I’ve been accused of preaching when it comes to software process and quality, so I decided to own it — thus the name of my blog.
Our world is at a crossroads with ubiquitous surveillance and criminals exploiting the flaws in our software. The two issues go hand-in-hand. Insecure software allows governments and criminal organizations to break into your computer, and use your computer to spy on you and others. A lot of people think they don’t need to care because they’re too innocuous for government notice, and they don’t have enough for a criminal to bother stealing.
The problem is that everyone with an online presence, and everyone with an opinion, has something to protect. Thieves want to garner enough of your personal information to steal your credit. Many bank online, access their health records online, and display their social life online. Every government, including our own, at one time or another has suppressed what they thought was dissident speech.
So let’s talk about encrypting everything, and making the encryption convenient and powerful. Before we get there, though, we have to talk about not writing crappy software. All the security in the world does no good if you have a broken window.
My favorite language happens to be C++, so I’ll mostly show examples from that language. Just to show problems are translatable into other languages I’ll toss in an example in Java. I promise I will devote an entire future posting to why I hate Java, and provide the code to bring a Java server to its knees in less than 30 seconds. Meanwhile I’ll also toss in examples in Java. With every post I’ll try to include a little code.
Today’s little code snippet is about the use of booleans. It actually has nothing to do with security and with me learning how to blog. I hate it when I encounter the coding jokes:
if (boolVariable == true || anotherBool == false) ...
It’s obvious that the author of that line didn’t understand evaluation of booleans. When I asked about that line, the author claimed “It’s more readable that way”. Do me and other rational people a favor; when creating a coding guideline or standard, never ever use “it’s more readable that way…”. Beauty is in the eye of the beholder. Many programmers actually expect idiomatic use of the language. Know the language before claiming something is less readable than another. In this particular case, the offending line defies logic. What is the difference between
boolVariable == true
and
boolVariable == true == true == true ...
Cut to the chase and just write the expression as
if (boolVariable || ! anotherBool) ...
Believe it or not (try it out yourself by compiling with assembly output) the different styles make a difference in the generated code. In debug mode the actual test of a word against zero gets generated with the Clang and GNU compilers. Thankfully, the optimizing compilers will yield the same code. It is helpful, though, to have the debug code close to the optimized code.
The above coding joke is related to using a conditional statement to set a boolean, for example:
if (aardvark > 5) boolVariable = true;
The basic problem here is you don’t know if the programmer actually meant
boolVariable = aardvark > 5;
or did they mean
boolVariable = boolVariable || aardvark > 5;
Write what you mean.
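The ambiguity can be checked exhaustively. The following is an added example, not code from the original post: the function names (conditional_set, mirror, sticky, styles_agree, disagreements) are made up for illustration, and the 0 to 10 range for aardvark is an arbitrary sample.

```cpp
#include <cstdio>
#include <initializer_list>

// The statement as written in the post: set the flag only when the test passes.
bool conditional_set(bool boolVariable, int aardvark) {
    if (aardvark > 5) boolVariable = true;
    return boolVariable;
}

// First reading: the flag always mirrors the comparison (prior value ignored).
bool mirror(bool, int aardvark) { return aardvark > 5; }

// Second reading: the flag is sticky; once true it stays true.
bool sticky(bool boolVariable, int aardvark) {
    return boolVariable || aardvark > 5;
}

using Form = bool (*)(bool, int);

// Count the (prior flag, aardvark) inputs on which two forms disagree.
int disagreements(Form f, Form g) {
    int count = 0;
    for (bool prior : {false, true})
        for (int aardvark = 0; aardvark <= 10; ++aardvark)
            if (f(prior, aardvark) != g(prior, aardvark)) ++count;
    return count;
}

// The "== true" / "== false" style and the idiomatic style, over all four inputs.
bool styles_agree() {
    for (bool boolVariable : {false, true})
        for (bool anotherBool : {false, true})
            if ((boolVariable == true || anotherBool == false) !=
                (boolVariable || !anotherBool))
                return false;
    return true;
}

int main() {
    std::printf("conditional vs sticky: %d disagreements\n",
                disagreements(conditional_set, sticky));
    std::printf("conditional vs mirror: %d disagreements\n",
                disagreements(conditional_set, mirror));
    std::printf("comparison styles agree: %s\n", styles_agree() ? "yes" : "no");
    return 0;
}
```

The conditional form behaves exactly like the sticky form; it differs from the mirror form whenever the flag was already true and aardvark is 5 or less, which is the case a reader cannot tell was intended.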