Technotive
Spirituality/Belief • Science & Tech • Writing
All ideas are to be considered. Well-written program code is beautiful, but art does not fall far behind. We strive to be turing complete.
February 12, 2022
Security Saturday - Pick and Stick

So a good while ago I decided to start a project called TinySigma, an email service. While it technically exists, there is no way to manage your email properly (like changing your password and the like).

So a little while after TinySigma was initially set up, I decided that I wanted an identity platform, TinySigmaID. Of course, me being me, I decided that the best way to program it would be in Haskell. I don't know too much about Haskell but I can comfortably program in it because I know the basics of type theory and have some experience working with Coq.

But not enough.

And so this Security Saturday is simple: I had a problem (cannot manage email access properly), I chose a path (make an OAuth identity service), and then I picked a way to implement it (Haskell).

Haskell is type safe and is very good at limiting several kinds of errors (given that the compiler does its work), which makes it very suited for something sensitive like an identification platform. However, I was never going to finish it in Haskell. I do not know enough of translating stateful behavior (databases, JSON data manipulation) in Haskell. I could learn but it would make building the TinySigma ID application a toilsome project, and that is exactly not what I would want.

So, in order to pick and stick with the TinySigma ID project, I am ditching Haskell in favor of Node.js.

Node.js is, in a way, a security nightmare (what with the upstream package sabotage: https://blog.sonatype.com/npm-libraries-colors-and-faker-sabotaged-in-protest-by-their-maintainer-what-to-do-now ) and for the longest time I was considering using PHP instead.

But then I realized that for PHP I am probably going to have to set up a FastCGI mod into NginX (which I am already running, so I'm not switching to some other webserver) and I don't like all the extra management. For Haskell I was going to reverse-proxy using NginX anyways so switching to Node.js would not increase complexity like switching to PHP would.

As some people (including @CalvinRempel) said, PHP would be more stable and Node.js would be a security risk or annoyance in the long run. To all of which I agree. But that is where I should say "You know, once the project is running, I could slowly replace parts of the API with Haskell code instead, limiting the domain in which I am learning Haskell to just the piece of API that I am replacing."

Actually, the point that I should have learned earlier because of my day job, and what my wife said to me, is that in the end, the most secure and stable option is the one where you get the work done without feeling pressured or burdened. Which I guess means I will develop the initial version in Node.js.

Is this Security Saturday about security then? Why yes, because a happy workflow and a happy security guy (like me) is a healthier way to manage the processes around staying secure :)
