Security of Ruby’s Kernel#rand

Last night I was at the Chicago Area Ruby Group, where Trevor Turk gave a presentation on his El Dorado project. While he was showing us the code I saw the method that generates the application's authentication token, and I could not help but notice that the security of those tokens depends greatly on the security of Ruby's Kernel#rand method. Default rand functions are traditionally built for statistical quality rather than unpredictability and so tend to be a bit light on security, which made me wonder whether that was also true of Ruby's Kernel#rand.

Only one way to find out! I downloaded a fresh copy of the source code for Ruby 1.8.6 and started poking around in random.c, where the function in question lives. My findings are mixed, and I have good news and bad news to report!
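To make the concern concrete, here is an added example (mine, not code from El Dorado or from the post) that contrasts a token built from Kernel#rand with one built from SecureRandom. Kernel#rand is a seeded pseudo-random generator: once srand has been called with a given seed, every subsequent rand value is reproducible, so a token derived from it is a pure function of the seed. The hypothetical rand_token and recover_seed helpers below show that, with the brute-force search assuming for illustration that the seed came from a small, enumerable space. SecureRandom (in the standard library from Ruby 1.8.7 onward) draws from the operating system's CSPRNG instead, so there is no seed to recover.

```ruby
require 'securerandom'

# Hypothetical token generator in the style the post worries about:
# every output is a deterministic function of the seed passed to srand,
# so the "randomness" of the token is only as good as the secrecy of the seed.
def rand_token(seed, length = 32)
  srand(seed)
  Array.new(length) { rand(16).to_s(16) }.join
end

# Brute-force the seed from an observed token. This only illustrates the
# failure mode: it assumes the seed was drawn from a small, enumerable space.
# Returns the seed, or nil if no candidate in 0..max_seed reproduces the token.
def recover_seed(token, max_seed)
  (0..max_seed).each do |candidate|
    return candidate if rand_token(candidate, token.length) == token
  end
  nil
end

# The hardened alternative: SecureRandom reads from the OS CSPRNG
# (/dev/urandom or the platform equivalent), so there is no seed to guess.
def secure_token(bytes = 16)
  SecureRandom.hex(bytes)
end

if __FILE__ == $0
  observed = rand_token(1234)
  puts "token from Kernel#rand:  #{observed}"
  puts "recovered seed:          #{recover_seed(observed, 10_000).inspect}"
  puts "token from SecureRandom: #{secure_token}"
end
```

The seed search is deliberately naive; the point is only that a Kernel#rand token gives an attacker something finite to enumerate, whereas a SecureRandom token does not.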

Domain Specific Languages

I found out Friday night that chromatic from the Perl community has been writing about my previous posts:

Cosine, if you post yet another followup, please explain precisely what in the world you possibly mean by “better support DSLs” and perhaps even “DSL” in general.

Excellent comment, so I will. It goes back to the Lisp idea that code is data and data are code. When everything is wrapped in parentheses that concept is more obvious, because code and data look identical. Here is some code:

(car mylist)

And here are some data:

'(car truck van)

An Idea for Process Teams

My previous post on Policy Hell generated some thoughts from my friend Ryan at his blog, in a post called Policy, Subjectivity and Inteligence. It seems that last year he had similar thoughts in another post titled The "What isn't easily measurable, doesn't exist" Rule. I think he was spot on about why policy makers ignore so many costs:

It is easy for them [policy makers] to ignore the side effects, such as wasted bureaucratic efforts, delays to real progress, and other general dysfunctions. The side effects are outside of their purview, and highly difficult to measure. These two factors lead to application of the “What isn’t easily measurable, doesn’t exist” rule.

I did some brainstorming about what kinds of changes an upper manager could make to the organization that would provide some relief without going through the tedious and expensive task of identifying costs that generally go unaccounted for. I aimed for something simple enough that a brave manager could try it out with little effort, yet distinctive enough to set his company apart from most others (hopefully in a positive way).

Registration

I just turned on registration for the site so people can post comments here rather than send me email or respond on their own blogs. Because I have protected the /wp-admin part of the site, some links may not work as normal, and there is no link yet for the profile update page; use the link in this post to get there for now. I have not added it to the sidebar yet because I only want it to appear for logged-in users, and I need to read up on how to do that in WordPress.

Policy Hell

One thing that I learned in five years of working for an FDA-regulated company: policies are usually written to address fears rather than to solve problems or provide a return on investment. Often when one challenges the usefulness of a troublesome policy the answer is that Something Bad might happen if we did not have the policy. Never mind that the odds of Something Bad happening are minuscule. Never mind that the cost of Something Bad is less than the cost of maintaining the policy and training the employees on it. Never mind that the existence of the policy does not even prevent Something Bad; your company just hopes it makes Something Bad less likely. Fear has taken over, and we must avoid Something Bad at all costs.

I do not mean to belittle all those policies out there, but I would be very surprised if more than 10% of policies in medium-to-large companies provide a net positive return on investment.
