February 2005

A moment of drug abuse zen

I’ve heard all sorts of opinions for and against Ruby, from “what God himself would’ve used for all its OO scripting needs” to “what Smalltalk scraped off its womb with its bare hands after being raped by Perl”, all quite amusing at the very least. A few months ago I read some introductory stuff at the website, played with it a bit, segfaulted the VM a few times, but didn’t end up doing anything particularly interesting or useful (unless you consider adding numbers and printing silly messages interesting or useful, but I digress).

Last week, though, my co-worker Obie had this very cool idea for a web app, and after considering a few technological dead ends (like, uh, Java), we decided to do it using Rails. To make it a more interesting experience, we’d pair on it while listening to things like Chicks On Speed and Crystal Method.

Indeed, and paraphrasing my colleague Wilkes Joiner, if you aren’t familiar with Rails, you’re not trying hard enough. :)

The whole thing is so tightly integrated and the work flows so nicely that I hardly feel like wanting to come back to Java and the whole “3 hours to build, test and deploy” land.

Putting the web side of things aside for a moment, as we haven’t played too much with it yet, I’d like to focus on the persistence part of Rails, ActiveRecord. From the website:

Active Record connects business objects and database tables to create a persistable domain model where logic and data is presented in one wrapping. It’s an implementation of the object-relational mapping (ORM) pattern by the same name as described by Martin Fowler (…)

Think Hibernate, but with no mapping files and no need to cut against the grain – thus removing the need for code generation tools like XDoclet – and add nifties like support for pluralization, so that the Person class gets mapped to the people table, Invoice to invoices, and so on, automatically. Also, add lovely methods like belongs_to and has_many to connect the entities, even at runtime if you're so inclined.

We spent some time figuring out the proper entities and relationships we needed for our first couple of stories (not the best way to do it, we were told later), and after a few hours of head-scratching when Rake started hanging for no apparent reason (a bug in test/unit), we found that we could just run the test class as a regular Ruby script and started coding our first ever test case.

One particularly nice trick we used was to avoid naming join relationships like people_project, and coming up with a single noun to define it (in this case, slots). This way you can probably phrase your whole domain model in one or a few sentences, connecting all the nouns ("a project sponsor starts a new project and staffs its slots with people" would be an example). This simplified our domain language enormously, and communication is much easier. Also, we don't have to spend more than two seconds coming up with a name for a variable, always a good thing.
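As an added illustration (not this project's code, and not ActiveRecord itself), here is a tiny in-memory take on the two conventions above: the class-to-table pluralization and has_many/belongs_to, applied to the project/slot/person model from the post. The class names, attributes and the IRREGULARS table are assumptions made for the example.

```ruby
IRREGULARS = { "person" => "people", "child" => "children" }.freeze

# Rails-style table naming: "Person" -> "people", "LineItem" -> "line_items".
def tableize(class_name)
  word = class_name.gsub(/([a-z])([A-Z])/, '\1_\2').downcase
  return IRREGULARS[word] if IRREGULARS.key?(word)
  case word
  when /(s|x|z|ch|sh)\z/ then "#{word}es"
  when /[^aeiou]y\z/     then word.sub(/y\z/, "ies")
  else "#{word}s"
  end
end

# Minimal stand-in for ActiveRecord::Base (assumption: one array per
# subclass plays the role of the table; ids are assigned sequentially).
class Model
  attr_accessor :id
  def self.table;      @table ||= []; end
  def self.table_name; tableize(name); end
  def self.find(id);   table.find { |row| row.id == id }; end
  def self.create(**attrs); new(**attrs).tap { |row| row.id = table.size + 1; table << row }; end
  # belongs_to :project keeps a project_id and resolves it on demand.
  def self.belongs_to(assoc, class_name)
    attr_accessor :"#{assoc}_id"
    define_method(assoc) { Object.const_get(class_name).find(public_send(:"#{assoc}_id")) }
  end
  # has_many :slots selects the rows whose foreign key points back here.
  def self.has_many(assoc, class_name, foreign_key)
    define_method(assoc) { Object.const_get(class_name).table.select { |r| r.public_send(foreign_key) == id } }
  end
  def initialize(**attrs); attrs.each { |k, v| public_send(:"#{k}=", v) }; end
end

# The domain from the post: a project is staffed through slots (the
# single noun chosen instead of a people_projects join name).
class Person < Model; attr_accessor :name; has_many :slots, "Slot", :person_id; end
class Slot < Model
  attr_accessor :role
  belongs_to :project, "Project"
  belongs_to :person, "Person"
end
class Project < Model
  attr_accessor :title
  has_many :slots, "Slot", :project_id
  def people; slots.map(&:person); end
end

def staff_example_project
  ana, bob = Person.create(name: "Ana"), Person.create(name: "Bob")
  project = Project.create(title: "Time tracker")
  Slot.create(project_id: project.id, person_id: ana.id, role: "dev")
  Slot.create(project_id: project.id, person_id: bob.id, role: "tester")
  project
end
```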

And then, after less than 25 lines of model code, and 25 lines of test code, we had a green bar. Actually, a dot, but still, it kinda shows the power of this thing. Can you imagine what you'd be able to do in Java if you had just started using it and had only a couple of days to implement a story?

Geek
General


On Security

You know the kind of stupid stuff you do when you’re 16? And they suddenly appear again many years later to haunt you? You know, like having kids, smoking crack cocaine, burying corpses on your backyard… or even, on those moments of utter carelessness, sharing root passwords?

Some may have noticed this website was compromised yesterday and asked me what happened, so here goes a little advice: don’t use the same “low-security” password you’ve been using for the past 7 years out of sheer laziness on a public website that gets syndicated. In fact, don’t use it anywhere, dammit.

In this particular case, I had a few friends from high school days who happened to know this password, as we shared a few local user accounts on each other’s machines, and sometimes needed to get root access to help fix things. Being the idiot I am, I ended up using this same password for many other things, some of them not as low security as I’d think, and completely forgot about the fact that one of these friends has his moments of low self-esteem, and needs to draw attention to himself every so often. But instead of getting a nicer or more expensive car, computer, cellphone or girlfriend, like everyone else who was beaten up as a child would, he goes around annoying people. Sad.

So, I’m changing all my passwords to 50-character passphrases. With alphanumerics, l33t-sp33k, spaces, non-ASCII characters and whatever else I can think of. Sure, it takes me about a minute to log in to my daily stuff, and it’s a pain in the ass, but it saves me from the trouble of thinking about all those different torture methods. Well, sort of, there’s still a lot of spam…

Blogs
General


BoingBoing haiku mash-up

Chad Fowler came up with a very interesting find: the Lingua::EN::Sentence and Lingua::EN::Syllabe libs, which he used to write a random haiku generator with his own posts as input.

As I don’t have that many posts here yet, running his script over my babblings didn’t turn out to be too interesting; I needed a good quantity of weird stuff. So, of course, I ran it over all the BoingBoing posts I had archived (since somewhere around early December).

Here are some of the best:

Throw potshots at it.
(click image for enlargement.)
We’re all gonna die!

Free registration.
Devastation & much more!
Find it on eBay!

No records of death.
And you have to be humbled.
But, IT’S NOT ENOUGH.

Shown here, “crochet crotch.”
The detail is impressive.”
Link to example.

So he called the cops.
They want dolls and baseball bats!
And those come from you!

“They were DELICIOUS.”
I demand a recipe.
I was skeptical.

Ah, the good joys of automated text processing and its usually bizarre outcome!

Here’s the full output, before randomizing it into haiku-like 5-7-5 triplets.

A small update: if you don’t feel like fiddling with Ruby in order to generate your own haikus, here’s a nifty (Python based, oh the irony) haiku generator using Cory Doctorow’s Eastern Standard Tribe as a source. Every time you reload, you get 42 fresh ones. Check it out!
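As an added illustration, not Chad Fowler’s script, here is a small Ruby version of the technique: split text into sentences, count syllables with a vowel-group heuristic standing in for the Lingua::EN libs, and draw a 5-7-5 triplet from the sentences that fit. The corpus is a constructed sample, not the BoingBoing archive.

```ruby
# Constructed sample corpus, not the BoingBoing archive the post used.
CORPUS = "Throw potshots at it. Free registration. Devastation and much more! " \
         "Find it on eBay! No records of death. And you have to be humbled. " \
         "But it's not enough. The detail is impressive. Link to example. " \
         "Click image for enlargement. I was skeptical."

# Split on sentence-ending punctuation (a stand-in for Lingua::EN::Sentence).
def split_sentences(text)
  text.gsub(/\s+/, " ").scan(/[^.!?]+[.!?]+/).map(&:strip)
end

# Heuristic syllable count (a stand-in for Lingua::EN::Syllable): one per
# vowel group, minus a silent trailing "e" (but not "-le"), never below 1.
def syllables(word)
  w = word.downcase.gsub(/[^a-z]/, "")
  return 0 if w.empty?
  count = w.scan(/[aeiouy]+/).size
  count -= 1 if w.end_with?("e") && !w.end_with?("le") && count > 1
  [count, 1].max
end

def sentence_syllables(sentence)
  sentence.split.sum { |word| syllables(word) }
end

# Bucket sentences by syllable count and draw a 5-7-5 triplet; returns
# nil when some bucket is empty. A seeded RNG keeps the draw repeatable.
def haiku(sentences, rng: Random.new(42))
  buckets = sentences.group_by { |s| sentence_syllables(s) }
  [5, 7, 5].map do |n|
    pool = buckets.fetch(n, [])
    return nil if pool.empty?
    pool[rng.rand(pool.size)]
  end
end

puts haiku(split_sentences(CORPUS))
```

The heuristic miscounts words with a silent "e" in the middle ("baseball") the same way the post's output sometimes does, which is part of the charm.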


Blogs
General


Voting and the Brazilian election system

There are a couple of things pretty much every Brazilian will throw at any gringo given the situation: they’ll politely remind you our capital is not Buenos Aires, and they’ll rave about the “flawless” electronic voting system put into place years ago.

I don’t have anything to say about our capital, really (Brasilia is a nice place), other than that it hosts one of the country’s most respected universities, UnB, where Pedro Antonio Dourado Rezende (pt_BR link) is a professor.

He’s one of those fanatical guys who seem to know too much about too much stuff, and his recent work on security has been widely recognized. And this is where we get back to the electoral system in Brazil. If you are interested in the subject, or in security in general, I can’t recommend the RSA Cryptobytes enough, particularly volume 7, out last fall (PDF link), which has an article from Rezende on this matter.

Quote from the abstract:

Rezende argues that many of the criticisms levelled against voter-verifiable paper ballots, such as the criticism that voter-verifiable paper ballots favor vote-selling, are just plain wrong.

After reading the article, I understand and perfectly agree with the argument that voter-verifiable paper trails do not favour vote selling (after all, the voters don’t have physical access to the paper trail; it’s only displayed to them through a window). But it’s not just the machine or the presence of a paper trail that decides whether votes get sold.

The general state of affairs in Brazil, and this probably applies to other countries as well – the US, perhaps? – is that no matter who gets elected, things aren’t going to change much, so few really bother about it. Many choose the candidate with the best hair, or stick to a party and vote for it every time, ignoring any possible scandals, no matter how large.

Voting is mandatory in Brazil, mind you, and some people are so hopeless and live in such heart-breaking conditions they wouldn’t really bother to vote for whoever offers them some cash, jobs, food, water or whatever corrupt politicians use to buy people these days. People make jokes about Santa Claus being more realistic than the idea of an honest politician. And not even the fools laugh for too long at that.

General


Where are the nice internet bankings?

Since I’ve opened my first bank account, back in 1998 or something, I have tried – quite hard, actually – to manage my money and what I do with it as efficiently and effortlessly as possible, something I could never quite get right, for a number of reasons.

First, I use a computer all the time. I’m hardly ever more than 24 hours away from one, and I can usually get online in half an hour or less if needed. So doing everything on the internet seems quite sensible. Well, it only seems so.

I understand that in the eyes of script kiddies, crackers, scammers and the usual digital scum, internet banking websites are very appealing. Getting hold of login information from any Joe Sixpack means cash in their pockets; what else on the internet could be better than that?

It’s nice that banks are worried about security, and conceptually, some of them have done a good job. Most of the problems lie in the implementations.

I’d be damned if I had a visual or motor disability and had to use any internet banking site I’ve tried so far. That’s not only Citibank’s fault (which I happen to use as well); it’s something every net bank I’ve tried so far has, and it’s directly related to “making the user experience more secure”, which rings all sorts of bells – it’s the same argument used by airport security in the US after all, isn’t it?

Also, note that using a non-IE browser counts as a disability for some banks and as suspicious behaviour for others, and don’t even get me started on using mobile phones.

The culprits are numerous, ranging from bizarre Java applets, nasty OCX components, virtual keyboards, hideous JavaScript-based navigation and pop-up windows everywhere to an absolute lack of standards compliance and plain general carelessness about usability.

Why can’t banks offer decent, simple, secure access to customers’ accounts on the web? Would it be so difficult to keep things secure without compromising usability and interoperability? Why can’t I have a secure RSS/Atom feed for my bank transactions, one that I can read using my phone? Where are the banks that offer safe, useful web service APIs, the ones applications could use to let you buy stuff even from the most dodgy-looking online shops without fear?

General
