I Am Not a Teacher

…anymore. Specifically, I’m not teaching the game programming course again this autumn, as I had hoped. I was interested to do it, but Mohawk was a bit tight on funding for sessional instructors this year, so one of the regular professors took over.

It is unfortunate for me, as I had a number of ideas for improving the course and my framework that I wanted to try. On the other hand, it means I still have my free time—teaching required me to go to Mohawk twice a week for 4 hours in total (and transportation and preparation time on top of that) while still maintaining full hours at my primary job at Mac, which was draining. Not that I’m making much productive use of my free time, but still… it’s nice to have.

I think this may be the last time this course is taught at Mohawk, at least using the current platform (OpenGL via C++). I know that Mohawk is restructuring its Software Engineering program (for one thing I believe it’s going to be renamed to “Software Development” which is just as well; I don’t think we had much actual engineering discipline taught) and as part of that C++ is being phased out. Depending on when that happens (or happened) this course may yet be taught once more, but once only. After that, it will either have to change (perhaps to C#/XNA?) or be retired.

Incidentally, I taught Assembly Language the previous year and that too was phased out. I’m not sure if these changes are good or not. Although I feel C++ and even Assembly are important and worthwhile to learn (and I’m sure quality university programs will continue to teach them), Mohawk is focused very much on catering to the broad needs of Industry, and getting their graduates jobs. And the bulk of the jobs these days seem to be in Java or C#, and typically on a web platform. So perhaps overall it is the correct direction for the college.

I am not a programmer

… but I wish I were.

Well ok, actually I am a programmer, in that I am employed to (among other things) write programs. But it’s not in the professional sense that I wish to be a programmer, it’s in the amateur sense. That is, the original meaning of “amateur”, one who does something for love, not money. (However I certainly am an “amateur” programmer in the more common sense, “novice” rather than “expert”–sometimes words can be so difficult.) I say this because although I love programming in the abstract, I just don’t do a lot of it! Ergo the conspicuous absence of posts about my programming projects, which is what this blog was ostensibly for.

I just haven’t been greatly motivated to do anything for quite some time, and I’ve been struggling to figure out why that is. I’ve identified a couple reasons:

Programming at work makes me disinclined to do programming at home. This is a feeling that a number of my programmer friends have reported also. For some it goes even further–they don’t even want to be on the computer at home. I don’t seem to have that problem; I’ve no difficulty spending much (and probably too much) of my time at home playing games, browsing the web, whatever. But focusing on projects, even when they are fun stuff compared to the boring stuff at work, is often difficult.

Programming alone is dull. When I was younger I learned programming by myself, and most of my early experiments and projects were done solo. It wasn’t a problem then, though I would have liked working with other programmers. I just hadn’t had many friends who were interested in it. But I find now that my disposition has changed, and I more strongly crave the interaction with others. I had the opportunity for it in college, and now prefer it. This is a major thing lacking from my job actually, the fact that I am not on a team of programmers.

Fortunately these factors don’t always prevail; sometimes I can manage to overcome them and get stuff done. Sometimes I can even reach the mood described by Nikola Tesla:

“I do not think there is any thrill that can go through the human heart like that felt by the inventor as he sees some creation of the brain unfolding to success… Such emotions make a man forget food, sleep, friends, love, everything.”

All summer I did no programming at all, but when September came and I realized I had a lot of work on AMazeBot yet to be done, I managed to slowly get back into it. I’m not yet in the Tesla state, but I’m gaining some momentum.

Now if I can only find the motivation to write blog posts more frequently…

Hash your passwords!

At my place of work we use a certain program. It’s a multi-user client/server program, with authenticated user accounts. Recently while I was logging in something unexpected happened. After providing my credentials and hitting enter I realized I’d inadvertently typed one extra character at the end of my password. I expected to have to retype it, but to my surprise the program granted me access. To be sure I logged out and tried it again, this time purposely appending an extra character, and again I was granted access. A few more experiments revealed that my password would be accepted with any number of characters added at the end, whereas any other change was properly rejected.

This peculiarity baffles me; I can’t fathom why anyone would program a password check in such a way. But leaving that aside, what are the implications of this behaviour? Minimally, that the program must know the length of my password. Without that information it couldn’t know how many characters to ignore, were I to type too many. (Well, actually that isn’t strictly true—there is a way to do it without knowing the length of my password, but it’s a silly trick.) Now, there are basically 2 ways in which the program could know the length of my password. The most direct and obvious way is to store my password in its database and thus be able to simply count the characters. Alternatively, it could store only the length as a number but not the password itself.

But how could the program possibly be not storing my password? How can it check whether the right password has been supplied, if it doesn’t know what the right password is? By using a form of encryption known as hashing. A hash function takes plaintext (original, readable text) of arbitrary length and converts it into a ciphertext (encrypted, unreadable text) of fixed length, which is called the hash. The important property of this function, that differentiates it from other kinds of encryption, is that the reverse operation can’t be done. This means the function is “one-way” only: you can turn any plaintext into a hash, but given a hash it’s practically impossible to reconstruct the plaintext.

Using this scheme then, instead of storing the password as plaintext, the program could store just the hash. To authenticate a user, the program need only hash whatever the user has typed in, and compare the result against what’s in the database. Thus, without even knowing what the password actually is, it could ensure that the correct one was given. Because all hashes produced by a particular function are the same size, even the length of the original password is obscured. That’s why if the program were using hashing to avoid storing the password itself, it would have to store the length of the password separately. Unless, that is, it used the silly trick I mentioned—which I’ll not reveal here, as it should be fairly trivial to figure out (feel free to ask in the comments if you’re stuck though).

So what is the program actually doing? Well, the observed behaviour is most straightforwardly explained by the storing of plaintext passwords. In fact I jumped to that conclusion when I discovered the peculiarity, and it was only after analyzing the situation in depth for this post that I realized that it wasn’t quite certain. But anyway what does it matter whether it’s storing plaintext or hashed passwords? In a word, security.

Consider what would happen if an attacker were to compromise the database and obtain read access. If the passwords are stored in plaintext, then it’s a disaster; but if only hashes are stored, then the passwords themselves are still (for the moment) secret. Even under normal circumstances there is a benefit—hashed passwords are secret also to the administrators of the system. Users commonly use the same password for many services, so they are better protected if they don’t have to risk placing undue trust in admins; and if something does go wrong, an admin is under less suspicion if they could not possibly have known a user’s password.

This is a very basic security technique, but the knowledge of it seems depressingly uncommon in the software engineering field. A major part of the blame lies with educational institutions; I was not taught this in college, having instead to learn it on my own (fortunately not the hard way). Hashing is only the beginning though, as there are still ways an attacker could defeat such a system. The second line of defense is to add salt, which I’ll cover in a future post.