Coding 101 48 (Transcript)

Father Robert Ballecer: On this episode of Coding 101, it's the best of 2014.

Voiceover: Netcasts you love from people you trust. This is TWiT! Bandwidth for Coding 101 is provided by

Fr. Robert: Welcome to Coding 101. It's the TWiT show where we let you into the world of the code monkey. I'm Father Robert Ballecer and this is out 2014 Best Of episodes. That's right, we're going to take you through some of the best moments of Coding 101. Some of the best interviews, some of the best segments and some of the best juicy bits of code to distill it down to what it means to be a code monkey. So without further ado, here's the best.

(From Episode 9)

Fr. Robert: Mr. Liam Kennedy. Liam - thank - you so much for coming up.

Liam Kennedy: Thank you for inviting me.

Fr. Robert: Now, you are from Pasadena right?

Liam: I am. Yes, I am the little old coder from Pasadena.

Fr. Robert: The home of the Big Bang Theory!

Liam: The home of the Big Bang Theory and yes. If you sort of look at what I’ve got going on here in front of me, and imagine my house. We’ve pretty much been living in the Big Bang Theory in my house for the last three months.

Fr. Robert: Now Liam, before we get into the wonderful hardware that is in front of us, could you give the TWiT Army, the Coding 101 Code Monkeys a little idea of who you are, where you come from, and why you’re standing in front of the ISS-Above.

Liam: Sure. So, first things, the ISS-Above, obviously what it does is on the basics of it, it just lights up whenever the space station is around, which happens more frequently than you’d imagine. My interest in the ISS is really what brought me to develop this. So for many years I’ve been passionate about public outreach for astronomy. A common thing that I would always get involved in is looking out for when the Space Station is coming over.

(cut to later in episode)

Fr. Robert: How do you go about moving from, “I like the ISS, I like space exploration,” to, “I'm going to make a Raspberry Pie program that can tell me when it's above me.”

Liam: So yes. Go back three years. I think this bears mentioning, three years ago, I heard about a project, another project, called ISS-Notify that was going to create a little Arduino-based device that would light up whenever the Space Station comes over. I backed it, along with quite a few other people. After seeing a lot of great progress by the creator for a couple of years. Then it just looked like things just stopped happening. You can speculate as to why that happened -

Shannon: Sometimes that happens.

Liam: Yes, but the end result is, three years and I didn’t have this cool little device that lit up when the space station came by. So I just really gave up waiting and decided to see what I could create. And thankfully, in the time that elapsed from then to now, we ended up building the Raspberry Pie version.

(cut to later in episode)

Fr. Robert: Why would you choose the Pie over anything else? Was it just convenience, was it just because you already had one for this other project?

Liam: So I would say it was a matter of coincidence that I happened to have the Raspberry Pie in front of me. But I did some very quick testing of what I needed my code to do and it’s perfectly adequate for it. Absolutely. The other project, I believe, the way it was going to work was pull information every few days off of the web and some websites out there that list the same data. But my code actually does all of the calculations for where the ISS is on the device. There’s basically a standard library you can get called Ephem, it's for Ephemeris, it's an astronomical term. But I used that to do the calculations on the device and it works just great.

Fr. Robert: Wait, wait, wait. I was under the impression that your projects scraped some sort of public data base to say, “Oh, yeah it is over your latitude and longitude”. You’re saying Pie would know just because of the calculations you’ve programmed in.

Liam: Yeah. I tell you, if I didn’t need the access to the internet for the clock you could just unplug it from the internet and it would just work perfectly well. What it does pull down every few days is what’s called the NASA 2 line element. It is actually basically a set of data points that defines the orbit and NASA updates that every few days. But they probably update it minute by minute. But the ISS shifts its position, usually it is dropping down naturally because although it is up in space, it is still impacted a little bit by the upper atmosphere. So it tends to drag itself back down and then they use rockets to push it back up.

Fr. Robert: They'll use that to push it back up to the proper orbit.

Liam: Yes. So the equation has to be updated. So that is what the Raspberry Pie does use the internet for is to pull down that information every few days.

(cut to later in episode)

Fr. Robert: We’ve got people in the chat room who actually – they're impressed. They understand what you are trying to do. We’ve have Eric Duckman and Bebo who are both saying, “Look, the calculations to do that, the number crunching that you have to make your Pie do in order to figure out the orbit, that’s not trivial.” That is actually a lot of work.

Liam: It is and I am not a rocket scientist. So I really couldn’t do that math but this library that you can get, you just install it with one line, you’ve seen it. Pseudo, whatever it is, App Get … blah, blah, blah.  Python installed whatever it is, I’ve forgotten it. Then there is the Ephem library. Then you can start coding against that yourself. Of course, the code is visible for anyone to see, you can look at what I’ve done.

Shannon: So you had this code figured out, all the mathematical equations to find the ISS above you at a certain time. You figured out that you can put this on the Raspberry Pie. What is next?

Liam: What was next was just figuring out how I could use the Raspberry Pie display options to indicate what’s going on and that is really what you see in front of you here.

Shannon: So that is why we have these little LEDs blinking!

Liam: Yeah. I’ve always enjoyed anything with a blinking light.

Fr. Robert: You know, yes. Let’s get into the hardware. Because our guys love hardware and we’ve got all these wonderful boxes sitting in front of us. Tell us, what are they doing?

Liam: Yes. So where do I start? I’ll start with this one that is just very easy to look at. Well, maybe I will go over here. Okay, here we go. So this is the basic one with the Raspberry Pie platform and it simply has a very simple display on it called a Pie Glow.

Fr. Robert: It's a shield, right? It plugs right into the GPIO

Liam: It plugs right into the GPIO  port, in fact, you can even see that I haven’t put it in very nicely there. But that is all it is. Then I just programmed the light to do a certain sequence based on where the Space Station is. This is another version.

Shannon: So that one is blinking.

Liam: Yes, and this one, if you count the number of green flashes, okay. Four, five… Six flashes. So if it's approximately an hour or less the ISS above flashes green the number of times for the number of 10 minute intervals. So now I’ve messed around with the time on these so I’m not sure if this is real time now. I don’t think it is. But essentially, that says that it is 60 minutes away from the next pass of the ISS. So, you know, not all the passes are visible and that is why I've got another website. So the other thing I’ve got going on here, you know you were talking about the Raspberry Pie being underpowered just think of this. This thing tweets. So when the Space Station is going – is particularly close to you all of the lights on here will start going crazy. But it also sends a tweet!

Fr. Robert: So I could program it to say, “The ISS is above me!”

Shannon: Does it tweet to the ISS?

Liam: Well, sort of. It tweets to the ISS by tagging at the request of NASA. So, during the kickstarter program they got wind of what was going on and their public affairs at NASA Johnson Space Center which is Mission Control for ISS, sent me an email saying, “Could you please make sure you tag @NASA_Johnson.” So that was neat. They also do tweet to @ISS_Research which is the research arm. They’re the organization for NASA that actually determines what research has done on the Space Station by the astronauts.

Fr. Robert: So they are receiving thousands of tweets from all your Pies, saying , “Hey, I see your ISS!”

Liam: Well yes, and that gives it - that is a good point. So, I’ve run a kickstarter that was very successful but before that I wanted to make absolutely certain that people wanted this and also that they could see that it was working already. So bearing in mind the other kickstarter didn’t fulfill what it was going to do -

Shannon: Wait, what?

Liam: So I created a beta program and I was heading over to the UK in December and I installed a couple of them for my grand kids. So the grand kids got them.  Then there was a post on Hackaday and on Reddit and then people suddenly started to approach me saying, “Hey can I get in on this beta program?” So I had about 20 sites. So what you’re seeing right here now are the tweets. So I’m just on my page here. You'll actually see the tweets that are coming from those Beta sites that are around the world.

Shannon: That is so cool.

Liam: The way that it is done is that this little device is posting to my WordPress site and the WordPress site is sending the tweet.

Fr. Robert: What I like about this is, that you are leveraging a lot of existing tools to do something that is very different and that is very much in the hacker spirit.

(From Episode 13)

Fr. Robert: … we want to talk about Heartbleed because it actually addresses something very, very basic in programming and something that’s very important. It’s all about sanitizing inputs. It’s about -

Shannon: Sanitizing your comments.

Fr. Robert: …your comments. Well, sanitizing your code.

Shannon: Yes, your code.

Fr. Robert: You have to make sure that the data you receive is what you expected.

Shannon: Exactly.

Fr. Robert: But unfortunately the writer of the piece of code in open SSL that is responsible for the Heartbleed bug didn’t do that. Now Bryan, you actually have a link for the Github that has all the open SSL code. While you get that up, let me really briefly state what’s going on in the Heartbleed bug. So what we’re talking about is the heartbeat. Anytime I establish a secure connection, so Snubs, let’s say that you're Facebook. Okay, you're the Facebook server, I'm talking to you, you know that little - how you get that little padlock in the upper corner of you browser?

Shannon: Yes.

Fr. Robert: It tells you that you're secure right?

Shannon: Yeah, it tells me I'm using HTTPS.

Fr. Robert: Exactly, secure sockets layer or TLS, which give me an encrypted tunnel between the client and the server. You're the server, I'm the client. Now, that’s a good thing because without that anyone can just snoop in on our conversations and they could read everything that I'm sending and everything that you're sending back to me.

Shannon: Especially if they have a WiFi pineapple.

Fr. Robert: “Brought to you by Hak5.” No, but see, here’s the thing, I can’t just keep those open.

Shannon: Right.

Fr. Robert: Right, once I've established one of those connections, I need a way to tell the server that even when I'm not using it, let’s say, I'm reading something that’s on my page and I'm reading it for three minutes. My client, my computer still needs to be able to tell the server, “I'm still connected, I still need you. Don’t shut off the connection.”

Shannon: So this is the heartbeat that’s going between us.

Fr. Robert: This is the heartbeat, right. It’s just a nonsense piece of data. It’s a minimal data set. It’s a very small handshake, very small packet essentially saying, “Keep me alive. Keep me alive, keep me alive.” It does that every once in a while.

Shannon: So why do we have these jelly beans up here?

Fr. Robert: Okay, so this is your system memory, you're the server right?

Shannon: Oh yeah.

Fr. Robert: Don’t eat your memory.

Shannon: I won’t eat my memory.

Fr. Robert: Oh man, she's going to eat all my memory. All right so you -

Shannon: My hard drive just failed.

Fr. Robert: Now this, this one jelly bean, this is my heartbeat packet. So what I have to do is I have to send you two things. I have to send you my payload and the payload is the jelly bean, right? But I also have to send you a description of how big this is.

Shannon: Ah, okay.

Fr. Robert: So in all non-open SSL implementations of the SSL, of the secure sockets layer of the encryption, whenever I, the client, sends something to you, the server, you check what you received against what I told you I sent.

Shannon: Ah, okay.

Fr. Robert: So, let’s say I do this. I go ahead I say, “I’m sending you one jelly bean.” I give it to you.

Shannon: I just received one jelly bean.

Fr. Robert: Right, and that’s it and so you said,” Well, you told me that you sent me on jelly bean, I read that.”

Shannon: It looks like a jelly bean.

Fr. Robert: It looks like a jelly bean, and now you send back to me.

Shannon: I'm sending you one jelly bean.

Fr. Robert: There we go. So now the connection stays alive. If I did this. I am sending you five jelly beans and I give that to you, what do you think you as a server do?

Shannon: I only have one jelly bean.

Fr. Robert: That’s it, right.

Shannon: This is odd, hacks!

Fr. Robert: “This is odd.” It’ll kill the connection, right. Or it’ll ask for the heartbeat again. That’s simple checking, right? That’s sanitizing your inputs. That’s making sure that you’ve actually received what you expected to receive. That’s good coding.

Shannon: That makes sense.

Fr. Robert: That makes sense. There’s a bug in open SSL.

Shannon: No.

Fr. Robert: And Bryan if you go ahead and bring up that Github, it’ll actually show you the code that goes behind SSL. Now go ahead and forward, what line was that, we need you to go to line 3972. There, right there. See where it says, “read type and payload length first.” These next four lines of code, actually three lines after the comment, are entirely responsible for the Heartbleed bug. Now let me explain, this looks kind of crazy. But let me explain what’s here. HB type is just setting the type of data, okay so that’s like from C# that just says this is the kind of data that I'm going to be receiving. P++, we've seen that, it just incrementing the counter so it’s P+1, right?

Now here’s the big line, NS2, which is calling a function because we know it’s in parenthesis right? So it’s calling a function and it’s passing it to parameters. P is the location, it’s called the pointer of the payload, the jelly bean. So it’s telling it where the jelly bean is located, right. Payload is the length. That’s me telling you I'm passing you one jelly bean. Okay, now a good piece of code would’ve had an extra line here that says, “Is P, the length of P, equal to the length of payload?”

Shannon: Right, yes.

Fr. Robert: Right, so if I told you -

Shannon: It would be sanitizing their code.

Fr. Robert: It’s sanitizing the code, sanitizing the input. It’s saying, “If I told you I'm giving you one jelly bean, what is P? How long is P? Is P actually one jelly bean? If it is, allow it. If it’s not then ,X, kill the connection.”

Shannon: And since they didn’t do that, there is no line that says, “If it’s this long then it should equal P.”

Fr. Robert: Right, right.

Shannon: That pretty much means that the payload could be as long as they want.

Fr. Robert: Or short. So this is how it works. If you come back to me, now we’re talking about this jelly bean, all right. So I'm still talking to you in the server, and I'm passing you this one jelly bean and I'm saying, “I sent you 64 thousand jelly beans.”

Shannon: It looks like 64 thousand jelly beans.

Fr. Robert: That’s how open SSL works because it doesn’t check, it’s just going to trust me. And unfortunately, that’s not good.

Shannon: That’s not good.

Fr. Robert: So what it’s going to do is it’s going to say, “Well, he must’ve sent me 64 thousand jelly beans. So I'm going to send him back the one jelly bean plus 63999 he shouldn’t have received.”

Shannon: That’s so bad.

Fr. Robert: Which means I take your system memory and it’s all for me.

Shannon: Hello, hacks. Oh, that’s bad.

Fr. Robert: Hello hacks, exactly. See, the problem with that is they can do it over and over and over and each time they’ll get a different set of the memory until they can put it all together and they can essentially have everything.

Shannon: From the server end, everything looks cool so nobody ever checks for any difference.

Fr. Robert: Right, so the server end, if you're using open SSL, the unpatched version, all it knows is that someone is sending a lot of heartbeats, and that’s normal because that’s how we keep the connection open. It doesn’t realize that it’s giving away the keys to the kingdom every time it sends you that 64k.

Recording: Authorization acknowledged.

Fr. Robert: Precisely, exactly. We got a computer fault.

Shannon: Yes.

Fr. Robert: So that’s how Heartbleed works. Go back to that code Bryan. This is the crazy part, this is what we’re trying to drill into you people. When you’re writing your code, you got to make sure to check for things like that. This was an innocent mistake, this was, again, we know that this was submitted something like, what was it, an hour or two before midnight two years ago. December 2011. So it was probably some guy staying up late, writing some code. It looked right, it worked right, but he never actually made sure that he was receiving what he was supposed to receive.

Shannon: That’s true. Oh man, I feel bad for that guy.

Fr. Robert: Simple mistake, I feel bad for him but, you know, simple mistake that anyone can make.

Shannon: Yeah, it’s true. That’s unfortunate, but it’s a really good example of what can happen if you don’t sanitize.

Fr. Robert: Very good example.

(From Episode 10)

Fr. Robert: And who do we have this week, Shannon?

Shannon: This week, I'm super excited about this because I'm kind of a fan. This is Randal Schwartz with his Perls of knowledge. I just like saying that because I think it’s hilarious.

Fr. Robert: It is kind of cool.

Shannon: Hi Randal, how are you?

Randal Schwartz: Hi, hey.

Fr. Robert: Randal Schwartz the host of Floss Wednesday, the earliest show on the TWiT TV network. Thank you so very much for coming.

Randal: Oh yeah, and actually I got to sleep in a little bit today too which is really nice so -

Shannon: Nice.

Randal: I have to wake up in time for my other show. Yeah, no, great. Thanks for having me on.

Fr. Robert: We don’t do sleep. Yeah we don’t do sleep -

Shannon: Yeah, we never sleep here.

Fr. Robert: No, no, no but the reason why we asked you to come in this because you are one of the acknowledged experts in Perl, right? I mean, you’ve written a series of books about Perl, you teach Perl, you talk about Perl and more importantly, you program in Perl.

Randal: Well, I program in a lot of languages, but Perl’s made me the most money over the last 25 years, exactly. I wrote the top five selling best books and 255 magazine articles. Yes, I ran a training company that was extremely busy during the late 90s as the .com boom rolled out, it’s not so much – it's much more in moth balls now because there aren’t 20 people wanting to learn something about Perl and sitting in one place for a week anymore so I don’t do much of that. But yes, Perl’s only like one of the 70 languages I list on my resumes so I've got plenty else to talk about besides Perl, too.

(cut to later in episode)

Fr. Robert: Now, Randal, we want to talk a little bit about something that I actually asked you beforehand because I want to make sure you were comfortable with this.

Randal: Oh, yes.

Fr. Robert: You are, I think, the only host on the TWiT TV network and definitely the only guest we’ve had on Coding 101 who at some point had a felony on his record.

Randal: Mhm.

Shannon: Oooh.

Fr. Robert: Yes, yes. Now this stemmed from a - was it 1995 case brought against you by the state of Oregon. Not a financial case by the way, it was actually a criminal case -

Randal: Yes.

Fr. Robert: - stemming from your time as a system administrator from Intel.

Randal: Yes.

Fr. Robert: Doing some very standard system administrator stuff but - and I’d like to think that this is one of the very first cases in which the law didn’t quite understand what people in computer science did.

Randal: And still doesn’t.

Shannon: So true.

Fr. Robert: And still doesn't, right. But this is one of the very, very first great examples of, “Wait, he got in to trouble for what?” Can you explain how this happened, what happened and then talk a little bit about how your record got expunged.

Randal: Yeah, so 1990 through 1995 – 1993 actually - from 1987 to 1993, there we go. I was a contractor at Intel in seven different slots. One of the things about being a contractor is you're always looking for, you know, doing the items one through ten that the boss wants but also looking for item eleven that shows that you're still valuable in some way because you're bringing something to the table.  You're not just being the code monkey that’s doing the things that are on the table. I would do these - sort of odd projects from time to time right. I would see something that needs to be done and just go ahead and do it and I got really practiced at that. Well, the particular thing that we have in question is I was running Crack, which is a standard tool for evaluating the strength of passwords in the Unix system. I was running Crack against the password file of the current group that I was in. Well, there was only like five passwords and it didn’t show up anything. And Crack, I think, 3.0 had just come out so I was actually just testing the new version of Crack. Again, I done all the stuff for the day and I thought, “Well, I’ll try this one out.” Well, I still had access to the previous group, where I was one of the key system administrators and I’d moved on to the new group. But they still gave me access previously - to the previous system because I was still maintaining some code for them. I ran Crack against this much larger password file and something like, I forgot the number now, something like 67 of the passwords were guessable. Now, this shocked me to no end because when I was in that group, I was running Crack against the local password file and I made sure, anybody got guessed I would - and this was complex things like, you know, like, the word hello with the E changed to a 3. It would find stuff like that. And the O changed to a zero. So it would find these sort of normal, you know, combination of things. People’s first names, pet names, thing like that. It would look for all that stuff. It was really good at doing that.

I actually met the author of Crack a few years ago, cool guy. So I couldn’t imagine that 67 passwords were guessable. Now, what I didn’t realize at the time was one of the passwords was the vice president's. His password was president with the S changed to a dollar sign. I suspect that’s why I got prosecuted because I actually embarrassed somebody. Now I was going to go over the group and say, you know, to the people taking over my job essentially at the other group but I then realized, “Wait a second, I'm going over to tell them they're not doing their job. How do I do that?” I spent a few weeks kicking back, trying to figure out how to do this best. In the meanwhile, somebody at my new group noticed I was running Crack and running it against the password file of the old group and didn’t understand my motivation. I was simply just trying to do one of these things again where it’s like the eleventh item on the one to ten list. Never intending any harm to anybody, not trying to do anything at all. But you know the problem is they showed up at my house, they took my computers away, they only returned them like four months later. Imagine having all your data in your computers and then not having them for four months. It was just really crazy. They didn’t arrest me until they put out a warrant for my arrest four months later which shows you that they had to figure out, “Wait, we've accused him of being bad, he’s only done exactly what he told us he was doing and with the intentions that probably that he told us he was doing it. So now what do we do?”

Well, it turns out Oregon’s computer crime law is over-broad and vague. Basically, if I pick up your cell phone and I change the background color on the screen, that’s a class C felony, $100 thousand and five years in jail.

Shannon: Wow.

Randal: So the law is way out of proportion in this thing so I got basically nailed with a law that makes criminals out of anybody they want to prosecute. I got three felonies, eventually, in ’95, convicted on me and it was devastating. I got to tell you I was suicidal for two times - because here’s the thing, since ten I wanted to be a programmer and I said, “Who’s going to hire me now?” But luckily I had a lot of friends come forward and they brought me into their companies and stuff. So it was quite a transition period. In about ten years later you're eligible for expungement in Oregon so I applied for that. So technically I can now tell you, “I have never been convicted of a crime in my life.” But it doesn’t matter as far as the Feds go apparently so I can’t get like a global early entry. I have troubles going to Australia and Canada still. I can go anywhere else in the world, I just can’t go to Canada and Australia. It’s just very, very weird.

Shannon: Of all places.

Randal: Yeah, of all places.

Fr. Robert: Now, you know, Randall, this is interesting. You bring up a great point and actually I think there's a lot of programmer out there, and especially a lot of programmers who might know Snubs because Snubs has a couple of the program of shows and one of them specifically talks about security.

Shannon: We’ve dealt with banks telling us that we can’t have a checking account with them because the name of our show. It’s called Hak5 and people have told us that we can’t get jobs because of the name of our show. My friend had a problem getting a loan for his house because of it and it’s just ridiculous how Feds and how a lot of government companies look down at us just based on the fact that we know how to do these type of things. It’s just kind of irritating.

Fr. Robert: The thing that hits me the most is something that Randal alluded to which is these over-broad laws which, that’s one thing. Most laws are over-broad. They try to catch all the outliers. But the very selective way that they are applied - and it always seems as if it’s not every hacker who's going to persecuted. It’s going to be the hacker who insulted or embarrassed the wrong person that the book is going to get thrown at.

Randal: Exactly.

Fr. Robert: And I know you touched on this on Floss, which is why it’s a great program to watch even though it’s early in the morning on Wednesdays at 8:00 on It’s something that you should watch because they talk about cases like this. I think what I’d like to hear from you is looking back on your experience now and knowing that there’s a new generation of programmers. There’s a new generation of people who are going to be curious about the networks that they're connected to. there's this little air of insecurity about, “Well, this seems really easy but someone’s telling me that this is a crime.”

Like for example, “I'm on a network and the system administrator knows absolutely nothing about security and for some reason I can access all the files of all the executives because it’s a standard Samba share with no protection.” But for some reason, if they accidentally click in to one of those folders they're now guilty of a felony and that could be held against them. I actually hear these stories every once in a while. I get people who have freaked out and are writing me saying -

Shannon: Me too.

Fr. Robert: “I accidentally did this and I'm afraid that someone’s going to check the logs and I'm going to get fired and persecuted.” But there doesn’t seem to be that much momentum. There is no political will to fix the laws that haven’t caught up with technology.

Shannon: Yes and it always seems like, if you're the person that’s trying to help the company, you're trying to bring this problem to them and say, “Hey, I found this vulnerability, We need to make sure that it gets fixed.” If you're the person that found that vulnerability, they're going to go after you.

Randall: Yeah, there's no safe harbor for whistle-blowers in this arena and that’s where the problem is.

Shannon: No, there's not.

Randall: And also remember that the laws are written and paid for by the people who pay for our government, which is big companies that have good lobbyists. So of course the laws are going to be biased towards not the individual but towards protecting the corporation, the corporate status quo. I love that you keep saying persecuted instead of prosecuted. I don’t think we mean too much persecution these days, but it sort of may feel like it, actually, but no.

Fr. Robert: Well, I come from a background where we persecute everyone.

Randal: Exactly.

Fr. Robert: That’s my preferred word.

(From Episode 46)

Fr. Robert: So before we get into Santa's Little Helper, let's go ahead and take a look at an item that I thought programmer's around the world probably should take a closer look at. This one comes to us from a blog by Kevin Williams called, “The 10 Things That Annoy Programmers the Worst.” Now, it's funny, whenever we get one of these top ten lists, there's always going to be people that have differing opinions. But these ten are really good.

Number 10 was, comments that say nothing. Now, Lou, both of us know this, right? I mean, we tell people, “Comment, comment, comment.” But there's a difference between a comment that helps and a comment that just leaves you going, “Okay? Now what?”

Lou: It's a holy war, almost, with comments in code. I mean, a lot of people like to over comment and sometimes, I like over commenting more than I like vague commenting. Because if you don't comment – and then, some people will – the ones that do the best actually write a design document that talks about and puts little links into the code so you can go look at the code comments too. That's even better. But code commenting is super important so you know exactly what a piece of code is doing, and what it's meant to do and what it's purposes do. If it's breaking or not doing what it's supposed to, then at least you'll know the original intent.

Fr. Robert: I had to work on a project, what, maybe a year ago? All the comments were, “This is a loop. This is a counter. This resets the counter.” I was like, “Yes, but why is it there?” That's what that's all about.

Number 9 is, being interrupted by coding. I kind of thought this was just petty but then I thought about it. It's kind of true. Programmers tend to be the kind of people that get into a zone. It takes a while to get into the zone. You know this. You might be sitting there, staring at your screen, for the longest time and thinking about how you're going to do something. Then you start feeling it and you start pumping out code. It's all good. Then someone comes in and they bother you, and it's normally something that's just lame. It's stupid. They're wandering around, asking a dumb question. I think this applies. Are you like that? Do you hate it when people bother you when you're in the zone?

Lou: So, I don't hate it because – in fact, sometimes I have to literally – in fact, right now, I have locked my office door and there's a sign on the door that says, “Do Not Disturb.” But sometimes I have to do that because if I don't do that, I'm doing something, I'm thinking about something, I haven't written notes about it to kind of keep context. So then, somebody interrupts and I'm like, “Okay, I've got to answer them and be nice.” I talk to them and come back and I'm like, “Okay, now what the heck was I doing?” So that happens all the time. I haven't seen a tool today that can fix it, whether it's Link or Skype or whatever communication device you use, that I can put that I'm busy on there. Unless I lock the door, pull my shades down and turn the lights out, I'm pretty much open for business.

Fr. Robert: This next one. Number 8, this is near and dear to my heart. Scope creep or mission creep. We all know this. This is that idea that as the project progresses, they're just going to start adding on requirements, features that they'd like – where they see something in another application and they go, “Oh, you know what? Our program should do that too.” With no regard for the fact that might completely change what you were doing with the code. Of course, you've never run into anything like this, right?

Lou: No, never. We don't have that problem every day that I work here at all, either. But one of the biggest things that you'll see is, there's an old saying – an acronym called MVP, most viable product. That's one of the things that startups are very, you know, pushed very hard to do, is ship a very simple thing up front. Let leisures complain, ask for things, and then add to it. But companies, whether it's Microsoft, Apple, Google, they never do that. So there's always scope creep that come in and force the release dates out.

Fr. Robert: My favorite is the scope or feature creep that happens and then they expect you not to change the release date. “Because we're just asking you to add 3G features, that's like two or three lines of code? What?”

The next thing, I think, this gets a little bit whiny because this happens for everyone. This is not just coders. But having a project manager who does not code and does not understand – or doesn't care about understanding what programmers actually do. This still does exist. You won't find this a lot at companies that are well run. But having a programming manager who cannot program is tortuous. Lou, have you experienced that?

Lou: So there's different levels of programmers. So here at Microsoft, we have what we call domain experts and then the technical leads. So the domain experts are ones, for instance, I work in financial software or business software. So one's that might understand sales, and financials, and general ledger and accounting. Those are actually still fairly good PMs that could understand the domain expertise around calculations and so on, but they might not necessarily understand how coding or that technology behind it. So there's a little bit of a crutch there, but they're still fairly good PMs. So it all depends on if you're a domain expert, if you're a technical expert, and what the project requires. Sometimes it requires both, so they're at kind of a loss at that point.

Fr. Robert: Number 6 and number 5 are interesting because they're kind of the same thing but not. Number 6 was listed as, being asked to document our own code. Number 5 is, working on code that is not documented. I think this is absolutely altruism. I hate documenting my code. I know I have to do it and I end up doing it because I felt the pain of not having it. But I don't want to do it and sometimes, people have to ask me to do it. Yet, on the other side, if I find code that's not documented to me liking, I think that programmer is the worst thing ever.

Lou: Yes, I mean – actually, I require what I call a white paper. So when you do a project, you have to write a white paper about it too. It's like, you kind of remember the Old English engineering English classes I had to take in college and thinking, “Man, I could've used a little bit more of those,” because I literally have to write a document that customers have to read about my code. It's sometimes difficult to do, I guess you could say.

Fr. Robert: Number 4 is an interesting one, because I'm more of a hardware guy. But hardware-generated faults, specifically errors that are generated because we're running code, especially like beta code, on janky hardware. It's a pet peeve. I've actually seen this happen a lot, we're running on pre-release hardware and we get change logs back saying, “Well, it doesn't work on XXY that's going to be released next year.” I'm thinking, “Well, is that a finished version? Then why do I care?” If you can't show me something that they say is stable, why am I going to change my code to accommodate them?

Number 3, vagueness. You know this one. In fact, anyone who's in IT knows this one. You don't have to be a programmer. That idea of, “It's broken.” Well, what's wrong with it? “It just doesn't work right.” Can you tell me what happened? “It didn't do what I wanted it to do.” That's – yes, you see that a lot, I think. You're kind of – I'll just leave you with that one.

Number 2, other people. I think programmers, as a rule of thumb, we don't like other programmers. Oh, I mean, we may understand that other programs are necessary but Lou, and again, I'm going to throw you under the tracks here. Do you sometimes feel as if the world would be better if everyone just programmed like you?

Lou: Honestly, I'm going to be honest with you. I only stay on teams if I have somebody who's better than I am there.

Fr. Robert: There we go, okay.

Lou: That's the truth. It makes me better, anyways. If I'm not on a team that I can learn from somebody, then I normally jump off that team. So that's the rule I follow and that's the one I have. But I do agree, there's sometimes that you work with programmers and they just don't have the skill. They don't have – they maybe are kind of just getting started and they cause some issues and cause some delays. It does cause some problems with our code, too. So it's kind of a balancing act.

Fr. Robert: The number 1 from this posting and yes, this is true. My code. Six months later, I think every programmer has had this moment where they'll look back at a program, a project that they started and they'll go, “What was I thinking? This is not elegant, this is not good. I should rewrite all of this.” Of course, this happens a lot but never at the corporate level. Right, Lou?

Lou: Honestly, I've had emails from people. So I've been here 11 years. I've had emails from people that will come and be like, “You wrote this, can you help us fix this?” And it's like 11-year-old code. So I do. I have that all the time. Don't worry about that.

Fr. Robert: Other potentials that weren't listed in the blog – actually, my number 4 was that, exactly. Answering questions about my code, especially if it's code I can't remember. I almost feel shame whenever someone says, “Your code is breaking this and we don't know why. You wrote this, can you tell us what it does?” I normally don't have an answer.

I also hate code repositories with really, really bad revision keeping that tend to want us to fork projects. That's been a pet peeve of mine.

One other thing is, and I've seen this in the Valley recently. Star programmers, superstar programmers who are brought into a project who don't seem to ever want to program. They do all the high-level thinking and then they leave it to the peons to turn that into code. What pet peeves do you have, Lou?

Lou: I think that is one of them. So one of them, where they'll come up with a really complex design, they never communicate with the team and then they go and say, “Here's the design, go code it.” Then you really have no idea where to even start. I think that's the first one that I have, especially with teams.

The second one, the last one, would be if I go to a developer and they wrote the code but there's no comments. There's no tests. They don't even – it doesn't even necessarily compile, sometimes. You ask them what they were even thinking and they have no idea. So there's those two things, obviously, that could cause some huge blips in a project, I guess you could say.

(From Episode 20)

Fr. Robert: … we want to welcome to the show Mr. Karl Auerbach. Karl, thank you so very much for coming on. I know you're a busy man, we've had you on several TWiT shows before including This Week in Enterprise Tech. You may be a little bit of a man of mystery to many people out on the internet but whether or not they realize it, you've probably created something they're using, yeah?

Karl Auerbach: Almost certainly.

Shannon: I am intrigued.

Fr. Robert: I'm going to ease you into this because I think that our code monkeys are going to love knowing who you are but let's start with something very simple, which is, how did you get into coding? How did you get into computers? How did you get into the IT revolution? You've been around for a while, including a time before the internet. So how did you get to where you are now?

Karl: Well, I was one of the infamous members of the UCLA computer club in 1968 next to imp number one. I set forth to learn basic programming. My first language back then was PL1 and it was a simple program. It took me a year to get my first piece of code running, of course, then it was on card decks and things like that. I happened to also be right next – besides right next to imp number one, next  to the transportation institute where we were doing early car crashes and I was hired as a film scanner. Which is where we had these machines watching cars getting off of freeways from helicopters and we're punching cards, showing coordinates in a big program that would use those. So I had an IBM 70-94 to myself whenever I wanted. So I set forth to learn how to use that and I wrote some trivial programs then. I've been on to bigger and greater things since then.

Fr. Robert: The mention of those systems are probably bringing some bad flashbacks for the older programmers.

Shannon: Or for me I'm going, “What is that?”

Fr. Robert: Yeah, blinky boxes with the switches. You actually have with you a piece of gear from one of those early computers.

Karl: This wasn't that early this was from the 80s or 70s, I mean, a PDP-11/70 console.

Fr. Robert: Oh gosh, that brings back all sorts of memories.

Karl: I used to load boot codes into this thing and load it into memory and just get this thing going. You could tell a lot from these lights, you could tell whether your program was idling, whether it was in supervisor mode, what part of memory it was in. You could get a lot of useful data by watching those lights.

Fr. Robert: Let's talk a little bit about that because in our first module we did a binary to decimal conversion.

Shannon: That's interesting. Right.

Fr. Robert: There were people who were like, why would I need to know binary? It's because the old programmers, that's how we had to program. You didn't have a keyboard, you had to flip switches and then you committed it to memory. Could you actually show us what you would typically do for a sequence?

Karl: Well, most of the time, we would do the boot sequence and I can't remember the codes but it was something like this. One of these switches went up to store things in memory. Then you'd finally hit the Go button which would cause it to jump to that location, which would begin to bring the system up. That system backed by the way, was Unix. Well before DOS even came out from Microsoft so Microsoft went backwards because we had multi-user operating systems before DOS even came out.

Shannon: And here we're still using a lot of the basics of Unix.

Fr. Robert: Karl, one of the things that often fascinates the new generation of code monkeys is, when they start stepping back and realize that a lot of things that they're learning, that they just take for granted, actually have a backing. There's a reason why programming works the way it does and that's because we're basing it off of the first generation of computers. We see that a lot, we see that in learning binary. We see that in learning hexadecimal. We see that because that's how you originally had to program those computers. Now, let's step back from that, because -

Karl: I was going to raise the point that most people today don't even know the difference between Ones' Complement arithmetic and Two's Complement arithmetic and that's kind of important.

Fr. Robert: (Whispering)What's the difference? I don't know what that is.

Shannon: (Whispering) I don't know, what is the difference?

Fr. Robert: We'll get to that in just a little bit. But Karl, it's good that you're a geek, it's good that you're an old-fashioned geek. It's good that you were at the cusp or the start of the IT generation. But that's not-

Karl: Oh, I'm a long way from it.

Fr. Robert: Right, but that's not the only reason why we brought you on. You actually have a lot of experience with things that are not just hacking together computers. You were on the board of directors for the Open Voting Consortium. You were a member of the Intellectual Property section of the Cal State BAR. You are a co-founder for the Boston Working Group. You are part of the IETF, the Internet Engineering Task Force. And you're on ICANN.

Karl: I was affiliated with ICANN, I was on the board of directors. Most of these are past sort of things but I'm doing new and greater things. Going back to first generation coding, I can't forget, the first programmers were doing the ENIAC machine and the Sage computers and those were almost exclusively women.

Shannon: Yes, go women!

Fr. Robert: But with all of this experience and all of the influence you've had over the internet, you've seen it change a lot over the years, right? I mean, this used to – it was a geek project at first, but how have you seen it evolve?

Karl: Well, when I first came across the Internet, there was no word for it, but it was a collection of communications vehicles for us to do exchanging basic applications like email, file transfer, things like that. We got pretty much down and dirty with the hardware modems, and wires and what have you. It's evolved a lot since then. But the first 15, 20 years of the internet were largely people playing around with not a lot of restrictions. What's happened scares me the most recently are the changes of the legal environment around the internet. The restrictions that are rising and the attempted transformation of making the internet into a utility. We're not clear whether it's a utility or a vehicle for innovation anymore.

Same thing has happened in programming. We used to see - programming used to be like a Wild West kind of thing where everybody could write their own piece of code. But we're getting to the point where not everybody is going to be able to write code for say, the braking system in a self-driving car. You're going to need some pretty stringent tests on that kind of code.

Fr. Robert: I want to get back to that but before that, Snubs had a question about something I was talking to her about before the show. She got really excited by it.

Shannon: I did. So I know that you were one of the creators of IP TV and this is what we're doing now. This is the basis of what we have created our careers around. So I got really excited about it, myself. You were also one of the first paid employees of Precept Software before it was acquired by Cisco. So I want to know from you, how do you feel IP TV has changed since the late 1990s?

Karl: I've been an unpaid early employee of several startups. I think I've done like six or seven and if you want to make billions of dollars, you go to the places I turned down. But IP TV was part of Precept Software and that was the start-up done by Judy Estrin in 1995. She brought me in with Steve Kasner, and Chachi Quan and her sister Debra Estrin. We gathered together one evening and said, “what should we do? Should we do IPV6; should we do this or that; should we do multimedia?” We said, “Oh, multimedia, that seems like a lot of fun.” Well, Steve Kasner had spent a long time at USCISI. He was part of the team that sent the van out in, I guess, the 1960s and 70s doing the first internet voice projects, mobile voice. He was also one of the co-inventors of the RTPRTCP protocols. So we took that and held it up with IP Multicast. There was a model already put together by Van Jacobson on the internet which was – oh, I can't remember the name of it. It was what the IETF used for sharing low-level videos and things like that. So we decided to start building that up and commercializing it. So what I did at this company is, Steve handled all of the real time algorithms. How do you synchronize lip sync? Lip sync is really, really hard to do especially when you have multiple streams. I did the RTPRTCP code which was a heavily, multi – well, not necessarily multi-threaded, heavily asynchronous piece of C++ code that handled multiple media streams, handled the synchronization, handled the hand-offs to the codex and all that sort of thing. We put that together into a commercial product and made it work.

(From Episode 41)

Fr. Robert: I want to take a little side trip. It’s going to be a small tangent but I think it’ll be worth it because I’m seeing this discussion going on in the chat room. I actually hear this a lot, much to the ire of my embedded programming friends. That is, when people say, “Oh, well with Arduino, now people can actually program a  microprocessor.” And they always kind of bristle a little bit because they were doing this way back with Motorola embedded processors, back when I was playing with my PCs. What’s your take on this? Because, of course, Arduino really made it popular with the maker’s scene. It made it possible to easily - and artists, right. You could be an artist, or someone with no knowledge of embedded programming whatsoever, and you could pick up on Arduino. Follow a couple of instructions, read some forums and figure out how to make something work in the real world. What’s your take on that? It’s got to be a good thing, but that the same time, I heard you at DefCon grumble a little bit that ,” Well, Arduino is okay, but you can’t forget all of this other stuff.”

Mark: I don’t think it was me that was grumbling about that. I think you might have - you’re probably talking about the panel I was on two years ago. So that panel actually, I think, I was the one who defended Arduino. Because I was the only nonprofessional embedded programmer up there. I was the only hobbyist. So here’s the thing with Arduino.  Arduino took a real, honest to goodness micro-controller, an Atmega 328, I think they started out with the 168. But they took a real honest to goodness micro-controller. It's not a toy, right? It's a real micro-controller. They took a real C compiler. It's not a toy, this is backed by GCC. The most popular C compiler on the planet. They wrapped it with a pretty interface and made it very easy to use and they removed all of the complexity of the build chain, and all of the optimization tools, and the assembler, and the linker and all of that crap. They just made a simple, easy to use IDE. They didn’t say you were programming, they said you were making a sketch, right? That appeals to an artist. That’s not program. They basically made it very non-aggressive. They made it very non-computer-y. I think a lot of the computer people got turned off by that. But let me give you a hint. All you artists out there that are doing things with Arduinos, you’re writing C code. You might even be writing C++ code. You might be doing object-oriented programming and you don’t even know it. That’s awesome.

So we have made it so that it is so easy to do, that people who wouldn’t otherwise have gotten into the hobby are getting into the hobby because we didn’t say, “It’s like, well, you’ve got to go through all of these arcane steps and you have to install this package, and this other package and then you’ve got to take the output of this program and feed it into the input of another -” We’ve removed all of that. And it’s just, “Here's how you write these commands in this IDE, developer environment, and you click this button, and it will upload it to the Arduino. Done.” That’s something that artists can get behind. So they kind of took the Apple approach, right? Apple originally - the original Macintosh wasn’t targeted toward computer users, it was targeted toward artists. They’re doing kind of the same thing. They removed all of the complexities, they hid it all underneath a good UI and turned it into something that anyone can use. I think there’s nothing except good to come out of Arduino. Everything that Arduino has done has been good for the hobby. Because if you have an Arduino, you can still pull out your old school development environment and do all of your same libraries, all of the same compiler and everything else. It takes the same hex file output, and upload it to an Arduino hardware and you get the nice hardware prototyping platform with all of the shields and all of that kind of standardization that someone makes a module that you want to plug into your micro-controller to get it to do something, whatever that shield does. So you get to benefit from all of that for prototyping and still use your old tool chain.

Or, this is actually what I do, I use the Arduino IDE, and then I make my own embedded Atmel-based projects. I think that’s what you eventually want to talk to me about is the Darknet project, what I did there with the Darknet ID badge. That is all written with the Arduino IDE. I just told it to output – to build and I went into the temp directory, grabbed the output file, and wrote my own AVR dude with lines to program it out to the chips. The badge itself is Arduino compatible. You can program it with the Arduino software if you’ve got the right FTDI cable, which is a very standard, very common serial cable. Serial on one side, the USB on the other. You know, I think it’s fantastic. It’s not as powerful as a lot of the commercial tools. So a lot of the hardcore embedded developers will say, “Well, Arduino doesn’t do this feature, or that feature or whatever.” If you don’t need those features, who cares? It really doesn’t matter. And so if it gets more people into it and doing it, awesome.

(From Episode 29)

Fr. Robert: … without further ado, we welcome our security expert, my security guru, Mister Raphael Mudge. The Armitage Hacker from Penn. He's a Penn tester. Raphael, can you tell the folks where they can find you?

Raphael Mudge: Sure, yes. Hi. I’m Raphie, Raphael. You can learn a little bit about the work I do, I actually develop software to hack into systems to test their security, and you can learn about that at

Fr. Robert: Okay, now we’re going to back up, we got the plug in. Now what we actually wanted to do is talk about you. Because I know the work that you do and Snubs knows the work that you do, because you have worked with her on her show as well, just as well as you have worked on mine. But your specialty is interesting. You go beyond white hack, black hat, gray hat. You’re a guy who programs who happens to know security really, really well. Can you tell us a little bit about your background?

Raphael: Oh sure. So what’s the best place to start? I always say I’m a developer first, and everything I have or do is because I like to program. I happen to be working in the security space, and I have my own company now, but I was active duty Air Force before, for four years -

Shannon: Thank you for your service, sir.

Raphael: Thank you very much, Snubs, it was definitely a labor of love. I bleed blue, as they say.

Shannon: Yeah!

Raphael: Yeah! Very nice! So, by the way, see this beard? This is what happens if you apply all the coding lessons. You will grow a nice, fluffy beard.

Shannon: You do, you have a coding beard. I just shaved mine, so I’m very, very clean shaven.

Raphael: It looks nice.

Shannon: Yeah. He just shaved his too. But thank you, your beard is awesome.

Fr. Robert: I can’t grow a beard.

Raphael: Thank you. Anyway, back to the question. My background: so I was active duty Air Force, I worked as a researcher for the Air Force, in cyber operations, and this is one Padre might not know about me. When I left the Air Force, I invented a spelling and grammar checker After the Deadline. And I sold it to a guy named Matt Mullenweg, who created WordPress.

Shannon: Oh, that’s awesome.

Raphael: Yes, so if you have a blog, and you go check your spelling or grammar, you’re actually using my software right now to do that.

Fr. Robert: There’s always a little piece of you in there. I like that.

Raphael: Oh, yeah, after the deadlines meet.

Shannon: It’s a small world. That's cool.

Raphael: I’m a grammar checker, a grammar teacher, to millions of people through my programming efforts.

(cut to later in episode)

Fr. Robert: Raphael, one of the questions that I have had is where do you get the inspiration for looking for these exploits? Because I’d say, it’s this weird combination. You need to be a good programmer, because you need to know where they probably put the flaws in their code. Or you need to know where they put the flaws in their process, which I think is what you go after. But you also need to have sort of the troll-ish glee of finding something wrong, finding something unique that only you would know about.

Shannon: Are you calling Mudge a troll?

Fr. Robert: In the best possible way, Mudge is a great troll. But Raphael, how do those things come together in your mind?

Raphael: Sure. So, why is Twitter successful? This does relate to your question. Why is easy to write on Twitter or to write a tweet?

Shannon: They make it easy for consumers. They just simplified it, it’s very simple.

Raphael: There is one other reason, too.

Shannon: It’s pretty?

Fr. Robert: Yes, it’s attractive.

Raphael: 144.

Fr. Robert: Also short.

Shannon: Oh, yeah. It’s very short.

Raphael: 144 characters, okay. So with Twitter, one of the reasons it is so popular is because of constraint. Everybody is given this default constraint to work with, 144 characters. You are allowed to be creative within that space. I see hacking a lot like that. Sometimes I find folks will try to pick something, anything, in this big universe of all possible things to do, when what will really make you successful as a hacker is narrowing in and focusing on something. Let me give you an example from my own experience. When I was doing Production Red teaming, I do a lot of exercise and support now, but I had just done a reconnaissance shot against my target and what I did was, I sent a web application, or sent a link to a web application, to a few people in this organization. Those people clicked, it was a LinkedIn invitation, and it came to my server. My web application discovered all this information about their systems, and then sent them on to like nothing ever happened. What that gave me was a constraint. It gave me, “Here is what my target has, this is the things running on their system.” And now, when I had to come up with an attack, it wasn’t, “Okay, let me pick something cool that is random.” It’s, “I need to sit here in this box I’ve been put into, and come up with something that’s going to work here.” For me, I find when I have good constraints, good assumptions, good things that narrow what I have to do, that’s where the magic really happens. Because I can be creative within that space, and there’s not that much room to spin out of control and end up in a lot of different directions.

Shannon: So you like to constrain yourself whenever it comes to programming?

Raphael: Absolutely. I like to constrain myself when it comes to programming, and attacking something, finding the problem and putting it to use. Constraint is a beautiful, beautiful thing, and that’s what reconnaissance gives you. It gives you constraints, so you know what the reality of what you’re dealing with is.

Shannon: That’s really interesting. You know, it kind of makes me think of - in a lot of programming, you have constraints that you have to deal with. You are restrained to the rules of different program language and each one is so different, you have to stay within those rules to make your program work. So I totally get that. Wow, that's interesting.

Fr. Robert: Yeah, and I guess reconnaissance, or what Mudge does, when he reconnoiters a particular system. He’s looking at the constraints that they work with, because that’s going to necessarily affect the way that the programmers worked to both code and guide the process of data through the system. I’ve never thought about that but, yeah, I guess -

Shannon: It totally makes sense.

Fr. Robert: It really makes sense, now. That’s how you hunt for vulnerabilities.

Shannon: That’s why we have experts on the show.


Fr. Robert: Thank you for staying around for the best of 2014 of Coding 101. I have to say, we've gone through a lot of changes, everything from losing Snubs, who I loved working with every week to another program, to changing the format of the show. It's one of the things that we do because we respond to you when you tell us that you want to see certain things on the show, we try to incorporate it. We're going to keep growing as we go into the new year because we think that this is an important show to have. We want people to understand the world in which they live, and you know what? Learning about code is a big part of that.

Now, we've got some great things planned for 2015. So you're going to want to stay tabbed. You're going to want to stay subscribed to Coding 101 because it's going to be fun. We've got Steve Gibson coming up, who's going to be showing us a little bit about Spin, right? We've got lessons for PHP. We've even got some embedded programming coming up with some members of the TWiT TV army. That's right, it's going to get loud.

Until then, I want to take this time to wish you and your family, no matter what you believe or you don't believe, just have a happy holiday. Have a happy New Year's. Have a happy Christmas. Have a happy celebration of light and of life as you head off into the new year. I'm Father Robert Ballecer, the digital Jesuit. Until we meet again, end of line.

(buzzing noise) Like a boss. You see me flinch? Because I didn't.

Other: Don't be afraid, Padre!

All Transcripts posts