Sean Middleditch » Work
I finally got my hands on the domain I’ve been drooling over for over a year now, and am currently in the process of converting AwesomePlay Productions, Inc. into Mojodo Inc.
I’ve kind of hated the name awesomeplay for a long time. I came up with it back when I was, oh, 11. I think it was a direct rip of Interplay Productions, my favorite computer game company at the time (they published Dungeon Master II and Stonekeep). The name is pretty lame, dated, and unprofessional. Mojodo on the other hand is totally Web 2.0, which is also kind of lame in its own way, but what else is expected when every other reasonably intelligent domain name is taken. :)
The actual company site, once I get it developed, will be hosted at mojodoinc.com, and a new Service (oh crap) will be hosted at mojodo.com once I have the time to invest in that.
In slightly unrelated news, it’s kind of surreal that I’ve found articles written about PHP-Sugar already. Hopefully soon the new domain will be the top hit for Google searches, and the online reference manual should be ready in a week or so. 1.0 isn’t far away.
note: fairly personal, rather angsty, and especially whiny post. I would heartily condone skipping it, unless you like reading cheesy teen drama novels or like listening to emo alternative rock. you have been warned.
I don’t think I can take this anymore.
I am not the world’s greatest programmer. Not even close. I follow the work of people far greater than me, I know my place on the Hierarchy of Computer Science, and it’s middling, at best.
But… I just… I can’t fathom how these fucking idiots keep getting jobs to write software. Jobs that pay more than $80/hour, well more than twice what I make… and why after they inevitably end up failing to produce something that works, I have to clean up after it. This code is… every project I’ve worked on in my professional endeavors - every last single one - was apparently written by the most clueless fucking morons on the planet.
I know I’m not some sole soul stranded out in the Idiot Programmer Woods. I know that most Good programmers stuck in Commercial settings end up working on Horrific Code. Why do any of us have to put up with this shit? If car engineers consistently produced parts that just broke or exploded or dissolved the second they were put in a simulator, the engineers would be fired. Why do shitty coders get away with this kind of crap you can’t get away with anywhere else, and why do they get hired over the people who have a freaking clue? Why do sites like WorseThanFailure even have to exist, when those kinds of mistakes and incompetence just flat out aren’t tolerated in almost any other field?
I work mostly on web stuff for a living. Now, I dislike that in and of itself. “Programming the Web” is a lot like programming a VCR, except slightly easier. It’s mindnumbingly boring. The challenges in this kind of work are far and few between. It’s boring. It’s really, really, really boring. I LIKE hard challenges. They’re exciting. Something to do. Something to learn. Something to get a rush off of. Web programming does not offer those challenges, not even close. Yet, somehow, doing it right seems to be beyond 90% of the employed web programming work force.
The current HUGE client I’m working for has a codebase written partly by a man who has published books on PHP programming. This man, clearly, knows his stuff. Except, not so clearly. Aside from just being ugly code (you know what I mean - the kind that’s just hard to read, even though it really shouldn’t be), it’s way over-complicated. Can you say “design pattern?” Because he obviously can. A lot. If it’s possible to maybe kind of find a way to make one of the four or five Super Popular Patterns fit the code, he found a way to do it. Even if there’s a simpler one-line equivalent that a nice dynamic language like PHP offers, his code instead favors the 18-classes-over-12-files approach that strict and forced-OO languages like Java shove down your throat. And he doesn’t even program in Java, so what’s his excuse? Worse, the code is in some spots just flat out wrong, to a dangerous level.
Super basic security holes like not checking user input before opening a file, or going through the effort to make sure that all SQL query code is using place-holders, but using the ! placeholder instead of the ? placeholder (note: ? replaces the input with its escaped equivalent, while ! is really no different than passing %s to *printf functions). The code rigorously checks for errors on every single possible call into PEAR or MDB2 or other library functions, but does not in even a single place anywhere check for errors in user input. Users can, aside from trivially causing SQL injection attacks, also just insert data into the database with no value for a ‘name’ column which, in the admin UI, is the content of the link used to edit/delete the item. So no link content, no link, so no way to edit the content the user submitted without calling up a DB admin. Eventually I will fix all of this. Assuming the client can be convinced that he needs it. Because, if the client is not convinced, he’ll go with what he has, which is maybe 5% my work at tops, and when it finally does come crashing down, I’ll be blamed for it instead of the idiot friends-of-the-CTO or whatever they hired in to write the original mess.
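The difference between the two placeholders, as an added example that is not code from the original post or from PEAR/MDB2. `expandPlaceholders()` and `validateName()` are hypothetical helpers that model the behaviour described above, the `items` table and the input value are constructed, and the PDO SQLite driver is assumed to be available.

```php
<?php
// Added example. expandPlaceholders() and validateName() are hypothetical
// helpers that model the behaviour described in the post; they are not
// PEAR DB or MDB2 code.

// '?' is replaced by the quoted, escaped value; '!' is pasted in verbatim.
// (Simplified: every '?' or '!' in the SQL text is treated as a placeholder.)
function expandPlaceholders(PDO $db, string $sql, array $params): string
{
    $out = '';
    $next = 0;
    foreach (str_split($sql) as $ch) {
        if ($ch !== '?' && $ch !== '!') {
            $out .= $ch;
            continue;
        }
        if (!array_key_exists($next, $params)) {
            throw new InvalidArgumentException('too few parameters');
        }
        $value = (string) $params[$next++];
        $out .= ($ch === '?') ? $db->quote($value) : $value;
    }
    return $out;
}

// Server-side check for the 'name' column: reject empty or oversized values
// so the admin UI always has link text to render.
function validateName(string $name): string
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 characters');
    }
    return $name;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL, owner TEXT NOT NULL)');
$db->exec("INSERT INTO items (name, owner) VALUES ('alpha', 'alice')");
$db->exec("INSERT INTO items (name, owner) VALUES ('beta', 'bob')");

$input = "nobody' OR '1'='1"; // constructed hostile form value

// '!' placeholder: the value becomes part of the SQL text.
$raw = expandPlaceholders($db, "SELECT name FROM items WHERE owner = '!'", [$input]);
// '?' placeholder: the value stays a single string literal.
$quoted = expandPlaceholders($db, 'SELECT name FROM items WHERE owner = ?', [$input]);

echo $raw, "\n  rows: ", count($db->query($raw)->fetchAll()), "\n";
echo $quoted, "\n  rows: ", count($db->query($quoted)->fetchAll()), "\n";

// Preferred form: a real prepared statement, so the driver binds the value
// and no SQL text is ever built from user input.
$stmt = $db->prepare('SELECT name FROM items WHERE owner = ?');
$stmt->execute([$input]);
echo "prepared rows: ", count($stmt->fetchAll()), "\n";

// The empty-name submission is rejected before it reaches the database.
try {
    validateName('   ');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Comparing the two expanded query strings and their row counts shows the `!` form changing the shape of the WHERE clause, while the `?` form and the prepared statement treat the same input as one literal.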
Let’s not forget that apparently not one freaking PHP programmer on the planet that I’ve had the luck to be hired after seems to understand the basics of XSS and related attacks. It’s not hard at all for a user to fill in a contact form, put some quite malicious JavaScript in the body (which when viewed in the admin UI could then easily reload the page in a frame and keep a key logger or other kind of trojan running on every page that admin user accesses thereafter, it’s really quite trivial to do this, even for a javascript novice). Unfortunately, it’s a bit easier to understand how attacks like these get in with a language like PHP, since it’s a fucking language _designed solely for doing websites_ that makes it harder to do the Right Thing than the Wrong Thing. Nobody with a clue is using PHP to generate all of the HTML of the page; they use templates and such for most of the actual content. Most of the dynamic content spit out by PHP is stuff that needs to be properly escaped (just like with DB queries). So why then by default does PHP not escape its output? Wouldn’t it make more sense to escape by default and then, in those much rarer cases when your code does need to spit out raw HTML, add a method to do that? Shouldn’t the easiest, shortest way of doing something be the correct way to do it?
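The escape-by-default behaviour argued for above, as an added example that is not from the original post. `RawHtml`, `e()` and `render()` are hypothetical names, and the contact-form message is constructed sample input.

```php
<?php
// Added example: a minimal escape-by-default template renderer.
// RawHtml, e() and render() are hypothetical names, not part of PHP itself.

// Explicit opt-out marker: only values wrapped in RawHtml skip escaping.
final class RawHtml
{
    public $html;

    public function __construct(string $html)
    {
        $this->html = $html;
    }
}

// Escape for HTML element content and quoted attribute values.
// This is not sufficient for script, style or URL contexts.
function e($value): string
{
    if ($value instanceof RawHtml) {
        return $value->html;
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Replace {{ name }} with the escaped value; a missing variable is an error
// rather than a silent empty string.
function render(string $template, array $vars): string
{
    return (string) preg_replace_callback(
        '/\{\{\s*(\w+)\s*\}\}/',
        function (array $m) use ($vars): string {
            if (!array_key_exists($m[1], $vars)) {
                throw new InvalidArgumentException("missing template variable: {$m[1]}");
            }
            return e($vars[$m[1]]);
        },
        $template
    );
}

// Constructed contact-form submission as the admin UI would display it.
$message = [
    'sender' => 'visitor@example.com',
    'body'   => '<script>alert(1)</script> Please call me back.',
    // Trusted markup produced by the application itself, never user input.
    'badge'  => new RawHtml('<span class="new">new</span>'),
];

$template = '<li>{{ badge }} <b>{{ sender }}</b>: {{ body }}</li>';

// The short, default path escapes; raw output needs the explicit wrapper.
echo render($template, $message), "\n";
```

The submitted `<script>` tag reaches the admin page as inert text, while the application's own badge markup is emitted unchanged because it was wrapped explicitly.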
If a language is 90% SQL queries and HTML template processing, you’d think that those two things would be a core language feature that makes it super freaking simple to do the right thing. You wouldn’t expect database access to be a horrendously misdesigned and inconsistent add-on that requires 8 times the work to write safe SQL queries that aren’t injection-susceptible, and you wouldn’t expect the language that is itself meant to be embedded in HTML to require an add-on template engine to make up for all the design mistakes of the original language (while introducing a billion more, in the case of Smarty), would you? PHP programmers seem to think it’s pretty damn normal. You’d be surprised how hard it is to convince some of these Professionals that there just might be an easier way to do things that produces safer, faster, smaller code. Because, you know, they get paid six-figure salaries and have published books and are employed by huge Top 10 Internet Companies and I’m just the guy who fixes their broken shit that (news to them) doesn’t smell like roses.
I’d love to replace PHP. It wouldn’t be hard. I’ve written high-performance general-purpose and special-domain language runtimes before. Really, I would have to suffer repeated head trauma to even be capable of producing something as bad as PHP. But what’s the point? None of the jobs I’d get would ask for that language, they’d all ask for PHP (Or Java, or C#, or even C++ - yes, there are people who try to use C++ to write web apps, great idea, geniuses). Maybe 10 years down the road any new language I publish for this would be popular enough that I could work in it for a living, but by then I will have already gone batshit fucking insane and jumped in front of a bus from working on projects like this current one for a living every single day of my life.
I mean, this project… When you have bug after bug after bug after hole after bug all on top of a gigantic codebase that requires you to edit 12+ files (literally) just to do the basic handling of a 3 column database table used on one page on the site… I can’t take this. And it’s not even just this project. Every single one, save the very few that I have gotten to do from scratch, are gigantic messes that will take MONTHS to clean up and make work properly and securely. I just can’t imagine how people can write code like this and not say to themselves, “This is horrifically wrong, I should learn to do better.” I don’t understand how people can just shovel this shit out and realize that they could not only do it better, but do it _easier_ too. I just don’t get it. I’m not the best, but I don’t understand how you could possibly be this bad and let yourself get away with it.
I cannot keep doing this for a living. I can’t. I can’t do this. Just the thought of having to do this for another 10 years, much less 50, is making me want to cry.
The answer might appear to be to go back to school and finish that CS degree I was barely a year away from earning, and then maybe I’d be the fresh hire and not the after-thought budget coder pulled in to fix the mess the Rock Star coder couldn’t manage to build, but is that really going to make a difference? Or am I just going to get a degree that cements me in a career that I’m just going to hate for the rest of my life? Should I get a degree in something else? What? What else could I possibly do? Christ, do you know how hard it is to go back to school when you’re in my position? Especially a Good School, which invariably means “hates undergrads with a passion because they’re just a pain in the ass that gets in the way of research,” like the University of Michigan where I suffered through two years of attending and having to figure out how to keep working enough hours to pay for over-priced classes where nobody wanted to actually teach anything but wanted to take a ton of my money for the honor of not being taught anything at their prestigious school. Yeah, that’s worthwhile.
I’ve loved working on software since I was 9. I spent most of my childhood coding and learning how to do better. It’s really the only damn thing I know how to do. At this age, with an entire life devoted to one field, a field I am coming to hate more than anything else in the world… what the hell am I going to do now, if not computers?
Is there some small hope that maybe somehow I can get a job programming somewhere that I’m actually accomplishing something? Where I’m not just cleaning up after people who can’t name the difference between an integer and a b-tree? Where maybe - just maybe - I’m doing something that is actually useful, actually going to result in software people will actually use and actually need? Something where I’m actually challenged? Something where I don’t literally dread going to sleep because I know it’s followed by waking up to another day of this kind of work?
What the hell am I doing wrong that I can’t work at a company that does interesting things and hires actual programmers and not script-monkeys and where real software is produced by skilled people that ends up being used by people to actually accomplish things? Is my lack of a degree really that big of a show-stopper, in the face of damn near 10 years of real work experience? Am I just as bad of a programmer as the script-monkeys and I don’t realize it, just another worthless unhirable with too big of an ego to know what I really am? Do I just not know how to find a job, the lack of such a simple skill that shouldn’t even need much use somehow holding me back from finding work I can finally enjoy? Am I holding myself back, or is this kind of job exactly what someone like me deserves?
I don’t want to do this anymore.
Argh. Well, back to trying to hack something functional out of this pile of crap before I go to bed. Rent isn’t free after all, and only the movie critics get paid to bitch.
Work has been murder. Not even because there’s so much of it, but just the particular projects and the jumping around it entails. I’m very much a 90/10 sort of guy when it comes to projects. (I love the first 90% of the project, and despise the last 10% of polishing and tweaking.)
SCA practice has been going well. Finally bought a piece of armor (a gorget). Still need all the other bits. Every time I can find a good deal, I either am just too late or the piece doesn’t fit me or the time period I’m aiming for. Being 6′3″, 240lbs., and picky is a real problem with armor, it seems.
Quit Kanar last weekend. Showed up to hand off my character’s responsibilities so somebody else could run the guard. Hopefully it works out for everyone. I even banned myself from the Kanar boards (yay DNS tricks) so I wouldn’t keep wasting hours every day posting there. Why bother if I don’t play anymore? I don’t want to be like most of the BOCs who spend a grotesque amount of their life posting on the boards for a game they won’t play.
Japan trip is still in the air. Planning on going at the end of April still, but haven’t gotten my passport back yet. Will be cutting it close. Don’t want to buy tickets until I’m sure I’ll actually be able to go.
Ashes of Eradur (K3) is coming along. Lots of people have been working on rules stuff, which is nice. I haven’t had much time for it, unfortunately. We’re having a setting discussion on Saturday, so that will be good.
Also trying to get a couple other projects started for Ogre Lord. Want to get an “old fashioned” type card deck out there for LARPers and maybe SCA players. People like to play modern card games in those settings, and it’s a lot nicer to have a “fitting” deck than a regular Aviator deck or whatever. I’m sure some people will bitch that the entire project is misguided since modern cards didn’t exist in old times, but I’ll get over it.
I’ve got a full plate of projects right now. Which is good, as it’s keeping my mind busy, which means it doesn’t have time to wander down unpleasant alleys filled with memory thugs with big sticks with nails in. Yes, very good indeed.
My work projects are things I need to keep relatively secret. Boo.
My semi-work personal projects I also need to keep secret. Boo again.
My Kanar projects are… well, there aren’t any. Fuck Kanar. More important things to do, and the game is dying. Little sense to put effort sprucing up something headed very quickly for the grave.
I’m doing a job with Kyndig of MUD Magic working on his MUD client, adding some new ZMP features, including the new ZMP-driven markup system “ZML,” and eventually also an auto-mapper.
For AweMUD, I’ve got my usual assortment of “would like to do”s, with nowhere enough time to actually do most of them.
Also, I’m trying to work a bit more on Cloud9 (my fully HTML/JavaScript MUD client). I have an auto-mapper prototype I might be able to integrate at some point. I’m also planning on axing the HTTP proxy server. It’s a pain in the ass and a source of some silly bugs. Better to just swallow my pride and use a Flash applet for the network connection. For Firefox users, I could also use the native socket bindings, assuming the security controls don’t bite me in the ass too hard.
Life update:
I moved out of my parents’ house. I’m now living in an apartment with my friend Shawn Pearce.
I quit my job at the Township. I now do freelance work for considerably more money at considerably fewer hours.
Laura and I broke up.
I’m in therapy for severe depression, which I’ve been suffering from for the last four years or so.
Suffice to say, my life looks almost nothing like it did a few short months, or even weeks, ago.
Anyway, this blog is back. I’ve had quite a few people, both those I know personally and even many I’ve never met, tell me they actually read it, which implies to me that there is some value in continuing to write it, so I will do so.
Finally got my SATA drive back from Maxtor after it broke. Sadly, the mounting brackets that my case requires for disks are all missing except for the one already in use. After much looking, I think I just need to buy a new case. Which isn’t too bad since I wanted a new one anyhow. Of course, I had planned on buying a Shuttle XPC case/mobo and with that a new CPU and memory, all of which is just right out of the question given the cost, so I will have to find a bearable ATX case.
My Maxtor drive in my work station at work died on Monday. Have it back already and most of the system working again (running Ubuntu instead of Fedora, as a bonus) except for the install of Windows in VMWare, which I had just gotten done last week and which took many many hours.
I hate hardware. Software only ever fails because it was told to do something wrong. Hardware fails just because the universe hates me. ;-)
I’ve now got a copy of VMware Workstation installed on my box at work, and am (after only three hours) about three-fourths of the way through getting Windows XP Professional SP2 + updates installed.
The sole benefit to getting all this up-and-running is being able to test Internet Explorer against the website and intranet applications I develop at work. That’s a lot of time, resources, and money spent just to test a bloody browser.
On the upside for me, I can probably use this to test development of projects like AweMUD on FreeBSD or Open Solaris when I don’t have anything important to do at work.
It’s sad that I couldn’t use Bochs or one of the other VMs to do this, or even to test FreeBSD on my machine at home. I wrestled with Bochs and QVM for several hours and gave up. Until one of the Free VMs has the ease of use of VMware, or can at least come within a galaxy’s breadth of that ease of use, I’m going to be sticking with the proprietary software. I’d rather have software that actually works and which I can actually get running than software which is Free but useless.
My two final contracts are just about wrapped up. That’s a huge load off of my shoulders. Not to mention it’ll give me a little extra cash to pad out my savings so I won’t feel like I’m living quite so dangerously in the financial department.
I still, of course, have tons of school work to do, KANAR.org work to do, AweMUD work to do, friends to hang out with, and possibly a new project with a friend making a computer game/game-engine. (Yet to determine if it will be OSS, although I’d like it to be, especially given that this project will largely just be a learning exercise.) At least, however, none of those other than school have any sort of deadlines attached to them, so I can slip and not worry about it. :-)
On a completely different note, I added a plugin to WordPress to let me see the search engine queries people are using to find my blog. Some of the more interesting ones:
* rampant mouse - company and website owned by a friend, now unfortunately defunct
* dovecot gssapi - this and quite a few variations on searches regarding GSSAPI and Kerberos, it’s almost like I’m the only guy blogging about trying to get that stuff working
* ghost in the shell sex scene - o_O just weird to begin with given that I didn’t write about such a thing, and whoever found this blog searching for that: shame on you!
* kanar - great, the last thing I really want is all my fellow players finding my personal blog
* the slayers manga - close to the top hit for one of my most favorite mangas ever and I only blogged about it once, how cool/weird is that?
The worst thing is, I really don’t want that kind of exposure. This blog was intended more for friends and others in the developer community, not weirdos looking for Ghost in the Shell hentai. :-/
Here’s my Todo from the last week. Looking good.
- Complete gateway exam for Calculus III **- Done**
- Study for Latin Exam 2 **- Done**
- Minor contract work for one website **- Mostly Done**
- Minor contract work for a second website **- Punted**
- Kanar.org PayPal code to test with the winter feast **- Punted**
- Push the final releases of AweMUD 0.23 and Scriptix 0.31 which are several weeks behind **- Punted**
- Clean my room **- Done**
- Clean my Ranger **- Punted**
- Drink lots of rum **- Done**
5/9 done (the “mostly done” will be “done” by tonight). That’s more than 50%, which is probably a new record for me. :-)
Only two of the punted items are in any way important. Once I get them complete, I think I am going to feel a *lot* better. Huge drop in stress levels and all that.
At work, my boss installed Groupwise 7, which includes the SOAP access method for Evolution. For the first time in five years, I can finally access the contacts and calendar of the township’s groupware system. The LDAP entries exported by Groupwise were never useful to Evolution (the users had no names, just email addresses and their login ids) and the calendar just wasn’t accessible at all.
Now we just need the server to have an updated iFolder system that works with the iFolder client available on Mono/Linux, and I’ll finally be all up-and-up with the township’s network. :-)
I installed OpenLDAP at home to run the user accounts. I’ve been poking at LDAP a bit lately as I’ve really wanted an object-oriented database, a very fast and efficient one that isn’t Java or CLR based, and LDAP is (although they don’t admit it) an object-oriented database system. It is, unfortunately, not particularly well optimized to the use I have in mind, which has rather frequent changes to the stored data. Still, LDAP would be a good reference for building such a database, and it’s even possible that, although LDAP isn’t designed for efficient writes, some particular implementation of an LDAP server (or, preferably, an embedded LDAP engine) would pull it off nicely. Samba4’s ldb may be the answer, if and when it’s ever stable, documented, and released.
Anyways, OpenLDAP is up. I migrated the user accounts and set up my machines. Authentication works over GSSAPI. It’s all rather nice, I think.
I had two big problems, amid a number of smaller ones, while setting things up. The first was that Dovecot, in its infinite perfection, eschewed cyrus-sasl in favor of its own SASL library. Which doesn’t support GSSAPI. Nor does it support binding to an LDAP server with SASL to authenticate. It (shudder) directly queries the userPassword attribute of the LDAP server if configured to authenticate with LDAP. Thankfully, because PAM and NSS both work with LDAP and GSSAPI, I didn’t really have to change much in the Dovecot configuration, although it took me a while to realize that. I just told it to stop using /etc/passwd for the user database and to instead use LDAP, while continuing to use PAM for authentication. Still no single sign-on with my IMAP server, but at least it still works. Oddly, Dovecot doesn’t seem to be able to use NSS for querying user account properties. Either that or I’m missing something.
The second problem was that GDM on my desktop refused to work. I made many changes to the configuration files, some of which looked quite broken but which didn’t seem to inhibit login from working (the user accounts in question had been completely removed from /etc/passwd, so it had to have been using LDAP properly). I still have no idea what exactly I did to fix it. After making another batch of changes and getting a different error message (I received no less than four different error messages, ranging from “invalid credentials” to “could not create groups” to “administrator has disabled logins”), I ran /etc/init.d/gdm restart and GDM started working.
Confusing, but hey, at least it works now!
My next system administration task is getting DNS SRV records set up for the various services I run. With a decent DNS-SD (service discovery) implementation, it should then be possible to find any service on the network without manually entering any information. That is, the DNS-SD implementation should know the domain the host is in and query that domain for services. Current DNS-SD implementations that I know of all are limited to using M-DNS (multicast DNS), which while useful for ad-hoc networks, is not that useful for engineered/administrated networks.