align incentives better, reward good apps, punish bad apps.

1:56 pm: Walking us through new FB, explaining the new Wall.

2:04 pm: “We’ll do it live!”, giving us a live tour of the new feed.

2:10 pm: Talking about the decentralization of social networking, comparing the social network movement to the PC movement.  FB expects in a few years all good applications and uses will come from sources other than FB, just utilizing their platform.

2:13 pm: FB Connect: Goals: Build the same kinds of apps across the web, share info across the web, control your info across the web.  3rd party sites can use it to pull profile info, friend lists, etc.  You can also send FB hashes of your users emails and it will tell you if they are FB users.

2:15 pm: “It goes to their profile, and Christmas is ruined.”  Zuck has a sense of humor…nice!

2:18 pm: Someone from Digg is on stage to demo the Digg/FB Connect integration: nice, clean, and simple.

2:20 pm: Six Apart is next, demoing comment authentication with FB Connect, followed by Citysearch for reviews & recommendations.

2:26 pm: Profile is being rolled out over time, FB Connect Beta is today.

2:27 pm: That’s it for Zuck.  Ben Ling takes the stage.

2:32 pm: They had a slide that lists universities researching FB Apps…they used a logo from Central Michigan University instead of Carnegie Mellon!!!

2:38 pm: Talking about what makes great apps, building trust, etc.

2:46 pm: Talking about partnerships with MS, Joyent, and AWS.  New Developer Website (about time!).  Also promising to build up a team to work more closely with the community.  Applause for initial fbFund recipients, discussing Connected Weddings as an example.

2:48 pm: New program: giving out $2mil over the next 2 months.  25 finalists get $25k, 5 finalists (voted by community) get $250k.

2:49 pm: Announcing FB Verification program: Apps that feel they are Secure, Respectful, and Transparent can apply and be verified (they get a badge).  Verified apps get more visibility on the site.

2:50 pm: Announcing FB Great Apps program: Apps that feel they are super-awesome (10 criteria + history of adherence to policies + minimum user base).  Great Apps are more integrated and more trusted, as well as getting early access to new features and feedback directly from FB.  iLike & Causes are the first 2 Great Apps, though the program is in Alpha.

2:53 pm: Talking about a more transparent and consistent process for enforcing abuse policies.

2:56 pm: FB Connect will be released for Desktop, Web, and Mobile (they have an iPhone Cocoa API).

2:58 pm: FB Connect launches full on next summer.  There’s a hackathon today running until 9pm, winners announced at 11pm.  That’s all :)